[Samba] net ads join's generated keytab and solaris

2006-06-14 Thread mcm75
Hey all. I am working on getting Solaris 10 and 9 clients authenticating to 
Active Directory. We have a test setup with Windows 2003 R2 and the Unix 
fields filled out. All was going well with a combination of pam_krb5 and 
nss_ldap and LDAP mappings, including working automounting of home directories. 
This originally included set-up instructions from Microsoft where they said to 
create a user account, assign a password, and generate a keytab to transfer to 
the Unix host to import. This process also went well.

This changed when we tried to use a newer Samba and share = domain, which 
required Samba to join Active Directory. This played with our keytab settings 
as it tried to create another machine account. We decided it would be easier 
to let Samba handle the joining and managing of the krb5.keytab file, as it did 
it more properly anyway. Now we can't seem to get ssh authentication working 
again. kinit username works, as does kpasswd. We can run net ads keytab 
commands and net ads changetrustpw fine, but when we try to do what worked 
before, ssh [EMAIL PROTECTED], we now get the error "Key table entry not 
found". We have spent considerable time messing with the local hostname, 
changing it from FQDN to short and whatnot, but to no avail. The keytab also 
appears to have entries for both, so I don't understand this error. DNS works 
in both directions for this host, and like I said, when creating a keytab from 
a user account on Windows manually, this process works.

If I run something like kinit -k host/[EMAIL PROTECTED] I get a 
"preauthentication failed" message. If instead of "mundi" I make that fully 
qualified, I get the "client not found in Kerberos database" error.

I should also mention that in order to get this far I had to add supported_enctypes 
= des-cbc-md5 and various other lines to krb5.conf to only allow that encoding, 
as Solaris does not allow many types. This successfully limited my keytab down 
to only those enctypes. I also added use kerberos keytab = yes to smb.conf, 
to have a unified system domain join, i.e. ssh and Samba would both be 
preauthenticated from the machine account Samba created.

Attached are possibly helpful log and config files.

In short, how can I get ssh authentication working again?

Thanks,
Christian McHugh
Northern Arizona University

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
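The "Key table entry not found" error above is what a Kerberized sshd reports when the keytab it reads has no entry matching the principal it looks up, host/<canonical hostname>@REALM, in an enctype it can use. The script below is an added example (not from the post, Samba or Solaris): it parses the text that klist -ke prints and reports whether that principal is present, whether it is in an allowed enctype, and whether the keytab holds a name that differs only in case (principal names are case-sensitive). The listing, the realm EXAMPLE.EDU and the kvno values are constructed; "mundi" is the short hostname from the post.

```python
"""Check a keytab listing for the host principal a Kerberized sshd needs.

Added example: not from the original post and not Samba or Solaris code.
It parses the text 'klist -ke' prints (MIT/Solaris format) and reports
whether the keytab holds host/<fqdn>@REALM with an enctype the host is
allowed to use.  SAMPLE_KLIST, the hostname and the realm are constructed:
'mundi' is the short name mentioned in the post, EXAMPLE.EDU is a
placeholder realm, and the kvno values are invented.
"""
import re

# Constructed listing in the shape 'klist -ke /etc/krb5/krb5.keytab' prints.
# Note the host principal carries the FQDN in upper case.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/MUNDI.example.edu@EXAMPLE.EDU (DES cbc mode with RSA-MD5)
   2 host/mundi@EXAMPLE.EDU (DES cbc mode with RSA-MD5)
   2 MUNDI$@EXAMPLE.EDU (DES cbc mode with RSA-MD5)
   2 MUNDI$@EXAMPLE.EDU (ArcFour with HMAC/md5)
"""

# Display name klist uses for the des-cbc-md5 enctype the post restricts to.
DES_CBC_MD5 = "DES cbc mode with RSA-MD5"

# One keytab line: kvno, principal, enctype in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_klist(text):
    """Return the entries of a 'klist -ke' listing as a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and separator lines do not match and are skipped
            entries.append({"kvno": int(m.group(1)),
                            "principal": m.group(2),
                            "enctype": m.group(3)})
    return entries


def check_host_principal(entries, fqdn, realm, allowed_enctypes):
    """Report whether host/<fqdn>@<realm> is in the keytab and usable.

    Principal names are case-sensitive, so an entry differing only in case
    from the name the server looks up is reported separately rather than
    counted as a match.
    """
    wanted = "host/%s@%s" % (fqdn, realm)
    exact = [e for e in entries if e["principal"] == wanted]
    case_only = sorted({e["principal"] for e in entries
                        if e["principal"].lower() == wanted.lower()
                        and e["principal"] != wanted})
    usable = [e for e in exact if e["enctype"] in allowed_enctypes]
    return {
        "wanted": wanted,
        "present": bool(exact),
        "usable": bool(usable),
        "enctypes": sorted({e["enctype"] for e in exact}),
        "kvnos": sorted({e["kvno"] for e in exact}),
        "case_mismatches": case_only,
    }


def describe(report):
    """One-line human summary of a check_host_principal() report."""
    if report["usable"]:
        return "%s: present, usable (kvno %s)" % (
            report["wanted"], ",".join(map(str, report["kvnos"])))
    if report["present"]:
        return "%s: present but no allowed enctype (has %s)" % (
            report["wanted"], ", ".join(report["enctypes"]))
    if report["case_mismatches"]:
        return "%s: missing; case-only match: %s" % (
            report["wanted"], ", ".join(report["case_mismatches"]))
    return "%s: missing" % report["wanted"]


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    # sshd's GSSAPI acceptor asks for host/<canonical hostname>@REALM.
    for name in ("mundi.example.edu", "MUNDI.example.edu", "mundi"):
        print(describe(check_host_principal(entries, name, "EXAMPLE.EDU",
                                            {DES_CBC_MD5})))
```

On a real host the input is the output of klist -ke against the keytab sshd reads and the name to check is the canonical hostname the server resolves for itself; the three calls in the main block show the three distinct outcomes (name present only in another case, present and usable, present but in no allowed enctype), which is the distinction a bare "entry not found" hides.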

[Samba] winbind accepting old passwords

2005-07-12 Thread mcm75
Hello everyone,

I have winbind running on Solaris 9, and it appears to run well, except that 
after changing a password on the Windows side (or with smbpasswd) and then logging on, 
ssh or dt via winbind accepts the old password as well as the new one, while 
starting a Citrix or rdesktop connection confirms that Active Directory only 
accepts the new password. I am already starting winbind with the -n option to 
stop all caching; any ideas?


PAM Configuration follows...

sshd    account  requisite   pam_roles.so.1
sshd    account  sufficient  pam_winbind.so.1
sshd    account  required    pam_unix_account.so.1
#
sshd    password required    pam_dhkeys.so.1
sshd    password requisite   pam_authtok_get.so.1
sshd    password requisite   pam_authtok_check.so.1
sshd    password required    pam_authtok_store.so.1
#sshd   password required    pam_pwexport.so.1 /usr/local/bin/new.test try_first_pass
sshd    password required    pam_winbind.so.1
#
sshd    auth     requisite   pam_authtok_get.so.1
#sshd   auth     required    pam_pwexport.so.1 /usr/local/bin/new.test try_first_pass
sshd    auth     sufficient  pam_winbind.so.1
sshd    auth     required    pam_dhkeys.so.1
sshd    auth     required    pam_unix_auth.so.1
#
sshd    session  required    pam_winbind.so.1
sshd    session  required    pam_unix_session.so.1

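Whether an old password gets through a PAM stack depends on how the control flags combine the modules' verdicts, not only on what winbind caches. The script below is an added example (not from the post, Samba or Solaris): it parses the pam.conf syntax shown above, applies the standard requisite/required/sufficient/optional rules, and traces the sshd auth stack from the post under constructed module outcomes. The stack text is copied from the post; which module accepts or rejects in each scenario is assumed for illustration.

```python
"""Trace how a Solaris pam.conf stack combines its modules' results.

Added example: not from the original post, Samba or Solaris.  parse_pam_conf
reads the pam.conf syntax used in the post (service, module type, control
flag, module path, options) and evaluate_stack applies the standard PAM
control-flag rules.  The stack text is the sshd auth section quoted in the
post; the per-module outcomes in the scenarios are constructed.
"""

# The sshd 'auth' lines from the post (pam.conf syntax, comment line kept).
PAM_CONF = """\
sshd    auth    requisite   pam_authtok_get.so.1
#sshd   auth    required    pam_pwexport.so.1 /usr/local/bin/new.test try_first_pass
sshd    auth    sufficient  pam_winbind.so.1
sshd    auth    required    pam_dhkeys.so.1
sshd    auth    required    pam_unix_auth.so.1
"""


def parse_pam_conf(text, service, module_type):
    """Return [(control_flag, module, options)] for one service and type."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % line)
        svc, mtype, flag, module = fields[:4]
        if svc == service and mtype == module_type:
            stack.append((flag, module, fields[4:]))
    return stack


def evaluate_stack(stack, results):
    """Return (outcome, module) for a stack given each module's result.

    results maps module name -> True for PAM_SUCCESS, False for failure.
    Rules: requisite fails the stack at once; required records the first
    failure but the stack continues; sufficient succeeds at once unless a
    required module already failed, and its own failure is ignored;
    optional never decides.  A module absent from results counts as failed.
    """
    first_required_failure = None
    for flag, module, _options in stack:
        ok = results.get(module, False)
        if flag == "requisite":
            if not ok:
                return ("fail", module)
        elif flag == "required":
            if not ok and first_required_failure is None:
                first_required_failure = module
        elif flag == "sufficient":
            if ok and first_required_failure is None:
                return ("success", module)
        elif flag == "optional":
            pass
        else:
            raise ValueError("unknown control flag: %s" % flag)
    if first_required_failure is not None:
        return ("fail", first_required_failure)
    return ("success", "end of stack")


def scenarios():
    """Constructed attempts against the post's sshd auth stack."""
    stack = parse_pam_conf(PAM_CONF, "sshd", "auth")
    base = {"pam_authtok_get.so.1": True, "pam_dhkeys.so.1": True}
    new_pw = {**base, "pam_winbind.so.1": True, "pam_unix_auth.so.1": False}
    old_pw_local_match = {**base, "pam_winbind.so.1": False, "pam_unix_auth.so.1": True}
    old_pw_no_local = {**base, "pam_winbind.so.1": False, "pam_unix_auth.so.1": False}
    return {
        "new password, winbind accepts": evaluate_stack(stack, new_pw),
        "old password, winbind rejects, local entry matches": evaluate_stack(stack, old_pw_local_match),
        "old password, winbind rejects, no local match": evaluate_stack(stack, old_pw_no_local),
    }


if __name__ == "__main__":
    for name, (outcome, module) in scenarios().items():
        print("%-52s -> %-7s (decided by %s)" % (name, outcome, module))
```

The trace makes one property of this stack visible: with pam_winbind marked sufficient and pam_unix_auth required behind it, a password that winbind rejects still logs the user in whenever the account's local password entry accepts it. So besides the winbind cache, a local entry still holding the previous password is one thing to rule out, and which module decided a given login is the question to answer before blaming either.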