[Samba] net ads join's generated keytab and solaris
christian.mchugh at NAU.EDU
Wed Jun 14 17:31:13 GMT 2006
Hey all. I am working on getting Solaris 10 and 9 clients authenticating to
Active Directory. We have a test setup with Windows 2003 R2 and the Unix
fields filled out. All was going well with a combination of pam_krb5 and
nss_ldap and LDAP mappings, including working automounting of home directories.
This originally included setup instructions from Microsoft, where they said to
create a user account, assign a password, and generate a keytab to transfer to
the Unix host to import. This process also went well.
This changed when we tried to use a newer Samba and share = domain, which
required Samba to join Active Directory. This played with our keytab settings
as it tried to create another machine account. We decided it would be easier
to let Samba handle the joining and managing of the krb5.keytab file as it did
it more "properly" anyway. Now we can't seem to get ssh authentication working
again. kinit username works as does kpasswd. We can run net ads keytab
commands and net ads changetrustpw fine, but when we try to do what worked
before, ssh username@localhost, we now get the error "Key table entry not
found". We have spent considerable time messing with the local hostname,
changing it from FQDN to short and whatnot, but to no avail. The keytab also
appears to have entries for both, so I don't understand this error. DNS works
in both directions for this host, and like I said, when creating a keytab from
a user account on Windows manually, this process works.
If I run something like "kinit -k host/mundi@TESTAUTH.NETWORK" I get a
preauthentication failed message. If instead of mundi I make that fully
qualified, I get the client not found in Kerberos database error.
I should also mention that in order to get this far I had to add supported_enctypes
= des-cbc-md5 and various other lines to krb5.conf to only allow that encoding,
as Solaris does not allow many types. This successfully limited my keytab down
to only those enc types. I also added use kerberos keytab = yes to smb.conf,
to have a unified system domain join, i.e. ssh and Samba would both be
preauthenticated from the machine account Samba created.
Attached are possibly helpful log and config files.
In short, how can I get ssh authentication working again?
Northern Arizona University
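Added diagnostic example, not part of the original post: sshd's GSSAPI acceptor needs a host/<fqdn>@REALM entry it can actually use, so this checks `klist -ke` output for a missing FQDN principal, an enctype outside the set Solaris was restricted to, and mixed KVNOs left behind by a second join. The FQDN mundi.testauth.network and the sample keytab listing are constructed assumptions; only the realm TESTAUTH.NETWORK comes from the mail.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -ke` output (not from the original mail): a keytab
# holding both the short-name and FQDN host principals in several enctypes.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mundi@TESTAUTH.NETWORK (DES cbc mode with RSA-MD5)
   3 host/mundi.testauth.network@TESTAUTH.NETWORK (DES cbc mode with RSA-MD5)
   2 host/mundi.testauth.network@TESTAUTH.NETWORK (ArcFour with HMAC/md5)
   3 MUNDI$@TESTAUTH.NETWORK (DES cbc mode with RSA-MD5)
"""

# One keytab entry line: kvno, principal, then the enctype name in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def check_keytab(text, fqdn, realm, allowed_enctypes):
    """List reasons sshd may fail with 'Key table entry not found'.

    sshd looks up host/<fqdn>@REALM. A missing FQDN entry, an enctype the
    local Kerberos library cannot use, and mixed KVNOs for one principal
    (stale entries from an earlier join) are each reported separately.
    """
    entries = parse_klist(text)
    wanted = f"host/{fqdn}@{realm}"
    findings = []
    if not any(p == wanted for _, p, _ in entries):
        findings.append(f"missing {wanted}")
    for kvno, princ, enc in entries:
        if princ == wanted and enc not in allowed_enctypes:
            findings.append(f"{princ} kvno {kvno} has unsupported enctype {enc}")
    kvnos = defaultdict(set)
    for kvno, princ, _ in entries:
        kvnos[princ].add(kvno)
    for princ, versions in kvnos.items():
        if len(versions) > 1:
            findings.append(f"{princ} has mixed KVNOs {sorted(versions)}")
    return findings
```

Feed it the real output of `klist -ke` on the Solaris host and the enctype names you allowed in krb5.conf; an empty list means the keytab itself is not the problem.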