Hi All,

I have machine M1 hosting a Samba PDC. It stores only user information. I have machine M2 acting as the KDC server. I have machine M3 hosting CIFS shares, and it is joined to the domain hosted by PDC M1. I have machine M4 used as a CIFS client.

On M2, I have added users and cifs/host service principals for M3. I have also added the service principals to the keytab file. I have added all the user and service principals using the des-cbc-crc encryption triplet. M3 and M4 are KDC clients. I have scp'd the keytab file to M3 from M2. I have configured M3's smb.conf file to accept the Kerberos keytab and also for the Kerberos realm:

        realm = SONAS.COM
        use kerberos keytab = yes
        client use spnego = yes

From M4, I do kinit <user> and then try to see the exported shares from M3.

[r...@sofsedun3 ~]# kinit domuser
Password for domu...@sonas.com:
[r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
[r...@sofsedun3 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domu...@sonas.com

Valid starting     Expires            Service principal
03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas....@sonas.com
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
Enter domuser's password:
Anonymous login successful
Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]

        Sharename       Type      Comment
        ---------       ----      -------
        share           Disk      test share
        IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
Anonymous login successful
Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

It works with anonymous login. But when I try to use -k it fails. I tried smbclient with -k and debug level 3. I get this on the console:

[r...@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
Client started (version 3.2.8-ctdb-55).
Connecting to 10.0.0.24 at port 445
Doing spnego session setup (blob length=111)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/sofsedun4.vsofs1....@sonas.com
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Thu, 12 Mar 2009 21:36:54 TLT
cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
[r...@sofsedun3 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domu...@sonas.com

Valid starting     Expires            Service principal
03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas....@sonas.com
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1....@sonas.com
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

On M3, I have enabled smbd logs with debug level 10. The corresponding errors for the above behavior are:

[2009/03/11 21:58:54, 3] smbd/process.c:switch_message(1361)
  switch message SMBsesssetupX (pid 26858) conn 0x0
[2009/03/11 21:58:54, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=12 flg2=0xc801
[2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 466
[2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
[2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
[2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2009/03/11 21:58:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2009/03/11 21:58:54, 3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2009/03/11 21:58:54, 3] smbd/process.c:smbd_process(2036)
  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2009/03/11 21:58:54, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/03/11 21:58:54, 3] smbd/connection.c:yield_connection(31)
  Yielding connection to
[2009/03/11 21:58:54, 3] smbd/server.c:exit_server_common(958)
  Server exit (normal exit)

In the above scenario, M1 and M2 are not aware of each other. That means M1 is not a Kerberos client. I tried setting M1 up as a Kerberos client as well, but the result was the same.

Samba installed on M1, M3 and M4 is samba-3.2.8_ctdb_55-1. I am using MIT Kerberos version 1.6.1-25.el5 on the KDC and the Kerberos clients.

My queries are:

1. Is it a known issue with Samba or Kerberos?
2. Am I missing anything in the configuration?
3. What should I do to make the above setup work?

Please feel free to ask for more information if what I have provided is not sufficient.

P.S.: I am copying my configuration files here for reference.

1. PDC smb.conf

[r...@sofsedun2 ~]# cat /etc/samba/smb.conf
# Samba Configuration file.
#
# ****************** WARNING ********************************
# The contents of this file should not be modified directly !
#
# The samba options are stored in the registry.
# Use the "net conf" command to add/modify samba options in the registry
# ***************************************************************

[global]
        workgroup = VSOFS1.COM
        server string = Samba/NT PDC
        netbios name = sofsedun2
        passdb backend = tdbsam
        log level = 3
        log file = /var/log/samba/%m.log
        max log size = 50
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/sbin/groupadd "%g"
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        add user script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        domain logons = Yes
        os level = 64
        preferred master = Yes
        domain master = Yes
        local master = Yes
        wins support = Yes
        cups options = raw
        security = user
        encrypt passwords = Yes

[netlogon]
        path = /etc/samba/netlogon
        writeable = no
        write list = ntadmin
        guest ok = no

[profiles]
        path = /usr/smb/ntprofile
        writeable = yes
        create mask = 0600
        directory mask = 0700

2. CIFS server smb.conf

[r...@sofsedun4 ~]# cat /etc/samba/smb.conf
# Samba Configuration file.
#
# ****************** WARNING ********************************
# The contents of this file should not be modified directly !
#
# The samba options are stored in the registry.
# Use the "net conf" command to add/modify samba options in the registry
# ***************************************************************

[global]
        workgroup = VSOFS1.COM
        password server = sofsedun2
        security = domain
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template shell = /bin/sh
        winbind use default domain = false
        winbind offline logon = false
        realm = SONAS.COM
        use kerberos keytab = yes
        client use spnego = yes
        wins support = Yes
        cups options = raw
        log level = 3
        log file = /var/log/samba/%m.log

[share]
        comment = test share
        path = /home/share
        read only = no
        public = yes
        valid users = 'VSOFS1.COM\domuser' 'VSOFS1.COM\domadmin' 'VSOFS1.COM\domguest'

3. kdc.conf

[r...@sofsedutsm ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 SONAS.COM = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

4. krb5.conf

[r...@sofsedun3 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SONAS.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5

[realms]
 VSOFS1.COM = {
  kdc = sofsedutsm.VSOFS1.COM
 }
 SONAS.COM = {
  kdc = sofsedutsm.VSOFS1.COM:88
  admin_server = sofsedutsm.VSOFS1.COM:749
  default_domain = VSOFS1.COM
 }

[domain_realm]
 .VSOFS1.COM = SONAS.COM
 VSOFS1.COM = SONAS.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

5. /etc/nsswitch.conf and /etc/pam.d/system-auth have been configured to use winbind for auth, account and passwords.

[r...@sofsedun4 ~]# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 03/11/09 20:24:49 cifs/sofsedun2.vsofs1....@sonas.com (DES cbc mode with CRC-32)
   3 03/11/09 20:25:05 host/sofsedun2.vsofs1....@sonas.com (DES cbc mode with CRC-32)
   3 03/11/09 20:25:19 host/sofsedun4.vsofs1....@sonas.com (DES cbc mode with CRC-32)
   3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1....@sonas.com (DES cbc mode with CRC-32)
[r...@sofsedun4 ~]#

Regards,
Shahid Shaikh.

--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba
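The smbd log above narrows the failure to one step: krb5_rd_req found matching keytab principals, tried the DES-CBC-CRC key ("enc type [1]") and got "Decrypt integrity check failed", which is the error a Kerberos library returns when the key it holds is not the key the KDC used to encrypt the ticket (typically a keytab extracted before the principal was re-keyed, so its kvno lags the KDC's). The enctype itself matches, since klist -e shows the cifs/ service ticket was issued with DES-CBC-CRC. The script below is an added example written for this thread (it is not code from the post, from Samba or from MIT Kerberos): it parses an MIT keytab file directly, the same data klist -kte prints, and reports for each required service principal whether the keytab can decrypt a ticket of a given enctype and whether its kvno agrees with the kvno the KDC reports (via kvno(1) or kadmin getprinc). The sample keytab is constructed in memory with made-up key bytes and host names (m3.example.com); the realm SONAS.COM and the des-cbc-crc enctype follow the post. Single DES (des-cbc-crc, des-cbc-md5) was later deprecated for Kerberos in RFC 6649; the enctype table includes the AES types so the same check applies to a current keytab.

```python
"""Parse an MIT keytab and check it against the failure in the smbd log.
Added example (not from the post, Samba or MIT krb5).  The keytab is built in
memory from made-up keys and host names; realm and enctype follow the post."""
import struct

# RFC 3961 enctype numbers; 1 is the "enc type [1]" in the smbd log.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


def _counted(data, pos):
    """Read one keytab counted_octet_string (uint16 length + bytes)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a v2 keytab file.
    Used only to construct the sample: 0x0502 magic, then per entry a
    big-endian int32 body length followed by the body."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 1236796000, kvno & 0xFF)  # name_type, timestamp (made up), vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                          # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return [{principal, kvno, enctype, enctype_name, key}] for live entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        pos += 8                       # skip name_type (4) and timestamp (4)
        kvno = data[pos]               # 8-bit vno
        enctype, klen = struct.unpack_from(">HH", data, pos + 1)
        pos += 5
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:             # 32-bit vno present; it wins when non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
    return entries


def check_service_keys(entries, required, ticket_enctype, kdc_kvno=None):
    """Map each required principal to its problems ([] means the ticket can be
    decrypted).  ticket_enctype is what `klist -e` shows for the service
    ticket; kdc_kvno is an optional {principal: kvno} taken from the KDC
    (kvno(1) or kadmin getprinc).  A keytab kvno different from the KDC's means
    the principal was re-keyed after the keytab was extracted: the enctype
    matches but krb5_rd_req still fails with "Decrypt integrity check failed"."""
    by_principal = {}
    for e in entries:
        by_principal.setdefault(e["principal"], []).append(e)
    report = {}
    for princ in required:
        keys, problems = by_principal.get(princ, []), []
        if not keys:
            problems.append("missing from keytab")
        else:
            have = sorted({k["enctype"] for k in keys})
            if ticket_enctype not in have:
                problems.append("no key for ticket enctype %s; keytab has %s" % (
                    ENCTYPE_NAMES.get(ticket_enctype, ticket_enctype),
                    ",".join(ENCTYPE_NAMES.get(h, str(h)) for h in have)))
            newest = max(k["kvno"] for k in keys)
            if kdc_kvno and princ in kdc_kvno and newest != kdc_kvno[princ]:
                problems.append("keytab kvno %d != KDC kvno %d (stale keytab)"
                                % (newest, kdc_kvno[princ]))
        report[princ] = problems
    return report


# Constructed sample: DES-CBC-CRC (enctype 1) keys only, kvno 3, like the post's
# klist -kte output; host names and key bytes are made up.
CIFS = "cifs/m3.example.com@SONAS.COM"
SAMPLE_KEYTAB = build_keytab([("host/m3.example.com@SONAS.COM", 3, 1, bytes(range(8))),
                              (CIFS, 3, 1, bytes(range(8, 16)))])


def demo():
    entries = parse_keytab(SAMPLE_KEYTAB)
    return (check_service_keys(entries, [CIFS], 1, {CIFS: 3}),   # key and kvno match
            check_service_keys(entries, [CIFS], 1, {CIFS: 4}),   # KDC re-keyed: stale keytab
            check_service_keys(entries, [CIFS], 18))             # AES ticket, DES-only keytab


if __name__ == "__main__":
    for label, rep in zip(("matching", "stale kvno", "aes ticket"), demo()):
        print(label + ":", rep[CIFS] or "OK")
```

Point parse_keytab at the bytes of /etc/krb5.keytab on the CIFS server and pass the cifs/<fqdn>@REALM principal that smbclient -d3 reports as "got principal=" to check_service_keys. The second case is the one the log pattern suggests: everything lines up except the key material, which no amount of smb.conf tuning will fix; re-extracting the keytab from the KDC (or confirming the kvno with kvno(1) against the service principal) is the next step. The third case produces the "Bad encryption type" class of failure instead, which is what a DES-only keytab would show once the KDC starts issuing AES tickets.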