[Samba] Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?

Paul Sobey buddha at the-annexe.net
Thu Nov 5 05:04:14 MST 2009


Good Morning,

We have a network of Solaris 10 machines authenticating and doing name 
lookups via a Windows 2008 (SP2) domain using the Solaris ldap client and 
self/gssapi credentials. Each machine has a machine account that is 
prepared via a script with the following attributes:

userAccountControl: 4263936 (WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)
msDS-SupportedEncryptionTypes: 23 (KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 | KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_DES_CBC_MD5 | KERB_ENCTYPE_DES_CBC_CRC)

We would like to install a new Samba file server and have it play nicely 
with this setup, using the system keytab, ideally taking a password from 
the keytab or being able to control the password used in the joining 
process.

Is there a prescribed/supported way to have Samba 'fit in' to an existing 
setup like this?

We've tried running net ads join after the host keytab is created, and 
note that the KVNO on the computer account increases, the 
userAccountControl flag gets overwritten with DONT_REQ_PREAUTH (seems to 
be needed for Solaris kinit -k), and the resulting keytab is unusable by 
Solaris kinit:

before net ads join:

Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   18 host/fqdn at REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   18 host/fqdn at REALM (ArcFour with HMAC/md5)
   18 host/fqdn at REALM (DES cbc mode with RSA-MD5)
   18 host/fqdn at REALM (DES cbc mode with CRC-32)

kinit -k

Default principal: host/fqdn at REALM

Valid starting                  Expires                  Service principal
05/11/2009 11:46:16  05/11/2009 21:46:16  krbtgt/REALM at REALM
         renew until 12/11/2009 11:46:16, Etype(skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC


after net ads join (Samba added entries are KVNO 19)

   18 host/fqdn at REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   18 host/fqdn at REALM (ArcFour with HMAC/md5)
   18 host/fqdn at REALM (DES cbc mode with RSA-MD5)
   18 host/fqdn at REALM (DES cbc mode with CRC-32)
   19 host/fqdn at REALM (DES cbc mode with CRC-32)
   19 host/fqdn at REALM (DES cbc mode with RSA-MD5)
   19 host/fqdn at REALM (ArcFour with HMAC/md5)
   19 host/HOST at REALM (DES cbc mode with CRC-32)
   19 host/HOST at REALM (DES cbc mode with RSA-MD5)
   19 host/HOST at REALM (ArcFour with HMAC/md5)
   19 HOST$@REALM (DES cbc mode with CRC-32)
   19 HOST$@REALM (DES cbc mode with RSA-MD5)
   19 HOST$@REALM (ArcFour with HMAC/md5)

kinit -k

kinit(v5): Clients credentials have been revoked while getting initial 
credentials

after removal of kvno 18 tickets with ktutil:

kinit(v5): Key table entry not found while getting initial credentials


Should I just give up and use pam_winbind and nss_winbind, or is there a 
way to make this work? Also, is there a way to make net ads join request 
or write aes256 entries to the keytab? Our krb5.conf explicitly specifies 
this as a permitted enc type.

Cheers,
Paul
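The two attribute values and the before/after keytab listings in the mail are the whole diagnostic, so here is a small helper that decodes them: it expands userAccountControl and msDS-SupportedEncryptionTypes into flag names, parses a `klist -k -e` style listing, and reports, per KVNO, which enctypes the account advertises but the keytab does not hold. This is an added example written for this page, not code from the mail or from Samba or Solaris; the klist text below is a constructed transcript in the same format as the post's, the flag tables are the documented MS-ADTS/MS-KILE bit values (only the bits needed here are listed), and the mapping from klist's human-readable enctype strings to flag names is an assumption about how this particular klist prints them.

```python
"""Decode AD machine-account attributes and check a keytab listing for missing
enctypes per KVNO. Added example, not part of the original mail or Samba."""
import re

# userAccountControl bits (MS-ADTS UF_* values); partial table, only what we need
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00400000: "DONT_REQ_PREAUTH",
}
# msDS-SupportedEncryptionTypes bits (MS-KILE)
ENCTYPE_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}


def decode_bits(value, table):
    """Names of the set bits in value, lowest bit first; leftover bits as UNKNOWN_0x.."""
    names = []
    for bit in sorted(table):
        if value & bit:
            names.append(table[bit])
            value &= ~bit
    if value:
        names.append(f"UNKNOWN_0x{value:x}")
    return names


# Assumed mapping from klist's printed enctype text to the flag names above
KLIST_ENCTYPE_NAMES = {
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "AES256_CTS_HMAC_SHA1_96",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "AES128_CTS_HMAC_SHA1_96",
    "ArcFour with HMAC/md5": "RC4_HMAC_MD5",
    "DES cbc mode with RSA-MD5": "DES_CBC_MD5",
    "DES cbc mode with CRC-32": "DES_CBC_CRC",
}

# "  <kvno> <principal> (<enctype text>)"; header and separator lines do not match
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_klist_keytab(text):
    """Parse klist -k -e output into {kvno: {principal: set(enctype flag names)}}."""
    out = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if not m:
            continue
        kvno, principal, enc = int(m.group(1)), m.group(2), m.group(3)
        name = KLIST_ENCTYPE_NAMES.get(enc, enc)  # unknown strings pass through
        out.setdefault(kvno, {}).setdefault(principal, set()).add(name)
    return out


def missing_enctypes(keytab, principal, supported_value):
    """For every KVNO that carries `principal`, list the enctypes the account
    advertises in msDS-SupportedEncryptionTypes but the keytab lacks there."""
    wanted = set(decode_bits(supported_value, ENCTYPE_FLAGS))
    return {kvno: sorted(wanted - entries[principal])
            for kvno, entries in sorted(keytab.items())
            if principal in entries}


# Constructed listing in the post's format: old KVNO 18 keys plus post-join KVNO 19 keys
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   18 host/fqdn@REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   18 host/fqdn@REALM (ArcFour with HMAC/md5)
   18 host/fqdn@REALM (DES cbc mode with RSA-MD5)
   18 host/fqdn@REALM (DES cbc mode with CRC-32)
   19 host/fqdn@REALM (DES cbc mode with CRC-32)
   19 host/fqdn@REALM (DES cbc mode with RSA-MD5)
   19 host/fqdn@REALM (ArcFour with HMAC/md5)
   19 HOST$@REALM (DES cbc mode with CRC-32)
"""

if __name__ == "__main__":
    print("userAccountControl:", decode_bits(4263936, UAC_FLAGS))
    print("msDS-SupportedEncryptionTypes:", decode_bits(23, ENCTYPE_FLAGS))
    kt = parse_klist_keytab(SAMPLE_KLIST)
    print("missing per KVNO:", missing_enctypes(kt, "host/fqdn@REALM", 23))
```

Run against the listing above it reports nothing missing at KVNO 18 and AES256 missing at KVNO 19, which is the state the mail describes after `net ads join`: the account still advertises AES256 (bit 0x10 of 23) but the only keys present at the current KVNO are DES and RC4, so a client that negotiates AES will not find a matching key.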


