[Samba] Samba PDC - Kerberised CIFS access

Shahid M Shaikh shahid.shaikh at in.ibm.com
Fri Mar 13 16:01:13 GMT 2009


Hi Eduardo,

Thanks very much for all the information you have shared with us regarding the
Samba issue.

I used the net rpc join command to join the domain hosted by M1.

I was able to join the domain successfully.

Regards,
Shahid Shaikh.



                                                                           
Eduardo Sachs <edu.sachs at gmail.com>
13-03-09 07:19 PM
To: Shahid M Shaikh/India/IBM at IBMIN
cc: samba at lists.samba.org, Christian M Ambach <christian.ambach at de.ibm.com>, Volker.Lendecke at sernet.de, Mathias Dietz <MDIETZ at de.ibm.com>, Ujjwal Lanjewar/India/IBM at IBMIN, Michael Diederich <diederich at de.ibm.com>, Pankaj S Zanwar/India/IBM at IBMIN
Subject: Re: [Samba] Samba PDC - Kerberised CIFS access

I am so sorry for so many emails, but it is necessary:

In my case, Samba 3.0.x does not cause this problem, only Samba
3.2.x and 3.3.x.

Thanks!

2009/3/13 Eduardo Sachs <edu.sachs at gmail.com>:
> More information...
>
> Example of procedure:
>
> 1 - M4 accesses M3 with Kerberos auth:
> M4# smbclient //M3/publico -k
> OS=[Unix] Server=[Samba 3.2.5]
> smb: \> ls
>  .                                   D        0  Wed Mar 11 21:04:19 2009
>  ..                                  D        0  Wed Mar 11 21:04:19 2009
>
>                48444 blocks of size 262144. 36638 blocks available
> smb: \> quit
>
> 2 - M3 joins the Samba PDC:
> M3# net join -U root
> Enter root's password:
> Joined domain _LOCAL_.
>
> 3 - M4 accessing M3 with Kerberos auth fails:
> M4# smbclient //M3/publico -k
> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> 4 - On M3, delete /var/lib/samba/secrets.tdb and restart the Samba client;
> M3 is out of the Samba PDC domain because secrets.tdb was deleted:
> M3# rm /var/lib/samba/secrets.tdb && /etc/init.d/samba restart
>
> 5 - M4 accesses M3 again with Kerberos auth:
> M4# smbclient //M3/publico -k
> OS=[Unix] Server=[Samba 3.2.5]
> smb: \> ls
>  .                                   D        0  Wed Mar 11 21:04:19 2009
>  ..                                  D        0  Wed Mar 11 21:04:19 2009
>
>                48444 blocks of size 262144. 36638 blocks available
> smb: \> quit
>
> Thanks!
>
> 2009/3/13 Eduardo Sachs <edu.sachs at gmail.com>:
>> Shahid,
>>
>> Did you use the command 'net join' to join M3 to the Samba PDC domain?
>>
>> My problem is that when I join M3 to the Samba PDC domain (M1) with the
>> command 'net join', after this I cannot access M3 using Kerberos
>> authentication.
>>
>> Another description:
>>
>> Your error is [1]:
>> ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
>> Decrypt integrity check failed
>> ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
>> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>>
>> My error is [23]:
>> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
>> Decrypt integrity check failed
>> ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab
>> principals
>> ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
>>
>> When I delete the file /var/lib/samba/secrets.tdb on M3 and restart the
>> Samba client on M3, Kerberos authentication on M3 works again for my CIFS
>> client M4, but M3 is out of the Samba PDC domain.
>>
>> But the problem may be related.
>>
>> My English is terrible, sorry...
>>
>> Thanks!
>>
>>
>> 2009/3/12 Eduardo Sachs <edu.sachs at gmail.com>:
>>> Shahid,
>>>
>>> I have the same problem, but I use a Heimdal Kerberos domain; look at this
>>> bug ticket:
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=5810
>>>
>>> The developers have not yet responded.
>>>
>>> Thanks!
>>>
>>> 2009/3/11 Shahid M Shaikh <shahid.shaikh at in.ibm.com>:
>>>> Hi All,
>>>>
>>>> I have machine M1 hosting Samba PDC. It stores only user information.
>>>> I have machine M2 acting as KDC server.
>>>> I have machine M3 hosting CIFS shares and it joins into the domain hosted
>>>> by PDC M1.
>>>> I have machine M4 used as CIFS client.
>>>>
>>>> On M2, I have added users and cifs/host service principals for M3. Also
>>>> added service principal in keytab file.
>>>> I have added all the user and service principals using des-cbc-crc
>>>> encryption triplet.
>>>>
>>>> M3 and M4 are KDC clients. I have scped the keytab file on M3 from M2.
>>>>
>>>> I have configured M3's smb.conf file to accept kerberos keytab and also for
>>>> the kerberos realm.
>>>>
>>>>       realm = SONAS.COM
>>>>       use kerberos keytab = yes
>>>>       client use spnego = yes
>>>>
>>>>
>>>> From M4, I do kinit <user> and then try to see exported shares from M3.
>>>>
>>>> [root at sofsedun3 ~]# kinit domuser
>>>> Password for domuser at SONAS.COM:
>>>> [root at sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>>>> [root at sofsedun3 ~]# klist -e
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: domuser at SONAS.COM
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM at SONAS.COM
>>>>        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>>>
>>>>
>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>> klist: You have no tickets cached
>>>> [root at sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>>>> Enter domuser's password:
>>>> Anonymous login successful
>>>> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>>>>
>>>>        Sharename       Type      Comment
>>>>        ---------       ----      -------
>>>>        share           Disk      test share
>>>>        IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
>>>> Anonymous login successful
>>>> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>>>>
>>>>        Server               Comment
>>>>        ---------            -------
>>>>
>>>>        Workgroup            Master
>>>>        ---------            -------
>>>>
>>>> It works with anonymous login. But when I try to use -k it fails. I tried
>>>> smbclient with -k and debug level 3. I get these on the console.
>>>>
>>>> [root at sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
>>>> lp_load_ex: refreshing parameters
>>>> Initialising global parameters
>>>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>>>> Processing section "[global]"
>>>> added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
>>>> added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
>>>> added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
>>>> Client started (version 3.2.8-ctdb-55).
>>>> Connecting to 10.0.0.24 at port 445
>>>> Doing spnego session setup (blob length=111)
>>>> got OID=1 2 840 113554 1 2 2
>>>> got OID=1 2 840 48018 1 2 2
>>>> got OID=1 3 6 1 4 1 311 2 2 10
>>>> got principal=cifs/sofsedun4.vsofs1.com at SONAS.COM
>>>> Doing kerberos session setup
>>>> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
>>>> Thu, 12 Mar 2009 21:36:54 TLT
>>>> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>>>> SPNEGO login failed: Logon failure
>>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>>> [root at sofsedun3 ~]# klist -e
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: domuser at SONAS.COM
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM at SONAS.COM
>>>>        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>>> 03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1.com at SONAS.COM
>>>>        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>>>
>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>> klist: You have no tickets cached
>>>>
>>>>
>>>> On M3, I have enabled smbd logs with debug level 10. The corresponding
>>>> errors for the above behavior are:
>>>>
>>>> [2009/03/11 21:58:54,  3] smbd/process.c:switch_message(1361)
>>>>  switch message SMBsesssetupX (pid 26858) conn 0x0
>>>> [2009/03/11 21:58:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
>>>>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>> [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
>>>>  wct=12 flg2=0xc801
>>>> [2009/03/11 21:58:54,  3]
>>>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
>>>>  Doing spnego session setup
>>>> [2009/03/11 21:58:54,  3]
>>>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
>>>>  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>>>> [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
>>>>  reply_spnego_negotiate: Got secblob of size 466
>>>> [2009/03/11 21:58:54,  3]
>>>> libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
>>>>  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
>>>> Decrypt integrity check failed
>>>> [2009/03/11 21:58:54,  3]
>>>> libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
>>>>  ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab
>>>> principals
>>>> [2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_verify_ticket(458)
>>>>  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>>>> [2009/03/11 21:58:54,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>>>>  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>>>> [2009/03/11 21:58:54,  3] smbd/error.c:error_packet_set(61)
>>>>  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX)
>>>> NT_STATUS_LOGON_FAILURE
>>>> [2009/03/11 21:58:54,  3] smbd/process.c:smbd_process(2036)
>>>>  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
>>>> [2009/03/11 21:58:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
>>>>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>> [2009/03/11 21:58:54,  3] smbd/connection.c:yield_connection(31)
>>>>  Yielding connection to
>>>> [2009/03/11 21:58:54,  3] smbd/server.c:exit_server_common(958)
>>>>  Server exit (normal exit)
>>>>
>>>>
>>>>
>>>> In the above scenario, M1 and M2 are not aware of each other. That
>>>> means M1 is not a Kerberos client.
>>>> I tried setting M1 as a Kerberos client as well. But the result was the
>>>> same.
>>>>
>>>> Samba installed on M1, M3 and M4 is samba-3.2.8_ctdb_55-1.
>>>> I am using MIT Kerberos version 1.6.1-25.el5 on the KDC and the Kerberos
>>>> clients.
>>>>
>>>>
>>>> My queries are:
>>>> 1. Is it a known issue with Samba or Kerberos?
>>>> 2. Am I missing anything in the configuration?
>>>> 3. What should I do to make the above setup work?
>>>>
>>>>
>>>> Please feel free to ask for more information if the provided one is not
>>>> sufficient.
>>>>
>>>>
>>>> P.S.: I am copying my configuration files here for reference.
>>>>
>>>>
>>>>
>>>>
>>>> [root at sofsedun2 ~]# cat /etc/samba/smb.conf
>>>> # Samba Configuration file.
>>>> #
>>>> # ****************** WARNING ********************************
>>>> # The contents of this file should not be modified directly !
>>>> #
>>>> # The samba options are stored in the registry.
>>>> # Use the "net conf" command to add/modify samba options in the registry
>>>> # ***************************************************************
>>>> [global]
>>>>        workgroup = VSOFS1.COM
>>>>        server string = Samba/NT PDC
>>>>        netbios name = sofsedun2
>>>>        passdb backend = tdbsam
>>>>        log level = 3
>>>>        log file = /var/log/samba/%m.log
>>>>        max log size = 50
>>>>        delete user script = /usr/sbin/userdel "%u"
>>>>        add group script = /usr/sbin/groupadd "%g"
>>>>        delete group script = /usr/sbin/groupdel "%g"
>>>>        delete user from group script = /usr/sbin/userdel "%u" "%g"
>>>>        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>>>        add user script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>>>        domain logons = Yes
>>>>        os level = 64
>>>>        preferred master = Yes
>>>>        domain master = Yes
>>>>        local master = Yes
>>>>        wins support = Yes
>>>>        cups options = raw
>>>>        security = user
>>>>        encrypt passwords = Yes
>>>> [netlogon]
>>>>        path = /etc/samba/netlogon
>>>>        writeable = no
>>>>        write list = ntadmin
>>>>        guest ok = no
>>>> [profiles]
>>>>        path = /usr/smb/ntprofile
>>>>        writeable = yes
>>>>        create mask = 0600
>>>>       directory mask = 0700
>>>>
>>>>
>>>>
>>>> 2. CIFS server smb.conf
>>>> [root at sofsedun4 ~]# cat /etc/samba/smb.conf
>>>> # Samba Configuration file.
>>>> #
>>>> # ****************** WARNING ********************************
>>>> # The contents of this file should not be modified directly !
>>>> #
>>>> # The samba options are stored in the registry.
>>>> # Use the "net conf" command to add/modify samba options in the registry
>>>> # ***************************************************************
>>>> [global]
>>>>   workgroup = VSOFS1.COM
>>>>   password server = sofsedun2
>>>>   security = domain
>>>>   idmap uid = 16777216-33554431
>>>>   idmap gid = 16777216-33554431
>>>>   template shell = /bin/sh
>>>>   winbind use default domain = false
>>>>   winbind offline logon = false
>>>>   realm = SONAS.COM
>>>>   use kerberos keytab = yes
>>>>   client use spnego = yes
>>>>   wins support = Yes
>>>>   cups options = raw
>>>>   log level = 3
>>>>  log file = /var/log/samba/%m.log
>>>> [share]
>>>>        comment = test share
>>>>        path = /home/share
>>>>        read only = no
>>>>        public = yes
>>>>        valid users = 'VSOFS1.COM\domuser' 'VSOFS1.COM\domadmin' 'VSOFS1.COM\domguest'
>>>>
>>>>
>>>>
>>>>
>>>> [root at sofsedutsm ~]# cat /var/kerberos/krb5kdc/kdc.conf
>>>> [kdcdefaults]
>>>>  v4_mode = nopreauth
>>>>  kdc_tcp_ports = 88
>>>>
>>>> [realms]
>>>>  SONAS.COM = {
>>>>  #master_key_type = des3-hmac-sha1
>>>>  acl_file = /var/kerberos/krb5kdc/kadm5.acl
>>>>  dict_file = /usr/share/dict/words
>>>>  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>>>  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>>>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>>>>  }
>>>>
>>>>
>>>>
>>>> [root at sofsedun3 ~]# cat /etc/krb5.conf
>>>> [logging]
>>>>  default = FILE:/var/log/krb5libs.log
>>>>  kdc = FILE:/var/log/krb5kdc.log
>>>>  admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>>  default_realm = SONAS.COM
>>>>  dns_lookup_realm = true
>>>>  dns_lookup_kdc = true
>>>>  ticket_lifetime = 24h
>>>>  forwardable = yes
>>>>  default_tkt_enctypes = des-cbc-crc des-cbc-md5
>>>>  default_tgs_enctypes = des-cbc-crc des-cbc-md5
>>>>
>>>> [realms]
>>>>        VSOFS1.COM = {
>>>>                kdc = sofsedutsm.VSOFS1.COM
>>>>        }
>>>>  SONAS.COM = {
>>>>  kdc = sofsedutsm.VSOFS1.COM:88
>>>>  admin_server = sofsedutsm.VSOFS1.COM:749
>>>>  default_domain = VSOFS1.COM
>>>>  }
>>>>
>>>> [domain_realm]
>>>>  .VSOFS1.COM = SONAS.COM
>>>>  VSOFS1.COM = SONAS.COM
>>>>
>>>> [appdefaults]
>>>>  pam = {
>>>>   debug = false
>>>>   ticket_lifetime = 36000
>>>>   renew_lifetime = 36000
>>>>   forwardable = true
>>>>   krb4_convert = false
>>>>  }
>>>>
>>>>
>>>> 5. /etc/nsswitch.conf and /etc/pam.d/system-auth have been configured to
>>>> use winbind for auth, account and passwords.
>>>>
>>>>
>>>>
>>>> [root at sofsedun4 ~]# klist -kte
>>>> Keytab name: FILE:/etc/krb5.keytab
>>>> KVNO Timestamp         Principal
>>>> ---- -----------------
>>>> --------------------------------------------------------
>>>>   3 03/11/09 20:24:49 cifs/sofsedun2.vsofs1.com at SONAS.COM (DES cbc mode with CRC-32)
>>>>   3 03/11/09 20:25:05 host/sofsedun2.vsofs1.com at SONAS.COM (DES cbc mode with CRC-32)
>>>>   3 03/11/09 20:25:19 host/sofsedun4.vsofs1.com at SONAS.COM (DES cbc mode with CRC-32)
>>>>   3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1.com at SONAS.COM (DES cbc mode with CRC-32)
>>>> [root at sofsedun4 ~]#
>>>>
>>>>
>>>> Regards,
>>>> Shahid Shaikh.
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>
>>
>
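Added here as a diagnostic example, not code from this thread or from Samba: it decodes the numeric enc type in the smbd ads_secrets_verify_ticket lines (1 is des-cbc-crc, 23 is arcfour-hmac), parses a klist -kte keytab listing and the client's klist -e ticket line, and reports whether the requested service principal has a keytab key of the ticket's enctype. The sample inputs are constructed from the listings above with the archive's " at " restored to "@"; the number-to-name table is the standard RFC 3961/4757 assignment, and all function names are this example's own.

```python
import re
# Kerberos enctype numbers (RFC 3961 / RFC 4757) as printed in Samba's
# "enc type [N]" log lines, mapped to the names used in kdc.conf/krb5.conf.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# MIT klist prints the same enctypes under different names; normalise them.
KLIST_NAMES = {"DES cbc mode with CRC-32": "des-cbc-crc",
               "DES cbc mode with RSA-MD5": "des-cbc-md5",
               "ArcFour with HMAC/md5": "arcfour-hmac"}
KEYTAB_LINE = re.compile(r"^\s*\d+\s+\S+ \S+\s+(\S+@\S+)\s+\((.+)\)\s*$")
ENCTYPE_LINE = re.compile(r"ads_secrets_verify_ticket: enc type \[(\d+)\]")
TICKET_LINE = re.compile(r"Etype \(skey, tkt\): (.+), (.+)$")

def parse_keytab(listing):
    """{principal: set of enctype names} from `klist -kte` output."""
    keys = {}
    for line in listing.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            keys.setdefault(m.group(1), set()).add(KLIST_NAMES.get(m.group(2), m.group(2)))
    return keys

def ticket_enctype(klist_output):
    """Enctype of the last service ticket's 'tkt' key in `klist -e` output."""
    found = [KLIST_NAMES.get(m.group(2), m.group(2))
             for m in map(TICKET_LINE.search, klist_output.splitlines()) if m]
    return found[-1] if found else None

def diagnose(principal, smbd_log, keytab_listing, klist_output=""):
    """Cross-check the enctype smbd failed on against the keytab and the ticket."""
    keys = parse_keytab(keytab_listing).get(principal, set())
    tried = [ENCTYPE_NAMES.get(int(n), "unknown(%s)" % n)
             for n in ENCTYPE_LINE.findall(smbd_log)]
    tkt = ticket_enctype(klist_output)
    return {"principal_in_keytab": bool(keys), "keytab_enctypes": sorted(keys),
            "smbd_tried": tried, "ticket_enctype": tkt,
            "ticket_key_in_keytab": (tkt in keys) if tkt else None}

# Sample input constructed from the listings in this thread ('@' restored).
KEYTAB = """KVNO Timestamp         Principal
   3 03/11/09 20:25:19 host/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
   3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
"""
SMBD_LOG = """[2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Decrypt integrity check failed
"""
KLIST_E = """03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1.com@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""
if __name__ == "__main__":
    print(diagnose("cifs/sofsedun4.vsofs1.com@SONAS.COM", SMBD_LOG, KEYTAB, KLIST_E))
```

When the report shows the ticket's enctype present in the keytab for the requested principal, as it is for Shahid's listing, the enctype itself is not the mismatch and the key material behind secrets.tdb versus the keytab is the next thing to compare.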



