[Samba] Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?

Douglas E. Engert deengert at anl.gov
Thu Nov 5 09:09:42 MST 2009



Paul Sobey wrote:
> Good Morning,
> 
> We have a network of Solaris 10 machines authenticating and doing name 
> lookups via a Windows 2008 (SP2) domain using the Solaris ldap client 
> and self/gssapi credentials. Each machine has a machine account that is 
> prepared via a script with the following attributes:
> 
> userAccountControl: 4263936 (WORKSTATION_TRUST_ACCOUNT | 
> DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)
> msDS-SupportedEncryptionTypes: 23 (KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 
> | KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_DES_CBC_MD5 | 
> KERB_ENCTYPE_DES_CBC_CRC)
> 
> We would like to install a new Samba file server and have it play nicely 
> with this setup, using the system keytab, ideally taking a password from 
> the keytab or being able to control the password used in the joining 
> process.
> 
> Is there a prescribed/supported way to have Samba 'fit in' to an 
> existing setup like this?

This could be an issue with older Solaris systems supporting AES-128 but
not AES-256 because of policy.

http://docs.sun.com/app/docs/doc/816-4557/egric?a=view

says:
  "In releases prior to Solaris 10 8/07 release, the aes256-cts-hmac-sha1-96
   encryption type can be used with the Kerberos service if the unbundled Strong
   Cryptographic packages are installed."

See:
http://www.sun.com/software/solaris/security.jsp

> 
> We've tried running net ads join after the host keytab is created, and 
> note that the KVNO on the computer account increases, the 
> userAccountControl flag gets overwritten with DONT_REQ_PREAUTH (seems to 
> be needed for Solaris kinit -k), and the resulting keytab is unusable by 
> Solaris kinit:
> 
> before net ads join:
> 
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   18 host/fqdn at REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>   18 host/fqdn at REALM (ArcFour with HMAC/md5)
>   18 host/fqdn at REALM (DES cbc mode with RSA-MD5)
>   18 host/fqdn at REALM (DES cbc mode with CRC-32)
> 
> kinit -k
> 
> Default principal: host/fqdn at REALM
> 
> Valid starting                  Expires                  Service principal
> 05/11/2009 11:46:16  05/11/2009 21:46:16 krbtgt/REALM at REALM
>         renew until 12/11/2009 11:46:16, Etype(skey, tkt): AES-256 CTS 
> mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
> 
> 
> after net ads join (Samba added entries are KVNO 19)
> 
>   18 host/fqdn at REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>   18 host/fqdn at REALM (ArcFour with HMAC/md5)
>   18 host/fqdn at REALM (DES cbc mode with RSA-MD5)
>   18 host/fqdn at REALM (DES cbc mode with CRC-32)
>   19 host/fqdn at REALM (DES cbc mode with CRC-32)
>   19 host/fqdn at REALM (DES cbc mode with RSA-MD5)
>   19 host/fqdn at REALM (ArcFour with HMAC/md5)
>   19 host/HOST at REALM (DES cbc mode with CRC-32)
>   19 host/HOST at REALM (DES cbc mode with RSA-MD5)
>   19 host/HOST at REALM (ArcFour with HMAC/md5)
>   19 HOST$@REALM (DES cbc mode with CRC-32)
>   19 HOST$@REALM (DES cbc mode with RSA-MD5)
>   19 HOST$@REALM (ArcFour with HMAC/md5)
> 
> kinit -k
> 
> kinit(v5): Clients credentials have been revoked while getting initial 
> credentials
> 
> after removal of kvno 18 tickets with ktutil:
> 
> kinit(v5): Key table entry not found while getting initial credentials
> 
> 
> Should I just give up and use pam_winbind and nss_winbind, or is there a 
> way to make this work? Also, is there a way to make net ads join request 
> or write aes256 entries to the keytab? Our krb5.conf explicitly 
> specifies this as a permitted enc type.
> 
> Cheers,
> Paul
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
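The keytab listings quoted above show the pattern behind Paul's two kinit errors: after the join the only current entries (KVNO 19) are DES and RC4, and the KVNO 18 entries that do carry AES-256 are stale. The following is an added example, not code from the thread or from Samba or Solaris, that parses `klist -k -e` style output and reports exactly that: the newest KVNO per principal, any stale KVNOs still present, and whether the required enctype exists at the newest KVNO. The sample listings are constructed to mirror the post (with the archive's "at" restored to "@"); the principal and enctype names are assumptions taken from the quoted output.

```python
import re
from collections import defaultdict

# Constructed sample: the "before net ads join" listing from the post.
KLIST_BEFORE_JOIN = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 host/fqdn@REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
  18 host/fqdn@REALM (ArcFour with HMAC/md5)
  18 host/fqdn@REALM (DES cbc mode with RSA-MD5)
  18 host/fqdn@REALM (DES cbc mode with CRC-32)
"""

# Constructed sample: the "after net ads join" listing from the post.
KLIST_AFTER_JOIN = KLIST_BEFORE_JOIN + """\
  19 host/fqdn@REALM (DES cbc mode with CRC-32)
  19 host/fqdn@REALM (DES cbc mode with RSA-MD5)
  19 host/fqdn@REALM (ArcFour with HMAC/md5)
  19 host/HOST@REALM (DES cbc mode with CRC-32)
  19 host/HOST@REALM (DES cbc mode with RSA-MD5)
  19 host/HOST@REALM (ArcFour with HMAC/md5)
  19 HOST$@REALM (DES cbc mode with CRC-32)
  19 HOST$@REALM (DES cbc mode with RSA-MD5)
  19 HOST$@REALM (ArcFour with HMAC/md5)
"""

AES256 = "AES-256 CTS mode with 96-bit SHA-1 HMAC"

# One keytab entry line: "<kvno> <principal> (<enctype>)"; header lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from klist -k -e output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit_keytab(text, principal, required_enctype=AES256):
    """Summarise the keytab state for one principal.

    current_kvno     highest KVNO present for the principal (what a fresh
                     AS-REQ will be answered against after the account key changed)
    stale_kvnos      older KVNOs still in the file; keys the KDC no longer accepts
    current_enctypes enctypes available at the current KVNO
    has_required     whether required_enctype is among them
    """
    by_kvno = defaultdict(set)
    for kvno, princ, enctype in parse_klist(text):
        if princ == principal:
            by_kvno[kvno].add(enctype)
    current = max(by_kvno) if by_kvno else None
    return {
        "current_kvno": current,
        "stale_kvnos": sorted(k for k in by_kvno if k != current),
        "current_enctypes": sorted(by_kvno[current]) if current is not None else [],
        "has_required": current is not None and required_enctype in by_kvno[current],
    }


if __name__ == "__main__":
    for label, listing in (("before", KLIST_BEFORE_JOIN), ("after", KLIST_AFTER_JOIN)):
        print(label, audit_keytab(listing, "host/fqdn@REALM"))
```

Run against the "after" listing the report gives current_kvno 19, stale_kvnos [18] and has_required False, which is the combination the post describes: a key version the KDC has moved past still in the file, and no AES-256 key at the version it now expects.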