[Samba] Kerberos and 2008 AD troubles

Robert LeBlanc robert at leblancnet.us
Mon May 18 23:35:34 GMT 2009


Ok, setting up from scratch works perfectly with both the FQDN and the short
name. I did not need to specify the AD DNS servers either. Thanks for all
the help.

Robert

On Mon, May 18, 2009 at 3:30 PM, Robert LeBlanc <robert at leblancnet.us> wrote:

> Sorry to take so long to get back with you, but I've finally got it working
> between two computers if I use their FQDN. Is there any way to use the short
> name (i.e. instead of computer.domain.local, just use computer)?
>
> I think DHCP was fouling me up with this, so I edited /etc/hosts and made
> sure the correct FQDN was in there. I edited /etc/dhcp/dhclient.conf and
> added the following two lines:
>
> supersede domain-name "domain.local domain.com";
> supersede domain-name-servers 10.x.x.1, 10.x.x.2;
>
> and ran dhclient to update and check /etc/resolv.conf. I then joined the
> computer again to the domain (twice as the first time always seems to give
> me a kerberos error). I then ran
>
> net ads keytab create
>
> to create a keytab file for Kerberos. Now that I know it works, I'm going
> to set it up again from scratch to make sure I can replicate it and document
> it and to see what configurations I can get away with not doing (it would be
> nice to not have to override the DNS for laptops, the .com DNS has entries
> for the .local).
>
> If I can just get it to work with the FQDN, I will be VERY happy.
>
> Thanks,
> Robert LeBlanc
>
>
>
>
> On Thu, May 7, 2009 at 12:17 PM, Robert Foreman <robert.foreman at gmail.com> wrote:
>
>> If kinit is not working then I'm pretty sure Kerberos is not actually
>> working. You will probably want to double check the contents of your
>> krb5.conf file. If resolv.conf is using your domain controllers for name
>> resolution then the krb5.conf file is about the only thing you need
>> configured in order to test kinit.
>>
>> I use dns lookup for realm and kdc and my krb5.conf file looks something
>> like this:
>>
>> ===============================
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  default_realm = DOMAIN.LOCAL
>>  dns_lookup_realm = true
>>  dns_lookup_kdc = true
>>
>> [domain_realm]
>>  .domain.local = DOMAIN.LOCAL
>>  domain.local = DOMAIN.LOCAL
>>
>> [kdc]
>>  profile = /var/kerberos/krb5kdc/kdc.conf
>>
>> [appdefaults]
>>  pam = {
>>    debug = false
>>    ticket_lifetime = 36000
>>    renew_lifetime = 36000
>>    forwardable = true
>>    krb4_convert = false
>>    validate = true
>>  }
>> ===================================
>>
>> And you will probably find that you DO want the keytab file, but it's not
>> necessary for testing the kinit command.
>>
>> I recommend the following value in your smb.conf:
>>
>>      use kerberos keytab = Yes
>>
>> That should pull the keytab file automatically when using the net ads join
>> command. There were previous issues with that not working for w2k8, but I
>> believe that has been resolved.
>>
>> You will also probably want to use the krb5_auth = yes and
>> krb5_ccache_type = FILE options in your pam_winbind configuration. Those can
>> be set in the pam config files, or in RHEL systems in
>> /etc/security/pam_winbind.conf. If you used the authconfig tool it probably
>> set the krb5_auth option, but not the cache_type. Without the cache_type it
>> will use Kerberos for authentication, but you won't get a Kerberos token
>> which is used for the next ssh connection to another host.
>>
>> You will also want the following in your ssh_config file
>>
>>     GSSAPIAuthentication yes
>>     GSSAPIDelegateCredentials yes
>>
>> and the following in your sshd_config file.
>>
>>     GSSAPIAuthentication yes
>>     GSSAPICleanupCredentials yes
>>     UsePAM yes
>>
>> It took me a while to sort out Kerberos SSO with winbind also, but it's
>> been great ever since. Good luck!
>>
>> On Wed, May 6, 2009 at 12:11 PM, Robert LeBlanc <robert at leblancnet.us> wrote:
>>
>>> I've been trying to get Kerberos to work for the last couple of days so
>>> that we can use SSO. I can't seem to get past a roadblock and Google
>>> doesn't seem to provide any answers. I've got Samba connected to the AD
>>> and running. I can wbinfo everything and can login to the machine using
>>> PAM with the pam_winbind modules just fine. I can get user tickets just
>>> fine. When I try to get ssh between two AD joined machines to use
>>> Kerberos, I get a Server not found in Kerberos database error. I've
>>> noticed that /var/log/samba/log.winbindd shows:
>>>
>>> [2009/05/06 09:22:31,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
>>>   ads_krb5_mk_req: krb5_get_credentials failed for CAD1$@BYU (Cannot resolve network address for KDC in requested realm)
>>> [2009/05/06 09:22:31,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
>>>
>>> I can't run `kinit host/vi4debain$@BYU.LOCAL` or anything like it, all I
>>> get is "kinit(v5): Client not found in Kerberos database while getting
>>> initial credentials". I've tried all sorts of combinations of the kinit
>>> command, I've tried to create a winbind keytab file, but from what I've
>>> read that is only used if using LDAP and not winbind. I've tweaked the
>>> /etc/krb5.conf file. I can't get rid of the error in log.winbindd to see
>>> if that fixes the problem.
>>>
>>> Summary:
>>>
>>> /etc/resolv.conf: Specified AD domain and DCs as DNS servers
>>> /etc/hosts: Specified the FQDN of the machine with the AD DNS name
>>> /etc/krb5.conf: Added AD realm info
>>> /etc/samba/smb.conf: All AD info entered correctly
>>> net ads join: OK
>>> wbinfo -u/g: Shows all users and groups in the domain
>>> pam_winbind: Allows users to log in to the console or through SSH
>>> (password)
>>> /etc/ssh/sshd_config: GSSAPIAuthentication yes
>>> /etc/ssh/ssh_config (on remote machine configured exactly the same):
>>> GSSAPIAuthentication yes and GSSAPIDelegateCredentials no
>>>
>>> Same error on Debian Lenny using Samba 3.2.5 and Debian Squeeze using
>>> Samba 3.3.3
>>>
>>> /etc/samba/smb.conf:
>>>
>>> [global]
>>>   workgroup = BYU
>>>   realm = BYU.LOCAL
>>>   preferred master = no
>>>   server string = %h server
>>>   dns proxy = no
>>>   debug level = 10
>>>   log file = /var/log/samba/log.%m
>>>   max log size = 1000
>>>   syslog = 0
>>>   panic action = /usr/share/samba/panic-action %d
>>>   security = ADS
>>>   encrypt passwords = true
>>>   passdb backend = tdbsam
>>>   obey pam restrictions = yes
>>>   invalid users = root
>>>   unix password sync = yes
>>>   passwd program = /usr/bin/passwd %u
>>>   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>   pam password change = yes
>>>   load printers = no
>>>   printing = bsd
>>>   printcap name = /dev/null
>>>   show add printer wizard = no
>>>   disable spoolss = yes
>>>   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>   allow trusted domains = No
>>>   idmap backend = idmap_rid:BYU=10000-100000000
>>>   idmap uid = 10000-100000000
>>>   idmap gid = 10000-100000000
>>>   winbind use default domain = yes
>>>   winbind separator = +
>>>   winbind enum groups = no
>>>   winbind enum users = no
>>>   winbind nested groups = yes
>>>   template homedir = /home/%U
>>>   template shell = /bin/bash
>>>   winbind refresh tickets = yes
>>>   get quota command = /root/sambaquota.sh
>>>
>>> [users]
>>>   comment = Life Sciences user share
>>>   browseable = yes
>>>   path = /ls/users
>>>   guest ok = no
>>>   read only = no
>>>   admin users = @lfsci-csr
>>>   create mask = 0770
>>>   directory mask = 0770
>>>   force user = %S
>>>   veto files = /.htaccess/ /.DAV/
>>>
>>> [groups]
>>>   comment = Life Sciences groups share
>>>   browseable = yes
>>>   path = /ls/groups
>>>   guest ok = no
>>>   read only = no
>>>   admin users = lfsci-csr
>>>   create mask = 0770
>>>   directory mask = 0770
>>>   veto files = /.htaccess/ /.DAV/
>>>   dos filemode = yes
>>>   posix locking = no
>>>
>>> relevant part of /var/log/samba/log.winbindd:
>>>
>>> [2009/05/06 09:22:31,  5] winbindd/winbindd_cm.c:cm_prepare_connection(852)
>>>   connecting to CAD1.byu.local from VI4DEBIAN with kerberos principal [VI4DEBIAN$@BYU.LOCAL] and realm [BYU.LOCAL]
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
>>>   Doing spnego session setup (blob length=124)
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 2 840 48018 1 2 2
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 2 840 113554 1 2 2
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 2 840 113554 1 2 2 3
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 3 6 1 4 1 311 2 2 10
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
>>>   got principal=not_defined_in_RFC4178@please_ignore
>>> [2009/05/06 09:22:31, 10] libads/kerberos.c:kerberos_kinit_password_ext(217)
>>>   kerberos_kinit_password: as VI4DEBIAN$@BYU.LOCAL using [MEMORY:cliconnect] as ccache and config [(null)]
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(899)
>>>   cli_session_setup_spnego: got a bad server principal, trying to guess ...
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(927)
>>>   cli_session_setup_spnego: guessed server principal=CAD1$@BYU
>>> [2009/05/06 09:22:31,  2] libsmb/cliconnect.c:cli_session_setup_kerberos(617)
>>>   Doing kerberos session setup
>>> [2009/05/06 09:22:31,  1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
>>>   ads_krb5_mk_req: krb5_get_credentials failed for CAD1$@BYU (Cannot resolve network address for KDC in requested realm)
>>> [2009/05/06 09:22:31,  1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
>>> [2009/05/06 09:22:31,  4] winbindd/winbindd_cm.c:cm_prepare_connection(864)
>>>   failed kerberos session setup with Cannot resolve network address for KDC in requested realm
>>> [2009/05/06 09:22:31,  5] winbindd/winbindd_cm.c:cm_prepare_connection(880)
>>>   connecting to CAD1.byu.local from VI4DEBIAN with username [BYU]\[VI4DEBIAN$]
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
>>>   Doing spnego session setup (blob length=124)
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 2 840 48018 1 2 2
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 2 840 113554 1 2 2
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 2 840 113554 1 2 2 3
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 3 6 1 4 1 311 2 2 10
>>> [2009/05/06 09:22:31,  3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
>>>   got principal=not_defined_in_RFC4178@please_ignore
>>>
>>> If you need more info, please let me know.
>>>
>>> Thanks,
>>>
>>> Robert LeBlanc
>>> Life Sciences Computer Support
>>> Brigham Young University
>>> leblanc at byu.edu
>>> (801)422-1882
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>
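
Every step in the thread above (the domain_realm block in krb5.conf, the FQDN-versus-short-name question, the "guessed server principal=CAD1$@BYU" followed by "Cannot resolve network address for KDC in requested realm") comes down to two things libkrb5 decides before it ever talks to a KDC: which realm a hostname belongs to, and how a KDC for that realm is located. The script below is an added example, not code from the thread or from Samba, that models those two decisions so you can see them offline. The hostnames and realm (cad1, byu.local, BYU.LOCAL) are taken from the thread; the krb5.conf text, the resolver search list and the set of SRV records "published by AD" are constructed here, and the TXT-record step of dns_lookup_realm is not modelled.

```python
"""Which realm and which service principal will a Kerberos client ask for?

Added example (not from the thread or from Samba). Models the MIT krb5
[domain_realm] lookup and the names derived from it: the host/ principal
an ssh client requests and the SRV names dns_lookup_kdc queries.
"""
import re

# Constructed krb5.conf in the shape of the one quoted in the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = BYU.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true

[domain_realm]
 .byu.local = BYU.LOCAL
 byu.local = BYU.LOCAL
"""

# Constructed: the SRV names an AD DNS zone for byu.local publishes.
AD_PUBLISHED_SRV = frozenset(
    "_kerberos._udp.byu.local _kerberos._tcp.byu.local "
    "_kpasswd._udp.byu.local _kpasswd._tcp.byu.local".split())


def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts; 'key = {' ... '}' groups
    (as in [realms] and [appdefaults]) become nested dicts."""
    root, stack, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = root.setdefault(m.group(1), {})
            stack = [section]
            continue
        if line == "}":
            stack.pop()
            continue
        if section is None or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return root


def domain_realm_candidates(host):
    """Keys libkrb5 tries in [domain_realm], in order: the exact host, then
    each parent domain with a leading dot (a.b.c -> a.b.c, .b.c, .c)."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]


def realm_for_host(host, conf):
    """Return (realm, rule). An unmapped name falls back to default_realm
    (libkrb5 would first try TXT _kerberos.<host> when dns_lookup_realm is on)."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    for cand in domain_realm_candidates(host):
        if cand in mapping:
            return mapping[cand], "domain_realm " + cand
    return conf.get("libdefaults", {}).get("default_realm"), "default_realm"


def canonicalize(host, search_domains=()):
    """Qualify a short name with the first resolver search domain (assumed to
    exist there); a name that already contains a dot is left alone."""
    if "." in host or not search_domains:
        return host.lower()
    return host.lower() + "." + search_domains[0].lower().strip(".")


def ssh_service_principal(host, conf, search_domains=()):
    """Principal an ssh client with GSSAPIAuthentication requests for `ssh host`.
    AD holds host/<fqdn>@REALM for the machine account, so an unqualified
    short name yields a principal no KDC knows about."""
    fqdn = canonicalize(host, search_domains)
    realm, rule = realm_for_host(fqdn, conf)
    return "host/%s@%s" % (fqdn, realm), rule


def kdc_dns_names(realm):
    """SRV names dns_lookup_kdc queries for a realm (AD publishes these)."""
    r = realm.lower()
    return ["_kerberos._udp." + r, "_kerberos._tcp." + r, "_kpasswd._udp." + r, "_kpasswd._tcp." + r]


def kdc_lookup_plan(realm, conf, published_srv=AD_PUBLISHED_SRV):
    """How libkrb5 locates a KDC for `realm`: a static [realms] kdc entry, DNS
    SRV records, or nothing at all, which is the thread's error message."""
    static = conf.get("realms", {}).get(realm, {})
    if isinstance(static, dict) and "kdc" in static:
        return "static", static["kdc"]
    if conf.get("libdefaults", {}).get("dns_lookup_kdc", "false").lower() == "true":
        hits = [n for n in kdc_dns_names(realm) if n in published_srv]
        if hits:
            return "dns", hits
    return "none", "Cannot resolve network address for KDC in requested realm"


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for host, search in (("cad1.byu.local", ()), ("cad1", ("byu.local",)), ("cad1", ())):
        principal, rule = ssh_service_principal(host, conf, search)
        print("ssh %-15s search=%-10s -> %-30s (%s)" % (host, ",".join(search) or "-", principal, rule))
    for realm in ("BYU.LOCAL", "BYU"):  # BYU is the realm Samba guessed in the log above
        print("KDC for %-10s -> %s" % (realm, kdc_lookup_plan(realm, conf)))
```

The same two questions are what you check on a real box: `klist -k` on /etc/krb5.keytab (populated by `net ads keytab create`, or automatically with `use kerberos keytab = yes`) must list host/<fqdn>@REALM for exactly the FQDN that the ssh client will derive, and `dig SRV _kerberos._tcp.<realm>` must answer from the resolver in /etc/resolv.conf. One caveat on the recommended ssh_config: `GSSAPIDelegateCredentials yes` forwards your TGT to every server you authenticate to with GSSAPI, so scope it to a `Host *.byu.local` stanza rather than enabling it globally.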

