delegated credentials on samba4
Andrew Bartlett
abartlet at samba.org
Sat Sep 22 00:23:55 GMT 2007
On Fri, 2007-09-21 at 15:27 +0100, Amin Azez wrote:
> I'm doing some work to add some generic caching and traffic optimization
> to the cifs proxy vfs I hope will be accepted as part of samba4.
This certainly sounds interesting. In the final delivery, we might want
to have this a separate module, with vfs_cifs and vfs_cifs_cache both
using some common code.
> I have non-delegated proxying working, this message describes some
> difficulty I am experiencing in getting delegated mode to work as
> described in source/ntvfs/cifs/README.
>
> I'm developing on a Centos-5 system, samba4 built and installed OK.
> I have ntp running on all the servers involved.
>
>
> I follow the instructions at:
> http://wiki.samba.org/index.php/Samba4/HOWTO
>
> and successfully followed step 4 to provision samba4 in an existing
> windows 2003 domain:
>
> ./setup/provision --realm=home.ufomechanic.net --domain=UFO --adminpass=XXX
I clearly need to fix some of these instructions, because for the domain
member case, it just doesn't make sense.
In short, set --realm=membername --domain=membername (because we are just
trying to create the internal SAM database).
In the smb.conf, set 'server role = member server'
> I wasn't able to completely follow these instructions:
>
> Please install the zone located in
> /usr/local/samba/private/home.ufomechanic.net.zone into your DNS server.
> A sample BIND configuration snippit is at
> /usr/local/samba/private/named.conf
>
> because the named.conf line
> tkey-gssapi-credential "DNS/home.ufomechanic.net";
> causes bind9 to give the error:
>
> Sep 21 14:41:43 localhost named[19606]: configuring TKEY: not implemented
Yeah, I will improve the instructions. This feature is not implemented
in all but the most recent BIND version, and in any case, you should not
do this for a member server.
> And so I went without using the local nameserver, but had resolv.conf
> pointing to the domain controller I am trying to join.
> I mention this in case it is a cause or symptom of my problems; possibly
> related to:
>
> (
>
> Server claims it's principal name is
> ufomechanicw200$@WAKEFIELD.UFOMECHANIC.NET
> Starting GENSEC submechanism gssapi_krb5
> kinit for Administrator at UFO failed (Cannot contact any KDC for requested
> realm: unable to reach any KDC in realm UFO)
> Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for
> requested realm
> Cannot reach a KDC we require to contact
> cifs at ufomechanicw200.wakefield.ufomechanic.net
> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
> Starting GENSEC submechanism ntlmssp
> signing_good: signing negotiated but not required and peer
> isn't sending correct signatures. Turning off.
> Shutdown SMB signing
>
> )
>
> anyway, I then do:
>
> # net join UFO BDC -U Administrator
This you don't want to do, as you are not a BDC.
Try 'net join UFO -U administrator', we don't want to be a Domain
Controller.
> Under the windows 2003 AD administration tools, I set cfs proxy to be
> trusted for delegation.
Good.
> Notes:
> When I start smbd, I note this error:
>
> Name registration conflict from 192.168.0.7 for UFO<1b> with ip
> 223.1.1.128 - rcode 6
> Error registering UFO<1b> with 192.168.0.139 on interface 192.168.0.255
> - NT_STATUS_CONFLICTING_ADDRESSES
>
> 192.168.0.7 is the windows 2003 domain controller for which I want to
> make the samba4 machine also an active directory server (bdc in old
> terms?) and trusted for delegation.
>
> 192.168.0.139 is the samba4 server.
>
> I guess the provision command I ran must have made a distinct domain
> instead of replicating from the existing domain of the same name,
Samba4 is not yet able to act as a second domain controller in a windows
domain, but should act as a member server, once you manage the correct
configuration. Let's work together to set that up, and fix up the
documentation.
In short:
./provision --realm=cifsproxy --domain=cifsproxy
fix up smb.conf to be:
[global]
    workgroup = UFO
    realm = home.ufomechanic.net
    server role = member server
    ...
Then run
net join UFO
Then set 'trusted for delegation'
Then set your /etc/krb5.conf like (the critical one being for the UFO
domain, which being short isn't in DNS)
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    HOME.UFOMECHANIC.NET = {
        kdc = 192.168.0.7:88
        default_domain = home.ufomechanic.net
    }
    home.ufomechanic.net = {
        kdc = 192.168.0.7:88
        default_domain = home.ufomechanic.net
    }
    UFO = {
        kdc = 192.168.0.7:88
        default_domain = home.ufomechanic.net
    }
I hope this helps. I'll make it a task for the next week to have a sane
member-server provision and join process.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
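As an added illustration of the krb5.conf point made above (it is not code from the email, from Andrew, or from Samba), the script below parses a krb5.conf-style file into sections and nested realm blocks and then checks that every realm a member server will be asked for has a usable KDC entry. The rule it enforces is the one the reply states: a dotted realm can fall back to DNS SRV lookup when dns_lookup_kdc is on, but a short NetBIOS-style realm such as UFO is never found in DNS and must carry an explicit kdc line. The sample configurations and the list of required realms are constructed from the values in the email; the parser's handling of duplicate keys (collected into a list) is an assumption about how a practitioner would want repeated kdc lines represented.

```python
"""Parse a krb5.conf-style file and check realm entries needed by a
Samba member server for Kerberos delegation.  Added example; not part of
the email or of Samba itself."""

import re

# Constructed from the krb5.conf shown in the email (working case).
SAMPLE_KRB5_CONF = """
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    HOME.UFOMECHANIC.NET = {
        kdc = 192.168.0.7:88
        default_domain = home.ufomechanic.net
    }
    home.ufomechanic.net = {
        kdc = 192.168.0.7:88
        default_domain = home.ufomechanic.net
    }
    UFO = {
        kdc = 192.168.0.7:88
        default_domain = home.ufomechanic.net
    }
"""

# Constructed failure case: the short realm block is missing, which is the
# situation behind "Cannot contact any KDC for requested realm ... UFO".
BROKEN_KRB5_CONF = """
[libdefaults]
    dns_lookup_kdc = true
[realms]
    HOME.UFOMECHANIC.NET = {
        kdc = 192.168.0.7:88
    }
"""

_SECTION_RE = re.compile(r'^\[(\w+)\]$')


def parse_krb5_conf(text):
    """Return {section: {key: value}}.  A 'name = { ... }' block becomes a
    nested dict; a key repeated inside one block becomes a list of values
    (assumption: that is how repeated kdc lines are best represented)."""
    sections = {}
    stack = []  # innermost dict last; stack[0] is the current section
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any [section]: %r" % line)
        if line == '}':
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError("expected 'key = value': %r" % line)
        key, value = key.strip(), value.strip()
        if value == '{':
            block = {}
            stack[-1][key] = block
            stack.append(block)
            continue
        holder = stack[-1]
        if key in holder:  # repeated key: collect into a list
            if not isinstance(holder[key], list):
                holder[key] = [holder[key]]
            holder[key].append(value)
        else:
            holder[key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return sections


def check_realms(conf, required_realms):
    """Return a list of problem strings (empty when the config is usable).
    Short realms (no dot) cannot be located via DNS, so they need an
    explicit [realms] entry with a kdc; dotted realms may rely on DNS
    when dns_lookup_kdc is enabled."""
    problems = []
    realms = conf.get('realms', {})
    libdefaults = conf.get('libdefaults', {})
    dns_kdc = str(libdefaults.get('dns_lookup_kdc', 'false')).lower() in ('true', 'yes')
    for realm in required_realms:
        entry = realms.get(realm)
        if not isinstance(entry, dict):
            if '.' in realm and dns_kdc:
                continue  # DNS SRV lookup can still find the KDC
            problems.append("realm %s: no [realms] entry and DNS cannot locate it" % realm)
        elif 'kdc' not in entry:
            problems.append("realm %s: [realms] entry has no kdc" % realm)
    return problems


if __name__ == '__main__':
    required = ['UFO', 'HOME.UFOMECHANIC.NET', 'home.ufomechanic.net']
    for name, text in (('sample', SAMPLE_KRB5_CONF), ('broken', BROKEN_KRB5_CONF)):
        print(name, check_realms(parse_krb5_conf(text), required) or 'OK')
```

Running the script prints OK for the configuration from the email and a single complaint about UFO for the broken variant; pointing it at a real /etc/krb5.conf only requires reading the file into a string first.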