kerberos issues on CentOS 7 and Samba 4 with SSSD

Kartik Vashishta kartik.unix at gmail.com
Tue Jun 16 09:33:29 MDT 2015


Team,

I got this working. I had to create a keytab, /etc/krb5.keytab, using
ktutil. Will this persist for months/years, or do I need to recreate the
keytab file every so often? Also, is there a better way to accomplish
this? What about kinit? kinit does not seem to create a keytab file. Thanks
for your consideration. Regards,

Kartik Vashishta

On Tue, Jun 16, 2015 at 10:02 AM, Simo <simo at samba.org> wrote:

> On Tue, 2015-06-16 at 02:29 +0300, Alexander Bokovoy wrote:
> > On Mon, Jun 08, 2015 at 12:14:41PM -0700, kvashishta wrote:
> > > Team,
> > >
> > > I am having issues getting samba to work with AD authentication using SSSD.
> > > Here are the relevant configuration files and error logs:
> > >
> > > /etc/sssd/sssd.conf
> > > [sssd]
> > > config_file_version = 2
> > > domains = MYDOMAIN.COM
> > > services = nss, pam, pac, ssh
> > >
> > > # Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
> > > # ldap_sasl_authid = host/client.ad.example.com at AD.EXAMPLE.COM
> > >
> > > # Comment out if you prefer to use shortnames.
> > > #use_fully_qualified_names = True
> > > #ldap_idmap_range_size = 2000000000
> > >
> > > #ldap_idmap_range_size = 2000000000
> > >
> > >
> > > [domain/MYDOMAIN.COM]
> > > ad_domain = MYDOMAIN.COM
> > > krb5_realm = MYDOMAIN.COM
> > > cache_credentials = True
> > > id_provider = ad
> > > auth_provider = krb5
> > > krb5_server = server.MYDOMAIN.COM
> > > krb5_ccachedir = /tmp
> > > krb5_store_password_if_offline = True
> > > default_shell = /bin/bash
> > > ldap_id_mapping = True
> > > use_fully_qualified_names = False
> > > fallback_homedir = /home/%d/%u
> > > ldap_id_mapping = true
> > > ldap_idmap_default_domain_sid = <my SID>
> > > ldap_idmap_autorid_compat = True
> > > ldap_max_id = 2000200000
> > > ldap_idmap_range_size = 2000000000
> > > access_provider = ad
> > >
> > >
> > > -------------------------------------------------------------------------------------------------------------
> > >
> > > cat /etc/krb5.conf
> > > [logging]
> > >
> > > default = FILE:/var/log/krb5libs.log
> > > kdc = FILE:/var/log/krb5kdc.log
> > > admin_server = FILE:/var/log/kadmind.log
> > >
> > > [libdefaults]
> > > default_realm = MYDOMAIN.COM
> > > dns_lookup_realm = true
> > > dns_lookup_kdc = true
> > > ticket_lifetime = 24h
> > > renew_lifetime = 7d
> > > forwardable = true
> > > default_keytab_name = FILE:/etc/krb5.keytab
> > > proxiable = true
> > > fcc-mit-ticketflags = true
> > > [realms]
> > > MYDOMAIN.COM = {
> > > kdc = SERVER1.MYDOMAIN.COM
> > > admin_server = SERVER2.MYDOMAIN.COM
> > > admin_server = SERVER1.MYDOMAIN.COM
> > > admin_server = SERVER3.MYDOMAIN.COM
> > > admin_server = SERVER4.MYDOMAIN.COM
> > > }
> > >
> > > [domain_realm]
> > > .MYDOMAIN.COM = MYDOMAIN.COM
> > > MYDOMAIN.COM = MYDOMAIN.COM
> > >
> > > ---------------------------------------------------------------------
> > >
> > > cat /etc/samba/smb.conf
> > > [global]
> > > workgroup = my
> > > realm = MYDOMAIN.COM
> > > netbios name = <SERVER NAME>
> > > password server = *
> > > server string = Samba Server Version %v
> > > security = ADS
> > > log file = /var/log/samba/log.%m
> > > max log size = 5000
> > > load printers = No
> > > idmap config * : backend = tdb
> > > passdb backend = tdbsam
> > > guest account = nobody
> > > log level = 4
> > > local master = no
> > > domain master = no
> > > preferred master = no
> > > # kerberos method = system keytab
> > > kerberos method = dedicated keytab
> > > dedicated keytab file = /etc/krb5.keytab
> > > wins support = no
> > > wins proxy = no
> > > client signing = yes
> > > client use spnego = yes
> > > dns proxy = yes
> > > name resolve order = wins bcast host lmhosts
> > > #============================ Share Definitions ==============================
> > >
> > > [homes]
> > > comment = Home Directories
> > > browseable = no
> > > writable = yes
> > > valid users = <username>
> > > path = /home/homes
> > > [homes1]
> > > comment = Home Directories
> > > browseable = no
> > > writable = yes
> > > valid users = @"<ad group name>@mydomain.com"
> > > path = /home/homes1
> > >
> > >
> > > -----------------------------------------------------------------------------------------------
> > > NOTE: I am using "ktutil" to generate the Kerberos ticket and saving it in
> > > /etc/krb5.keytab; ssh using an AD username to the server is working without
> > > issue.
> > >
> > > ------------------------------------------------------------------------------------------------
> > Can you show content of your keytab?
> >
> >
> > >
> > > This is the message I am getting in the samba logs:
> > >
> > > [2015/06/08 14:16:22.436362, 1]
> > > ../source3/librpc/crypto/gse.c:466(gse_get_server_auth_token)
> > > gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Wrong principal in request]
> > > [2015/06/08 14:16:22.436445, 1]
> > > ../auth/gensec/spnego.c:576(gensec_spnego_parse_negTokenInit)
> > > SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> > > [2015/06/08 14:16:22.436554, 2]
> > > ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
> > > SPNEGO login failed: NT_STATUS_LOGON_FAILURE
> > Samba server expects a ticket to cifs/fqdn. Do you have cifs/fqdn in
> > your /etc/krb5.keytab?
> >
> > While for Windows all host-specific services have the same key (e.g.
> > MACHINE$@REALM has host/fqdn, cifs/fqdn, ...), you still need to have
> > keys for cifs/fqdn principal on Linux (or rather, non-Windows) side.
>
> Actually, this is not completely true, it mostly depends on what
> kerberos libraries you are using and what applications.
>
> When using the MIT library, with most applications at most you need to
> set 'ignore_acceptor_hostname true' in the [libdefaults] section in
> krb5.conf.
> Then an acceptor will try all keys in the keytab regardless of the name,
> so only one entry will be needed.
>
> Simo.
>
>
> --
> Simo Sorce
>
>

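The thread turns on two things a reader can verify on the box: whether /etc/krb5.keytab actually holds a cifs/<fqdn> key (Alexander's point), and whether krb5.conf carries Simo's alternative, ignore_acceptor_hostname = true, in the section where it is read. The script below is an added example written for this page; it is not code from the thread, Samba, SSSD or MIT Kerberos. It parses a `klist -kte` listing and a krb5.conf fragment, both constructed here to mimic the thread's setup (the host name server1.mydomain.com, the SERVER1$ account, kvno 3 and the timestamps are assumptions), and reports the missing principal that produces "Wrong principal in request".

```shell
#!/bin/sh
# Added example for this thread; not code from the thread, Samba, SSSD or MIT.
# Checks a `klist -kte` listing for the principals an AD-joined Samba server
# needs (Samba wants a cifs/<fqdn> key) and checks whether krb5.conf takes the
# alternative, ignore_acceptor_hostname = true, inside [libdefaults].
# Real input comes from:  klist -kte /etc/krb5.keytab
# Everything below is CONSTRUCTED; host, realm, kvno and times are assumptions.

SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/16/15 09:00:00 SERVER1$@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 06/16/15 09:00:00 SERVER1$@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
   3 06/16/15 09:00:00 host/server1.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 06/16/15 09:00:00 host/server1.mydomain.com@MYDOMAIN.COM (aes128-cts-hmac-sha1-96)'

# Mirrors the thread's krb5.conf shape, trimmed; no ignore_acceptor_hostname yet.
SAMPLE_KRB5_CONF='[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_kdc = true
default_keytab_name = FILE:/etc/krb5.keytab
[realms]
MYDOMAIN.COM = {
kdc = SERVER1.MYDOMAIN.COM
}'

# keytab_principals LISTING -> unique principal names, one per line.
# Entry lines start with a numeric KVNO; with -t the 2nd/3rd fields are the
# date and time, so the principal is the 4th field.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $4 }' | sort -u
}

# keytab_has_principal LISTING PRINCIPAL -> 0 if present, 1 otherwise.
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF -- "$2"
}

# keytab_check LISTING FQDN REALM
# Prints whether host/FQDN and cifs/FQDN keys exist; returns 1 when cifs/ is
# missing, which is the state behind "Wrong principal in request" in the log.
keytab_check() {
    _listing=$1; _fqdn=$2; _realm=$3; _rc=0
    for _svc in host cifs; do
        _princ="$_svc/$_fqdn@$_realm"
        if keytab_has_principal "$_listing" "$_princ"; then
            echo "present: $_princ"
        else
            echo "MISSING: $_princ"
            [ "$_svc" = cifs ] && _rc=1
        fi
    done
    return $_rc
}

# krb5conf_ignores_acceptor_hostname CONF_TEXT -> 0 if [libdefaults] sets
# ignore_acceptor_hostname = true, else 1. The option is section-scoped, so
# the same line under [realms] would silently do nothing.
krb5conf_ignores_acceptor_hostname() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[^A-Za-z0-9_]/, "", sect); next }
        sect == "libdefaults" && /^[ \t]*ignore_acceptor_hostname[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (tolower(val) == "true") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# add_ignore_acceptor_hostname CONF_TEXT -> CONF_TEXT with the setting placed
# directly under [libdefaults]; other sections are left untouched.
add_ignore_acceptor_hostname() {
    printf '%s\n' "$1" | awk '
        { print }
        /^[ \t]*\[libdefaults\]/ { print "ignore_acceptor_hostname = true" }'
}

# Demo on the constructed data: the keytab only has host/ and SERVER1$ keys.
keytab_check "$SAMPLE_KEYTAB_LISTING" server1.mydomain.com MYDOMAIN.COM \
    || echo "fix: add cifs/ keys (e.g. net ads keytab add cifs, assumed form; see man net)" \
            "or set ignore_acceptor_hostname = true under [libdefaults]"
add_ignore_acceptor_hostname "$SAMPLE_KRB5_CONF"
```

Run it as is to see the report on the constructed listing, or replace SAMPLE_KEYTAB_LISTING with `"$(klist -kte /etc/krb5.keytab)"` on a real host. One caveat that bears on the persistence question: on an SSSD-joined host the AD provider renews the machine account password on a schedule (ad_maximum_machine_account_password_age, 30 days by default) and rewrites the keytab, so a cifs/ entry hand-added with ktutil under the old key and kvno will stop matching once that happens; ignore_acceptor_hostname, or letting Samba maintain the entry, avoids depending on a hand-built key.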
