samba4 success/failure report...all's working despite kerberized ssh

Chan Min Wai dcmwai at gmail.com
Tue Feb 18 09:09:36 MST 2014


Dear George,

I've not tried sssd, but I did try nss-pam-ldapd, the so-called nslcd.
Below is the guide I wrote while working on 4.1.2 & 3.

http://wiki.gentoo.org/wiki/Centralized_authentication_with_Samba_AD_/HOWTO

You can try method 2.

Hope that helps...




> Georg Hopp <georg at steffers.org> wrote on 18/02/2014 10:25 PM:
> 
> OK, here is some more information:
> 
> on mail a klist -k -t -e
> 
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>   1 02/18/14 11:58:05 mail$@WEIRD-WEB-WORKERS.ORG (des-cbc-crc)
>   1 02/18/14 11:58:05 mail$@WEIRD-WEB-WORKERS.ORG (des-cbc-md5)
>   1 02/18/14 11:58:05 mail$@WEIRD-WEB-WORKERS.ORG (arcfour-hmac)
>   1 02/18/14 11:58:11 MAIL$@WEIRD-WEB-WORKERS.ORG (des-cbc-crc)
>   1 02/18/14 11:58:11 MAIL$@WEIRD-WEB-WORKERS.ORG (des-cbc-md5)
>   1 02/18/14 11:58:11 MAIL$@WEIRD-WEB-WORKERS.ORG (arcfour-hmac)
>   1 02/18/14 11:58:23 host/mail@WEIRD-WEB-WORKERS.ORG (des-cbc-crc)
>   1 02/18/14 11:58:23 host/mail@WEIRD-WEB-WORKERS.ORG (des-cbc-md5)
>   1 02/18/14 11:58:23 host/mail@WEIRD-WEB-WORKERS.ORG (arcfour-hmac)
>   1 02/18/14 11:58:32 HOST/mail@WEIRD-WEB-WORKERS.ORG (des-cbc-crc)
>   1 02/18/14 11:58:32 HOST/mail@WEIRD-WEB-WORKERS.ORG (des-cbc-md5)
>   1 02/18/14 11:58:32 HOST/mail@WEIRD-WEB-WORKERS.ORG (arcfour-hmac)
>   1 02/18/14 11:58:43 host/mail.weird-web-workers.org@WEIRD-WEB-WORKERS.ORG (des-cbc-crc)
>   1 02/18/14 11:58:43 host/mail.weird-web-workers.org@WEIRD-WEB-WORKERS.ORG (des-cbc-md5)
>   1 02/18/14 11:58:43 host/mail.weird-web-workers.org@WEIRD-WEB-WORKERS.ORG (arcfour-hmac)
>   1 02/18/14 11:58:54 HOST/mail.weird-web-workers.org@WEIRD-WEB-WORKERS.ORG (des-cbc-crc)
>   1 02/18/14 11:58:54 HOST/mail.weird-web-workers.org@WEIRD-WEB-WORKERS.ORG (des-cbc-md5)
>   1 02/18/14 11:58:54 HOST/mail.weird-web-workers.org@WEIRD-WEB-WORKERS.ORG (arcfour-hmac)
> 
> kvno host/mail.wierd-web-workers.org on mail:
> 
> host/mail.wierd-web-workers.org@WEIRD-WEB-WORKERS.ORG: kvno = 1
> 
> I started with the krb5.conf that was created during the samba
> domain provisioning but now it looks like this in both www and mail:
> 
> [libdefaults]
>    default_realm = WEIRD-WEB-WORKERS.ORG
>    default_keytab_name = FILE:/etc/krb5.keytab
>    dns_lookup_realm = false
>    dns_lookup_kdc = true
>    forwardable = true
>    proxiable = true
>    allow_wek_crypto = true
>    allow_weak_crypto = true
> 
> [realms]
>    WEIRD-WEB-WORKERS.ORG = {
>        kdc = samba.weird-web-workers.org 1 :88
>        default_domain = weird-web-workers.org
>    }
> 
> [logging]
>        default = FILE:/var/log/krb5libs.log
>        kdc = FILE:/var/log/krb5kdc.log
>        admin_server = FILE:/var/log/kadm5.log
> 
> 
> What I found curious is that the logfiles are not even created.
> 
> best regards
>   Georg Hopp
> 
>>> On Tue, Feb 18, 2014 at 01:41:57PM +0000, Georg Hopp wrote:
>>> Sorry, no it does not.
>> 
>> does
>> 
>> kvno host/mail.wierd-web-workers.org
>> 
>> return you the service ticket?
>> 
>> Can you send your krb5.conf?
>> 
>> bye,
>> Sumit
>> 
>>> 
>>>> On Tue, Feb 18, 2014 at 02:34:24PM +0100, Sumit Bose wrote:
>>>>> On Tue, Feb 18, 2014 at 01:13:53PM +0000, Georg Hopp wrote:
>>>>> Hi,
>>>>> 
>>>>> 
>>>>> And here the one of ssh -vvv -p 2222 mail:
>>>> 
>>>> does it work if you use the fully-qualified name of your mail server?
>>>> 
>>>> bye,
>>>> Sumit
>> 
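
An added example, not part of the original thread or of Samba/MIT Kerberos: a small audit of `klist -k -t -e` output that lists the principals whose keytab entries use only deprecated enctypes, as every entry in the quoted listing does. The sample input is constructed in the format shown above; the `host/www.example.org@EXAMPLE.ORG` entries, the AES line and the handling of a `DEPRECATED:` prefix are assumptions.

```python
import re
from collections import defaultdict

# Deprecated enctypes: single DES (RFC 6649) and RC4 (RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "arcfour-hmac", "arcfour-hmac-exp"}

# A keytab entry line: KVNO, two timestamp tokens, principal, (enctype).
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<principal>\S+)"
    r"\s+\((?P<enctype>[^)]+)\)\s*$")

# Constructed sample in the layout of the listing quoted in the thread.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   1 02/18/14 11:58:43 host/mail.weird-web-workers.org@WEIRD-WEB-WORKERS.ORG (des-cbc-crc)
   1 02/18/14 11:58:43 host/mail.weird-web-workers.org@WEIRD-WEB-WORKERS.ORG (des-cbc-md5)
   1 02/18/14 11:58:43 host/mail.weird-web-workers.org@WEIRD-WEB-WORKERS.ORG (arcfour-hmac)
   2 02/18/14 12:00:00 host/www.example.org@EXAMPLE.ORG (arcfour-hmac)
   2 02/18/14 12:00:00 host/www.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
"""

def parse_keytab_listing(text):
    """Return {principal: set of enctypes}; header lines do not match."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # Assumption: some klist builds print "DEPRECATED:" before the name.
            enctype = m.group("enctype").strip().split(":")[-1]
            entries[m.group("principal")].add(enctype)
    return dict(entries)

def weak_only_principals(entries):
    """Principals for which every keytab key uses a deprecated enctype."""
    return sorted(p for p, e in entries.items() if e <= WEAK_ENCTYPES)

if __name__ == "__main__":
    entries = parse_keytab_listing(SAMPLE)
    for principal in weak_only_principals(entries):
        print("only deprecated enctypes:", principal, sorted(entries[principal]))
```

A principal reported here can only be served with single-DES or RC4 tickets, which is the case that requires `allow_weak_crypto = true` on the client side.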


More information about the samba-technical mailing list