[Samba] Samba PDC - Kerberised CIFS access

Eduardo Sachs edu.sachs at gmail.com
Fri Mar 13 13:45:26 GMT 2009


More information...

Example of procedure:

1 - M4 accesses M3 with Kerberos auth:
M4# smbclient //M3/publico -k
OS=[Unix] Server=[Samba 3.2.5]
smb: \> ls
  .                                   D        0  Wed Mar 11 21:04:19 2009
  ..                                  D        0  Wed Mar 11 21:04:19 2009

		48444 blocks of size 262144. 36638 blocks available
smb: \> quit

2 - M3 joins the Samba PDC:
M3# net join -U root
Enter root's password:
Joined domain _LOCAL_.

3 - M4 accessing M3 with Kerberos auth fails:
M4# smbclient //M3/publico -k
cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
session setup failed: NT_STATUS_LOGON_FAILURE

4 - On M3, delete /var/lib/samba/secrets.tdb and restart Samba;
M3 is now out of the Samba PDC domain because secrets.tdb was deleted:
M3# rm /var/lib/samba/secrets.tdb && /etc/init.d/samba restart

5 - M4 can access M3 again with Kerberos auth:
M4# smbclient //M3/publico -k
OS=[Unix] Server=[Samba 3.2.5]
smb: \> ls
  .                                   D        0  Wed Mar 11 21:04:19 2009
  ..                                  D        0  Wed Mar 11 21:04:19 2009

		48444 blocks of size 262144. 36638 blocks available
smb: \> quit

Thanks!

2009/3/13 Eduardo Sachs <edu.sachs at gmail.com>:
> Shahid,
>
> Did you use the command 'net join' to join M3 to the Samba PDC domain?
>
> My problem is that when I join M3 to the Samba PDC domain (M1) with the
> command 'net join', after this I cannot access M3 using Kerberos
> authentication.
>
> Another description:
>
> Your error is [1]:
> ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
> Decrypt integrity check failed
> ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>
> My error is [23]:
> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
> Decrypt integrity check failed
> ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
> ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
>
> When I delete the file /var/lib/samba/secrets.tdb on M3 and restart
> Samba on M3, Kerberos authentication on M3 works again for my CIFS
> client M4, but M3 is out of the Samba PDC domain.
>
> But the problem may be related.
>
> My English is terrible, sorry...
>
> Thanks!
>
>
> 2009/3/12 Eduardo Sachs <edu.sachs at gmail.com>:
>> Shahid,
>>
>> I have the same problem, but I use a Heimdal Kerberos domain; look at this bug ticket:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=5810
>>
>> The developers have not yet responded.
>>
>> Thanks!
>>
>> 2009/3/11 Shahid M Shaikh <shahid.shaikh at in.ibm.com>:
>>> Hi All,
>>>
>>> I have machine M1 hosting a Samba PDC. It stores only user information.
>>> I have machine M2 acting as the KDC server.
>>> I have machine M3 hosting CIFS shares, and it joins the domain hosted
>>> by PDC M1.
>>> I have machine M4 used as the CIFS client.
>>>
>>> On M2, I have added users and cifs/host service principals for M3. I have
>>> also added the service principals to the keytab file.
>>> I have added all the user and service principals using the des-cbc-crc
>>> encryption triplet.
>>>
>>> M3 and M4 are KDC clients. I have scp'd the keytab file from M2 to M3.
>>>
>>> I have configured M3's smb.conf file to use the Kerberos keytab and also
>>> set the Kerberos realm:
>>>
>>>       realm = SONAS.COM
>>>       use kerberos keytab = yes
>>>       client use spnego = yes
>>>
>>>
>>> From M4, I do kinit <user> and then try to see the exported shares from M3.
>>>
>>> [root@sofsedun3 ~]# kinit domuser
>>> Password for domuser@SONAS.COM:
>>> [root@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>>> [root@sofsedun3 ~]# klist -e
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: domuser@SONAS.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
>>>        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt0
>>> klist: You have no tickets cached
>>> [root@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>>> Enter domuser's password:
>>> Anonymous login successful
>>> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>>>
>>>        Sharename       Type      Comment
>>>        ---------       ----      -------
>>>        share           Disk      test share
>>>        IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
>>> Anonymous login successful
>>> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>>>
>>>        Server               Comment
>>>        ---------            -------
>>>
>>>        Workgroup            Master
>>>        ---------            -------
>>>
>>> It works with anonymous login. But when I try to use -k it fails. I tried
>>> smbclient with -k and debug level 3. I get this on the console:
>>>
>>> [root@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
>>> lp_load_ex: refreshing parameters
>>> Initialising global parameters
>>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>>> Processing section "[global]"
>>> added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
>>> added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
>>> added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
>>> Client started (version 3.2.8-ctdb-55).
>>> Connecting to 10.0.0.24 at port 445
>>> Doing spnego session setup (blob length=111)
>>> got OID=1 2 840 113554 1 2 2
>>> got OID=1 2 840 48018 1 2 2
>>> got OID=1 3 6 1 4 1 311 2 2 10
>>> got principal=cifs/sofsedun4.vsofs1.com@SONAS.COM
>>> Doing kerberos session setup
>>> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
>>> Thu, 12 Mar 2009 21:36:54 TLT
>>> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>>> SPNEGO login failed: Logon failure
>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>> [root@sofsedun3 ~]# klist -e
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: domuser@SONAS.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
>>>        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>> 03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1.com@SONAS.COM
>>>        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt0
>>> klist: You have no tickets cached
>>>
>>>
>>> On M3, I have enabled smbd logging at debug level 10. The corresponding
>>> errors for the above behaviour are:
>>>
>>> [2009/03/11 21:58:54,  3] smbd/process.c:switch_message(1361)
>>>  switch message SMBsesssetupX (pid 26858) conn 0x0
>>> [2009/03/11 21:58:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
>>>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
>>>  wct=12 flg2=0xc801
>>> [2009/03/11 21:58:54,  3]
>>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
>>>  Doing spnego session setup
>>> [2009/03/11 21:58:54,  3]
>>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
>>>  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>>> [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
>>>  reply_spnego_negotiate: Got secblob of size 466
>>> [2009/03/11 21:58:54,  3]
>>> libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
>>>  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
>>> Decrypt integrity check failed
>>> [2009/03/11 21:58:54,  3]
>>> libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
>>>  ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab
>>> principals
>>> [2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_verify_ticket(458)
>>>  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>>> [2009/03/11 21:58:54,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>>>  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>>> [2009/03/11 21:58:54,  3] smbd/error.c:error_packet_set(61)
>>>  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX)
>>> NT_STATUS_LOGON_FAILURE
>>> [2009/03/11 21:58:54,  3] smbd/process.c:smbd_process(2036)
>>>  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
>>> [2009/03/11 21:58:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
>>>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2009/03/11 21:58:54,  3] smbd/connection.c:yield_connection(31)
>>>  Yielding connection to
>>> [2009/03/11 21:58:54,  3] smbd/server.c:exit_server_common(958)
>>>  Server exit (normal exit)
>>>
>>>
>>>
>>> In the above scenario, M1 and M2 are not aware of each other. That
>>> means M1 is not a Kerberos client.
>>> I tried setting M1 up as a Kerberos client as well. But the result was the same.
>>>
>>> Samba installed on M1, M3 and M4 is samba-3.2.8_ctdb_55-1.
>>> I am using MIT Kerberos version 1.6.1-25.el5 on KDC and kerberos clients.
>>>
>>>
>>> My queries are:
>>> 1. Is it a known issue with Samba or Kerberos?
>>> 2. Am I missing anything on configuration?
>>> 3. What should I do to make the above setup working?
>>>
>>>
>>> Please feel free to ask for more information if the provided one is not
>>> sufficient.
>>>
>>>
>>> P.S.: I am copying my configuration files here for reference.
>>>
>>>
>>>
>>>
>>> [root@sofsedun2 ~]# cat /etc/samba/smb.conf
>>> # Samba Configuration file.
>>> #
>>> # ****************** WARNING ********************************
>>> # The contents of this file should not be modified directly !
>>> #
>>> # The samba options are stored in the registry.
>>> # Use the "net conf" command to add/modify samba options in the registry
>>> # ***************************************************************
>>> [global]
>>>        workgroup = VSOFS1.COM
>>>        server string = Samba/NT PDC
>>>        netbios name = sofsedun2
>>>        passdb backend = tdbsam
>>>        log level = 3
>>>        log file = /var/log/samba/%m.log
>>>        max log size = 50
>>>        delete user script = /usr/sbin/userdel "%u"
>>>        add group script = /usr/sbin/groupadd "%g"
>>>        delete group script = /usr/sbin/groupdel "%g"
>>>        delete user from group script = /usr/sbin/userdel "%u" "%g"
>>>        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>>        add user script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>>        domain logons = Yes
>>>        os level = 64
>>>        preferred master = Yes
>>>        domain master = Yes
>>>        local master = Yes
>>>        wins support = Yes
>>>        cups options = raw
>>>        security = user
>>>        encrypt passwords = Yes
>>> [netlogon]
>>>        path = /etc/samba/netlogon
>>>        writeable = no
>>>        write list = ntadmin
>>>        guest ok = no
>>> [profiles]
>>>        path = /usr/smb/ntprofile
>>>        writeable = yes
>>>        create mask = 0600
>>>       directory mask = 0700
>>>
>>>
>>>
>>> 2. CIFS server smb.conf
>>> [root@sofsedun4 ~]# cat /etc/samba/smb.conf
>>> # Samba Configuration file.
>>> #
>>> # ****************** WARNING ********************************
>>> # The contents of this file should not be modified directly !
>>> #
>>> # The samba options are stored in the registry.
>>> # Use the "net conf" command to add/modify samba options in the registry
>>> # ***************************************************************
>>> [global]
>>>   workgroup = VSOFS1.COM
>>>   password server = sofsedun2
>>>   security = domain
>>>   idmap uid = 16777216-33554431
>>>   idmap gid = 16777216-33554431
>>>   template shell = /bin/sh
>>>   winbind use default domain = false
>>>   winbind offline logon = false
>>>   realm = SONAS.COM
>>>   use kerberos keytab = yes
>>>   client use spnego = yes
>>>   wins support = Yes
>>>   cups options = raw
>>>   log level = 3
>>>  log file = /var/log/samba/%m.log
>>> [share]
>>>        comment = test share
>>>        path = /home/share
>>>        read only = no
>>>        public = yes
>>>        valid users = 'VSOFS1.COM\domuser' 'VSOFS1.COM\domadmin' 'VSOFS1.COM\domguest'
>>>
>>>
>>>
>>>
>>> [root@sofsedutsm ~]# cat /var/kerberos/krb5kdc/kdc.conf
>>> [kdcdefaults]
>>>  v4_mode = nopreauth
>>>  kdc_tcp_ports = 88
>>>
>>> [realms]
>>>  SONAS.COM = {
>>>  #master_key_type = des3-hmac-sha1
>>>  acl_file = /var/kerberos/krb5kdc/kadm5.acl
>>>  dict_file = /usr/share/dict/words
>>>  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>>  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>>>  }
>>>
>>>
>>>
>>> [root@sofsedun3 ~]# cat /etc/krb5.conf
>>> [logging]
>>>  default = FILE:/var/log/krb5libs.log
>>>  kdc = FILE:/var/log/krb5kdc.log
>>>  admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>>  default_realm = SONAS.COM
>>>  dns_lookup_realm = true
>>>  dns_lookup_kdc = true
>>>  ticket_lifetime = 24h
>>>  forwardable = yes
>>>  default_tkt_enctypes = des-cbc-crc des-cbc-md5
>>>  default_tgs_enctypes = des-cbc-crc des-cbc-md5
>>>
>>> [realms]
>>>        VSOFS1.COM = {
>>>                kdc = sofsedutsm.VSOFS1.COM
>>>        }
>>>  SONAS.COM = {
>>>  kdc = sofsedutsm.VSOFS1.COM:88
>>>  admin_server = sofsedutsm.VSOFS1.COM:749
>>>  default_domain = VSOFS1.COM
>>>  }
>>>
>>> [domain_realm]
>>>  .VSOFS1.COM = SONAS.COM
>>>  VSOFS1.COM = SONAS.COM
>>>
>>> [appdefaults]
>>>  pam = {
>>>   debug = false
>>>   ticket_lifetime = 36000
>>>   renew_lifetime = 36000
>>>   forwardable = true
>>>   krb4_convert = false
>>>  }
>>>
>>>
>>> 5. /etc/nsswitch.conf and /etc/pam.d/system-auth have been configured to
>>> use winbind for auth, account and passwords.
>>>
>>>
>>>
>>> [root@sofsedun4 ~]# klist -kte
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>   3 03/11/09 20:24:49 cifs/sofsedun2.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
>>>   3 03/11/09 20:25:05 host/sofsedun2.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
>>>   3 03/11/09 20:25:19 host/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
>>>   3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
>>> [root@sofsedun4 ~]#
>>>
>>>
>>> Regards,
>>> Shahid Shaikh.
>>>
>>
>
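Editor's note: the following is an added diagnostic example, not code from the thread, from Samba or from MIT Kerberos. Both failures quoted above are logged by Samba's libads/kerberos_verify.c, and the "enc type [N]" in those lines is the RFC 3961/4757 encryption-type number: [1] is des-cbc-crc in Shahid's log, [23] is arcfour-hmac in Eduardo's. The ads_secrets_verify_ticket line also shows smbd trying a key derived from the machine-account password in secrets.tdb alongside the keytab, which is the file Eduardo's step 4 removes. The script below parses `klist -kte` from the server and `klist -e` from the client and checks that the SPN the server announced in SPNEGO (the "got principal=" line of `smbclient -d3`) has a keytab key of the same enctype as the ticket, the first thing to rule out. On the thread's own output both are des-cbc-crc, so the enctype is not the cause there and "Decrypt integrity check failed" points at the key material itself (wrong password or kvno). It also flags single DES, which RFC 6649 has since deprecated. Assumptions: the sample input is reconstructed from the posted output with the archive's "at" restored to "@" and wrapped lines rejoined; only the "DES cbc mode with CRC-32" string occurs on the page, the other klist enctype strings are MIT's descriptions as assumed here.

```python
# Cross-check a CIFS client's Kerberos service ticket against the server's keytab.
# Editor's added example (not Samba or MIT code); sample input reconstructed from
# the klist output in this thread (archive "at" restored to "@", wrapping undone).
import re

# Enctype numbers from RFC 3961/3962/4757: the N in Samba's "enc type [N]" lines.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# MIT klist prints enctypes in words.  Only the CRC-32 form appears on the page;
# the other strings are assumed from MIT's enctype descriptions.
KLIST_ETYPE_WORDS = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
    "ArcFour with HMAC/md5": "arcfour-hmac",
}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}  # single DES, deprecated by RFC 6649

TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+" + TS + r"\s+(\S+)\s+\((.+)\)\s*$")
TICKET_LINE = re.compile(r"^\s*" + TS + r"\s+" + TS + r"\s+(\S+)\s*$")
ETYPE_LINE = re.compile(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")

def enctype_from_samba_log(line):
    """Decode 'enc type [N]' from a libads/kerberos_verify.c log line."""
    m = re.search(r"enc type \[(\d+)\]", line)
    if not m:
        return None
    n = int(m.group(1))
    return ENCTYPE_NAMES.get(n, "enctype %d" % n)

def parse_keytab(klist_kte):
    """`klist -kte` output -> list of (kvno, principal, enctype)."""
    entries = []
    for line in klist_kte.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            words = m.group(3)
            entries.append((int(m.group(1)), m.group(2), KLIST_ETYPE_WORDS.get(words, words)))
    return entries

def parse_ccache(klist_e):
    """`klist -e` output -> {service principal: ticket enctype}.  The second name
    after 'Etype (skey, tkt):' is the ticket's own enctype, which the server's
    key must match; the first is only the session key."""
    tickets, current = {}, None
    for line in klist_e.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ETYPE_LINE.search(line)
        if m and current:
            tickets[current] = KLIST_ETYPE_WORDS.get(m.group(2), m.group(2))
            current = None
    return tickets

def check_service_ticket(spn, keytab, tickets):
    """Findings for the SPN the server announced in its SPNEGO token (the
    'got principal=' line of smbclient -d3)."""
    if spn not in tickets:
        return ["client holds no service ticket for %s" % spn]
    tkt_etype = tickets[spn]
    key_etypes = sorted({e for _, p, e in keytab if p == spn})
    findings = []
    if not key_etypes:
        findings.append("keytab has no key for %s" % spn)
    elif tkt_etype not in key_etypes:
        findings.append("ticket for %s is %s but keytab keys are %s"
                        % (spn, tkt_etype, key_etypes))
    if tkt_etype in WEAK_ENCTYPES:
        findings.append("ticket uses single DES (%s), deprecated by RFC 6649" % tkt_etype)
    return findings

# Constructed from the thread: keytab on sofsedun4 (M3), ccache on sofsedun3 (M4).
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   3 03/11/09 20:24:49 cifs/sofsedun2.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
   3 03/11/09 20:25:05 host/sofsedun2.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
   3 03/11/09 20:25:19 host/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
   3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
"""
SAMPLE_CCACHE = """\
Default principal: domuser@SONAS.COM
Valid starting     Expires            Service principal
03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1.com@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""
SPN = "cifs/sofsedun4.vsofs1.com@SONAS.COM"

if __name__ == "__main__":
    for finding in check_service_ticket(SPN, parse_keytab(SAMPLE_KEYTAB), parse_ccache(SAMPLE_CCACHE)):
        print("-", finding)
```

On a live system, replace the two sample strings with the real output of `klist -kte` on the share server and `klist -e` on the client, and take the SPN from the "got principal=" line of `smbclient -d3 ... -k`. An enctype match only means the key type is right; a stale kvno or a machine-account password that differs from the keytab key still fails with the integrity-check error seen in this thread.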

