kerberos issues on CentOS 7 and Samba 4 with SSSD

Alexander Bokovoy ab at samba.org
Mon Jun 15 17:29:23 MDT 2015


On Mon, Jun 08, 2015 at 12:14:41PM -0700, kvashishta wrote:
> Team,
> 
> I am having issues getting samba to work with AD authentication using SSSD.
> Here are the relevant configuration files and error logs:
> 
> /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> domains = MYDOMAIN.COM
> services = nss, pam, pac, ssh
> 
> # Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
> # ldap_sasl_authid = host/client.ad.example.com at AD.EXAMPLE.COM
> 
> # Comment out if you prefer to user shortnames.
> #use_fully_qualified_names = True
> #ldap_idmap_range_size = 2000000000
> 
> #ldap_idmap_range_size = 2000000000
> 
> 
> [domain/MYDOMAIN.COM]
> ad_domain = MYDOMAIN.COM
> krb5_realm = MYDOMAIN.COM
> cache_credentials = True
> id_provider = ad
> auth_provider = krb5
> krb5_server = server.MYDOMAIN.COM
> krb5_ccachedir = /tmp
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = False
> fallback_homedir = /home/%d/%u
> ldap_id_mapping = true
> ldap_idmap_default_domain_sid = <my SID>
> ldap_idmap_autorid_compat = True
> ldap_max_id = 2000200000
> ldap_idmap_range_size = 2000000000
> access_provider = ad
> 
> -------------------------------------------------------------------------------------------------------------
> 
> cat /etc/krb5.conf
> [logging]
> 
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = MYDOMAIN.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> default_keytab_name = FILE:/etc/krb5.keytab
> proxiable = true
> fcc-mit-ticketflags = true
> [realms]
> MYDOMAIN.COM = {
> kdc = SERVER1.MYDOMAIN.COM
> admin_server = SERVER2.MYDOMAIN.COM
> admin_server = SERVER1.MYDOMAIN.COM
> admin_server = SERVER3.MYDOMAIN.COM
> admin_server = SERVER4.MYDOMAIN.COM
> }
> 
> [domain_realm]
> .MYDOMAIN.COM = MYDOMAIN.COM
> MYDOMAIN.COM = MYDOMAIN.COM
> 
> ---------------------------------------------------------------------
> 
> cat /etc/samba/smb.conf
> [global]
> workgroup = my
> realm = MYDOMAIN.COM
> netbios name = <SERVER NAME>
> password server = *
> server string = Samba Server Version %v
> security =ADS
> log file = /var/log/samba/log.%m
> max log size = 5000
> load printers = No
> idmap config * : backend = tdb
> passdb backend = tdbsam
> guest account = nobody
> log level = 4
> local master = no
> domain master = no
> preferred master = no
> # kerberos method = system keytab
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/krb5.keytab
> wins support = no
> wins proxy = no
> client signing = yes
> client use spnego = yes
> dns proxy = yes
> name resolve order = wins bcast host lmhosts
> #============================ Share Definitions ==============================
> 
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> valid users = <username>
> path = /home/homes
> [homes1]
> comment = Home Directories
> browseable = no
> writable = yes
> valid users = @"<ad group name>@mydomain.com"
> path = /home/homes1
> 
> -----------------------------------------------------------------------------------------------
> NOTE: I am using "ktutil" to generate the kerberos ticket and saving it in
> /etc/krb5.keytab, ssh using an AD username to the server is working without
> issue.
> ------------------------------------------------------------------------------------------------
Can you show the content of your keytab?


> 
> This is the message I am getting in the samba logs:
> 
> [2015/06/08 14:16:22.436362, 1]
> ../source3/librpc/crypto/gse.c:466(gse_get_server_auth_token)
> gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may
> provide more information: Wrong principal in request]
> [2015/06/08 14:16:22.436445, 1]
> ../auth/gensec/spnego.c:576(gensec_spnego_parse_negTokenInit)
> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2015/06/08 14:16:22.436554, 2]
> ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Samba server expects a ticket to cifs/fqdn. Do you have cifs/fqdn in
your /etc/krb5.keytab?

While for Windows all host-specific services have the same key (e.g.
MACHINE$@REALM has host/fqdn, cifs/fqdn, ...), you still need to have
keys for cifs/fqdn principal on Linux (or rather, non-Windows) side.

-- 
/ Alexander Bokovoy
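As an added illustration of the check Alexander asks for above (not code from the thread or from Samba), this script parses a `klist -kt` listing and reports whether a `cifs/<fqdn>@<REALM>` entry is present; the two keytab listings are constructed samples, and the hostname `myhost.mydomain.com` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a keytab listing (the
# output of `klist -kt /etc/krb5.keytab`) contains cifs/<fqdn>@<REALM>, the
# service principal the Samba server needs to accept a Kerberos ticket.

# keytab_has_cifs: reads `klist -kt` output on stdin; returns 0 if a
# cifs/$1@$2 principal is present, 1 otherwise. The principal is the last
# whitespace-separated field of each entry line; compare case-insensitively
# because the host part may be stored with different capitalisation.
keytab_has_cifs() {
    fqdn=$1
    realm=$2
    awk -v want="cifs/${fqdn}@${realm}" '
        tolower($NF) == tolower(want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample listing (not real output from the poster's host): a keytab
# built with ktutil that only holds the machine account and host/ keys.
SAMPLE_WITHOUT_CIFS='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/08/2015 14:16:22 MYHOST$@MYDOMAIN.COM
   3 06/08/2015 14:16:22 host/myhost.mydomain.com@MYDOMAIN.COM'

# Same keytab after the cifs/ principal has been added (also constructed).
SAMPLE_WITH_CIFS="${SAMPLE_WITHOUT_CIFS}
   3 06/08/2015 14:16:22 cifs/myhost.mydomain.com@MYDOMAIN.COM"

# check_sample: run the check over a listing and explain the result.
# Assumption: the host was joined with `net ads join`, so the cifs/ key can be
# added with `net ads keytab add cifs` (it shares the machine account key).
check_sample() {
    if printf '%s\n' "$1" | keytab_has_cifs myhost.mydomain.com MYDOMAIN.COM; then
        echo "cifs/myhost.mydomain.com@MYDOMAIN.COM present: Samba can accept the ticket"
        return 0
    fi
    echo "cifs/myhost.mydomain.com@MYDOMAIN.COM missing: expect 'Wrong principal in request'"
    echo "on a joined host, add it with: net ads keytab add cifs"
    return 1
}

check_sample "$SAMPLE_WITHOUT_CIFS" || true
check_sample "$SAMPLE_WITH_CIFS"
```

On a real host replace the constructed listing with `klist -kt /etc/krb5.keytab | keytab_has_cifs "$(hostname -f)" MYDOMAIN.COM`.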

