[Samba] samba and kerberos tickets

Nico De Ranter nico at sonycom.com
Fri Aug 20 06:43:38 MDT 2010


Hi,

I'm running a mixed linux/Windows network with authentication done using
Active Directory.  The Linux clients use Samba/Winbind for
authentication (with help from the list, thanks!).  I've set up smb.conf
such that doing 'net ads join -Uadministrator' populates
my /etc/krb5.keytab (see configuration files below).

klist shows me a nice set of principals from /etc/krb5.keytab

klist -k /etc/krb5.keytab 
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ubuntu.sonytel.be at EDEN.SONYTEL.BE
   2 host/ubuntu.sonytel.be at EDEN.SONYTEL.BE
   2 host/ubuntu.sonytel.be at EDEN.SONYTEL.BE
   2 host/ubuntu at EDEN.SONYTEL.BE
   2 host/ubuntu at EDEN.SONYTEL.BE
   2 host/ubuntu at EDEN.SONYTEL.BE
   2 UBUNTU$@EDEN.SONYTEL.BE
   2 UBUNTU$@EDEN.SONYTEL.BE
   2 UBUNTU$@EDEN.SONYTEL.BE

If I look on the AD server using ADSI edit I see the following values in
the servicePrincipalName field for the client's Computer object:

HOST/UBUNTU
HOST/ubuntu.sonytel.be

However when I try to use any of the principals using 'kinit -k
principalname' I get:

kinit  host/ubuntu.sonytel.be at EDEN.SONYTEL.BE
kinit: Client not found in Kerberos database while getting initial
credentials

Why doesn't this work?

The reason why I'm asking is because I'm also trying to get NFSv4 with
kerberos going, however when I try to mount a remote filesystem I see
the following error messages and the mount gets a permission denied:

handling krb5 upcall
Full hostname for 'linux2-install.sonytel.be' is
'linux2-install.sonytel.be'
Full hostname for 'ubuntu.sonytel.be' is 'ubuntu.sonytel.be'
Key table entry not found while getting keytab entry for
'root/ubuntu.sonytel.be at EDEN.SONYTEL.BE'
Key table entry not found while getting keytab entry for
'nfs/ubuntu.sonytel.be at EDEN.SONYTEL.BE'
Success getting keytab entry for
'host/ubuntu.sonytel.be at EDEN.SONYTEL.BE'
WARNING: Client not found in Kerberos database while getting initial
ticket for principal 'host/ubuntu.sonytel.be at EDEN.SONYTEL.BE' using
keytab 'WRFILE:/etc/krb5.keytab'
ERROR: No credentials found for connection to server
linux2-install.sonytel.be
doing error downcall
destroying client clnt19

Any idea what might be wrong?

Nico

---------------------------------------------------------------------------



==== /etc/samba/smb.conf
[global]
   server string = %h server (Samba, Ubuntu)

   wide links = yes
   unix extensions = no
   server signing = mandatory
   security = ads
   workgroup = EDEN
   realm = EDEN.SONYTEL.BE
   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   pam password change = yes
   map to guest = bad user
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   idmap backend = ad
   idmap config EDEN:backend = ad
   idmap config EDEN:default = yes
   idmap config EDEN:schema_mode = rfc2307
   idmap config EDEN:range = 999-999999
   winbind nss info = rfc2307
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = yes
   winbind offline logon = true
   winbind refresh tickets = true
   usershare allow guests = no

==== /etc/krb5.conf
[libdefaults]
	default_realm = EDEN.SONYTEL.BE
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
	EDEN.SONYTEL.BE = {
		kdc = deus.eden.sonytel.be
		admin_server = deus.eden.sonytel.be
	}

[domain_realm]
	.eden.sonytel.be = EDEN.SONYTEL.BE
	eden.sonytel.be = EDEN.SONYTEL.BE
	.sonytel.be = EDEN.SONYTEL.BE
	sonytel.be = EDEN.SONYTEL.BE

[login]
	krb4_convert = true
	krb4_get_tickets = false


==== environment

Linux clients: Ubuntu 9.10 or 10.04 
running Samba 3.4.x
Windows server: 2008 R2


-- 
With kind regards

Nico De Ranter
Senior System Administrator
Techsoft Centre

Technology and Software Centre Europe
The Corporate Village - Da Vincilaan 7-D1 - B-1935 Zaventem - Belgium

Phone:    +32 (0)2 700 8641
Fax:          +32 (0)2 700 8622
E-mail:    nico.deranter at eu.sony.com

A division of Sony Europe (Belgium) N.V.
VAT BE 0413.825.160 - RPR Brussels
Fortis - BIC GEBABEBB - IBAN BE41293037680010
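The post's two symptoms are linked by what is and is not in the keytab. The rpc.gssd log shows the order in which it searches the keytab (root/, then nfs/, then host/ for the mount's hostname) before falling back to the host/ entry, and the kinit failure shows that AD does not treat an SPN such as host/ubuntu.sonytel.be as a client name: the computer account's own client principal is the UBUNTU$ entry. The following script, an added example and not part of the original post or of Samba, parses klist -k output and reports which of the principals gssd looks for are present, which machine-account principal the keytab holds, and whether stale key versions are mixed in. The sample listing is the one from the post, with the mailing-list archive's " at " obfuscation restored to "@" (an assumption about what klist actually printed); the function and constant names are the example's own.

```python
import re
import sys
from typing import Dict, List, Optional

# Constructed sample input: the klist -k listing quoted in the post, with "@"
# restored where the list archive printed " at " (assumption).
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ubuntu.sonytel.be@EDEN.SONYTEL.BE
   2 host/ubuntu.sonytel.be@EDEN.SONYTEL.BE
   2 host/ubuntu.sonytel.be@EDEN.SONYTEL.BE
   2 host/ubuntu@EDEN.SONYTEL.BE
   2 host/ubuntu@EDEN.SONYTEL.BE
   2 host/ubuntu@EDEN.SONYTEL.BE
   2 UBUNTU$@EDEN.SONYTEL.BE
   2 UBUNTU$@EDEN.SONYTEL.BE
   2 UBUNTU$@EDEN.SONYTEL.BE
"""

# One keytab entry per line: "<kvno> <principal>". Header, separator and
# "Keytab name:" lines do not start with a number and are skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

# Service names rpc.gssd tried, in the order shown in the post's log.
GSSD_SERVICES = ("root", "nfs", "host")


def parse_klist(output: str) -> Dict[str, List[int]]:
    """Map each principal to the sorted, de-duplicated list of KVNOs it has.

    klist prints one line per (principal, kvno, enctype) and omits the enctype
    unless -e is given, which is why the sample shows each principal three
    times: those are three encryption types of the same key version.
    """
    found: Dict[str, set] = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        found.setdefault(principal, set()).add(kvno)
    return {p: sorted(v) for p, v in found.items()}


def gssd_candidates(fqdn: str, realm: str) -> List[str]:
    """Principals rpc.gssd searches for, for a given host and realm."""
    return [f"{svc}/{fqdn}@{realm}" for svc in GSSD_SERVICES]


def check_gssd_principals(output: str, fqdn: str, realm: str) -> Dict[str, bool]:
    """Report presence of each gssd candidate principal in the keytab."""
    keytab = parse_klist(output)
    return {p: p in keytab for p in gssd_candidates(fqdn, realm)}


def machine_account_principal(output: str, realm: str) -> Optional[str]:
    """Return the computer-account principal (NAME$@REALM) if present.

    This is the entry an AS-REQ (kinit -k) can use against AD; host/... entries
    are SPNs registered on that account, not client names of their own.
    """
    for principal in parse_klist(output):
        local, _, prealm = principal.partition("@")
        if local.endswith("$") and prealm == realm:
            return principal
    return None


def stale_kvno_principals(output: str) -> List[str]:
    """Principals carrying more than one key version (old keys left behind)."""
    return sorted(p for p, kvnos in parse_klist(output).items() if len(kvnos) > 1)


if __name__ == "__main__":
    # Usage: klist -k /etc/krb5.keytab | python3 keytab_check.py FQDN REALM
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    host, realm = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else (
        "ubuntu.sonytel.be", "EDEN.SONYTEL.BE")
    for principal, present in check_gssd_principals(text, host, realm).items():
        print(f"{'present' if present else 'MISSING'}  {principal}")
    print("machine account:", machine_account_principal(text, realm))
    print("mixed key versions:", stale_kvno_principals(text) or "none")
```

Run against the sample, the report says root/ and nfs/ are missing and only host/ is present, which matches the upcall log in the post. In Samba 3.x the nfs/ SPN and keytab entry can be added with `net ads keytab add nfs` on the joined client; whether a given rpc.gssd version can then obtain a ticket with it is something to verify against the gssd log rather than assume.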