[Samba] Samba PDC - Kerberised CIFS access

Eduardo Sachs edu.sachs at gmail.com
Fri Mar 13 13:22:43 GMT 2009


Shahid,

Did you use the command 'net join' to join M3 to the Samba PDC domain?

My problem is that after I join M3 to the Samba PDC domain (M1) with the
command 'net join', I cannot access M3 using Kerberos
authentication.

To describe it another way:

Your error is [1]:
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

My error is [23]:
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)

When I delete the file /var/lib/samba/secrets.tdb on M3 and restart the
Samba client on M3, Kerberos authentication on M3 works again for my CIFS
client M4, but M3 is then out of the Samba PDC domain.

But the problem may be related.

My English is terrible, sorry...

Thanks!


2009/3/12 Eduardo Sachs <edu.sachs at gmail.com>:
> Shahid,
>
> I have the same problem, but I use a Heimdal Kerberos domain; look at this bug ticket:
>
> https://bugzilla.samba.org/show_bug.cgi?id=5810
>
> The developers have not yet responded.
>
> Thanks!
>
> 2009/3/11 Shahid M Shaikh <shahid.shaikh at in.ibm.com>:
>> Hi All,
>>
>> I have machine M1 hosting Samba PDC. It stores only user information.
>> I have machine M2 acting as KDC server.
>> I have machine M3 hosting CIFS shares and it joins into the domain hosted
>> by PDC M1.
>> I have machine M4 used as CIFS client.
>>
>> On M2, I have added users and cifs/host service principals for M3. Also
>> added service principal in keytab file.
>> I have added all the user and service principals using des-cbc-crc
>> encryption triplet.
>>
>> M3 and M4 are KDC clients. I have scp'd the keytab file from M2 to M3.
>>
>> I have configured M3's smb.conf file to accept kerberos keytab and also for
>> the kerberos realm.
>>
>>       realm = SONAS.COM
>>       use kerberos keytab = yes
>>       client use spnego = yes
>>
>>
>> From M4, I do kinit <user> and then try to see exported shares from M3.
>>
>> [root@sofsedun3 ~]# kinit domuser
>> Password for domuser@SONAS.COM:
>> [root@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>> [root@sofsedun3 ~]# klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: domuser@SONAS.COM
>>
>> Valid starting     Expires            Service principal
>> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
>>        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> [root@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>> Enter domuser's password:
>> Anonymous login successful
>> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>>
>>        Sharename       Type      Comment
>>        ---------       ----      -------
>>        share           Disk      test share
>>        IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
>> Anonymous login successful
>> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>>
>>        Server               Comment
>>        ---------            -------
>>
>>        Workgroup            Master
>>        ---------            -------
>>
>> It works with anonymous login. But when I try to use -k it fails. I tried
>> smbclient with -k and debug level 3. I get this on the console.
>>
>> [root@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>> Processing section "[global]"
>> added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
>> added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
>> added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
>> Client started (version 3.2.8-ctdb-55).
>> Connecting to 10.0.0.24 at port 445
>> Doing spnego session setup (blob length=111)
>> got OID=1 2 840 113554 1 2 2
>> got OID=1 2 840 48018 1 2 2
>> got OID=1 3 6 1 4 1 311 2 2 10
>> got principal=cifs/sofsedun4.vsofs1.com@SONAS.COM
>> Doing kerberos session setup
>> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
>> Thu, 12 Mar 2009 21:36:54 TLT
>> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>> SPNEGO login failed: Logon failure
>> session setup failed: NT_STATUS_LOGON_FAILURE
>> [root@sofsedun3 ~]# klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: domuser@SONAS.COM
>>
>> Valid starting     Expires            Service principal
>> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
>>        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>> 03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1.com@SONAS.COM
>>        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>>
>>
>> On M3, I have enabled smbd logs with debug level 10. The corresponding
>> errors for the above behavior are:
>>
>> [2009/03/11 21:58:54,  3] smbd/process.c:switch_message(1361)
>>  switch message SMBsesssetupX (pid 26858) conn 0x0
>> [2009/03/11 21:58:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
>>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
>>  wct=12 flg2=0xc801
>> [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
>>  Doing spnego session setup
>> [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
>>  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>> [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
>>  reply_spnego_negotiate: Got secblob of size 466
>> [2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
>>  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
>> [2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
>>  ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
>> [2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_verify_ticket(458)
>>  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>> [2009/03/11 21:58:54,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>>  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>> [2009/03/11 21:58:54,  3] smbd/error.c:error_packet_set(61)
>>  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX)
>> NT_STATUS_LOGON_FAILURE
>> [2009/03/11 21:58:54,  3] smbd/process.c:smbd_process(2036)
>>  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
>> [2009/03/11 21:58:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
>>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2009/03/11 21:58:54,  3] smbd/connection.c:yield_connection(31)
>>  Yielding connection to
>> [2009/03/11 21:58:54,  3] smbd/server.c:exit_server_common(958)
>>  Server exit (normal exit)
>>
>>
>>
>> In the above scenario, M1 and M2 are not aware of each other. That
>> means M1 is not a Kerberos client.
>> I tried setting up M1 as a Kerberos client as well, but the result was the same.
>>
>> Samba installed on M1, M3 and M4 is samba-3.2.8_ctdb_55-1.
>> I am using MIT Kerberos version 1.6.1-25.el5 on KDC and kerberos clients.
>>
>>
>> My queries are:
>> 1. Is it a known issue with Samba or Kerberos?
>> 2. Am I missing anything on configuration?
>> 3. What should I do to make the above setup working?
>>
>>
>> Please feel free to ask for more information if the provided one is not
>> sufficient.
>>
>>
>> P.S.: I am copying my configuration files here for reference.
>>
>>
>>
>>
>> [root@sofsedun2 ~]# cat /etc/samba/smb.conf
>> # Samba Configuration file.
>> #
>> # ****************** WARNING ********************************
>> # The contents of this file should not be modified directly !
>> #
>> # The samba options are stored in the registry.
>> # Use the "net conf" command to add/modify samba options in the registry
>> # ***************************************************************
>> [global]
>>        workgroup = VSOFS1.COM
>>        server string = Samba/NT PDC
>>        netbios name = sofsedun2
>>        passdb backend = tdbsam
>>        log level = 3
>>        log file = /var/log/samba/%m.log
>>        max log size = 50
>>        delete user script = /usr/sbin/userdel "%u"
>>        add group script = /usr/sbin/groupadd "%g"
>>        delete group script = /usr/sbin/groupdel "%g"
>>        delete user from group script = /usr/sbin/userdel "%u" "%g"
>>        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>        add user script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>        domain logons = Yes
>>        os level = 64
>>        preferred master = Yes
>>        domain master = Yes
>>        local master = Yes
>>        wins support = Yes
>>        cups options = raw
>>        security = user
>>        encrypt passwords = Yes
>> [netlogon]
>>        path = /etc/samba/netlogon
>>        writeable = no
>>        write list = ntadmin
>>        guest ok = no
>> [profiles]
>>        path = /usr/smb/ntprofile
>>        writeable = yes
>>        create mask = 0600
>>       directory mask = 0700
>>
>>
>>
>> 2. CIFS server smb.conf
>> [root@sofsedun4 ~]# cat /etc/samba/smb.conf
>> # Samba Configuration file.
>> #
>> # ****************** WARNING ********************************
>> # The contents of this file should not be modified directly !
>> #
>> # The samba options are stored in the registry.
>> # Use the "net conf" command to add/modify samba options in the registry
>> # ***************************************************************
>> [global]
>>   workgroup = VSOFS1.COM
>>   password server = sofsedun2
>>   security = domain
>>   idmap uid = 16777216-33554431
>>   idmap gid = 16777216-33554431
>>   template shell = /bin/sh
>>   winbind use default domain = false
>>   winbind offline logon = false
>>   realm = SONAS.COM
>>   use kerberos keytab = yes
>>   client use spnego = yes
>>   wins support = Yes
>>   cups options = raw
>>   log level = 3
>>   log file = /var/log/samba/%m.log
>> [share]
>>        comment = test share
>>        path = /home/share
>>        read only = no
>>        public = yes
>>        valid users = 'VSOFS1.COM\domuser' 'VSOFS1.COM\domadmin' 'VSOFS1.COM\domguest'
>>
>>
>>
>>
>> [root@sofsedutsm ~]# cat /var/kerberos/krb5kdc/kdc.conf
>> [kdcdefaults]
>>  v4_mode = nopreauth
>>  kdc_tcp_ports = 88
>>
>> [realms]
>>  SONAS.COM = {
>>  #master_key_type = des3-hmac-sha1
>>  acl_file = /var/kerberos/krb5kdc/kadm5.acl
>>  dict_file = /usr/share/dict/words
>>  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>>  }
>>
>>
>>
>> [root@sofsedun3 ~]# cat /etc/krb5.conf
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  default_realm = SONAS.COM
>>  dns_lookup_realm = true
>>  dns_lookup_kdc = true
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>  default_tkt_enctypes = des-cbc-crc des-cbc-md5
>>  default_tgs_enctypes = des-cbc-crc des-cbc-md5
>>
>> [realms]
>>        VSOFS1.COM = {
>>                kdc = sofsedutsm.VSOFS1.COM
>>        }
>>  SONAS.COM = {
>>  kdc = sofsedutsm.VSOFS1.COM:88
>>  admin_server = sofsedutsm.VSOFS1.COM:749
>>  default_domain = VSOFS1.COM
>>  }
>>
>> [domain_realm]
>>  .VSOFS1.COM = SONAS.COM
>>  VSOFS1.COM = SONAS.COM
>>
>> [appdefaults]
>>  pam = {
>>   debug = false
>>   ticket_lifetime = 36000
>>   renew_lifetime = 36000
>>   forwardable = true
>>   krb4_convert = false
>>  }
>>
>>
>> 5. /etc/nsswitch.conf and /etc/pam.d/system-auth have been configured to
>> use winbind for auth, account and passwords.
>>
>>
>>
>> [root@sofsedun4 ~]# klist -kte
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>   3 03/11/09 20:24:49 cifs/sofsedun2.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
>>   3 03/11/09 20:25:05 host/sofsedun2.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
>>   3 03/11/09 20:25:19 host/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
>>   3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
>> [root@sofsedun4 ~]#
>>
>>
>> Regards,
>> Shahid Shaikh.
>>
>>
>
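Both failures in this thread come from the same place in smbd (libads/kerberos_verify.c): the ticket the client presents cannot be decrypted with any key in the server's keytab, and the reported reason differs by case ("Bad encryption type" for enc type [1], "Wrong principal in request" for enc type [23]). The script below is an added example written for this thread; it is not part of the original posts and not Samba or MIT code. It correlates the smbd log lines with a klist -kte listing to tell three situations apart: the service principal is absent from the keytab, the principal is present but has no key of the ticket's enctype, or principal and enctype both match and the key material itself is stale (kvno or service password changed on the KDC side). It also flags the deprecated single-DES and RC4 enctypes that the krb5.conf on this page forces. Only the "DES cbc mode with CRC-32" description appears on the page; the other klist descriptions are taken from MIT's enctype table, and the second keytab sample (m3.example.com) is constructed with hypothetical host names.

```python
import re

# Kerberos enctype numbers (RFC 3961 section 8, RFC 3962, RFC 4757) paired with the
# description MIT klist -kte prints for each. Only the DES-CRC description appears in
# the thread; the others are from MIT's enctype table.
ENCTYPES = {
    1:  ("des-cbc-crc", "DES cbc mode with CRC-32"),
    3:  ("des-cbc-md5", "DES cbc mode with RSA-MD5"),
    17: ("aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC"),
    18: ("aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC"),
    23: ("arcfour-hmac", "ArcFour with HMAC/md5"),
}
WEAK = {1, 3, 23}                # single DES and RC4: deprecated, flag for migration
DESC_TO_NUM = {desc: num for num, (_, desc) in ENCTYPES.items()}

# Message shapes from libads/kerberos_verify.c as they appear in the smbd log above.
ENC_RE = re.compile(r"ads_secrets_verify_ticket: enc type \[(\d+)\] failed to decrypt")
MATCH_RE = re.compile(r"krb5_rd_req failed for all (\d+) matched keytab\s+principals")
ERR_RE = re.compile(r"ads_verify_ticket: krb5_rd_req with auth failed \((.+?)\)")
# One klist -kte row: KVNO, date, time, principal, (enctype description)
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")


def parse_keytab_listing(text):
    """Map each principal in klist -kte output to the enctype numbers it has keys for."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(DESC_TO_NUM.get(m.group(3), -1))
    return keys


def triage(smbd_log, keytab_listing, service_principal):
    """Correlate an smbd ticket-verification failure with the server's keytab contents."""
    flat = " ".join(smbd_log.split())            # undo mail-client line wrapping
    enc, matched, err = ENC_RE.search(flat), MATCH_RE.search(flat), ERR_RE.search(flat)
    enctype = int(enc.group(1)) if enc else None
    keys = parse_keytab_listing(keytab_listing)
    if service_principal not in keys:
        verdict = "principal-missing"            # no key at all for the name in the ticket
    elif enctype not in keys[service_principal]:
        verdict = "enctype-missing"              # name present, no key of the ticket's enctype
    else:
        verdict = "key-mismatch"                 # name and enctype match: stale kvno/password
    return {
        "enctype": enctype,
        "enctype_name": ENCTYPES.get(enctype, ("unknown", ""))[0],
        "weak_enctype": enctype in WEAK,
        "krb_error": err.group(1) if err else None,
        "matched_keytab_entries": int(matched.group(1)) if matched else None,
        "verdict": verdict,
    }


def weak_enctypes_in_krb5conf(text):
    """Deprecated enctypes named in default_tkt_enctypes / default_tgs_enctypes."""
    weak_names = {ENCTYPES[n][0] for n in WEAK}
    found = set()
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() in ("default_tkt_enctypes", "default_tgs_enctypes"):
            found.update(v for v in value.split() if v in weak_names)
    return sorted(found)


# Sample 1: smbd log and klist -kte rows from the thread (mailman's " at " restored to "@").
SHAHID_LOG = """\
 ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Decrypt integrity check failed
 ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab
principals
 ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""
SHAHID_KEYTAB = """\
KVNO Timestamp         Principal
   3 03/11/09 20:25:19 host/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
   3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
"""
# Sample 2: the enc type [23] failure quoted above, paired with a constructed keytab
# (hypothetical host names) that lacks the cifs/ service principal.
ARCFOUR_LOG = """\
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab
principals
ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
"""
CONSTRUCTED_KEYTAB = "   2 03/12/09 10:00:00 host/m3.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)\n"
KRB5_CONF_SNIPPET = " default_tkt_enctypes = des-cbc-crc des-cbc-md5\n default_tgs_enctypes = des-cbc-crc des-cbc-md5\n"

if __name__ == "__main__":
    print(triage(SHAHID_LOG, SHAHID_KEYTAB, "cifs/sofsedun4.vsofs1.com@SONAS.COM"))
    print(triage(ARCFOUR_LOG, CONSTRUCTED_KEYTAB, "cifs/m3.example.com@EXAMPLE.COM"))
    print(weak_enctypes_in_krb5conf(KRB5_CONF_SNIPPET))
```

Run against the thread's own data, the first call reports verdict "key-mismatch": the keytab on sofsedun4 does hold cifs/sofsedun4.vsofs1.com@SONAS.COM with a DES-CRC key, so the only thing left that can make "Decrypt integrity check failed" is that this key is no longer the one the KDC used to issue the ticket, which is why re-exporting the keytab after anything that changes the service's key (such as a domain join that rewrites secrets.tdb) is the first thing to check. The second call reports "principal-missing" for the constructed keytab, matching the "Wrong principal in request" wording. Both tickets use enctypes the script flags as weak; moving the KDC, krb5.conf and keytabs to AES enctypes removes single DES from the picture entirely.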

