[Samba] Samba PDC - Kerberised CIFS access
Shahid M Shaikh
shahid.shaikh at in.ibm.com
Fri Mar 13 17:49:20 GMT 2009
Hi Eduardo,
M1 is the Samba PDC. It hosts a domain and also stores the domain users,
though the samba passwords for all the users are invalid in smbpasswd.
M3 is the CIFS server and is part of the Samba PDC's domain. Hence I joined M3
to M1 using net rpc join.
For that I created a machine user account on the Samba PDC.
On M3, I have configured smb.conf to accept kerberos tickets. So a client
who wants to access the CIFS shares needs to have valid kerberos tickets
(user TGT and CIFS service principal TGS).
Is that clear to you now?
Regards,
Shahid Shaikh.
Eduardo Sachs <edu.sachs at gmail.com>
To: samba at lists.samba.org
cc: Shahid M Shaikh/India/IBM at IBMIN
Date: 13-03-09 10:23 PM
Subject: Re: [Samba] Samba PDC - Kerberised CIFS access
Hi Shahid,
I'm so sorry, but I don't understand your collocation about your answer.
You managed to join M3 to the Samba PDC and, at the same time, access it
through Kerberos authentication? Was that it?
Helmut, I'm so sorry!
Thanks!
2009/3/13 Shahid M Shaikh <shahid.shaikh at in.ibm.com>:
> Hi Eduardo,
>
> Thanks much for all the information you have shared with us regarding the
> samba issue.
>
> I used net rpc join command to join into the domain hosted by M1.
>
> I was able to join to the domain successfully.
>
> Regards,
> Shahid Shaikh.
>
>
>
>
> Eduardo Sachs <edu.sachs at gmail.com>
> To: Shahid M Shaikh/India/IBM at IBMIN
> cc: samba at lists.samba.org, Christian M Ambach <christian.ambach at de.ibm.com>,
> Volker.Lendecke at sernet.de, Mathias Dietz <MDIETZ at de.ibm.com>,
> Ujjwal Lanjewar/India/IBM at IBMIN, Michael Diederich <diederich at de.ibm.com>,
> Pankaj S Zanwar/India/IBM at IBMIN
> Date: 13-03-09 07:19 PM
> Subject: Re: [Samba] Samba PDC - Kerberised CIFS access
>
> I'm so sorry for the many emails, but it is necessary:
>
> In my case, Samba 3.0.x does not cause this problem, only Samba 3.2.x and
> 3.3.x.
>
> Thanks!
>
> 2009/3/13 Eduardo Sachs <edu.sachs at gmail.com>:
>> More information...
>>
>> Example of procedure:
>>
>> 1 - M4 accesses M3 with Kerberos auth:
>> M4# smbclient //M3/publico -k
>> OS=[Unix] Server=[Samba 3.2.5]
>> smb: \> ls
>>   .      D    0  Wed Mar 11 21:04:19 2009
>>   ..     D    0  Wed Mar 11 21:04:19 2009
>>
>> 48444 blocks of size 262144. 36638 blocks available
>> smb: \> quit
>>
>> 2 - M3 joins the Samba PDC:
>> M3# net join -U root
>> Enter root's password:
>> Joined domain _LOCAL_.
>>
>> 3 - M4 accessing M3 with Kerberos auth fails:
>> M4# smbclient //M3/publico -k
>> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> 4 - On M3, delete /var/lib/samba/secrets.tdb and restart the Samba client;
>> M3 is out of the Samba PDC domain because secrets.tdb was deleted:
>> M3# rm /var/lib/samba/secrets.tdb && /etc/init.d/samba restart
>>
>> 5 - M4 can access M3 with Kerberos auth again:
>> M4# smbclient //M3/publico -k
>> OS=[Unix] Server=[Samba 3.2.5]
>> smb: \> ls
>>   .      D    0  Wed Mar 11 21:04:19 2009
>>   ..     D    0  Wed Mar 11 21:04:19 2009
>>
>> 48444 blocks of size 262144. 36638 blocks available
>> smb: \> quit
>>
>> Thanks!
>>
>> 2009/3/13 Eduardo Sachs <edu.sachs at gmail.com>:
>>> Shahid,
>>>
>>> Did you use the command 'net join' to join M3 to the Samba PDC domain?
>>>
>>> My problem is that when I join M3 to the Samba PDC (M1) domain with the
>>> command 'net join', afterwards I cannot access M3 using Kerberos
>>> authentication.
>>>
>>> Another description:
>>>
>>> Your error is [1]:
>>> ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
>>> Decrypt integrity check failed
>>> ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab
>>> principals
>>> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>>>
>>> My error is [23]:
>>> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
>>> Decrypt integrity check failed
>>> ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab
>>> principals
>>> ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in
>>> request)
>>>
>>> When I delete the file /var/lib/samba/secrets.tdb on M3 and restart the
>>> Samba client on M3, Kerberos authentication on M3 works again for my
>>> CIFS client M4, but M3 is out of the Samba PDC domain.
>>>
>>> But the problem may be related.
>>>
>>> My English is terrible, sorry...
>>>
>>> Thanks!
>>>
>>>
>>> 2009/3/12 Eduardo Sachs <edu.sachs at gmail.com>:
>>>> Shahid,
>>>>
>>>> I have the same problem, but I use a domain with Heimdal Kerberos. Look at
>>>> this bug ticket:
>>>>
>>>> https://bugzilla.samba.org/show_bug.cgi?id=5810
>>>>
>>>> The developers have not yet responded.
>>>>
>>>> Thanks!
>>>>
>>>> 2009/3/11 Shahid M Shaikh <shahid.shaikh at in.ibm.com>:
>>>>> Hi All,
>>>>>
>>>>> I have machine M1 hosting a Samba PDC. It stores only user information.
>>>>> I have machine M2 acting as the KDC server.
>>>>> I have machine M3 hosting CIFS shares, and it is joined to the domain
>>>>> hosted by PDC M1.
>>>>> I have machine M4 used as a CIFS client.
>>>>>
>>>>> On M2, I have added users and cifs/host service principals for M3. I have
>>>>> also added the service principal to the keytab file.
>>>>> I have added all the user and service principals using the des-cbc-crc
>>>>> encryption triplet.
>>>>>
>>>>> M3 and M4 are KDC clients. I have scp'ed the keytab file from M2 to M3.
>>>>>
>>>>> I have configured M3's smb.conf file to accept the kerberos keytab and
>>>>> also for the kerberos realm:
>>>>>
>>>>> realm = SONAS.COM
>>>>> use kerberos keytab = yes
>>>>> client use spnego = yes
>>>>>
>>>>>
>>>>> From M4, I do kinit <user> and then try to see the exported shares from
>>>>> M3.
>>>>>
>>>>> [root at sofsedun3 ~]# kinit domuser
>>>>> Password for domuser at SONAS.COM:
>>>>> [root at sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>>>>> [root at sofsedun3 ~]# klist -e
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>> Default principal: domuser at SONAS.COM
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM at SONAS.COM
>>>>>         renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with
>>>>>         CRC-32, DES cbc mode with CRC-32
>>>>>
>>>>>
>>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>>> klist: You have no tickets cached
>>>>> [root at sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>>>>> Enter domuser's password:
>>>>> Anonymous login successful
>>>>> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>>>>>
>>>>> Sharename Type Comment
>>>>> --------- ---- -------
>>>>> share Disk test share
>>>>> IPC$ IPC IPC Service (Samba 3.2.8-ctdb-55)
>>>>> Anonymous login successful
>>>>> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>>>>>
>>>>> Server Comment
>>>>> --------- -------
>>>>>
>>>>> Workgroup Master
>>>>> --------- -------
>>>>>
>>>>> It works with anonymous login. But when I try to use -k it fails. I
>>>>> tried smbclient with -k and debug level 3. I get this on the console:
>>>>>
>>>>> [root at sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
>>>>> lp_load_ex: refreshing parameters
>>>>> Initialising global parameters
>>>>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>>>>> Processing section "[global]"
>>>>> added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
>>>>> added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
>>>>> added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
>>>>> Client started (version 3.2.8-ctdb-55).
>>>>> Connecting to 10.0.0.24 at port 445
>>>>> Doing spnego session setup (blob length=111)
>>>>> got OID=1 2 840 113554 1 2 2
>>>>> got OID=1 2 840 48018 1 2 2
>>>>> got OID=1 3 6 1 4 1 311 2 2 10
>>>>> got principal=cifs/sofsedun4.vsofs1.com at SONAS.COM
>>>>> Doing kerberos session setup
>>>>> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
>>>>> Thu, 12 Mar 2009 21:36:54 TLT
>>>>> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>>>>> SPNEGO login failed: Logon failure
>>>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>>>> [root at sofsedun3 ~]# klist -e
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>> Default principal: domuser at SONAS.COM
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM at SONAS.COM
>>>>>         renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with
>>>>>         CRC-32, DES cbc mode with CRC-32
>>>>> 03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1.com at SONAS.COM
>>>>>         renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with
>>>>>         CRC-32, DES cbc mode with CRC-32
>>>>>
>>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>>> klist: You have no tickets cached
>>>>>
>>>>>
>>>>> On M3, I have enabled smbd logs with debug level 10. The corresponding
>>>>> errors for the above behavior are:
>>>>>
>>>>> [2009/03/11 21:58:54, 3] smbd/process.c:switch_message(1361)
>>>>> switch message SMBsesssetupX (pid 26858) conn 0x0
>>>>> [2009/03/11 21:58:54, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>>>>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
>>>>> wct=12 flg2=0xc801
>>>>> [2009/03/11 21:58:54, 3]
>>>>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
>>>>> Doing spnego session setup
>>>>> [2009/03/11 21:58:54, 3]
>>>>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
>>>>> NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>>>>> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
>>>>> reply_spnego_negotiate: Got secblob of size 466
>>>>> [2009/03/11 21:58:54, 3]
>>>>> libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
>>>>> ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
>>>>> Decrypt integrity check failed
>>>>> [2009/03/11 21:58:54, 3]
>>>>> libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
>>>>> ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab
>>>>> principals
>>>>> [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
>>>>> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>>>>> [2009/03/11 21:58:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>>>>> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>>>>> [2009/03/11 21:58:54, 3] smbd/error.c:error_packet_set(61)
>>>>> error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX)
>>>>> NT_STATUS_LOGON_FAILURE
>>>>> [2009/03/11 21:58:54, 3] smbd/process.c:smbd_process(2036)
>>>>> receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
>>>>> [2009/03/11 21:58:54, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>>>>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>> [2009/03/11 21:58:54, 3] smbd/connection.c:yield_connection(31)
>>>>> Yielding connection to
>>>>> [2009/03/11 21:58:54, 3] smbd/server.c:exit_server_common(958)
>>>>> Server exit (normal exit)
>>>>>
>>>>>
>>>>>
>>>>> In the above scenario, M1 and M2 are not aware of each other. That
>>>>> means M1 is not a kerberos client.
>>>>> I tried setting up M1 as a kerberos client as well, but the result was
>>>>> the same.
>>>>>
>>>>> Samba installed on M1, M3 and M4 is samba-3.2.8_ctdb_55-1.
>>>>> I am using MIT Kerberos version 1.6.1-25.el5 on the KDC and kerberos
>>>>> clients.
>>>>>
>>>>>
>>>>> My queries are:
>>>>> 1. Is it a known issue with samba or kerberos?
>>>>> 2. Am I missing anything in the configuration?
>>>>> 3. What should I do to make the above setup work?
>>>>>
>>>>>
>>>>> Please feel free to ask for more information if what I have provided is
>>>>> not sufficient.
>>>>>
>>>>>
>>>>> P.S.: I am copying my configuration files here for reference.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> [root at sofsedun2 ~]# cat /etc/samba/smb.conf
>>>>> # Samba Configuration file.
>>>>> #
>>>>> # ****************** WARNING ********************************
>>>>> # The contents of this file should not be modified directly !
>>>>> #
>>>>> # The samba options are stored in the registry.
>>>>> # Use the "net conf" command to add/modify samba options in the registry
>>>>> # ***************************************************************
>>>>> [global]
>>>>> workgroup = VSOFS1.COM
>>>>> server string = Samba/NT PDC
>>>>> netbios name = sofsedun2
>>>>> passdb backend = tdbsam
>>>>> log level = 3
>>>>> log file = /var/log/samba/%m.log
>>>>> max log size = 50
>>>>> delete user script = /usr/sbin/userdel "%u"
>>>>> add group script = /usr/sbin/groupadd "%g"
>>>>> delete group script = /usr/sbin/groupdel "%g"
>>>>> delete user from group script = /usr/sbin/userdel "%u" "%g"
>>>>> add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>>>> add user script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>>>> domain logons = Yes
>>>>> os level = 64
>>>>> preferred master = Yes
>>>>> domain master = Yes
>>>>> local master = Yes
>>>>> wins support = Yes
>>>>> cups options = raw
>>>>> security = user
>>>>> encrypt passwords = Yes
>>>>> [netlogon]
>>>>> path = /etc/samba/netlogon
>>>>> writeable = no
>>>>> write list = ntadmin
>>>>> guest ok = no
>>>>> [profiles]
>>>>> path = /usr/smb/ntprofile
>>>>> writeable = yes
>>>>> create mask = 0600
>>>>> directory mask = 0700
>>>>>
>>>>>
>>>>>
>>>>> 2. CIFS server smb.conf
>>>>> [root at sofsedun4 ~]# cat /etc/samba/smb.conf
>>>>> # Samba Configuration file.
>>>>> #
>>>>> # ****************** WARNING ********************************
>>>>> # The contents of this file should not be modified directly !
>>>>> #
>>>>> # The samba options are stored in the registry.
>>>>> # Use the "net conf" command to add/modify samba options in the registry
>>>>> # ***************************************************************
>>>>> [global]
>>>>> workgroup = VSOFS1.COM
>>>>> password server = sofsedun2
>>>>> security = domain
>>>>> idmap uid = 16777216-33554431
>>>>> idmap gid = 16777216-33554431
>>>>> template shell = /bin/sh
>>>>> winbind use default domain = false
>>>>> winbind offline logon = false
>>>>> realm = SONAS.COM
>>>>> use kerberos keytab = yes
>>>>> client use spnego = yes
>>>>> wins support = Yes
>>>>> cups options = raw
>>>>> log level = 3
>>>>> log file = /var/log/samba/%m.log
>>>>> [share]
>>>>> comment = test share
>>>>> path = /home/share
>>>>> read only = no
>>>>> public = yes
>>>>> valid users = 'VSOFS1.COM\domuser' 'VSOFS1.COM\domadmin'
>>>>> 'VSOFS1.COM\domguest'
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> [root at sofsedutsm ~]# cat /var/kerberos/krb5kdc/kdc.conf
>>>>> [kdcdefaults]
>>>>> v4_mode = nopreauth
>>>>> kdc_tcp_ports = 88
>>>>>
>>>>> [realms]
>>>>> SONAS.COM = {
>>>>> #master_key_type = des3-hmac-sha1
>>>>> acl_file = /var/kerberos/krb5kdc/kadm5.acl
>>>>> dict_file = /usr/share/dict/words
>>>>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>>>> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>>>>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
>>>>> des-cbc-crc:afs3
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> [root at sofsedun3 ~]# cat /etc/krb5.conf
>>>>> [logging]
>>>>> default = FILE:/var/log/krb5libs.log
>>>>> kdc = FILE:/var/log/krb5kdc.log
>>>>> admin_server = FILE:/var/log/kadmind.log
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = SONAS.COM
>>>>> dns_lookup_realm = true
>>>>> dns_lookup_kdc = true
>>>>> ticket_lifetime = 24h
>>>>> forwardable = yes
>>>>> default_tkt_enctypes = des-cbc-crc des-cbc-md5
>>>>> default_tgs_enctypes = des-cbc-crc des-cbc-md5
>>>>>
>>>>> [realms]
>>>>> VSOFS1.COM = {
>>>>> kdc = sofsedutsm.VSOFS1.COM
>>>>> }
>>>>> SONAS.COM = {
>>>>> kdc = sofsedutsm.VSOFS1.COM:88
>>>>> admin_server = sofsedutsm.VSOFS1.COM:749
>>>>> default_domain = VSOFS1.COM
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .VSOFS1.COM = SONAS.COM
>>>>> VSOFS1.COM = SONAS.COM
>>>>>
>>>>> [appdefaults]
>>>>> pam = {
>>>>> debug = false
>>>>> ticket_lifetime = 36000
>>>>> renew_lifetime = 36000
>>>>> forwardable = true
>>>>> krb4_convert = false
>>>>> }
>>>>>
>>>>>
>>>>> 5. /etc/nsswitch.conf and /etc/pam.d/system-auth have been configured to
>>>>> use winbind for auth, account and passwords.
>>>>>
>>>>>
>>>>>
>>>>> [root at sofsedun4 ~]# klist -kte
>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>> KVNO Timestamp         Principal
>>>>> ---- ----------------- --------------------------------------------------------
>>>>>    3 03/11/09 20:24:49 cifs/sofsedun2.vsofs1.com at SONAS.COM (DES cbc mode with CRC-32)
>>>>>    3 03/11/09 20:25:05 host/sofsedun2.vsofs1.com at SONAS.COM (DES cbc mode with CRC-32)
>>>>>    3 03/11/09 20:25:19 host/sofsedun4.vsofs1.com at SONAS.COM (DES cbc mode with CRC-32)
>>>>>    3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1.com at SONAS.COM (DES cbc mode with CRC-32)
>>>>> [root at sofsedun4 ~]#
>>>>>
>>>>>
>>>>> Regards,
>>>>> Shahid Shaikh.
>>>>>
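As an added example, not code from the thread or from Samba, here is a small Python checker for the question the `klist -kte` keytab listing and the client's `klist -e` ticket listing quoted above raise: does the CIFS server hold a key for the same principal and enctype that the client's service ticket was encrypted with? The sample listings are constructed from the ones quoted above, with the list archive's " at " obfuscation restored to "@".

```python
import re
# Constructed sample input, based on the klist listings quoted in the thread.
KEYTAB_LISTING = """\
KVNO Timestamp         Principal
   3 03/11/09 20:25:19 host/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
   3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
"""
TICKET_LISTING = """\
Valid starting     Expires            Service principal
03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1.com@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""
KEYTAB_RE = re.compile(r"^\s*\d+\s+\S+ \S+\s+(\S+@\S+)\s+\((.+)\)\s*$")
TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+@\S+)\s*$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+?)\s*$")

def parse_keytab(text):
    """Map each principal in `klist -kte` output to the set of enctypes it has keys for."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys

def parse_tickets(text):
    """Map each service principal in `klist -e` output to its ticket ("tkt") enctype."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)  # the Etype line for this ticket follows
        elif current and (m := ETYPE_RE.search(line)):
            tickets[current] = m.group(2)  # second value: key the service must decrypt with
            current = None
    return tickets

def check_service_ticket(keytab, tickets, service):
    """Say whether the server's keytab holds a key able to decrypt the ticket for `service`."""
    if service not in tickets:
        return "client holds no ticket for " + service
    if service not in keytab:
        return "no keytab entry for " + service
    if tickets[service] not in keytab[service]:
        return "keytab has no %s key for %s" % (tickets[service], service)
    return "ok: %s key for %s is in the keytab" % (tickets[service], service)
```

A matching principal and enctype is necessary but not sufficient: a key with the right name and enctype but the wrong value (for instance one derived from a stale machine password in secrets.tdb, which the net join symptoms in the thread point at) still fails with "Decrypt integrity check failed", and that shows up only in the smbd log.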