[Samba] problems with kerberos on Solaris 10

Alexandr Miasnikov asp at pskov.mts.ru
Tue Jul 31 07:27:38 GMT 2007


Sorry for the long post.
Please point out my mistakes.


samba 3.0.25b
kerberos heimdal 0.8.1-p2


# kinit adminuser
adminuser@USR.NW.MTS.RU's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: adminuser@USR.NW.MTS.RU

   Issued           Expires          Principal
Jul 31 11:22:18  Jul 31 21:22:18  krbtgt/USR.NW.MTS.RU@USR.NW.MTS.RU


# net -d 3 ads join ads -U adminuser
[2007/07/31 11:07:47, 3] param/loadparm.c:lp_load(5024)
   lp_load: refreshing parameters
[2007/07/31 11:07:47, 3] param/loadparm.c:init_globals(1424)
   Initialising global parameters
[2007/07/31 11:07:47, 3] param/params.c:pm_process(572)
   params.c:pm_process() - Processing configuration file 
"/usr/local/etc/samba/smb.conf"
[2007/07/31 11:07:47, 3] param/loadparm.c:do_section(3763)
   Processing section "[global]"
[2007/07/31 11:07:47, 2] lib/interface.c:add_interface(81)
   added interface ip=10.7.5.2 bcast=10.7.5.255 nmask=255.255.255.0
[2007/07/31 11:07:47, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/07/31 11:07:47, 3] libads/ldap.c:ads_connect(394)
   Connected to LDAP server 10.7.5.20
[2007/07/31 11:07:47, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/07/31 11:07:47, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
adminuser's password:
[2007/07/31 11:07:50, 3] libsmb/namequery.c:get_dc_list(1489)
   get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/07/31 11:07:50, 3] libads/ldap.c:ads_connect(394)
   Connected to LDAP server 10.7.5.20
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
   ads_sasl_spnego_bind: got server principal name = dcpsk1$@USR.NW.MTS.RU
[2007/07/31 11:07:50, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[2007/07/31 11:07:52, 0] libads/kerberos.c:ads_kinit_password(228)
   kerberos_kinit_password adminuser@USR.NW.MTS.RU failed: Preauthentication failed
[2007/07/31 11:07:52, 1] utils/net_ads.c:net_ads_join(1470)
   error on ads_startup: Preauthentication failed
Failed to join domain: Logon failure
[2007/07/31 11:07:52, 2] utils/net.c:main(1032)
   return code = -1


===================================
with samba-3.0.24 everything is OK.
===================================

with other kerberos - MIT, native Solaris packages - the same situation


compiling:
CONFIGURE_ARGS=--enable-pie                    \
         --localstatedir=/var                    \
         --with-privatedir=/var/samba            \
         --with-lockdir=/var/samba               \
         --with-piddir=/var/run                  \
         --with-configdir=${PREFIX}/etc/samba    \
         --with-logfilebase=/var/log/samba       \
         --with-readline --with-libiconv         \
         --with-ldap --with-ads --with-krb5      \
         --with-pam --with-pam_smbpass           \
         --with-quotas --without-utmp            \
         --with-libmsrpc --with-libsmbclient     \
         --with-libsmbsharemodes                 \
         --with-acl-support --with-aio-support   \
         --with-sendfile-support --with-winbind  \
         --without-python                        \
         --with-shared-modules=idmap_rid,idmap_ad


smb.conf:
use kerberos keytab = True

# unix shell

template homedir = /export/home/%U
template shell = /bin/sh

winbind nested groups = yes

security = ads
password server = 10.7.5.20
realm = USR.NW.MTS.RU
workgroup = USR

client use spnego = yes
server string =
os level = 10

domain master = no
preferred master = no
domain logons = no

ntlm auth = no
lanman auth = no
client NTLMv2 auth = yes

wins support = no
wins proxy = no

winbind enum groups = yes
winbind enum users = yes
winbind cache time = 3600
winbind use default domain = Yes
winbind nested groups = yes

allow trusted domains =  No
idmap uid = 2000-100000000
idmap gid = 2000-100000000

idmap backend = rid:"USR=2000-100000000"
nt acl support = yes

socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY
use sendfile = Yes
null passwords = Yes
deadtime = 60




kerberos heimdal 0.8.1-p2

krb5.conf
[libdefaults]
         default_keytab_name = FILE:/usr/local/etc/krb5/krb5.conf
         default_realm = USR.NW.MTS.RU
         dns_lookup_realm = false
         dns_lookup_kdc = false
         default_tkt_enctypes = des-cbc-md5 des-cbc-crc
         default_tgs_enctypes = des-cbc-md5 des-cbc-crc
         verify_ap_req_nofail = false

[realms]
         USR.NW.MTS.RU = {
                 kdc = dcpsk1.usr.nw.mts.ru:88
                 admin_server = dcpsk1.usr.nw.mts.ru:749
                 kpasswd_server = dcpsk1.usr.nw.mts.ru:464
                 kpasswd_protocol = SET_CHANGE
                 default_domain = pskov.mts.ru
         }

[domain_realm]
         usr.nw.mts.ru = USR.NW.MTS.RU
         .usr.nw.mts.ru = USR.NW.MTS.RU
         pskov.mts.ru = USR.NW.MTS.RU
         .pskov.mts.ru = USR.NW.MTS.RU

[logging]
         default = FILE:/var/krb5/kdc.log
         kdc = FILE:/var/krb5/kdc.log
         kdc_rotate = {


[appdefaults]
         kinit = {
                 renewable = true
                 forwardable= true
         }






-- 


