I'm wondering if anyone is running Samba/AD in a zone.
I have samba-3.6.23 installed.
[root@base2 ~]# cat /etc/release | grep joy
See joyent_20140124T065835Z for assembly date and time.
[root@base2 ~]# pkgin list | grep samba
samba-3.6.23 SMB/CIFS protocol server suite
Kerberos seems to be working:
[root@base2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
06/06/14 16:13:08 06/07/14 02:13:10 krbtgt/[email protected]
renew until 06/13/14 16:13:08
Basic krb5.conf:
[root@base2 /etc/krb5]# cat krb5.conf
[libdefaults]
ticket_lifetime = 24000
default_realm = CORP.KPAC.CO.NZ
dns_lookup_realm = true
dns_lookup_kdc = false
[realms]
CORP.KPAC.CO.NZ = {
kdc = twin.corp.kpac.co.nz
admin_server = twin.corp.kpac.co.nz
default_domain = corp.kpac.co.nz
}
[domain_realm]
.corp.kpac.co.nz = CORP.KPAC.CO.NZ
corp.kpac.co.nz = CORP.KPAC.CO.NZ
[logging]
default = FILE:/var/log/kdc.log
kdc = FILE:/var/log/kdc.log
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
and very simple smb.conf:
[root@base2 /opt/local/etc/samba]# cat smb.conf
[global]
workgroup = KPAC
realm = CORP.KPAC.CO.NZ
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /usr/bin/bash
winbind use default domain = true
winbind offline logon = false
load printers = no
server string = oi
dns proxy = no
winbind enum groups = yes
winbind enum users = yes
winbind expand groups = 5
password server = twin.corp.kpac.co.nz
template homedir = /data/home/%U
However, I get the following errors:
[root@base2 /opt/local/etc/samba]# net ads join -U Administrator
Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Error in the PKCS 11 library calls
Failed to join domain: failed to connect to AD: Error in the PKCS 11 library calls
[root@base2 /etc/krb5]# winbindd -i -d 1
winbindd version 3.6.23 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
initialize_winbindd_cache: clearing cache and re-creating with version number 2
ads_krb5_mk_req: krb5_mk_req_extended failed (Error in the PKCS 11 library calls)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Error in the PKCS 11 library calls
ads_krb5_mk_req: krb5_mk_req_extended failed (Error in the PKCS 11 library calls)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Error in the PKCS 11 library calls
ads_krb5_mk_req: krb5_mk_req_extended failed (Error in the PKCS 11 library calls)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Error in the PKCS 11 library calls
ads_krb5_mk_req: krb5_mk_req_extended failed (Error in the PKCS 11 library calls)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Error in the PKCS 11 library calls
ads_connect for domain KPAC failed: Error in the PKCS 11 library calls
Could not receive trustdoms
Could not receive trustdoms
This should work with just the kerberos key:
[root@base2 /opt/local/etc/samba]# smbclient -k -L //TWIN.CORP.KPAC.CO.NZ
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
ads_krb5_mk_req: krb5_mk_req_extended failed (Error in the PKCS 11 library calls)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Error in the PKCS 11 library calls
[root@base2 /opt/local/etc/samba]# wbinfo -p
Ping to winbindd succeeded
[root@base2 /opt/local/etc/samba]# wbinfo -t
checking the trust secret for domain KPAC via RPC calls succeeded
[root@base2 /opt/local/etc/samba]# wbinfo -u
[root@base2 /opt/local/etc/samba]#
A few questions.
I haven't looked at the kernel CIFS server - I assume this only works in the GZ.
There seems to be another kerberos package in the repository.
[root@base2 /opt/local/etc/samba]# pkgin search krb5
pam-krb5-4.6 Very flexible kerberos module for the PAM framework
mit-krb5-1.10.7nb1 MIT Kerberos 5 authentication system
How does this relate to the built kerberos binaries?
[root@base2 /opt/local/etc/samba]# pkgin pkg-content mit-krb5-1.10.7nb1 | grep bin/kinit && which kinit
/opt/local/bin/kinit
/usr/bin/kinit
This issue may be related to:
http://permalink.gmane.org/gmane.os.omnios.general/962
https://github.com/oposs/pkg.oetiker.ch-build/tree/master/build/samba
and
http://www.nineproductions.com/solaris-11-samba-zfs-configuration/
"NEW WEIRDNESS – Not sure why but as of Solaris 11 I needed to manually
create a key tab file from my domain controller otherwise I was getting
kerberos errors. This is strange as this is normally all handled in Samba."
I'm wondering if the lack of nss-wrapper is an issue:
[root@base2 /opt/local/etc/samba]# pkgin pkg-build-defs samba | grep 'nss-wrap'
...
Note: I have been referencing:
http://www.perkin.org.uk/posts/setting-up-samba-on-smartos.html
http://wiki.openindiana.org/oi/winbind
http://ogris.de/samba/unix-active-directory.html
On a secondary note, the current package doesn't have an SMF manifest. I just noticed that the SMF manifest file doesn't mention winbindd:
https://github.com/joyent/pkgsrc/blob/trunk/net/samba/files/smf/manifest.xml
Also, Kerberos seems to depend on ktkt_warn and rpc/bind, which are not started by default. I'm not sure if this has any effect on Samba.
[root@base2 /etc/krb5]# kinit Administrator
Password for Administrator
kinit(v5): no ktkt_warnd warning possible
svcadm enable ktkt_warn
svcadm enable rpc/bind
Nicholas
-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now
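Added example, not from Nicholas's post and not code from the Samba, illumos or pkgsrc projects. "Error in the PKCS 11 library calls" is (assumption) an error string of the illumos native libkrb5, whose crypto goes through libpkcs11; it is not a string MIT krb5 produces. That makes the first useful check which libkrb5 the pkgsrc Samba binaries actually resolve at run time, and whether the kinit that produced the ticket cache belongs to the same implementation, before chasing keytabs. The script below classifies ldd output into native vs mit-krb5, checks that the smb.conf realm and krb5.conf default_realm agree, and rewrites the deprecated idmap uid/gid options (which winbindd warns about above) into the Samba 3.6 "idmap config * : ..." form. The binary paths under /opt/local and /usr/lib and the sample config and ldd fragments are assumptions and constructed input, not output captured from the host.

```shell
#!/bin/sh
# Added diagnostic helper; not part of the original post, Samba or pkgsrc.
# Assumptions: pkgsrc Samba under /opt/local, illumos native Kerberos under
# /usr/lib, and the "PKCS 11" error text coming from the native libkrb5.
# All sample inputs below are constructed, not captured from the host.

# Constructed krb5.conf / smb.conf fragments mirroring the post's settings.
SAMPLE_KRB5_CONF='[libdefaults]
ticket_lifetime = 24000
default_realm = CORP.KPAC.CO.NZ
dns_lookup_kdc = false
[realms]
CORP.KPAC.CO.NZ = {
kdc = twin.corp.kpac.co.nz
}'

SAMPLE_SMB_CONF='[global]
workgroup = KPAC
realm = CORP.KPAC.CO.NZ
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /data/home/%U'

# Constructed ldd output for the two possible link targets (assumed paths).
LDD_NATIVE='        libkrb5.so.1 =>  /usr/lib/libkrb5.so.1
        libpkcs11.so.1 =>        /usr/lib/libpkcs11.so.1'
LDD_MIT='        libkrb5.so.3 =>  /opt/local/lib/libkrb5.so.3
        libgssapi_krb5.so.2 =>   /opt/local/lib/libgssapi_krb5.so.2'

# krb5_provider LDD_OUTPUT: prints which libkrb5 a binary resolves to.
#   native  -> illumos /usr/lib/libkrb5 (crypto goes through libpkcs11)
#   mit     -> pkgsrc mit-krb5 under /opt/local/lib
#   unknown -> no libkrb5 in the output
krb5_provider() {
    case "$1" in
        *"/opt/local/lib/libkrb5"*) echo mit ;;
        *"/usr/lib/libkrb5"*)       echo native ;;
        *)                          echo unknown ;;
    esac
}

# conf_value CONFIG_TEXT KEY: value of the first "KEY = value" line, trimmed.
conf_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k) == 1 {
            rest = substr(line, length(k) + 1)
            if (rest ~ /^[ \t]*=/) {
                sub(/^[ \t]*=[ \t]*/, "", rest)
                sub(/[ \t]+$/, "", rest)
                print rest
                exit
            }
        }'
}

# realms_match KRB5_CONF SMB_CONF: succeeds when the smb.conf "realm" equals
# the krb5.conf "default_realm"; a mismatch sends the AS-REQ to the wrong KDC.
realms_match() {
    [ "$(conf_value "$1" default_realm)" = "$(conf_value "$2" realm)" ]
}

# migrate_idmap SMB_CONF: rewrite the deprecated "idmap uid/gid" options into
# the Samba 3.6 "idmap config * : ..." form and print the resulting config.
migrate_idmap() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*idmap uid[ \t]*=/ {
            sub(/^[ \t]*idmap uid[ \t]*=[ \t]*/, "")
            print "idmap config * : backend = tdb"
            print "idmap config * : range = " $0
            next
        }
        /^[ \t]*idmap gid[ \t]*=/ { next }   # one range covers uids and gids
        { print }'
}

# Live report when run on the host; every path here is an assumed pkgsrc location.
for bin in /opt/local/sbin/winbindd /opt/local/bin/net /opt/local/bin/smbclient; do
    if [ -x "$bin" ]; then
        echo "$bin -> $(krb5_provider "$(ldd "$bin" 2>/dev/null)")"
    fi
done
if [ -x /usr/bin/kinit ] && [ -x /opt/local/bin/kinit ]; then
    echo "two kinit binaries installed; $(command -v kinit) is first on PATH"
fi
```

If winbindd reports "native" while the working kinit was /opt/local/bin/kinit (or the reverse), the ticket cache and the library reading it come from different Kerberos implementations and that mismatch is worth resolving before anything else; the idmap rewrite only silences the deprecation warnings and does not touch the bind failure.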