[Samba] keytabs basics linux <=> AD ?

lejeczek peljasz at yahoo.co.uk
Wed Jun 8 15:40:48 UTC 2016 

hi users

a novice here hoping to grasp fundamentals soon
I have a samba+sssd as a client to an AD - I have all the 
keytabs for a host(I think) but I noticed weird(to me at 
least) smbclient behavior.
when I do:
$ smbclient -L swir -U me at AAA.PRIVATE.DOM -k
all works, clients sees local samba's shares, when I do:
$ smbclient -L swir.private.aaa.private.dom -U 
pe243 at AAA.PRIVATE.DOM -k
gss_init_sec_context failed with [Unspecified GSS failure. 
Minor code may provide more information: Server 
cifs/swir.private.aaa.private.dom at PRIVATE.AAA.PRIVATE.DOM 
not found in Kerberos database]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: 
NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: 
NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

and to verify:
$ klist -k /etc/krb5.swir.keytab -e
Keytab name: FILE:/etc/krb5.swir.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
    4 host/swir.private.aaa.private.dom at AAA.PRIVATE.DOM 
(des-cbc-crc)
    4 host/swir.private.aaa.private.dom at AAA.PRIVATE.DOM 
(des-cbc-md5)
    4 host/swir.private.aaa.private.dom at AAA.PRIVATE.DOM 
(arcfour-hmac)
    4 host/swir.private.aaa.private.dom at AAA.PRIVATE.DOM 
(aes256-cts-hmac-sha1-96)
    4 host/swir.private.aaa.private.dom at AAA.PRIVATE.DOM 
(aes128-cts-hmac-sha1-96)
    4 CIFS/swir.private.aaa.private.dom at AAA.PRIVATE.DOM 
(des-cbc-crc)
    4 CIFS/swir.private.aaa.private.dom at AAA.PRIVATE.DOM 
(des-cbc-md5)
    4 CIFS/swir.private.aaa.private.dom at AAA.PRIVATE.DOM 
(arcfour-hmac)
    4 CIFS/swir.private.aaa.private.dom at AAA.PRIVATE.DOM 
(aes256-cts-hmac-sha1-96)
    4 CIFS/swir.private.aaa.private.dom at AAA.PRIVATE.DOM 
(aes128-cts-hmac-sha1-96)

and above keytab file samba uses in its config, and that 
keytab was generated on AD DS,
What you can notice when I smbclient with FQDN(it's all one 
local host, smbclient is trying itself) is this:

gss_init_sec_context failed with [Unspecified GSS failure.  
Minor code may provide more information: Server 
cifs/swir.private.aaa.private.dom at PRIVATE.AAA.PRIVATE.DOM 
not found in Kerberos

@PRIVATE.AAA.PRIVATE.DOM # this part, I thought it should be 
AD domain, like: @AAA.PRIVATE.DOM

why smbclient uses it's own realm?
I should also say that, this linux is a client of two 
realms: first it's a freeIPA server that runs locally on 
this box and second, its local samba is a client of AD(win2k14)
And my krb5.conf looks like this:
--------------------------
[libdefaults]
  default_realm = PRIVATE.AAA.PRIVATE.DOM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  PRIVATE.AAA.PRIVATE.DOM = {
   kdc = swir.private.aaa.private.dom:88
   master_kdc = swir.private.aaa.private.dom:88
   admin_server = swir.private.aaa.private.dom:749
   default_domain = private.aaa.private.dom
   pkinit_anchors = FILE:/etc/ipa/ca.crt
}
  AAA.PRIVATE.DOM = {
   kdc = win-srv.aaa.private.dom:88
   domain_server = wins-rv1.aaa.private.dom:749
   admin_server = win-srv1.private.aaa.private.dom
  }

[domain_realm]
  .private.aaa.private.dom = PRIVATE.AAA.PRIVATE.DOM
  private.aaa.private.dom = PRIVATE.AAA.PRIVATE.DOM

  aaa.private.dom = AAA.PRIVATE.DOM
  .aaa.private.dom = AAA.PRIVATE.DOM
--------------------
so PRIVATE.AAA.PRIVATE.DOM is own local freeIPA domain and 
AAA.PRIVATE.DOM is AD domain
Also you can see dns-wise it is like this:
IPA server(samba) is: swir.private.aaa.private.dom
and AD with it's server is: win-srv.aaa.private.dom

there is something mis-configured or/and I am confusing 
fundamentals. What am I doing wrong?
many thanks
L.

More information about the samba mailing list