[Samba] keytabs basics linux <=> AD ?

mathias dufresne infractory at gmail.com
Fri Jun 10 10:56:08 UTC 2016


Not sure, but it seems you have two realms: the Kerberos realm
PRIVATE.AAA.PRIVATE.DOM + the AD realm AAA.PRIVATE.DOM.

Client has default realm set to PRIVATE.AAA.PRIVATE.DOM, which is not your
AD's realm, and so you get:
gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may
provide more information: Server
cifs/swir.private.aaa.private.dom@PRIVATE.AAA.PRIVATE.DOM not found in
Kerberos

Just a lead, as I'm not a Kerberos expert and I'm not sure I have really
understood you (I'm not a foreign-language expert either :p)

Hoping this helps anyway,

mathias

2016-06-08 17:40 GMT+02:00 lejeczek <peljasz at yahoo.co.uk>:

> hi users
>
> a novice here hoping to grasp fundamentals soon
> I have Samba+SSSD as a client to an AD - I have all the keytabs for the
> host (I think), but I noticed weird (to me at least) smbclient behavior.
> When I do:
> $ smbclient -L swir -U me@AAA.PRIVATE.DOM -k
> all works, the client sees the local Samba's shares; when I do:
> $ smbclient -L swir.private.aaa.private.dom -U pe243@AAA.PRIVATE.DOM -k
> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may
> provide more information: Server
> cifs/swir.private.aaa.private.dom@PRIVATE.AAA.PRIVATE.DOM not found in
> Kerberos database]
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
> and to verify:
> $ klist -k /etc/krb5.swir.keytab -e
> Keytab name: FILE:/etc/krb5.swir.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    4 host/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (des-cbc-crc)
>    4 host/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (des-cbc-md5)
>    4 host/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (arcfour-hmac)
>    4 host/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (aes256-cts-hmac-sha1-96)
>    4 host/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (aes128-cts-hmac-sha1-96)
>    4 CIFS/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (des-cbc-crc)
>    4 CIFS/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (des-cbc-md5)
>    4 CIFS/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (arcfour-hmac)
>    4 CIFS/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (aes256-cts-hmac-sha1-96)
>    4 CIFS/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (aes128-cts-hmac-sha1-96)
>
> and the above keytab file Samba uses in its config, and that keytab was
> generated on AD DS.
> What you can notice when I smbclient with the FQDN (it's all one local host,
> smbclient is trying itself) is this:
>
> gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may
> provide more information: Server
> cifs/swir.private.aaa.private.dom@PRIVATE.AAA.PRIVATE.DOM not found in
> Kerberos
>
> @PRIVATE.AAA.PRIVATE.DOM # this part, I thought it should be the AD domain,
> like: @AAA.PRIVATE.DOM
>
> Why does smbclient use its own realm?
> I should also say that this Linux box is a client of two realms: first, it's a
> FreeIPA server that runs locally on this box, and second, its local Samba is
> a client of AD (win2k14).
> And my krb5.conf looks like this:
> --------------------------
> [libdefaults]
>  default_realm = PRIVATE.AAA.PRIVATE.DOM
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = yes
>  udp_preference_limit = 0
>  default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>  PRIVATE.AAA.PRIVATE.DOM = {
>   kdc = swir.private.aaa.private.dom:88
>   master_kdc = swir.private.aaa.private.dom:88
>   admin_server = swir.private.aaa.private.dom:749
>   default_domain = private.aaa.private.dom
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>  AAA.PRIVATE.DOM = {
>   kdc = win-srv.aaa.private.dom:88
>   domain_server = wins-rv1.aaa.private.dom:749
>   admin_server = win-srv1.private.aaa.private.dom
>  }
>
> [domain_realm]
>  .private.aaa.private.dom = PRIVATE.AAA.PRIVATE.DOM
>  private.aaa.private.dom = PRIVATE.AAA.PRIVATE.DOM
>
>  aaa.private.dom = AAA.PRIVATE.DOM
>  .aaa.private.dom = AAA.PRIVATE.DOM
> --------------------
> so PRIVATE.AAA.PRIVATE.DOM is my own local FreeIPA domain and AAA.PRIVATE.DOM
> is the AD domain.
> Also you can see DNS-wise it is like this:
> IPA server (Samba) is: swir.private.aaa.private.dom
> and AD with its server is: win-srv.aaa.private.dom
>
> There is something misconfigured and/or I am confusing fundamentals. What
> am I doing wrong?
> many thanks
> L.
>
>
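The error in the thread is the client side of this: smbclient builds the service principal cifs/<host>@<realm>, and libkrb5 picks <realm> from the [domain_realm] section of krb5.conf (exact hostname first, then successively shorter parent domains with a leading dot, then default_realm), not from the realm of the user it authenticates as. With the quoted config, swir.private.aaa.private.dom falls under .private.aaa.private.dom and therefore lands in the FreeIPA realm, so the TGS request goes to the IPA KDC, which has no such principal. The script below is an added example, not code from the thread or from Samba or MIT Kerberos; it models that lookup (DNS TXT lookup and KDC referrals, which the real library can also try, are left out), feeds it a copy of the thread's [domain_realm] and keytab listing (constructed from the post; the "at" obfuscation is undone), and then shows a hypothetical variant with an exact-host entry to illustrate how the resolved realm changes. The variant is only a demonstration of the mapping rules: such an entry would redirect every service principal of that host to AD, including host/, so whether it is acceptable alongside FreeIPA is not something this thread settles. The keytab check also reports case-only differences, because MIT keytab matching compares principal names exactly and the posted keytab lists CIFS/ in upper case while the client asks for cifs/; whether Samba's acceptor tolerates that is not shown here, so treat it as something to verify.

```python
"""Model of libkrb5's [domain_realm] realm selection, applied to the krb5.conf
and keytab quoted in the thread. Added example; not Samba or MIT krb5 code."""
import re

# Constructed from the krb5.conf quoted in the thread (only the flat sections
# this model needs; the nested [realms] blocks are not parsed).
KRB5_CONF = """
[libdefaults]
 default_realm = PRIVATE.AAA.PRIVATE.DOM
 dns_lookup_realm = true

[domain_realm]
 .private.aaa.private.dom = PRIVATE.AAA.PRIVATE.DOM
 private.aaa.private.dom = PRIVATE.AAA.PRIVATE.DOM

 aaa.private.dom = AAA.PRIVATE.DOM
 .aaa.private.dom = AAA.PRIVATE.DOM
"""

# Hypothetical variant: an exact-host entry overrides the parent-domain rule.
FIXED_CONF = KRB5_CONF.replace(
    "[domain_realm]", "[domain_realm]\n swir.private.aaa.private.dom = AAA.PRIVATE.DOM")

# Constructed from the `klist -k -e` listing in the thread (KVNO/enctype dropped).
KEYTAB_PRINCIPALS = [
    "host/swir.private.aaa.private.dom@AAA.PRIVATE.DOM",
    "CIFS/swir.private.aaa.private.dom@AAA.PRIVATE.DOM",
]


def parse_krb5_conf(text):
    """Return {section: {key: value}} for flat `key = value` lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def realm_for_host(hostname, conf):
    """[domain_realm] lookup as libkrb5 does it: exact hostname first, then each
    parent domain with a leading dot (most specific first). If nothing matches,
    this model goes straight to default_realm; the real library may consult DNS
    TXT records first when dns_lookup_realm is on. Returns (realm, matched key)."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], parent
    return conf["libdefaults"]["default_realm"], "default_realm"


def keytab_check(principal, keytab):
    """Exact match (case-sensitive, like MIT keytab lookup) and case-folded match,
    so a CIFS/ entry answering a cifs/ request is flagged rather than hidden."""
    exact = principal in keytab
    folded = any(p.lower() == principal.lower() for p in keytab)
    return exact, folded


def diagnose(service, hostname, conf, keytab=KEYTAB_PRINCIPALS):
    """Build the principal the client would ask for and compare it to the keytab."""
    realm, source = realm_for_host(hostname, conf)
    principal = f"{service}/{hostname}@{realm}"
    exact, folded = keytab_check(principal, keytab)
    return {"principal": principal, "realm_source": source,
            "in_keytab": exact, "in_keytab_case_insensitive": folded}


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for host in ("swir", "swir.private.aaa.private.dom"):
        print(host, "->", diagnose("cifs", host, conf))
    fixed = parse_krb5_conf(FIXED_CONF)
    print("with exact-host entry ->",
          diagnose("cifs", "swir.private.aaa.private.dom", fixed))
```

Run as-is, the first FQDN line reproduces the principal from the error message (cifs/swir.private.aaa.private.dom@PRIVATE.AAA.PRIVATE.DOM, chosen via the .private.aaa.private.dom entry), and the variant line shows the realm flipping to AAA.PRIVATE.DOM while the keytab still only matches case-insensitively because of the CIFS/ spelling. To check a real box instead of the embedded copies, paste the [libdefaults] and [domain_realm] sections of its krb5.conf into KRB5_CONF and the principal column of `klist -k -e` into KEYTAB_PRINCIPALS.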