[Samba] Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?
Douglas E. Engert
deengert at anl.gov
Thu Nov 5 09:09:42 MST 2009
Paul Sobey wrote:
> Good Morning,
>
> We have a network of Solaris 10 machines authenticating and doing name
> lookups via a Windows 2008 (SP2) domain using the Solaris ldap client
> and self/gssapi credentials. Each machine has a machine account that is
> prepared via a script with the following attributes:
>
> userAccountControl: 4263936 (WORKSTATION_TRUST_ACCOUNT |
> DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)
> msDS-SupportedEncryptionTypes: 23 (KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
> | KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_DES_CBC_MD5 |
> KERB_ENCTYPE_DES_CBC_CRC)
>
> We would like to install a new Samba file server and have it play nicely
> with this setup, using the system keytab, ideally taking a password from
> the keytab or being able to control the password used in the joining
> process.
>
> Is there a prescribed/supported way to have Samba 'fit in' to an
> existing setup like this?
This could be an issue with older Solaris systems supporting AES-128 but
not AES-256 because of policy.
http://docs.sun.com/app/docs/doc/816-4557/egric?a=view
says:
"In releases prior to Solaris 10 8/07 release, the aes256-cts-hmac-sha1-96
encryption type can be used with the Kerberos service if the unbundled Strong
Cryptographic packages are installed."
See:
http://www.sun.com/software/solaris/security.jsp
>
> We've tried running net ads join after the host keytab is created, and
> note that the KVNO on the computer account increases, the
> userAccountControl flag gets overwritten with DONT_REQ_PREAUTH (seems to
> be needed for Solaris kinit -k), and the resulting keytab is unusable by
> Solaris kinit:
>
> before net ads join:
>
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 18 host/fqdn at REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> 18 host/fqdn at REALM (ArcFour with HMAC/md5)
> 18 host/fqdn at REALM (DES cbc mode with RSA-MD5)
> 18 host/fqdn at REALM (DES cbc mode with CRC-32)
>
> kinit -k
>
> Default principal: host/fqdn at REALM
>
> Valid starting Expires Service principal
> 05/11/2009 11:46:16 05/11/2009 21:46:16 krbtgt/REALM at REALM
> renew until 12/11/2009 11:46:16, Etype(skey, tkt): AES-256 CTS
> mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>
>
> after net ads join (Samba added entries are KVNO 19)
>
> 18 host/fqdn at REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> 18 host/fqdn at REALM (ArcFour with HMAC/md5)
> 18 host/fqdn at REALM (DES cbc mode with RSA-MD5)
> 18 host/fqdn at REALM (DES cbc mode with CRC-32)
> 19 host/fqdn at REALM (DES cbc mode with CRC-32)
> 19 host/fqdn at REALM (DES cbc mode with RSA-MD5)
> 19 host/fqdn at REALM (ArcFour with HMAC/md5)
> 19 host/HOST at REALM (DES cbc mode with CRC-32)
> 19 host/HOST at REALM (DES cbc mode with RSA-MD5)
> 19 host/HOST at REALM (ArcFour with HMAC/md5)
> 19 HOST$@REALM (DES cbc mode with CRC-32)
> 19 HOST$@REALM (DES cbc mode with RSA-MD5)
> 19 HOST$@REALM (ArcFour with HMAC/md5)
>
> kinit -k
>
> kinit(v5): Clients credentials have been revoked while getting initial
> credentials
>
> after removal of kvno 18 tickets with ktutil:
>
> kinit(v5): Key table entry not found while getting initial credentials
>
>
> Should I just give up and use pam_winbind and nss_winbind, or is there a
> way to make this work? Also, is there a way to make net ads join request
> or write aes256 entries to the keytab? Our krb5.conf explicitly
> specifies this as a permitted enc type.
>
> Cheers,
> Paul
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
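The keytab listings quoted above show the situation in binary terms: the kvno-18 entries written by the site's own script carry an aes256 key, the kvno-19 entries added by net ads join do not, so once the KDC moves to kvno 19 a client whose permitted enctypes are restricted to aes256 has no key it can use. The following is an added example, not code from this thread, from Samba or from Solaris: a small reader for the MIT v2 keytab layout (magic 0x0502, big-endian lengths, negative entry size for a deleted slot, optional 32-bit kvno trailer) that lists entries the way klist -ke does and checks which enctypes are usable for a given principal and kvno. The realm "REALM", the principal names and all key bytes in sample_keytab() are placeholders constructed to mirror the post's listing.

```python
"""Inspect an MIT v2 keytab and check per-kvno enctype coverage.

Added example, not from the thread. Assumes the MIT keytab layout; the
sample keytab is constructed from the post's listing with dummy keys.
"""
import struct
from collections import defaultdict

# Enctype numbers as registered for Kerberos (RFC 3961 / MIT / AD).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
AES256, RC4, DES_MD5, DES_CRC = 18, 23, 3, 1
KEYLEN = {DES_CRC: 8, DES_MD5: 8, 17: 16, AES256: 32, RC4: 16}


def _counted(data):
    """keytab counted_octet_string: uint16 big-endian length + bytes."""
    return struct.pack(">H", len(data)) + data


def _read_string(buf, off):
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def build_entry(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialize one v2 entry; principal is 'host/fqdn' or 'HOST$'."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for comp in comps:
        body += _counted(comp.encode())
    body += struct.pack(">I", 1)             # name_type = KRB5_NT_PRINCIPAL
    body += struct.pack(">I", timestamp)
    body += struct.pack(">B", kvno & 0xFF)   # 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)          # 32-bit vno trailer
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(blob):
    """Yield (principal@REALM, kvno, enctype) for every live entry."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                          # deleted slot: skip its bytes
            pos += -size
            continue
        entry, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        realm, off = _read_string(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_string(entry, off)
            comps.append(comp)
        off += 8                              # name_type + timestamp
        kvno = entry[off]
        off += 1
        enctype, keylen = struct.unpack(">HH", entry[off:off + 4])
        off += 4 + keylen                     # skip key material
        if off + 4 <= len(entry):             # trailer present, use if non-zero
            (vno32,) = struct.unpack(">I", entry[off:off + 4])
            kvno = vno32 or kvno
        yield "/".join(comps) + "@" + realm, kvno, enctype


def enctypes_by_kvno(blob, principal):
    """{kvno: set(enctypes)} present in the keytab for one principal."""
    found = defaultdict(set)
    for name, kvno, etype in parse_keytab(blob):
        if name == principal:
            found[kvno].add(etype)
    return dict(found)


def usable_enctypes(blob, principal, kvno, permitted):
    """Keys at the kvno the KDC is on, intersected with permitted_enctypes.
    Empty means kinit -k has nothing to decrypt the AS reply with."""
    present = enctypes_by_kvno(blob, principal).get(kvno, set())
    return sorted(present & set(permitted))


def listing(blob):
    """klist -ke style lines, one per entry."""
    return ["%d %s (%s)" % (kvno, name, ENCTYPE_NAMES.get(et, str(et)))
            for name, kvno, et in parse_keytab(blob)]


def sample_keytab():
    """Constructed from the post: kvno 18 has aes256, kvno 19 does not."""
    entries = [("host/fqdn", "REALM", 18, et, b"\x18" * KEYLEN[et])
               for et in (AES256, RC4, DES_MD5, DES_CRC)]
    for princ in ("host/fqdn", "host/HOST", "HOST$"):
        entries += [(princ, "REALM", 19, et, b"\x19" * KEYLEN[et])
                    for et in (DES_CRC, DES_MD5, RC4)]
    return build_keytab(entries)


if __name__ == "__main__":
    kt = sample_keytab()
    print("\n".join(listing(kt)))
    for kvno in (18, 19):
        print("kvno %d, aes256-only client: %s"
              % (kvno, usable_enctypes(kt, "host/fqdn@REALM", kvno, [AES256])))
```

Pointed at a real file (`parse_keytab(open("/etc/krb5/krb5.keytab", "rb").read())`) the same functions show whether the kvno the domain controller is currently on has a key in an enctype the client is allowed to use; an empty result for the current kvno is the condition under which an aes256-only client cannot use the keytab at all.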