Wrong krb alias.  Resending ...

Natalie Li wrote:
> Solaris Kerberos team,
>
> Why are we seeing the following message when running kinit to acquire 
> a TGT ticket for the Administrator?
>
> kinit(v5):  no ktkt_warnd warning possible
>
> Any idea as to why kinit would fail for the host service after a 
> successful domain join?
>
> fw02-2009Q2# kinit -kV host/fw02-2009Q2.fishworks.com
> kinit(v5): Preauthentication failed while getting initial credentials
>
> Malcolm, could you please rejoin your system to see if the problem 
> goes away?
>
> Thanks,
>
> Natalie
>
> Malcolm Gibbs wrote:
>> Thanks Natalie,
>>
>> Here is the output from those commands:
>>
>> fw02-2009Q2# idmap show -cv malcolm@fishworks.com
>> winname:malcolm@fishworks.com -> uid:60001
>> Error:  No AD servers
>>
>> fw02-2009Q2# kinit Administrator
>> Password for Administrator@FISHWORKS.COM:
>> kinit(v5):  no ktkt_warnd warning possible
>>
>> fw02-2009Q2# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator@FISHWORKS.COM
>>
>> Valid starting     Expires            Service principal
>> 06/16/09 21:36:04  06/17/09 07:36:08  krbtgt/FISHWORKS.COM@FISHWORKS.COM
>>         renew until 06/23/09 21:36:04
>>
>> fw02-2009Q2# idmap show -cv malcolm@fishworks.com
>> winname:malcolm@fishworks.com -> uid:60001
>> Error:  No AD servers
>>
>> fw02-2009Q2# idmap show -cv administrator@fishworks.com
>> winname:administrator@fishworks.com -> uid:60001
>> Error:  No AD servers
>>
>>
>> Thanks
>> Malcolm
>>
>>
>>
>> From: Natalie.Li@Sun.COM [mailto:Natalie.Li@Sun.COM]
>> Sent: Wednesday, 17 June 2009 3:25 AM
>> To: Malcolm Gibbs
>> Subject: Re: [cifs-discuss] SS7000 CIFS User unknown or invalid user
>>
>> What is the output from:
>>
>> kinit Administrator
>> klist
>>
>> Natalie
>>
>> Malcolm Gibbs wrote:
>> Hi Natalie,
>>
>> Attached is the output from cifs-gendiag. Note this is the SS7000
>> Appliance Kit running under Virtual Box. Note I get this working
>> perfectly using OpenSolaris 2009.06 against the same Windows 2008 AD
>> server.
>>
>> Here is the other output
>> fw02-2009Q2# klist /var/run/idmap/ccache
>> klist: No credentials cache file found (ticket cache
>> FILE:/var/run/idmap/ccache)
>>
>>
>> fw02-2009Q2# klist -ke
>> Keytab name: FILE:/var/krb5/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>    2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>>    2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
>>    2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with CRC-32)
>>    2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with RSA-MD5)
>>    2 nfs/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>    2 nfs/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>>    2 nfs/fw02-2009Q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
>>    2 nfs/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with CRC-32)
>>    2 nfs/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with RSA-MD5)
>>    2 HTTP/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>    2 HTTP/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>>    2 HTTP/fw02-2009Q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
>>    2 HTTP/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with CRC-32)
>>    2 HTTP/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with RSA-MD5)
>>    2 root/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>    2 root/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>>    2 root/fw02-2009Q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
>>    2 root/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with CRC-32)
>>    2 root/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with RSA-MD5)
>>
>>
>> fw02-2009Q2# kinit -kV host/fw02-2009Q2.fishworks.com
>> kinit(v5): Preauthentication failed while getting initial credentials
>>
>> Thanks for any help
>> Malcolm
>>
>>
>> -----Original Message-----
>> From: Natalie.Li@Sun.COM [mailto:Natalie.Li@Sun.COM]
>> Sent: Tuesday, 16 June 2009 7:12 AM
>> To: Malcolm Gibbs
>> Cc: cifs-discuss@opensolaris.org
>> Subject: Re: [cifs-discuss] SS7000 CIFS User unknown or invalid user
>>
>> It would be useful if you could provide the output from:
>>
>> http://opensolaris.org/os/project/cifs-server/files/cifs-gendiag
>>
>>   fw02-2009Q2# klist -5
>>   klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
>>
>> What's "-5"?
>> If you want to see the idmap ccache, you should run `klist /var/run/idmap/ccache`.
>>
>> Let's verify your Kerberos setup on your Solaris system. Please run 
>> the following commands:
>>
>> (1) klist
>> bash-3.2# klist -ke
>> Keytab name: FILE:/etc/krb5/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>> 6 HOST/pb-49.w2k3r2.com@W2K3R2.COM (ArcFour with HMAC/md5)
>> 6 HOST/pb-49.w2k3r2.com@W2K3R2.COM (DES cbc mode with CRC-32)
>> 6 HOST/pb-49.w2k3r2.com@W2K3R2.COM (DES cbc mode with RSA-MD5)
>> 6 host/pb-49.w2k3r2.com@W2K3R2.COM (ArcFour with HMAC/md5)
>> 6 host/pb-49.w2k3r2.com@W2K3R2.COM (DES cbc mode with CRC-32)
>> 6 host/pb-49.w2k3r2.com@W2K3R2.COM (DES cbc mode with RSA-MD5)
>> 6 nfs/pb-49.w2k3r2.com@W2K3R2.COM (ArcFour with HMAC/md5)
>> 6 nfs/pb-49.w2k3r2.com@W2K3R2.COM (DES cbc mode with CRC-32)
>> 6 nfs/pb-49.w2k3r2.com@W2K3R2.COM (DES cbc mode with RSA-MD5)
>> 6 HTTP/pb-49.w2k3r2.com@W2K3R2.COM (ArcFour with HMAC/md5)
>> 6 HTTP/pb-49.w2k3r2.com@W2K3R2.COM (DES cbc mode with CRC-32)
>> 6 HTTP/pb-49.w2k3r2.com@W2K3R2.COM (DES cbc mode with RSA-MD5)
>> 6 root/pb-49.w2k3r2.com@W2K3R2.COM (ArcFour with HMAC/md5)
>> 6 root/pb-49.w2k3r2.com@W2K3R2.COM (DES cbc mode with CRC-32)
>> 6 root/pb-49.w2k3r2.com@W2K3R2.COM (DES cbc mode with RSA-MD5)
>> 6 cifs/pb-49.w2k3r2.com@W2K3R2.COM (ArcFour with HMAC/md5)
>> 6 cifs/pb-49.w2k3r2.com@W2K3R2.COM (DES cbc mode with CRC-32)
>> 6 cifs/pb-49.w2k3r2.com@W2K3R2.COM (DES cbc mode with RSA-MD5)
>>
>> (2) kinit -k HOST/<hostname.fqdn> something like:
>>
>> bash-3.2# kinit -k HOST/pb-49.w2k3r2.com
>> bash-3.2# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: HOST/pb-49.w2k3r2.com@W2K3R2.COM
>>
>> Valid starting     Expires            Service principal
>> 06/08/09 17:22:35  06/09/09 03:24:47  krbtgt/W2K3R2.COM@W2K3R2.COM
>>         renew until 06/15/09 17:22:35
>>
>> Regards,
>>
>> Natalie
>>
>> Malcolm Gibbs wrote:
>>   Hi,
>>
>> I am having great fun with the SS7000 Simulator and CIFS but need some
>> help.
>>
>> I have the recent release of the SS7000 simulator running
>> 2009.04.10.0.0,1-1.2 setup with a Windows Server 2008 running Active 
>> Directory (with the prereq SS7000
>> Hotfix installed).
>>
>> I successfully join the AD domain but when I go to create SS7000 CIFS
>> file-systems and enter AD users and groups in the Root Directory Access
>> ACL fields I get the error "User: Unknown or invalid user", when the
>> user or group does indeed exist (for example "malcolm@fishworks.com")
>>
>> Now I am presuming the CIFS idmap service is key to these lookups (NOTE
>> that I have not set up any mapping rules, I am simply using the default
>> Ephemeral ID mapping)
>>
>> Dropping into the SS7000 "shell" I can see the following errors
>> happening when I start the idmap service
>>
>> Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 702911 auth.notice] GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Preauthentication failed)
>> Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 706612 daemon.info] LDAP SASL bind to win2008-01.fishworks.com:389 failed (Local error)
>> Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 692716 daemon.debug] unable to discover Forest Name
>> Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 966149 daemon.debug] unable to discover Site Name
>> Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 520885 daemon.debug] unable to discover Global Catalog
>> Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 638774 daemon.debug] unable to discover Domains in the Forest
>> Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 767837 daemon.debug] unable to discover Trusted Domains
>>
>> Note the contents of the SS7000 krb5 setup but the ticket cache is
>> empty, like it has not done the pre-authentication
>> fw02-2009Q2# cat /etc/krb5/krb5.conf
>> #
>> # Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
>> # Use is subject to license terms.
>> #
>>
>> [libdefaults]
>>         default_realm = FISHWORKS.COM
>>
>> [realms]
>>         FISHWORKS.COM = {
>>                 kdc = win2008-01
>>                 kpasswd_server = win2008-01
>>                 kpasswd_protocol = SET_CHANGE
>>         }
>>
>> [domain_realm]
>>         .fishworks.com = FISHWORKS.COM
>>         fishworks.com = FISHWORKS.COM
>>
>> fw02-2009Q2# klist -5
>> klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
>>
>> This shows the idmap cache is empty
>> fw02-2009Q2# idmap dump -nv
>>
>> This idmap command should force idmap to query the AD domain
>> fishworks.com and perform a temporary mapping but errors out
>> fw02-2009Q2# idmap show -cv malcolm@fishworks.com
>> winname:malcolm@fishworks.com -> uid:60001
>> Error: No AD servers
>>
>> This shows I have joined a domain
>> fw02-2009Q2# smbadm list
>> [*] [FISHWORKS]
>> [*] [fishworks.com]
>>        [+win2008-01.fishworks.com] [192.168.56.20]
>> [*] [FISHWORKS] [S-1-5-21-424206279-106027690-574836047]
>> [.] [FW02-2009Q2] [S-1-5-21-1009684547-3152003461-3128221115]
>>
>> Same again different users
>> fw02-2009Q2# idmap show -cv bob@fishworks.com
>> winname:bob@fishworks.com -> uid:60001
>> Error: No AD servers
>> fw02-2009Q2# idmap show -cv administrator@fishworks.com
>> winname:administrator@fishworks.com -> uid:60001
>> Error: No AD servers
>>
>> This is specifically using the Windows SID for Malcolm@fishworks.com
>> fw02-2009Q2# idmap show -cv usid:S-1-5-21-424206279-106027690-574836047-1104
>> Error: No AD servers
>>
>> This is the idmap cache after I map a share from a Windows machine using
>> Malcolm@fishworks.com, note that it creates the temporary mapping but
>> does recognise it as Malcolm@fishworks.com
>> fw02-2009Q2# idmap dump -nv
>> usid:S-1-5-21-424206279-106027690-574836047-1104 == uid:2147581953
>> Method: Ephemeral
>> usid:S-1-5-21-424206279-106027690-574836047-513  == gid:2147581954
>> Method: Ephemeral
>> wingroup:Authenticated Users                     == gid:2147581955
>> Method: Ephemeral
>> wingroup:Network                                 == gid:2147581956
>> Method: Ephemeral
>>
>> Any clues why this is broken?
>>
>> Thanks
>> Malcolm
>>
>> _______________________________________________
>> cifs-discuss mailing list
>> cifs-discuss@opensolaris.org
>> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
>
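The verification steps Natalie lays out (klist -ke to inspect the host keytab, then kinit -k against a host principal) and the kinit messages Malcolm reports can be checked mechanically. The following is an added example and is not code from the thread or from the Solaris CIFS project: it parses klist -ke output as printed above (re-joining entries a mail client wrapped), reports which service principals from Natalie's reference listing are absent from a keytab and whether any principal carries more than one KVNO, and maps the kinit(v5) messages seen in the thread to their usual meaning. The sample listing is constructed from Malcolm's output and trimmed to a few entries; the list of services treated as required and the hint texts are my assumptions, not something the thread states.

```python
"""Checks over `klist -ke` and `kinit` output, as an added example for this thread.

Assumptions (not from the thread): the set of service names treated as required,
and the hint attached to each kinit message, are the author's own choices.
"""
import re
from collections import defaultdict

# One keytab entry as printed by `klist -ke`: "<kvno> <principal> (<enctype>)".
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$")

# Constructed sample, trimmed from Malcolm's listing; the first entry is
# wrapped the way his mail client wrapped it.
SAMPLE_KLIST_KE = """\
Keytab name: FILE:/var/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-256 CTS mode with
96-bit SHA-1 HMAC)
   2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
   2 nfs/fw02-2009Q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
   2 HTTP/fw02-2009Q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
   2 root/fw02-2009Q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
"""

# Service names present in Natalie's reference keytab (assumption: all required).
REFERENCE_SERVICES = ["HOST", "host", "nfs", "HTTP", "root", "cifs"]

# kinit(v5) messages from the thread and what each usually indicates (author's wording).
KINIT_HINTS = [
    ("Preauthentication failed",
     "the key presented (keytab entry with -k, or the typed password) does not match "
     "the KDC's key for that principal; for a host keytab this usually means a stale "
     "key from an earlier join, so re-joining the domain rewrites the keytab"),
    ("no ktkt_warnd warning possible",
     "informational only: kinit could not reach ktkt_warnd to schedule an expiry "
     "warning; the TGT may still have been issued, so confirm with klist"),
    ("No credentials cache file found",
     "no ticket has been obtained into that cache yet, or a different cache path is in use"),
]


def parse_klist_ke(text):
    """Return (kvno, principal, enctype) tuples from `klist -ke` output.

    Header lines are skipped.  An enctype that was wrapped onto a second
    line inside its parentheses is re-joined before matching.
    """
    joined = re.sub(r"\(([^)]*)\n\s*([^)]*)\)", r"(\1 \2)", text)
    entries = []
    for line in joined.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_keytab(entries, realm, host_fqdn, required_services=REFERENCE_SERVICES):
    """Report missing service principals and principals whose entries disagree on KVNO."""
    present = {principal for _, principal, _ in entries}
    expected = [f"{svc}/{host_fqdn}@{realm}" for svc in required_services]
    missing = [p for p in expected if p not in present]
    kvnos = defaultdict(set)
    for kvno, principal, _ in entries:
        kvnos[principal].add(kvno)
    conflicts = sorted(p for p, ks in kvnos.items() if len(ks) > 1)
    return {"missing": missing, "kvno_conflicts": conflicts,
            "kvnos": sorted({k for k, _, _ in entries})}


def classify_kinit_error(line):
    """Return (matched message, hint) for a kinit(v5) output line, or (None, hint)."""
    for needle, hint in KINIT_HINTS:
        if needle in line:
            return needle, hint
    return None, "unrecognised kinit output"


if __name__ == "__main__":
    entries = parse_klist_ke(SAMPLE_KLIST_KE)
    report = check_keytab(entries, "FISHWORKS.COM", "fw02-2009Q2.fishworks.com")
    print(f"{len(entries)} keytab entries, KVNOs {report['kvnos']}")
    print("missing principals:", report["missing"])
    print("KVNO conflicts:", report["kvno_conflicts"])
    for msg in ("kinit(v5): Preauthentication failed while getting initial credentials",
                "kinit(v5):  no ktkt_warnd warning possible"):
        print(classify_kinit_error(msg))
```

Run against the constructed sample the report lists HOST/ and cifs/ as absent (the two names that appear in Natalie's listing but not Malcolm's) and a single KVNO of 2. Principal names are compared case-sensitively because Kerberos treats HOST/ and host/ as different principals, which is why both appear in the reference keytab.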

