kerberos issues on CentOS 7 and Samba 4 with SSSD

Simo simo at samba.org
Tue Jun 16 09:02:04 MDT 2015


On Tue, 2015-06-16 at 02:29 +0300, Alexander Bokovoy wrote:
> On Mon, Jun 08, 2015 at 12:14:41PM -0700, kvashishta wrote:
> > Team,
> > 
> > I am having issues getting samba to work with AD authentication using SSSD.
> > Here are the relevant configuration files and error logs:
> > 
> > /etc/sssd/sssd.conf
> > [sssd]
> > config_file_version = 2
> > domains = MYDOMAIN.COM
> > services = nss, pam, pac, ssh
> > 
> > # Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
> > # ldap_sasl_authid = host/client.ad.example.com at AD.EXAMPLE.COM
> > 
> > # Comment out if you prefer to use shortnames.
> > #use_fully_qualified_names = True
> > #ldap_idmap_range_size = 2000000000
> > 
> > #ldap_idmap_range_size = 2000000000
> > 
> > 
> > [domain/MYDOMAIN.COM]
> > ad_domain = MYDOMAIN.COM
> > krb5_realm = MYDOMAIN.COM
> > cache_credentials = True
> > id_provider = ad
> > auth_provider = krb5
> > krb5_server = server.MYDOMAIN.COM
> > krb5_ccachedir = /tmp
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = True
> > use_fully_qualified_names = False
> > fallback_homedir = /home/%d/%u
> > ldap_id_mapping = true
> > ldap_idmap_default_domain_sid = <my SID>
> > ldap_idmap_autorid_compat = True
> > ldap_max_id = 2000200000
> > ldap_idmap_range_size = 2000000000
> > access_provider = ad
> > 
> > -------------------------------------------------------------------------------------------------------------
> > 
> > cat /etc/krb5.conf
> > [logging]
> > 
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> > 
> > [libdefaults]
> > default_realm = MYDOMAIN.COM
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > ticket_lifetime = 24h
> > renew_lifetime = 7d
> > forwardable = true
> > default_keytab_name = FILE:/etc/krb5.keytab
> > proxiable = true
> > fcc-mit-ticketflags = true
> > [realms]
> > MYDOMAIN.COM = {
> > kdc = SERVER1.MYDOMAIN.COM
> > admin_server = SERVER2.MYDOMAIN.COM
> > admin_server = SERVER1.MYDOMAIN.COM
> > admin_server = SERVER3.MYDOMAIN.COM
> > admin_server = SERVER4.MYDOMAIN.COM
> > }
> > 
> > [domain_realm]
> > .MYDOMAIN.COM = MYDOMAIN.COM
> > MYDOMAIN.COM = MYDOMAIN.COM
> > 
> > ---------------------------------------------------------------------
> > 
> > cat /etc/samba/smb.conf
> > [global]
> > workgroup = my
> > realm = MYDOMAIN.COM
> > netbios name = <SERVER NAME>
> > password server = *
> > server string = Samba Server Version %v
> > security = ADS
> > log file = /var/log/samba/log.%m
> > max log size = 5000
> > load printers = No
> > idmap config * : backend = tdb
> > passdb backend = tdbsam
> > guest account = nobody
> > log level = 4
> > local master = no
> > domain master = no
> > preferred master = no
> > # kerberos method = system keytab
> > kerberos method = dedicated keytab
> > dedicated keytab file = /etc/krb5.keytab
> > wins support = no
> > wins proxy = no
> > client signing = yes
> > client use spnego = yes
> > dns proxy = yes
> > name resolve order = wins bcast host lmhosts
> > #============================ Share Definitions ==============================
> > 
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> > valid users = <username>
> > path = /home/homes
> > [homes1]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> > valid users = @"<ad group name>@mydomain.com"
> > path = /home/homes1
> > 
> > -----------------------------------------------------------------------------------------------
> > NOTE: I am using "ktutil" to generate the kerberos ticket and saving it in
> > /etc/krb5.keytab, ssh using an AD username to the server is working without
> > issue.
> > ------------------------------------------------------------------------------------------------
> Can you show content of your keytab?
> 
> 
> > 
> > This is the message I am getting in the samba logs:
> > 
> > [2015/06/08 14:16:22.436362, 1] ../source3/librpc/crypto/gse.c:466(gse_get_server_auth_token)
> >   gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Wrong principal in request]
> > [2015/06/08 14:16:22.436445, 1] ../auth/gensec/spnego.c:576(gensec_spnego_parse_negTokenInit)
> >   SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> > [2015/06/08 14:16:22.436554, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
> >   SPNEGO login failed: NT_STATUS_LOGON_FAILURE
> Samba server expects a ticket to cifs/fqdn. Do you have cifs/fqdn in
> your /etc/krb5.keytab?
> 
> While for Windows all host-specific services have the same key (e.g.
> MACHINE$@REALM has host/fqdn, cifs/fqdn, ...), you still need to have
> keys for cifs/fqdn principal on Linux (or rather, non-Windows) side.

Actually, this is not completely true; it mostly depends on what
kerberos libraries you are using and what applications.

When using the MIT library, with most applications at most you need to
set 'ignore_acceptor_hostname true' in the [libdefaults] section in
krb5.conf.
Then an acceptor will try all keys in the keytab regardless of the name,
so only one entry will be needed.

Simo.


-- 
Simo Sorce


