[Samba] Kerberos and 2008 AD troubles

Robert LeBlanc robert at leblancnet.us
Wed May 6 16:11:25 GMT 2009


I've been trying to get Kerberos to work for the last couple of days so
that we can use SSO. I can't seem to get past a roadblock and Google
doesn't seem to provide any answers. I've got Samba connected to the AD
and running. I can wbinfo everything and can login to the machine using
PAM with the pam_winbind modules just fine. I can get user tickets just
fine. When I try to get ssh between two AD joined machines to use
Kerberos, I get a Server not found in Kerberos database error. I've
noticed that /var/log/samba/log.winbindd shows:

[2009/05/06 09:22:31,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
  ads_krb5_mk_req: krb5_get_credentials failed for CAD1$@BYU (Cannot resolve network address for KDC in requested realm)
[2009/05/06 09:22:31,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm

I can't run `kinit host/vi4debain$@BYU.LOCAL` or anything like it; all I get is
"kinit(v5): Client not found in Kerberos database while getting initial
credentials". I've tried all sorts of combinations of the kinit command.
I've tried to create a winbind keytab file, but from what I've read that
is only used if using LDAP and not winbind. I've tweaked the
/etc/krb.conf file. I can't get rid of the error in log.winbindd to see
if that fixes the problem.

Summary:

/etc/resolve.conf: Specified AD domain and DCs as DNS servers
/etc/hosts: Specified the FQDN of the machine with the AD DNS name
/etc/krb5.conf: Added AD realm info
/etc/samba/smb.conf: All AD info entered correctly
Net ads join: OK
Wbinfo -u/g: Shows all users and groups in the domain
Pam_winbind: Allows users to log in to the console or through SSH (password)
/etc/ssh/sshd_conf: GSSAPIAuthentication yes
/etc/ssh/ssh_conf (on remote machine configured exactly the same): GSSAPIAuthentication yes and GSSAPIDelegateCredentials no

Same error on Debian Lenny using Samba 3.2.5 and Debian Squeeze using Samba 3.3.3


/etc/samba/smb.conf:

[global]
   workgroup = BYU
   realm = BYU.LOCAL
   preferred master = no
   server string = %h server
   dns proxy = no
   debug level = 10
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   load printers = no
   printing = bsd
   printcap name = /dev/null
   show add printer wizard = no
   disable spoolss = yes
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   allow trusted domains = No
   idmap backend = idmap_rid:BYU=10000-100000000
   idmap uid = 10000-100000000
   idmap gid = 10000-100000000
   winbind use default domain = yes
   winbind separator = +
   winbind enum groups = no
   winbind enum users = no
   winbind nested groups = yes
   template homedir = /home/%U
   template shell = /bin/bash
   winbind refresh tickets = yes
   get quota command = /root/sambaquota.sh

[users]
   comment = Life Sciences user share
   browseable = yes
   path = /ls/users
   guest ok = no
   read only = no
   admin users = @lfsci-csr
   create mask = 0770
   directory mask = 0770
   force user = %S
   veto files = /.htaccess/ /.DAV/

[groups]
   comment = Life Sciences groups share
   browseable = yes
   path = /ls/groups
   guest ok = no
   read only = no
   admin users = lfsci-csr
   create mask = 0770
   directory mask = 0770
   veto files = /.htaccess/ /.DAV/
   dos filemode = yes
   posix locking = no


relevant part of /var/log/samba/log.winbindd:

[2009/05/06 09:22:31,  5] winbindd/winbindd_cm.c:cm_prepare_connection(852)
  connecting to CAD1.byu.local from VI4DEBIAN with kerberos principal [VI4DEBIAN$@BYU.LOCAL] and realm [BYU.LOCAL]
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
  Doing spnego session setup (blob length=124)
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
  got OID=1 2 840 48018 1 2 2
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
  got OID=1 2 840 113554 1 2 2
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
  got OID=1 2 840 113554 1 2 2 3
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
  got OID=1 3 6 1 4 1 311 2 2 10
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
  got principal=not_defined_in_RFC4178@please_ignore
[2009/05/06 09:22:31, 10] libads/kerberos.c:kerberos_kinit_password_ext(217)
  kerberos_kinit_password: as VI4DEBIAN$@BYU.LOCAL using [MEMORY:cliconnect] as ccache and config [(null)]
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(899)
  cli_session_setup_spnego: got a bad server principal, trying to guess ...
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(927)
  cli_session_setup_spnego: guessed server principal=CAD1$@BYU
[2009/05/06 09:22:31,  2] libsmb/cliconnect.c:cli_session_setup_kerberos(617)
  Doing kerberos session setup
[2009/05/06 09:22:31,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
  ads_krb5_mk_req: krb5_get_credentials failed for CAD1$@BYU (Cannot resolve network address for KDC in requested realm)
[2009/05/06 09:22:31,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
[2009/05/06 09:22:31,  4] winbindd/winbindd_cm.c:cm_prepare_connection(864)
  failed kerberos session setup with Cannot resolve network address for KDC in requested realm
[2009/05/06 09:22:31,  5] winbindd/winbindd_cm.c:cm_prepare_connection(880)
  connecting to CAD1.byu.local from VI4DEBIAN with username [BYU]\[VI4DEBIAN$]
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
  Doing spnego session setup (blob length=124)
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
  got OID=1 2 840 48018 1 2 2
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
  got OID=1 2 840 113554 1 2 2
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
  got OID=1 2 840 113554 1 2 2 3
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
  got OID=1 3 6 1 4 1 311 2 2 10
[2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
  got principal=not_defined_in_RFC4178@please_ignore


If you need more info, please let me know.

Thanks,

Robert LeBlanc
Life Sciences Computer Support
Brigham Young University
leblanc at byu.edu
(801)422-1882
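The failure in the log (krb5_get_credentials for CAD1$@BYU) comes down to the Kerberos library finding no KDC for the realm in the server principal Samba guessed, which is the NetBIOS workgroup "BYU" rather than the realm "BYU.LOCAL". As an added example that is not part of the original post, the Python below models that lookup offline: a minimal krb5.conf parser plus MIT krb5's KDC search order ([realms] kdc entries first, then a _kerberos._udp.<realm> SRV query when dns_lookup_kdc is enabled). The krb5.conf text, the FAKE_SRV table and all function names are constructed for this example, not taken from the poster's system.

```python
# Added example (not from the original post): an offline model of the KDC
# lookup behind "Cannot resolve network address for KDC in requested realm".
# A KDC is searched for the realm of the *server* principal, here "BYU".

# Constructed krb5.conf in the shape a `net ads join` setup typically uses.
KRB5_CONF = """
[libdefaults]
    dns_lookup_kdc = true
[realms]
    BYU.LOCAL = {
        kdc = cad1.byu.local
    }
[domain_realm]
    .byu.local = BYU.LOCAL
"""

# Constructed stand-in for the SRV records AD DNS would serve.
FAKE_SRV = {"_kerberos._udp.BYU.LOCAL": ["cad1.byu.local"]}

def parse_krb5_conf(text):
    """Minimal parser: [section] -> dict; `X = { ... }` becomes a nested dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        else:
            key, _, val = line.partition("=")
            (section if block is None else block)[key.strip()] = val.strip()
    return conf

def find_kdcs(conf, realm, srv_lookup):
    """MIT krb5 order: [realms] kdc= first, then _kerberos._udp.<realm> SRV."""
    realm_cfg = conf.get("realms", {}).get(realm, {})
    if "kdc" in realm_cfg:
        return [realm_cfg["kdc"]]
    if conf.get("libdefaults", {}).get("dns_lookup_kdc", "").lower() == "true":
        return srv_lookup("_kerberos._udp." + realm)
    return []

def check_server_principal(principal, conf, srv_lookup=lambda n: FAKE_SRV.get(n, [])):
    """Return (realm, kdcs); an empty kdc list is exactly the failure in the log."""
    realm = principal.rsplit("@", 1)[1]
    return realm, find_kdcs(conf, realm, srv_lookup)
```

To run it against a real host, read /etc/krb5.conf into parse_krb5_conf and replace srv_lookup with a resolver that queries the SRV name it is given; an empty list for the realm of the guessed principal is the condition to fix, either by giving Samba a server principal in the DNS realm or by mapping that realm to a KDC in krb5.conf.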
