[Samba] Samba PDC - Kerberised CIFS access

Shahid M Shaikh shahid.shaikh at in.ibm.com
Wed Mar 11 11:09:45 GMT 2009


Hi All,

I have machine M1 hosting Samba PDC. It stores only user information.
I have machine M2 acting as KDC server.
I have machine M3 hosting CIFS shares and it joins into the domain hosted
by PDC M1.
I have machine M4 used as CIFS client.

On M2, I have added users and cifs/host service principals for M3. Also
added service principal in keytab file.
I have added all the user and service principals using des-cbc-crc
encryption triplet.

M3 and M4 are KDC clients. I have scped the keytab file on M3 from M2.

I have configured M3's smb.conf file to accept kerberos keytab and also for
the kerberos realm.

       realm = SONAS.COM
       use kerberos keytab = yes
       client use spnego = yes


From M4, I do kinit <user> and then try to see the exported shares from M3.

[root@sofsedun3 ~]# kinit domuser
Password for domuser@SONAS.COM:
[root@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
[root@sofsedun3 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domuser@SONAS.COM

Valid starting     Expires            Service principal
03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
Enter domuser's password:
Anonymous login successful
Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]

        Sharename       Type      Comment
        ---------       ----      -------
        share           Disk      test share
        IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
Anonymous login successful
Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

It works with anonymous login. But when I try to use -k it fails. I tried
smbclient with -k and debug level 3. I get this on the console.

[root@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
Client started (version 3.2.8-ctdb-55).
Connecting to 10.0.0.24 at port 445
Doing spnego session setup (blob length=111)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/sofsedun4.vsofs1.com@SONAS.COM
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Thu, 12 Mar 2009 21:36:54 TLT
cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
[root@sofsedun3 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domuser@SONAS.COM

Valid starting     Expires            Service principal
03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1.com@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


On M3, I have enabled smbd logs with debug level 10. The corresponding
errors for the above behavior are:

[2009/03/11 21:58:54,  3] smbd/process.c:switch_message(1361)
  switch message SMBsesssetupX (pid 26858) conn 0x0
[2009/03/11 21:58:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=12 flg2=0xc801
[2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 466
[2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
[2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
[2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_verify_ticket(458)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2009/03/11 21:58:54,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2009/03/11 21:58:54,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2009/03/11 21:58:54,  3] smbd/process.c:smbd_process(2036)
  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2009/03/11 21:58:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/03/11 21:58:54,  3] smbd/connection.c:yield_connection(31)
  Yielding connection to
[2009/03/11 21:58:54,  3] smbd/server.c:exit_server_common(958)
  Server exit (normal exit)



In the above scenario, M1 and M2 are not aware of each other. That
means M1 is not a Kerberos client.
I tried setting M1 up as a Kerberos client as well, but the result was the same.

Samba installed on M1, M3 and M4 is samba-3.2.8_ctdb_55-1.
I am using MIT Kerberos version 1.6.1-25.el5 on KDC and kerberos clients.


My queries are:
1. Is it a known issue with Samba or Kerberos?
2. Am I missing anything in the configuration?
3. What should I do to make the above setup work?


Please feel free to ask for more information if the provided one is not
sufficient.


P.S.: I am copying my configuration files here for reference.




1. PDC smb.conf
[root@sofsedun2 ~]# cat /etc/samba/smb.conf
# Samba Configuration file.
#
# ****************** WARNING ********************************
# The contents of this file should not be modified directly !
#
# The samba options are stored in the registry.
# Use the "net conf" command to add/modify samba options in the registry
# ***************************************************************
[global]
        workgroup = VSOFS1.COM
        server string = Samba/NT PDC
        netbios name = sofsedun2
        passdb backend = tdbsam
        log level = 3
        log file = /var/log/samba/%m.log
        max log size = 50
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/sbin/groupadd "%g"
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        add user script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        domain logons = Yes
        os level = 64
        preferred master = Yes
        domain master = Yes
        local master = Yes
        wins support = Yes
        cups options = raw
        security = user
        encrypt passwords = Yes
[netlogon]
        path = /etc/samba/netlogon
        writeable = no
        write list = ntadmin
        guest ok = no
[profiles]
        path = /usr/smb/ntprofile
        writeable = yes
        create mask = 0600
        directory mask = 0700



2. CIFS server smb.conf
[root@sofsedun4 ~]# cat /etc/samba/smb.conf
# Samba Configuration file.
#
# ****************** WARNING ********************************
# The contents of this file should not be modified directly !
#
# The samba options are stored in the registry.
# Use the "net conf" command to add/modify samba options in the registry
# ***************************************************************
[global]
   workgroup = VSOFS1.COM
   password server = sofsedun2
   security = domain
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/sh
   winbind use default domain = false
   winbind offline logon = false
   realm = SONAS.COM
   use kerberos keytab = yes
   client use spnego = yes
   wins support = Yes
   cups options = raw
   log level = 3
   log file = /var/log/samba/%m.log
[share]
        comment = test share
        path = /home/share
        read only = no
        public = yes
        valid users = 'VSOFS1.COM\domuser' 'VSOFS1.COM\domadmin' 'VSOFS1.COM\domguest'




3. KDC kdc.conf
[root@sofsedutsm ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 SONAS.COM = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }



4. Kerberos client krb5.conf
[root@sofsedun3 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SONAS.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5

[realms]
 VSOFS1.COM = {
  kdc = sofsedutsm.VSOFS1.COM
 }
 SONAS.COM = {
  kdc = sofsedutsm.VSOFS1.COM:88
  admin_server = sofsedutsm.VSOFS1.COM:749
  default_domain = VSOFS1.COM
 }

[domain_realm]
 .VSOFS1.COM = SONAS.COM
 VSOFS1.COM = SONAS.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


5. /etc/nsswitch.conf and /etc/pam.d/system-auth have been configured to
use winbind for auth, account and passwords.



6. Keytab on the CIFS server
[root@sofsedun4 ~]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 03/11/09 20:24:49 cifs/sofsedun2.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
   3 03/11/09 20:25:05 host/sofsedun2.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
   3 03/11/09 20:25:19 host/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
   3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
[root@sofsedun4 ~]#


Regards,
Shahid Shaikh.
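The smbd log above fails inside krb5_rd_req ("enc type [1] failed to decrypt ... Decrypt integrity check failed", then "Bad encryption type"), which is the server being unable to open the service ticket with any key in /etc/krb5.keytab. The causes that are visible from listings alone are: the ticket's service principal is not in the keytab, the keytab holds no key for the enctype the KDC used for the ticket, or the KDC now issues a different key version (kvno) than the one exported into the keytab. The following Python script is an added example for checking exactly those three conditions; it is not code from the original post or from Samba or MIT Kerberos. It parses the text formats of `klist -e`, `klist -kte` and `kvno <principal>` as printed by MIT Kerberos 1.6 (the line layouts are taken from the output quoted in the post) and works on constructed sample output: the sofsedun4 names follow the post, while `cifs/fileserver2.example.com` and the kvno values are invented for illustration. It also flags single-DES enctypes, since des-cbc-crc is deprecated (RFC 6649) and modern KDCs and clients refuse it by default. If all three checks pass and the server still reports "Decrypt integrity check failed", the key bytes in the keytab differ from the KDC's key at the same kvno, which no listing can show; only re-exporting the keytab from the KDC resolves that.

```python
"""Cross-check a Kerberos client's ticket cache against a CIFS server's keytab.

Added example, not code from the original post: it parses the text printed by
`klist -e` (client), `klist -kte` (file server) and `kvno <principal>` (client)
and reports the mismatches that make smbd's krb5_rd_req reject a ticket.
"""
import re
from typing import Dict, List, NamedTuple

# Single-DES enctype names as MIT klist prints them; all deprecated (RFC 6649).
WEAK_ETYPES = {"DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5",
               "DES cbc mode with RSA-MD4"}

class KeytabEntry(NamedTuple):
    kvno: int
    etype: str

class Finding(NamedTuple):
    principal: str
    problem: str

# Ticket line:  "03/11/09 21:39:15  03/12/09 21:36:54  cifs/host@REALM"
TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")
# Etype line:   "..., Etype (skey, tkt): <session key etype>, <ticket etype>"
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+?)\s*$")
# Keytab line:  "   3 03/11/09 20:25:36 cifs/host@REALM (DES cbc mode with CRC-32)"
KEYTAB_RE = re.compile(
    r"^\s*(\d+)\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+) \((.+)\)\s*$")
# kvno line:    "cifs/host@REALM: kvno = 4"
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)\s*$")

def parse_ccache(text: str) -> Dict[str, str]:
    """Map service principal -> enctype of the ticket itself (second Etype field);
    that is the key the service must hold, the first field is only the session key."""
    tickets: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        e = ETYPE_RE.search(line)
        if e and current:
            tickets[current] = e.group(2)
            current = None
    return tickets

def parse_keytab(text: str) -> Dict[str, List[KeytabEntry]]:
    """Map principal -> (kvno, enctype) entries from `klist -kte` output."""
    keys: Dict[str, List[KeytabEntry]] = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(2), []).append(KeytabEntry(int(m.group(1)), m.group(3)))
    return keys

def parse_kvno(text: str) -> Dict[str, int]:
    """Map principal -> key version the KDC currently issues, from `kvno` output."""
    matches = (KVNO_RE.match(l.strip()) for l in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in matches if m}

def check_service_tickets(ccache: str, keytab: str, kvno_out: str = "") -> List[Finding]:
    """One Finding per mismatch; an empty list means every service ticket in the
    cache has a matching principal, enctype and kvno in the keytab (key bytes aside)."""
    keys, kdc_kvno, findings = parse_keytab(keytab), parse_kvno(kvno_out), []
    for princ, etype in parse_ccache(ccache).items():
        if princ.startswith("krbtgt/"):
            continue  # the TGT is decrypted by the KDC, never by the file server
        entries = keys.get(princ, [])
        if not entries:
            findings.append(Finding(princ, "no entry in keytab"))
            continue
        have_etypes = sorted({e.etype for e in entries})
        have_kvnos = sorted({e.kvno for e in entries})
        if etype not in have_etypes:
            findings.append(Finding(princ, f"no {etype} key in keytab (has {have_etypes})"))
        if princ in kdc_kvno and kdc_kvno[princ] not in have_kvnos:
            findings.append(Finding(princ, f"KDC issues kvno {kdc_kvno[princ]}, keytab has {have_kvnos}"))
        if etype in WEAK_ETYPES:
            findings.append(Finding(princ, f"ticket enctype '{etype}' is single DES"))
    return findings

# Constructed sample outputs in the MIT 1.6 tool formats; sofsedun4 follows the
# post, fileserver2.example.com and the kvno values are invented.
CCACHE_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domuser@SONAS.COM

Valid starting     Expires            Service principal
03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1.com@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/11/09 21:40:02  03/12/09 21:36:54  cifs/fileserver2.example.com@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
"""
KEYTAB_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 03/11/09 20:25:19 host/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
   3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
   2 03/11/09 20:30:00 cifs/fileserver2.example.com@SONAS.COM (DES cbc mode with CRC-32)
"""
KVNO_OUTPUT = """\
cifs/sofsedun4.vsofs1.com@SONAS.COM: kvno = 4
cifs/fileserver2.example.com@SONAS.COM: kvno = 2
"""

if __name__ == "__main__":
    for f in check_service_tickets(CCACHE_OUTPUT, KEYTAB_OUTPUT, KVNO_OUTPUT):
        print(f"{f.principal}: {f.problem}")
```

On the sample data the script reports that the KDC issues kvno 4 for cifs/sofsedun4 while the keytab only holds kvno 3 (a keytab exported before the principal was re-keyed), that the same ticket uses single DES, and that the keytab has no Triple DES key for cifs/fileserver2. Run it on real output by substituting the three strings with the captured text of the commands; the krbtgt entry is skipped on purpose because the server never decrypts a TGT.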


