[Samba] Kerberos and 2008 AD troubles

Robert LeBlanc robert at leblancnet.us
Mon May 18 21:30:24 GMT 2009


Sorry to take so long to get back with you, but I've finally got it working
between two computers if I use their FQDN. Is there any way to use the short
name (i.e. instead of computer.domain.local, just use computer)?

I think DHCP was fouling me up with this, so I edited /etc/hosts and made
sure the correct FQDN was in there. I edited /etc/dhcp/dhclient.conf and
added the following two lines:

supersede domain-name "domain.local domain.com";
supersede domain-name-servers 10.x.x.1, 10.x.x.2;

and ran dhclient to update and check /etc/resolv.conf. I then joined the
computer again to the domain (twice as the first time always seems to give
me a kerberos error). I then ran

net ads keytab create

to create a keytab file for Kerberos. Now that I know it works, I'm going to
set it up again from scratch to make sure I can replicate it and document it
and to see what configurations I can get away with not doing (it would be
nice to not have to override the DNS for laptops, the .com DNS has entries
for the .local).

If I can just get it to work with the FQDN, I will be VERY happy.

Thanks,
Robert LeBlanc



On Thu, May 7, 2009 at 12:17 PM, Robert Foreman <robert.foreman at gmail.com> wrote:

> If kinit is not working then I'm pretty sure Kerberos is not actually
> working. You will probably want to double check the contents of your
> krb5.conf file. If resolv.conf is using your domain controllers for name
> resolution then the krb5.conf file is about the only thing you need
> configured in order to test kinit.
>
> I use dns lookup for realm and kdc and my krb5.conf file looks something
> like this:
>
> ===============================
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = DOMAIN.LOCAL
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>
> [domain_realm]
>  .domain.local = DOMAIN.LOCAL
>  domain.local = DOMAIN.LOCAL
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>    validate = true
>  }
> ===================================
>
> And you will probably find that you DO want the keytab file, but it's not
> necessary for testing the kinit command.
>
> I recommend the following value in your smb.conf:
>
>      use kerberos keytab = Yes
>
> That should pull the keytab file automatically when using the net ads join
> command. There were previous issues with that not working for w2k8, but I
> believe that has been resolved.
>
> You will also probably want to use the krb5_auth = yes and krb5_ccache_type
> = FILE options in your pam_winbind configuration. Those can be set in the
> pam config files, or in RHEL systems in /etc/security/pam_winbind.conf. If
> you used the authconfig tool it probably set the krb5_auth option, but not
> the cache_type. Without the cache_type it will use Kerberos for
> authentication, but you won't get a Kerberos token which is used for the
> next ssh connection to another host.
>
> You will also want the following in your ssh_config file
>
>     GSSAPIAuthentication yes
>     GSSAPIDelegateCredentials yes
>
> and the following in your sshd_config file.
>
>     GSSAPIAuthentication yes
>     GSSAPICleanupCredentials yes
>     UsePAM yes
>
> It took me a while to sort out Kerberos SSO with winbind also, but it's been
> great ever since. Good luck!
>
> On Wed, May 6, 2009 at 12:11 PM, Robert LeBlanc <robert at leblancnet.us> wrote:
>
>> I've been trying to get Kerberos to work for the last couple of days so
>> that we can use SSO. I can't seem to get past a roadblock and Google
>> doesn't seem to provide any answers. I've got Samba connected to the AD
>> and running. I can wbinfo everything and can login to the machine using
>> PAM with the pam_winbind modules just fine. I can get user tickets just
>> fine. When I try to get ssh between two AD joined machines to use
>> Kerberos, I get a Server not found in Kerberos database error. I've
>> noticed that /var/log/samba/log.winbinds shows:
>>
>> [2009/05/06 09:22:31,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
>>   ads_krb5_mk_req: krb5_get_credentials failed for CAD1$@BYU (Cannot
>> resolve network address for KDC in requested realm)
>> [2009/05/06 09:22:31,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
>> resolve network address for KDC in requested realm
>>
>> I can't run `kinit host/vi4debain$@BYU.LOCAL` or anything like it, all I get is
>> "kinit(v5): Client not found in Kerberos database while getting initial
>> credentials", I've tried all sorts of combinations of the kinit command,
>> I've tried to create a winbind keytab file, but from what I've read that
>> is only used if using LDAP and not winbind. I've tweaked the
>> /etc/krb.conf file. I can't get rid of the error in log.winbindd to see
>> if that fixes the problem.
>>
>>
>>
>> Summary:
>>
>> /etc/resolv.conf: Specified AD domain and DCs as DNS servers
>> /etc/hosts: Specified the FQDN of the machine with the AD DNS name
>> /etc/krb5.conf: Added AD realm info
>> /etc/samba/smb.conf: All AD info entered correctly
>> Net ads join: OK
>> Wbinfo -u/g: Shows all users and groups in the domain
>> Pam_winbind: Allows users to login to the console or through SSH
>> (password)
>> /etc/ssh/sshd_conf: GSSAPIAuthentication yes
>> /etc/ssh/ssh_conf (on remote machine configured exactly the same):
>> GSSAPIAuthentication yes and GSSAPIDelegateCredentials no
>>
>> Same error on Debian Lenny using Samba 3.2.5 and Debian Squeeze using
>> Samba 3.3.3
>>
>>
>>
>> /etc/samba/smb.conf:
>>
>> [global]
>>   workgroup = BYU
>>   realm = BYU.LOCAL
>>   preferred master = no
>>   server string = %h server
>>   dns proxy = no
>>   debug level = 10
>>   log file = /var/log/samba/log.%m
>>   max log size = 1000
>>   syslog = 0
>>   panic action = /usr/share/samba/panic-action %d
>>   security = ADS
>>   encrypt passwords = true
>>   passdb backend = tdbsam
>>   obey pam restrictions = yes
>>   invalid users = root
>>   unix password sync = yes
>>   passwd program = /usr/bin/passwd %u
>>   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>   pam password change = yes
>>   load printers = no
>>   printing = bsd
>>   printcap name = /dev/null
>>   show add printer wizard = no
>>   disable spoolss = yes
>>   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>   allow trusted domains = No
>>   idmap backend = idmap_rid:BYU=10000-100000000
>>   idmap uid = 10000-100000000
>>   idmap gid = 10000-100000000
>>   winbind use default domain = yes
>>   winbind separator = +
>>   winbind enum groups = no
>>   winbind enum users = no
>>   winbind nested groups = yes
>>   template homedir = /home/%U
>>   template shell = /bin/bash
>>   winbind refresh tickets = yes
>>   get quota command = /root/sambaquota.sh
>>
>> [users]
>>   comment = Life Sciences user share
>>   browseable = yes
>>   path = /ls/users
>>   guest ok = no
>>   read only = no
>>   admin users = @lfsci-csr
>>   create mask = 0770
>>   directory mask = 0770
>>   force user = %S
>>   veto files = /.htaccess/ /.DAV/
>>
>> [groups]
>>   comment = Life Sciences groups share
>>   browseable = yes
>>   path = /ls/groups
>>   guest ok = no
>>   read only = no
>>   admin users = lfsci-csr
>>   create mask = 0770
>>   directory mask = 0770
>>   veto files = /.htaccess/ /.DAV/
>>   dos filemode = yes
>>   posix locking = no
>>
>>
>>
>> relevant part of /var/log/samba/log.winbindd:
>>
>> [2009/05/06 09:22:31,  5] winbindd/winbindd_cm.c:cm_prepare_connection(852)
>>   connecting to CAD1.byu.local from VI4DEBIAN with kerberos principal
>> [VI4DEBIAN$@BYU.LOCAL] and realm [BYU.LOCAL]
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
>>   Doing spnego session setup (blob length=124)
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 2 840 48018 1 2 2
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 2 840 113554 1 2 2
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 2 840 113554 1 2 2 3
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 3 6 1 4 1 311 2 2 10
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
>>   got principal=not_defined_in_RFC4178@please_ignore
>> [2009/05/06 09:22:31, 10] libads/kerberos.c:kerberos_kinit_password_ext(217)
>>   kerberos_kinit_password: as VI4DEBIAN$@BYU.LOCAL using
>> [MEMORY:cliconnect] as ccache and config [(null)]
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(899)
>>   cli_session_setup_spnego: got a bad server principal, trying to guess ...
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(927)
>>   cli_session_setup_spnego: guessed server principal=CAD1$@BYU
>> [2009/05/06 09:22:31,  2] libsmb/cliconnect.c:cli_session_setup_kerberos(617)
>>   Doing kerberos session setup
>> [2009/05/06 09:22:31,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
>>   ads_krb5_mk_req: krb5_get_credentials failed for CAD1$@BYU (Cannot
>> resolve network address for KDC in requested realm)
>> [2009/05/06 09:22:31,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
>> resolve network address for KDC in requested realm
>> [2009/05/06 09:22:31,  4] winbindd/winbindd_cm.c:cm_prepare_connection(864)
>>   failed kerberos session setup with Cannot resolve network address for
>> KDC in requested realm
>> [2009/05/06 09:22:31,  5] winbindd/winbindd_cm.c:cm_prepare_connection(880)
>>   connecting to CAD1.byu.local from VI4DEBIAN with username
>> [BYU]\[VI4DEBIAN$]
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
>>   Doing spnego session setup (blob length=124)
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 2 840 48018 1 2 2
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 2 840 113554 1 2 2
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 2 840 113554 1 2 2 3
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 3 6 1 4 1 311 2 2 10
>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
>>   got principal=not_defined_in_RFC4178@please_ignore
>>
>>
>>
>> If you need more info, please let me know.
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Robert LeBlanc
>>
>> Life Sciences Computer Support
>>
>> Brigham Young University
>>
>> leblanc at byu.edu
>>
>> (801)422-1882
>>
>>
>>
>>
>
>
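A preflight check for the three things this thread turns on (the realm spelling in krb5.conf, how the client locates the KDC, and whether the host has an FQDN so a host/ principal can exist), written here as an added example; it is not code from the thread or from Samba, and the krb5.conf text it parses is a constructed sample modelled on the one Robert Foreman quoted above.

```python
# Constructed sample input, modelled on the krb5.conf quoted in the thread.
KRB5_CONF = """[libdefaults]
 default_realm = DOMAIN.LOCAL
 dns_lookup_kdc = true
[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL
"""

def parse_ini(text):
    """Tiny [section] / key = value parser, enough for krb5.conf-style files."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('[') and line.endswith(']'):
            cur = sections.setdefault(line[1:-1], {})
        elif '=' in line and cur is not None:
            key, val = (s.strip() for s in line.split('=', 1))
            cur[key.lower()] = val
    return sections

def kdc_srv_name(realm):
    """DNS SRV record a dns_lookup_kdc client queries to locate the KDC."""
    return '_kerberos._tcp.' + realm.lower()

def host_principal(hostname, realm):
    """Keytab principal for the host; a short name cannot form one."""
    return 'host/%s@%s' % (hostname.lower(), realm) if '.' in hostname else None

def check_kerberos_setup(krb5_text, hostname):
    """Return findings (empty list = consistent) for realm, KDC lookup and hostname."""
    krb5 = parse_ini(krb5_text)
    libdef = krb5.get('libdefaults', {})
    realm = libdef.get('default_realm', '')
    findings = []
    if not realm or realm != realm.upper():
        findings.append('krb5.conf default_realm missing or not upper case: %r' % realm)
    if host_principal(hostname, realm) is None:
        findings.append('%r is a short name; no host/FQDN principal can be issued' % hostname)
    else:
        domain = hostname.lower().split('.', 1)[1]
        if not {domain, '.' + domain} & set(krb5.get('domain_realm', {})):
            findings.append('[domain_realm] does not map %s to a realm' % domain)
    if libdef.get('dns_lookup_kdc', 'false').lower() != 'true' and 'kdc' not in krb5.get('realms', {}):
        findings.append('no KDC locator: set dns_lookup_kdc = true or list kdc under [realms]')
    return findings
```

With the sample above, `check_kerberos_setup(KRB5_CONF, 'computer.domain.local')` returns no findings, while a bare `computer` is reported because the KDC can only issue host/computer.domain.local@DOMAIN.LOCAL.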

