samba3upgrade: named tkey configuration issue
Adam Tauno Williams
awilliam at whitemice.org
Thu Nov 10 09:33:47 MST 2011
On Thu, 2011-11-10 at 11:23 -0500, Adam Tauno Williams wrote:
> On Thu, 2011-11-10 at 10:26 -0500, Adam Tauno Williams wrote:
> > On Thu, 2011-11-10 at 08:31 -0500, Adam Tauno Williams wrote:
> > > Once the above files are installed, your Samba4 server will be ready to use
> > > Server Role: domain controller
> > > Hostname: BARBEL
> > > NetBIOS Domain: BACKBONE
> > > DNS Domain: micore.us
> > > DOMAIN SID: S-1-5-21-2037442776-3290224752-88127236
> > > Admin password: None
> > > Importing WINS database
> > > Importing Account policy
> > > Importing idmap database
> > > Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> > > Ignoring unknown parameter "server role"
> > > Importing groups
> > > Group already exists sid=S-1-5-21-2037442776-3290224752-88127236-514, groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> > > Group already exists sid=S-1-5-32-544, groupname=Administrators existing_groupname=Administrators, Ignoring.
> > > Group already exists sid=S-1-5-32-550, groupname=Print Operators existing_groupname=Print Operators, Ignoring.
> > > Group already exists sid=S-1-5-21-2037442776-3290224752-88127236-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
> > > Importing users
> >
> > Version 4.0.0alpha18-GIT-22ddbb5
> >
> > Up till now, if I got to this point, I've always been able to "kinit
> > administrator@MICORE.US", but after this provisioning it is failing with
> > a preauthenticate error.
> >
> > barbel:~/samba-master # host -t SRV _kerberos._udp.micore.us.
> > _kerberos._udp.micore.us has SRV record 0 100 88 BARBEL.micore.us.
> > barbel:~/samba-master # host -t A barbel.micore.us.
> > barbel.micore.us has address 10.66.77.1
> > barbel:~/samba-master # kinit administrator@MICORE.US
> > Password for administrator@MICORE.US:
> > kinit: Preauthentication failed while getting initial credentials
>
> In general something seems to be going wrong with Kerberos now. Not
> only can I not authenticate as a user but I can't configure Bind to use
> TKEYs or it fails with a -
>
> Nov 10 10:46:53 barbel named[26621]: automatic empty zone: A.E.F.IP6.ARPA
> Nov 10 10:46:53 barbel named[26621]: automatic empty zone: B.E.F.IP6.ARPA
> Nov 10 10:46:53 barbel named[26621]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
> Nov 10 10:46:53 barbel named[26621]: configuring TKEY: failure
> Nov 10 10:46:53 barbel named[26621]: loading configuration: failure
> Nov 10 10:46:53 barbel named[26621]: exiting (due to fatal error)
Digging into named I see -
10-Nov-2011 11:27:23.281 res 0x7fe4905de198: create
10-Nov-2011 11:27:23.282 dns_requestmgr_create
10-Nov-2011 11:27:23.282 dns_requestmgr_create: 0x7fe4905e01c8
10-Nov-2011 11:27:23.282 dns_requestmgr_whenshutdown
10-Nov-2011 11:27:23.282 dispatch 0x7fe496e9e220: detach: refcount 2
10-Nov-2011 11:27:23.282 acquiring credentials for DNS/micore.us
10-Nov-2011 11:27:23.283 failed to acquire accept credentials for DNS/micore.us: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Key table entry not found.
10-Nov-2011 11:27:23.283 configuring TKEY: failure
10-Nov-2011 11:27:23.283 client @0x7fe496bdaca0: udprecv
10-Nov-2011 11:27:23.283 socket 0x7fe4968fc010: socket_recv: event 0x7fe496857148 -> task 0x7fe4968df7a0
10-Nov-2011 11:27:23.283 client @0x7fe496bdcfc0: udprecv
10-Nov-2011 11:27:23.283 socket 0x7fe4968fc010: socket_recv: event 0x7fe496816148 -> task 0x7fe4968df850
10-Nov-2011 11:27:23.283 client @0x7fe496c1e390: accept
10-Nov-2011 11:27:23.283 client @0x7fe496c1fef0: udprecv
In the keytab file I see -
barbel:/opt/s4/private # klist -k dns.keytab -e
Keytab name: WRFILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/barbel.micore.us@MICORE.US (DES cbc mode with CRC-32)
   1 dns-BARBEL@MICORE.US (DES cbc mode with CRC-32)
   1 DNS/barbel.micore.us@MICORE.US (DES cbc mode with RSA-MD5)
   1 dns-BARBEL@MICORE.US (DES cbc mode with RSA-MD5)
   1 DNS/barbel.micore.us@MICORE.US (ArcFour with HMAC/md5)
   1 dns-BARBEL@MICORE.US (ArcFour with HMAC/md5)
   1 DNS/barbel.micore.us@MICORE.US (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 dns-BARBEL@MICORE.US (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 DNS/barbel.micore.us@MICORE.US (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 dns-BARBEL@MICORE.US (AES-256 CTS mode with 96-bit SHA-1 HMAC)
- so there doesn't appear to be an entry for just "DNS/micore.us".
> That is if I have
> options {
> ....
> tkey-gssapi-credential "DNS/micore.us";
> tkey-domain "MICORE.US";
> } in /etc/named.conf
If I change it to -
tkey-gssapi-credential "DNS/barbel.micore.us";
- then named starts. But I'm not sure if that is correct.
> In /etc/sysconfig/named I have -
>
> KEYTAB_FILE="/opt/s4/private/dns.keytab"
> KRB5_KTNAME="/opt/s4/private/dns.keytab"
> export KEYTAB_FILE
> export KRB5_KTNAME
>
> - and dns.keytab is owned by named:named as I always have had.
I
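A check for the mismatch described in this message (the principal named in tkey-gssapi-credential versus the principals actually present in the keytab), as an added example that is not part of the original post. The klist listing and the named.conf fragments below are constructed from the values quoted in the thread, and treating an unqualified credential as belonging to the tkey-domain realm is an assumption, not documented named behaviour.

```shell
#!/bin/sh
# Constructed sample of `klist -k dns.keytab -e` output, modelled on the
# listing in the thread (not captured from a live system).
KLIST_OUT='Keytab name: WRFILE:dns.keytab
KVNO Principal
---- ------------------------------------------------------------
   1 DNS/barbel.micore.us@MICORE.US (DES cbc mode with CRC-32)
   1 dns-BARBEL@MICORE.US (DES cbc mode with CRC-32)
   1 DNS/barbel.micore.us@MICORE.US (ArcFour with HMAC/md5)
   1 dns-BARBEL@MICORE.US (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# Constructed named.conf option fragments: the failing one and the one that starts.
NAMED_CONF_BAD='options {
    tkey-gssapi-credential "DNS/micore.us";
    tkey-domain "MICORE.US";
};'
NAMED_CONF_OK='options {
    tkey-gssapi-credential "DNS/barbel.micore.us";
    tkey-domain "MICORE.US";
};'

# conf_value CONF KEY -> prints the double-quoted value of KEY found in CONF.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# keytab_principals LISTING -> one principal per line, de-duplicated across enctypes.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 2 && $1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# check_tkey_credential CONF LISTING -> 0 if the credential named in CONF has a
# keytab entry, 1 otherwise. This is the condition behind "Key table entry not found".
check_tkey_credential() {
    cred=$(conf_value "$1" tkey-gssapi-credential)
    realm=$(conf_value "$1" tkey-domain)
    case "$cred" in
        *@*) principal=$cred ;;
        *)   principal="$cred@$realm" ;;   # assumption: unqualified name lives in tkey-domain
    esac
    if keytab_principals "$2" | grep -qx "$principal"; then
        echo "ok: $principal present in keytab"
        return 0
    fi
    echo "missing: $principal not in keytab" >&2
    return 1
}
```

Run it against the real files with `check_tkey_credential "$(cat /etc/named.conf)" "$(klist -k /opt/s4/private/dns.keytab -e)"` before restarting named.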
More information about the samba-technical mailing list