sysvol replication between ntvfs and s3fs

Daniele Dario d.dario76 at gmail.com
Mon Sep 24 02:40:54 MDT 2012


Hi Matthieu,

On Fri, 2012-09-21 at 20:29 -0700, Matthieu Patou wrote:
> On 09/21/2012 02:27 AM, Daniele Dario wrote:
> > Hi Matthew,
> >
> > On Wed, 2012-09-19 at 09:05 -0700, Matthieu Patou wrote:
> >> On 09/19/2012 07:18 AM, Daniele Dario wrote:
> >>> Hi Matthiew and samba team,
> >>> I'm looking into whether it is possible to sync the sysvol partition between my two
> >>> samba4 DCs and I found your "sync_dc" script.
> >>>
> >>> Would rsync -X -u -a work also if one DC is working with NTVFS while the
> >>> other uses S3FS?
> >> Yes, it should work more or less; you'll also need -A to preserve unix
> >> ACLs, since s3fs uses them.
> >>
> >> Still the biggest issue that you'll face is that the uid for Windows
> >> users can be different and so the unix ACLs won't be correct, but there
> >> is nothing we can do in the short term.
> >>
> >>
> >>> Sorry if the question is stupid but I've read that there are differences
> >>> between the two implementations and that moving from NTVFS to S3FS
> >>> requires using the sysvolreset command to apply the right ACLs.
> >>>
> >>> Thanks,
> >>> Daniele.
> >>>
> >> Matthieu.
> >>
> > I'm trying to use the sync_dc script but I'm stuck at the rsync point:
> > from man rsync I see that the line
> >
> > rsync -X -A -u -a $dc_account_name\$@${dc}.${domain}:$SYSVOL $STAGING
> >
> >        * will access via remote shell (don't need rsyncd on the other
> >          side)
> >        * will use $dc_account_name\$ as the user which has to
> >          authenticate on the ${dc}.${domain} host
> >
> > How does rsync authenticate the given account (e.g. KDC01$) on the other
> > DC? I thought it would use the kerberos ticket obtained by kinit, but when I
> > try to replicate the commands on the shell I get
> >
> > [root at kdc01:~/tmp]# export KRB5CCNAME=/tmp/sync.$$
> > [root at kdc01:~/tmp]# kinit -k -t /usr/local/samba/private/secrets.keytab KDC01$
> > [root at kdc01:~/tmp]# klist -l
> >    Name                        Cache name      Expires
> > KDC01$@SAITELITALIA.LOCAL   /tmp/krb5cc_0   Sep 21 20:44:52
> > [root at kdc01:~/tmp]# rsync -X -A -u -a KDC01\$@kdc02.saitelitalia.local:/usr/local/samba/var/locks/sysvol .
> > Warning: Permanently added the ECDSA host key for IP address '192.168.12.2' to the list of known hosts.
> > KDC01$@kdc02.saitelitalia.local's password:
> >
> > I don't know the KDC01$ password and I think that account is the
> > machine account, which is present in the domain, not on the host, so I
> > guess it should not authenticate in this way.
> You have to make kerberized ssh work first for domain accounts.
> 
> 

I know this is not the place to discuss kerberos+ssh problems, but
maybe you can help me get it working.

I used samba-tool domain exportkeytab /etc/krb5.conf and then I started
a new sshd with /usr/sbin/sshd -p 10002 -ddd to see what happens when I
try to connect from the other DC:

[root at kdc01:~]# /usr/sbin/sshd -p 10002 -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 811
debug2: parse_server_config: config /etc/ssh/sshd_config len 811
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:12 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:13 setting HostKey /etc/ssh/ssh_host_ecdsa_key
debug3: /etc/ssh/sshd_config:15 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:18 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:19 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:22 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:23 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:26 setting LoginGraceTime 120
debug3: /etc/ssh/sshd_config:27 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:28 setting StrictModes yes
debug3: /etc/ssh/sshd_config:30 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:31 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:35 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:37 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:39 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:44 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:48 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:54 setting KerberosAuthentication yes
debug3: /etc/ssh/sshd_config:56 setting KerberosOrLocalPasswd yes
debug3: /etc/ssh/sshd_config:57 setting KerberosTicketCleanup yes
debug3: /etc/ssh/sshd_config:60 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:61 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:63 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:64 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:65 setting PrintMotd no
debug3: /etc/ssh/sshd_config:66 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:67 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:74 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:76 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:87 setting UsePAM yes
debug1: sshd version OpenSSH_5.8p1 Debian-1ubuntu3
...

When I try to connect from the other DC:

Connection from 192.168.12.2 port 58294
debug1: Client protocol version 2.0; client software version OpenSSH_5.8p1 Debian-1ubuntu3
debug1: match: OpenSSH_5.8p1 Debian-1ubuntu3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 15889
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 103:65534
debug1: permanently_set_uid: 103/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
...
debug1: userauth-request for user KDC02$ service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 7
debug3: monitor_read: checking request 7
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 192.168.12.2.
debug2: parse_server_config: config reprocess config len 811
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 8
debug3: mm_request_receive entering
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 8
debug2: monitor_read: 7 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for KDC02$
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 50
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: monitor_read: checking request 50
debug1: PAM: initializing for "KDC02$"
debug1: PAM: setting PAM_RHOST to "kdc02.saitelitalia.local"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 50 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=, role=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user KDC02$ service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 38
debug3: mm_request_receive_expect entering: type 39
debug3: mm_request_receive entering
debug3: monitor_read: checking request 38
debug1: Unspecified GSS failure.  Minor code may provide more information
Key table entry not found

debug3: mm_request_send entering: type 39
debug3: mm_request_receive entering
debug1: userauth-request for user KDC02$ service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug1: userauth-request for user KDC02$ service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 0
debug2: input_userauth_request: try method gssapi-with-mic

So the problem seems to be that it can't find the key
in /etc/krb5.keytab, but the keytab contains:

[root at kdc01:~]# ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type                     Principal                  Aliases
  1  des-cbc-crc              KDC01$@SAITELITALIA.LOCAL  
  1  des-cbc-md5              KDC01$@SAITELITALIA.LOCAL  
  1  arcfour-hmac-md5         KDC01$@SAITELITALIA.LOCAL  
  1  des-cbc-crc              KDC02$@SAITELITALIA.LOCAL  
  1  des-cbc-md5              KDC02$@SAITELITALIA.LOCAL  
  1  aes128-cts-hmac-sha1-96  KDC02$@SAITELITALIA.LOCAL  
  1  aes256-cts-hmac-sha1-96  KDC02$@SAITELITALIA.LOCAL  
  1  arcfour-hmac-md5         KDC02$@SAITELITALIA.LOCAL  

From the other side I see:

[root at kdc02:~]# ssh -vvv -p 10002 KDC02\$@kdc01.saitelitalia.local
OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to kdc01.saitelitalia.local [192.168.12.5] port 10002.
debug1: Connection established.
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey

which ends by asking for the password for KDC02$.

Do you have any suggestion to help me solve the issue?

Thanks,
Daniele.
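An added pre-flight check for the failure shown in this message (example code written for this page; it is not from the thread and not part of Samba). The sshd debug output reports "Key table entry not found" during gssapi-with-mic because the accepting sshd looks in the system keytab for its own acceptor principal, host/<sshd fqdn>@REALM, while the listing of /etc/krb5.keytab above holds only the machine-account principals KDC01$ and KDC02$. Those entries are what `kinit -k -t ... KDC01$` consumes on the client side; they let a DC obtain a ticket, not accept one. The script below parses a keytab listing (the Heimdal `ktutil -k <keytab> list` layout seen on this page, or MIT `klist -k`), reports whether the acceptor principal for a given DC is present, and prints the `samba-tool domain exportkeytab --principal=...` command that would add it, on the assumption that the DC's account carries that host/ servicePrincipalName (Samba registers it for DCs). The FQDN, realm and both keytab listings are constructed samples; nothing in the block reads or writes a real keytab.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Checks whether a keytab can serve gssapi-with-mic ssh logins on a DC:
# sshd acquires acceptor credentials for host/<fqdn>@REALM from the
# system keytab, so that principal (not the machine account KDC01$)
# must be present on the DC that accepts the connection.
#
# Assumptions (hypothetical, for illustration): the FQDN/realm passed in,
# and the two keytab listings below, which are constructed samples in the
# `ktutil -k /etc/krb5.keytab list` format shown in the thread.

# Acceptor principal sshd on host $1 expects in realm $2.
sshd_acceptor_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Read a keytab listing on stdin (Heimdal `ktutil list` or MIT `klist -k`,
# both put a numeric KVNO first) and succeed only if some entry's principal
# field equals $1 exactly. Exact match matters: KDC01$@REALM must not
# satisfy a check for host/...@REALM.
keytab_has_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: the listing from the thread (no host/ entry at all).
SAMPLE_KEYTAB_LISTING='/etc/krb5.keytab:

Vno  Type                     Principal                  Aliases
  1  des-cbc-crc              KDC01$@SAITELITALIA.LOCAL
  1  arcfour-hmac-md5         KDC01$@SAITELITALIA.LOCAL
  1  aes256-cts-hmac-sha1-96  KDC02$@SAITELITALIA.LOCAL
  1  arcfour-hmac-md5         KDC02$@SAITELITALIA.LOCAL'

# Constructed sample: the same keytab after exporting kdc01's host principal.
SAMPLE_KEYTAB_LISTING_FIXED="$SAMPLE_KEYTAB_LISTING
  1  aes256-cts-hmac-sha1-96  host/kdc01.saitelitalia.local@SAITELITALIA.LOCAL"

# Returns 0 if the listing on stdin lets sshd on $1 (fqdn) accept Kerberos
# logins in realm $2; otherwise prints the diagnosis and the command that
# would add the missing entry on that DC, and returns 1.
check_sshd_keytab() {
    fqdn="$1"; realm="$2"
    princ=$(sshd_acceptor_principal "$fqdn" "$realm")
    if keytab_has_principal "$princ"; then
        echo "ok: $princ present; sshd on $fqdn can accept gssapi-with-mic"
        return 0
    fi
    echo "missing: $princ (sshd reports 'Key table entry not found')" >&2
    echo "fix on $fqdn: samba-tool domain exportkeytab /etc/krb5.keytab --principal=$princ" >&2
    return 1
}

# Demonstration on the constructed listings; in real use pipe
# `klist -k` (or `ktutil -k /etc/krb5.keytab list`) into check_sshd_keytab.
demo() {
    printf '%s\n' "$SAMPLE_KEYTAB_LISTING" |
        check_sshd_keytab kdc01.saitelitalia.local SAITELITALIA.LOCAL
    printf '%s\n' "$SAMPLE_KEYTAB_LISTING_FIXED" |
        check_sshd_keytab kdc01.saitelitalia.local SAITELITALIA.LOCAL
}
demo || :
```

Run the check on the DC that receives the ssh connection (kdc01 in the debug session above), not on the one running rsync. Two caveats for the real setup: once the host principal is exported, /etc/krb5.keytab holds both the DC's service key and its machine-account keys, so keep it root-only; and sshd still has to map KDC02$@REALM onto the login name it was given, which the server log shows winbind already resolving (mm_answer_pwnamallow: 1), so the only remaining piece is the acceptor credential this script checks for.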


