kerberos issues on CentOS 7 and Samba 4 with SSSD

kvashishta kartik.unix at gmail.com
Mon Jun 8 13:14:41 MDT 2015


Team,

I am having issues getting samba to work with AD authentication using SSSD.
Here are the relevant configuration files and error logs:

/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = MYDOMAIN.COM
services = nss, pam, pac, ssh

# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM

# Comment out if you prefer to use shortnames.
#use_fully_qualified_names = True
#ldap_idmap_range_size = 2000000000

#ldap_idmap_range_size = 2000000000


[domain/MYDOMAIN.COM]
ad_domain = MYDOMAIN.COM
krb5_realm = MYDOMAIN.COM
cache_credentials = True
id_provider = ad
auth_provider = krb5
krb5_server = server.MYDOMAIN.COM
krb5_ccachedir = /tmp
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
ldap_id_mapping = true
ldap_idmap_default_domain_sid = <my SID>
ldap_idmap_autorid_compat = True
ldap_max_id = 2000200000
ldap_idmap_range_size = 2000000000
access_provider = ad

-------------------------------------------------------------------------------------------------------------

cat /etc/krb5.conf
[logging]

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = FILE:/etc/krb5.keytab
proxiable = true
fcc-mit-ticketflags = true
[realms]
MYDOMAIN.COM = {
kdc = SERVER1.MYDOMAIN.COM
admin_server = SERVER2.MYDOMAIN.COM
admin_server = SERVER1.MYDOMAIN.COM
admin_server = SERVER3.MYDOMAIN.COM
admin_server = SERVER4.MYDOMAIN.COM
}

[domain_realm]
.MYDOMAIN.COM = MYDOMAIN.COM
MYDOMAIN.COM = MYDOMAIN.COM

---------------------------------------------------------------------

cat /etc/samba/smb.conf
[global]
workgroup = my
realm = MYDOMAIN.COM
netbios name = <SERVER NAME>
password server = *
server string = Samba Server Version %v
security = ADS
log file = /var/log/samba/log.%m
max log size = 5000
load printers = No
idmap config * : backend = tdb
passdb backend = tdbsam
guest account = nobody
log level = 4
local master = no
domain master = no
preferred master = no
# kerberos method = system keytab
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
wins support = no
wins proxy = no
client signing = yes
client use spnego = yes
dns proxy = yes
name resolve order = wins bcast host lmhosts
#============================ Share Definitions ==============================

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = <username>
path = /home/homes
[homes1]
comment = Home Directories
browseable = no
writable = yes
valid users = @"<ad group name>@mydomain.com"
path = /home/homes1

-----------------------------------------------------------------------------------------------
NOTE: I am using "ktutil" to generate the kerberos ticket and saving it in
/etc/krb5.keytab, ssh using an AD username to the server is working without
issue.
------------------------------------------------------------------------------------------------

This is the message I am getting in the samba logs:

[2015/06/08 14:16:22.436362, 1] ../source3/librpc/crypto/gse.c:466(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Wrong principal in request]
[2015/06/08 14:16:22.436445, 1] ../auth/gensec/spnego.c:576(gensec_spnego_parse_negTokenInit)
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2015/06/08 14:16:22.436554, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE

----------------------------------------------------------------------------------------------------

Google searches did not suggest using ktutil to create a kerberos ticket,
but I had no choice as kinit was not creating a keytab file. Please excuse
my limited knowledge of kerberos.
So, ssh works w/o issue but samba does not.

As always all help will be appreciated. Regards,

Kartik Vashishta



--
View this message in context: http://samba.2283325.n4.nabble.com/kerberos-issues-on-CentOS-7-and-Samba-4-with-SSSD-tp4686954.html
Sent from the Samba - samba-technical mailing list archive at Nabble.com.
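The "Wrong principal in request" failure in the log above is what smbd reports when the client's service ticket is for a principal whose key is not in the keytab smbd reads, which is worth checking before anything else when the keytab was assembled by hand with ktutil. The following Python script is an added diagnostic, not part of the mail or of Samba: it parses the [global] section of smb.conf (tolerating spacing such as `security =ADS`), derives the cifs/ and host/ principals for the server's FQDN from `netbios name` and `realm`, and compares them with the output of `klist -k`. Both inputs are constructed samples; the netbios name FILESERVER stands in for the mail's `<SERVER NAME>`, and the keytab listing deliberately lacks the cifs/ entry.

```python
import re

# Constructed sample: the relevant [global] lines from the mail, with a
# placeholder netbios name (the mail shows "<SERVER NAME>").
SMB_CONF = """\
[global]
workgroup = my
realm = MYDOMAIN.COM
netbios name = FILESERVER
security =ADS
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
"""

# Constructed sample of `klist -k /etc/krb5.keytab` output: a keytab holding
# host/ and machine-account entries but no cifs/ entry.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.mydomain.com@MYDOMAIN.COM
   2 host/FILESERVER@MYDOMAIN.COM
   2 FILESERVER$@MYDOMAIN.COM
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
KLIST_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_global(smb_conf):
    """Return the [global] key/value pairs of an smb.conf text.

    Keys are lower-cased and whitespace around '=' is ignored, so a line
    like 'security =ADS' parses the way smbd reads it.
    """
    values = {}
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    return values


def expected_principals(smb_conf):
    """Service principals the server should hold keys for: cifs/ and host/
    for its FQDN (netbios name + realm) in the configured realm. A client
    that obtains a ticket for cifs/<fqdn> can only be accepted by smbd if
    that principal's key is present in the keytab smbd reads."""
    g = parse_global(smb_conf)
    realm = g["realm"].upper()
    fqdn = f"{g['netbios name'].lower()}.{realm.lower()}"
    return {f"{svc}/{fqdn}@{realm}" for svc in ("cifs", "host")}


def keytab_principals(klist_output):
    """Parse `klist -k` output into {principal: {kvno, ...}}; header and
    separator lines do not match the entry pattern and are skipped."""
    found = {}
    for line in klist_output.splitlines():
        m = KLIST_ENTRY_RE.match(line)
        if m:
            found.setdefault(m.group(2), set()).add(int(m.group(1)))
    return found


def missing_principals(smb_conf, klist_output):
    """Expected principals absent from the keytab listing, sorted."""
    present = keytab_principals(klist_output)
    return sorted(p for p in expected_principals(smb_conf) if p not in present)


if __name__ == "__main__":
    missing = missing_principals(SMB_CONF, KLIST_OUTPUT)
    if missing:
        print("keytab is missing service principals:")
        for p in missing:
            print("  ", p)
    else:
        print("keytab holds every expected service principal")
```

On a real host, feed it the actual smb.conf and the output of `klist -k /etc/krb5.keytab`. If cifs/ entries are reported missing, the usual remedy on a domain-joined Samba host is to let `net ads keytab create` populate the keytab rather than adding entries by hand with ktutil; that command is standard Samba tooling and is mentioned here as general guidance, not something the mail itself describes.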
