[Samba] openindiana GSSAPI failure to samba 4.6.6

Greg Dickie greg at justaguy.ca
Tue Aug 1 21:03:16 UTC 2017


thanks ;-)

On Tue, Aug 1, 2017 at 6:05 AM, mathias dufresne <infractory at gmail.com>
wrote:

>
>
> 2017-07-31 17:41 GMT+02:00 Greg Dickie via samba <samba at lists.samba.org>:
>
>> Hey guys,
>>
>>  Thanks for the ideas. I made life easier for myself and just replaced the
>> SunOS (illumos) implementation with real samba. That works very well so
>> we're all good. Is it just me or is Kerberos complicated?
>>
>
> At first, no it is not you : )
> But after a while (and thanks to en.wikipedia.org) it can become quite
> clear and almost simple.
>
>
>>
>> Thanks,
>> Greg
>>
>> On Mon, Jul 31, 2017 at 8:25 AM, L.P.H. van Belle via samba <
>> samba at lists.samba.org> wrote:
>>
>> > Hai,
>> >
>> > You have 3 places to look where your keytab can be found.
>> >
>> > When kerberos method is set to "dedicated keytab" see the parameter.
>> >  dedicated keytab file = /where/your/krb5.keytab is configured.
>> >
>> > The system default keytab ( on my debian system ) /etc/krb5.keytab
>> > Yours might be in :  /etc/krb5/krb5.keytab
>> >
>> > The samba keytab if  "dedicated keytab file"  is not used.
>> > ( on my debian system )
>> > /var/lib/samba/private/secret.keytab
>> >
>> > And check them all
>> > klist -ke /var/lib/samba/private/secret.keytab
>> > klist -ke /etc/krb5/krb5.keytab
>> >
>> >
>> >
>> > Greetz,
>> >
>> > Louis
>> >
>> > > -----Original message-----
>> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> > > mathias dufresne via samba
>> > > Sent: Monday 31 July 2017 10:59
>> > > To: Greg Dickie
>> > > CC: samba
>> > > Subject: Re: [Samba] openindiana GSSAPI failure to samba 4.6.6
>> > >
>> > > 2017-07-28 15:20 GMT+02:00 Greg Dickie via samba
>> > > <samba at lists.samba.org>:
>> > >
>> > > > Hi,
>> > > >
>> > > >  We recently updated our AD servers to 4.6.6 and one of the things
>> > > > that stopped working was our zfs server running illumos. The idmap
>> > > > daemon is trying to bind to ldap using sasl/GSSAPI and is
>> > > failing with
>> > > >
>> > > > additional info: SASL(-1): generic failure: GSSAPI Error:
>> > > Unspecified
>> > > > GSS failure.  Minor code may provide more information (Client not
>> > > > found in Kerberos database)
>> > > >
>> > > > I think this is usually caused by DNS inconsistencies but everything
>> > > > looks fine and it was working before the upgrade.
>> > > >
>> > > > klist shows tickets
>> > > >
>> > >
>> > > I don't think this is relevant: from what I think I have
>> > > understood, Samba generates its own tickets somewhere but not
>> > > in /tmp, not available with klist.
>> > (Client not found in Kerberos database)
>> >
>> > >
>> > >
>> > > > and doing an ldapsearch on the command line using GSSAPI seems to
>> > > > work fine.
>> > > >
>> > >
>> > > That's a good point... unless you are using the same account and
>> > > keytab as Samba.
>> > >
>> > >
>> > > >
>> > > > Has anyone encountered this? Any idea how to debug?
>> > > >
>> > >
>> > > No.
>> > > But machine accounts have a password and this password is
>> > > supposed to change in MS AD. I'm not sure it is changing with
>> > > Samba AD but it could as Samba means to reproduce MS AD behavior.
>> > >
>> > > No idea about illumos, but the klist you mentioned and the
>> > > ldapsearch using the ticket from that klist have to be tested
>> > > using the very same account used by illumos and the same
>> > > keytab, if any.
>> > >
>> > > You could check that account to see if it was modified since the
>> > > update you mentioned (pwdLastSet, whenChanged).
>> > >
>> > > No idea if this could help, just a try...
>> > >
>> > >
>> > > >
>> > > > Thanks,
>> > > > Greg
>> > > >
>> > > > --
>> > > >
>> > > >
>> > > > Greg Dickie
>> > > > just a guy
>> > > > 514-983-5400
>> > > > --
>> > > > To unsubscribe from this list go to the following URL and read the
>> > > > instructions:  https://lists.samba.org/mailman/options/samba
>> > >
>> >
>> >
>> >
>>
>>
>>
>>
>
>


-- 


Greg Dickie
just a guy
514-983-5400
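As an added example (not code from the Samba project and not anything posted in this thread), here is the cross-check Louis describes, carried one step further: parse the `klist -ke` output of each candidate keytab and report the conditions that explain "Client not found in Kerberos database" or a key the DC no longer accepts: the machine principal missing from a keytab, a principal in a realm other than the AD realm, or a kvno that differs between the system keytab and Samba's own (the case mathias points at, where the machine account password changed and one copy of the key was never refreshed). The paths, realm, principal names and klist outputs are constructed sample data; the Samba keytab is spelled secrets.keytab in a stock install, and a "dedicated keytab file" would simply be a third entry in the dictionary.

```python
"""Cross-check the keytabs named in the thread against `klist -ke` output.

Added example; not Samba code and not anyone's posted code. All paths,
principals, realm and klist output below are constructed sample data.
"""
import re
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "kvno principal enctype")

# One entry line of MIT `klist -ke`, e.g.
#    3 host/zfs01.ad.example.com@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")


def parse_klist_ke(text):
    """Return KeytabEntry rows from `klist -ke` output; header/ruler lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_keytabs(outputs, expected_principal, realm):
    """outputs maps keytab path -> its `klist -ke` text.

    Returns a list of findings (strings). An empty list means every keytab
    holds expected_principal, every principal is in `realm`, and the kvno of
    expected_principal agrees across all keytabs.
    """
    findings = []
    kvno_by_path = {}
    for path, text in outputs.items():
        entries = parse_klist_ke(text)
        if not entries:
            findings.append(f"{path}: no entries (missing file or not a keytab)")
            continue
        # A principal outside the AD realm is one way to get
        # "Client not found in Kerberos database" back from the KDC.
        for e in entries:
            if not e.principal.endswith("@" + realm):
                findings.append(f"{path}: {e.principal} is not in realm {realm}")
        mine = [e for e in entries if e.principal == expected_principal]
        if not mine:
            findings.append(f"{path}: {expected_principal} not present")
            continue
        kvnos = {e.kvno for e in mine}
        if len(kvnos) > 1:
            findings.append(f"{path}: {expected_principal} has mixed kvnos {sorted(kvnos)}")
        kvno_by_path[path] = max(kvnos)
    # Different kvnos for the same principal mean one keytab still holds the
    # key from before the machine account password was changed.
    if len(set(kvno_by_path.values())) > 1:
        detail = ", ".join(f"{p} kvno {k}" for p, k in sorted(kvno_by_path.items()))
        findings.append(f"kvno differs between keytabs ({detail}); the lower one is stale")
    return findings


# Constructed sample output standing in for `klist -ke <path>` on the two
# files Louis lists (a dedicated keytab file, if configured, would be a third).
SAMPLE_OUTPUTS = {
    "/etc/krb5/krb5.keytab": """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zfs01.ad.example.com@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/zfs01.ad.example.com@AD.EXAMPLE.COM (arcfour-hmac)
   2 ZFS01$@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
""",
    "/var/lib/samba/private/secrets.keytab": """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/zfs01.ad.example.com@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 ZFS01$@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
""",
}


def main():
    findings = check_keytabs(SAMPLE_OUTPUTS, "ZFS01$@AD.EXAMPLE.COM", "AD.EXAMPLE.COM")
    for f in findings:
        print("FINDING:", f)
    if not findings:
        print("keytabs agree")


if __name__ == "__main__":
    main()
```

On a real host, replace SAMPLE_OUTPUTS with the text of `klist -ke` run against each path (and compare the winning kvno with what the DC reports for the machine account) so the stale copy, not the working one, is the one that gets re-provisioned.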

