delegated credentials on samba4

Andrew Bartlett abartlet at samba.org
Sat Sep 22 00:23:55 GMT 2007


On Fri, 2007-09-21 at 15:27 +0100, Amin Azez wrote:
> I'm doing some work to add some generic caching and traffic optimization
> to the cifs proxy vfs I hope will be accepted as part of samba4.

This certainly sounds interesting.  In the final delivery, we might want
to have this a separate module, with vfs_cifs and vfs_cifs_cache both
using some common code. 

> I have non-delegated proxying working, this message describes some
> difficulty I am experiencing in getting delegated mode to work as
> described in source/ntvfs/cifs/README.
> 
> I'm developing on a Centos-5 system, samba4 built and installed OK.
> I have ntp running on all the servers involved.
> 
> 
> I follow the instructions at:
> http://wiki.samba.org/index.php/Samba4/HOWTO
> 
> and successfully followed step 4 to provision samba4 in an existing
> windows 2003 domain:
> 
>  ./setup/provision --realm=home.ufomechanic.net --domain=UFO --adminpass=XXX

I clearly need to fix some of these instructions, because for the domain
member case, it just doesn't make sense.   

In short, set --realm=membername --domain=membername (because we are just
trying to create the internal SAM database).

In the smb.conf, set 'server role = member server'

> I wasn't able to completely follow these instructions:
> 
> Please install the zone located in
> /usr/local/samba/private/home.ufomechanic.net.zone into your DNS server.
>  A sample BIND configuration snippit is at
> /usr/local/samba/private/named.conf
> 
> because the named.conf line
> tkey-gssapi-credential "DNS/home.ufomechanic.net";
> causes bind9 to give the error:
> 
> Sep 21 14:41:43 localhost named[19606]: configuring TKEY: not implemented

Yeah, I will improve the instructions.  This feature is not implemented
in all but the most recent BIND version, and in any case, you should not
do this for a member server.  

> And so I went without using the local nameserver, but had resolv.conf
> pointing to the domain controller I am trying to join.
> I mention this in case it is a cause or symptom of my problems; possibly
> related to:
> 
> (
> 
> Server claims it's principal name is
> ufomechanicw200$@WAKEFIELD.UFOMECHANIC.NET
> Starting GENSEC submechanism gssapi_krb5
> kinit for Administrator at UFO failed (Cannot contact any KDC for requested
> realm: unable to reach any KDC in realm UFO)
> Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for
> requested realm
> Cannot reach a KDC we require to contact
> cifs at ufomechanicw200.wakefield.ufomechanic.net
> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
> Starting GENSEC submechanism ntlmssp
> signing_good: signing negotiated but not required and peer
> isn't sending correct signatures. Turning off.
> Shutdown SMB signing
> 
> )
> 
> anyway, I then do:
> 
> # net join UFO BDC -U Administrator

This you don't want to do, as you are not a BDC. 

Try 'net join UFO -U administrator', we don't want to be a Domain
Controller.

> Under the windows 2003 AD administration tools, I set cifs proxy to be
> trusted for delegation.

Good.

> Notes:
> When I start smbd, I note this error:
> 
> Name registration conflict from 192.168.0.7 for UFO<1b> with ip
> 223.1.1.128 - rcode 6
> Error registering UFO<1b> with 192.168.0.139 on interface 192.168.0.255
> - NT_STATUS_CONFLICTING_ADDRESSES
> 
> 192.168.0.7 is the windows 2003 domain controller for which I want to
> make the samba4 machine also an active directory server (bdc in old
> terms?) and trusted for delegation.
> 
> 192.168.0.139 is the samba4 server.
> 
> I guess the provision command I ran must have made a distinct domain
> instead of replicating from the existing domain of the same name,

Samba4 is not yet able to act as a second domain controller in a windows
domain, but should act as a member server, once you manage the correct
configuration.  Let's work together to set that up, and fix up the
documentation. 

In short:

./provision --realm=cifsproxy --domain=cifsproxy

fix up smb.conf to be:

[global]
workgroup = UFO
realm = home.ufomechanic.net
server role = member server
...

Then run
net join UFO

Then set 'trusted for delegation'

Then set your /etc/krb5.conf like (the critical one being for the UFO
domain, which being short isn't in DNS)

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 HOME.UFOMECHANIC.NET = {
  kdc = 192.168.0.7:88
  default_domain = home.ufomechanic.net
 }
 home.ufomechanic.net = {
  kdc = 192.168.0.7:88
  default_domain = home.ufomechanic.net
 }
 UFO = {
  kdc = 192.168.0.7:88
  default_domain = home.ufomechanic.net
 }

I hope this helps.  I'll make it a task for the next week to have a sane
member-server provision and join process. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
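The krb5.conf advice above hinges on the short workgroup name (UFO) having an explicit kdc entry, since it cannot be found through DNS and kinit otherwise fails with "Cannot contact any KDC". The following added check (my own example, not Samba code) parses the [realms] section and reports which of the expected realm spellings lack a kdc line; the sample krb5.conf embedded in it is constructed for illustration and deliberately leaves two of them out.

```python
import re

# Constructed sample: mirrors the shape of the krb5.conf from the mail,
# but omits the lower-case realm block and gives UFO no kdc line.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 HOME.UFOMECHANIC.NET = {
  kdc = 192.168.0.7:88
  default_domain = home.ufomechanic.net
 }
 UFO = {
  default_domain = home.ufomechanic.net
 }
"""


def parse_realms(text):
    """Return {realm_name: {key: [values]}} for the [realms] section."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                      # new section header, e.g. [realms]
            section, current = m.group(1), None
            continue
        if section != 'realms':
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:                      # start of a "REALM = {" block
            current = realms.setdefault(m.group(1), {})
            continue
        if line == '}':
            current = None
            continue
        if current is not None and '=' in line:
            key, _, value = line.partition('=')
            current.setdefault(key.strip(), []).append(value.strip())
    return realms


def missing_kdc(text, workgroup, realm):
    """Realm names (DNS realm, its lower-case form, NetBIOS workgroup)
    that have no explicit kdc entry and would rely on DNS lookup."""
    realms = parse_realms(text)
    wanted = [realm.upper(), realm.lower(), workgroup.upper()]
    return [name for name in wanted if not realms.get(name, {}).get('kdc')]
```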