[Samba] Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?
Paul Sobey
buddha at the-annexe.net
Thu Nov 5 05:04:14 MST 2009
Good Morning,
We have a network of Solaris 10 machines authenticating and doing name
lookups via a Windows 2008 (SP2) domain using the Solaris ldap client and
self/gssapi credentials. Each machine has a machine account that is
prepared via a script with the following attributes:
userAccountControl: 4263936 (WORKSTATION_TRUST_ACCOUNT |
DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)
msDS-SupportedEncryptionTypes: 23 (KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 |
KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_DES_CBC_MD5 |
KERB_ENCTYPE_DES_CBC_CRC)
We would like to install a new Samba file server and have it play nicely
with this setup, using the system keytab, ideally taking a password from
the keytab or being able to control the password used in the joining
process.
Is there a prescribed/supported way to have Samba 'fit in' to an existing
setup like this?
We've tried running net ads join after the host keytab is created, and
note that the KVNO on the computer account increases, the
userAccountControl flag gets overwritten with DONT_REQ_PREAUTH (seems to
be needed for Solaris kinit -k), and the resulting keytab is unusable by
Solaris kinit:
before net ads join:
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
18 host/fqdn at REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC) HMAC/md5)
18 host/fqdn at REALM (ArcFour with HMAC/md5)
18 host/fqdn at REALM (DES cbc mode with RSA-MD5)
18 host/fqdn at REALM (DES cbc mode with CRC-32)
kinit -k
Default principal: host/fqdn at REALM
Valid starting Expires Service principal
05/11/2009 11:46:16 05/11/2009 21:46:16
krbtgt/REALM at REALM
renew until 12/11/2009 11:46:16, Etype(skey, tkt): AES-256 CTS
mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
after net ads join (Samba added entries are KVNO 19)
18 host/fqdn at REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
18 host/fqdn at REALM (ArcFour with HMAC/md5)
18 host/fqdn at REALM (DES cbc mode with RSA-MD5)
18 host/fqdn at REALM (DES cbc mode with CRC-32)
19 host/fqdn at REALM (DES cbc mode with CRC-32)
19 host/fqdn at REALM (DES cbc mode with RSA-MD5)
19 host/fqdn at REALM (ArcFour with HMAC/md5)
19 host/HOST at REALM (DES cbc mode with CRC-32)
19 host/HOST at REALM (DES cbc mode with RSA-MD5)
19 host/HOST at REALM (ArcFour with HMAC/md5)
19 HOST$@REALM (DES cbc mode with CRC-32)
19 HOST$@REALM (DES cbc mode with RSA-MD5)
19 HOST$@REALM (ArcFour with HMAC/md5)
kinit -k
kinit(v5): Clients credentials have been revoked while getting initial
credentials
after removal of kvno 18 tickets with ktutil:
kinit(v5): Key table entry not found while getting initial credentials
Should I just give up and use pam_winbind and nss_winbind, or is there a
way to make this work? Also, is there a way to make net ads join request
or write aes256 entries to the keytab? Our krb5.conf explicitly specifies
this as a permitted enc type.
Cheers,
Paul
More information about the samba
mailing list