
[Samba] Urgent... winbind and keytab file creation


Oliver Weinmann

Apr 2, 2008, 5:01:02 AM
Hi,

I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything
works fine so far. Now I need to have the host keytab generated by
winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs
with kerberos security. The problem is I have set the parameter in
smb.conf:

use kerberos keytabe = true

and as mentioned in man smb.conf I have set in krb5.conf

default_keytab_name = FILE:/etc/krb5/krb5.keytab

after a "net join ads" the krb5.keytab file is not created? Do I have to
create it myself? Is this not really implemented? What am I doing wrong?

Help would be really appreciated.

Thanks and Regards,


Oliver Weinmann
Unix/Linux Administrator

VEGA IT GmbH
Europaplatz 5
D-64293 Darmstadt
Germany
Tel : +49 (0) 6151 8257 744
Fax : +49 (0)6151 8257-799
Email : oliver....@vega.de
Web : www.vega-group.com

Register court/Registergericht: Darmstadt, HRB No. 4096, Managing
Directors/Geschäftsführer: Philip Cartmell, Susan Bygrave, John Lewis

Notice of Confidentiality

This transmission is intended for the named addressee only. It contains
information which may be confidential and which may also be privileged.
Unless you are the named addressee (or authorised to receive it for the
addressee) you may not copy or use it, or disclose it to anyone else.
If you have received this transmission in error please notify the sender
immediately.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

Guenther Deschner

Apr 2, 2008, 5:41:12 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oliver Weinmann wrote:
> Hi,
>
> I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now i need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is i have set the parameter in smb.conf:
>
> use kerberos keytabe = true


>
> and as mentioned in man smb.conf i have set in krb5.conf
>

> default_keytab_name = FILE:/etc/krb5/krb5.keytab
>
> after a "net join ads" the krb5.keytab file is not created? do i have to create it myself? Is this not really implemented? What am I doing wrong?

Have you tried "net ads keytab create" ?

Guenther

- --
Günther Deschner GPG-ID: 8EE11688
Red Hat gdes...@redhat.com
Samba Team g...@samba.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFH81Q/SOk3aI7hFogRAo9oAJ9olnYtnTFteNgF6jVpK/xdh9be8gCeNHVP
WjEvra9U//Tj25Y8hFjnDwg=
=peli
-----END PGP SIGNATURE-----

Oliver Weinmann

Apr 2, 2008, 5:56:52 AM
not yet? does it create a keytab file?

I tested the same thing on rhel4 with MIT kerberos and here it creates
the krb5.keytab file under /etc/krb5.keytab. I then linked it to
/etc/krb5/krb5.keytab and now I can see all the keys with klist -k, but
I can't use them:

[root@rhel4wbtest2 etc]# klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rhel4wbtest2....@VEGAGROUP.NET
   2 host/rhel4wbtest2....@VEGAGROUP.NET
   2 host/rhel4wbtest2....@VEGAGROUP.NET
   2 host/RHEL4W...@VEGAGROUP.NET
   2 host/RHEL4W...@VEGAGROUP.NET
   2 host/RHEL4W...@VEGAGROUP.NET
   2 RHEL4WBTEST2$@VEGAGROUP.NET
   2 RHEL4WBTEST2$@VEGAGROUP.NET
   2 RHEL4WBTEST2$@VEGAGROUP.NET

[root@rhel4wbtest2 etc]# kinit -k host/rhel4wbtest2.vegagroup.net
kinit(v5): Cannot find KDC for requested realm while getting initial credentials

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

Gerald (Jerry) Carter

Apr 2, 2008, 9:11:46 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oliver Weinmann wrote:
| Hi,
|
| I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos.
| Everything works fine so far. Now i need to have the host keytab
| generated by winbind to be in the default /etc/krb5/krb5.keytab in order
| to use nfs with kerberos security. The problem is i have set the
| parameter in smb.conf:
|
| use kerberos keytabe = true

Don't use this if you use Samba to join the domain.
It is really only useful for non-MS realms.

jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH84WZIR7qMdg1EfYRAk6iAJ0d04pZey+cqgyzfOGbB6cmW+nhWwCgpOjV
U+A6DB3LB7IZMlqBxWv0u6s=
=MlpW
-----END PGP SIGNATURE-----

Oliver Weinmann

Apr 2, 2008, 9:27:38 AM
Hi and thanks for your answer.

here is the output about the encryption used:

[root@rhel4wbtest2 krb5]# klist -e -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rhel4wbtest2....@VEGAGROUP.NET (DES cbc mode with CRC-32)
   2 host/rhel4wbtest2....@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
   2 host/rhel4wbtest2....@VEGAGROUP.NET (ArcFour with HMAC/md5)
   2 host/RHEL4W...@VEGAGROUP.NET (DES cbc mode with CRC-32)
   2 host/RHEL4W...@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
   2 host/RHEL4W...@VEGAGROUP.NET (ArcFour with HMAC/md5)
   2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with CRC-32)
   2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
   2 RHEL4WBTEST2$@VEGAGROUP.NET (ArcFour with HMAC/md5)

i have to use pam_krb5 because i need to mount nfs shares with kerberos
security. So when a user logs in he gets a valid TGT and is able to
mount the share.

if the keytab created cannot be used for this... can i somehow delete
the host principal created by winbind, create a new one, that will work
for pam_krb5 and let winbind use the newly created one?


Gerald (Jerry) Carter

Apr 2, 2008, 9:46:33 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oliver Weinmann wrote:
> Hi and thanks for you answer.
>
> here is the output about the encryption used:
>
> [root@rhel4wbtest2 krb5]# klist -e -k
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal

Enctypes look fine.

> i have to use pam_krb5 because i need to mount nfs
> shares with kerberos security. So when a user logs in he
> gets a valid TGT and is able to mount the share.

pam_winbind will do that for you as well.

> if the keytab created cannot be used for this... can i somehow delete
> the host principal created by winbind, create a new one, that will work
> for pam_krb5 and let winbind use the newly created one?


jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)


Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH843HIR7qMdg1EfYRAmDhAKC9ZLpFfsiBRZGqOS1uJDdke7r4qwCePF6D
mYwG/R3TyRnd9DHFhhFLUpE=
=Iu9j
-----END PGP SIGNATURE-----

Oliver Weinmann

Apr 2, 2008, 9:59:09 AM
How? When I use pam_winbind to login and automount to mount a user's home
with kerberos security I don't get a TGT at login. So this doesn't seem
to work with pam_winbind, or?


Gerald (Jerry) Carter

Apr 2, 2008, 10:09:54 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oliver Weinmann wrote:
> how? when i use pam_winbind to login and automount to mount a users home
> with kerberos security i dont get a TGT at login. So this doesn't seem
> to work with pam_winbind or?

Install examples/pam_winbind/pam_winbind.conf to /etc/security/
and enable the krb5_auth option.

Also set "winbind refresh tickets = yes" in smb.conf.

cheers, jerry


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH85NJIR7qMdg1EfYRArVHAJ4sn70tRJV6uM7coc9id1CjgUMlHQCfcJ7k
XPb8CJDfP62ida5MuNjbEn4=
=/0bH
-----END PGP SIGNATURE-----

Oliver Weinmann

Apr 2, 2008, 10:33:05 AM
Sounds cool.

i made the changes. When i login as an ad user i don't get a ticket? Is
there anything else i need to set?

Cheers


Oliver Weinmann

Apr 2, 2008, 10:51:27 AM
Ok. i got it. I had to change the parameter for:

krb5_ccache_type = FILE

now the users get a "cached" ticket at login. COOL :)

but when the automount daemon tries to mount their home it fails:

Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create
krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss:
gss_init_sec_context: (major) Miscellaneous failure - (minor) No
credentials found with supported encryption types

Cheers,
Oli

mallapadi niranjan

Apr 2, 2008, 11:22:07 AM
Hi

I have recently figured out that nfs supports only the "des-cbc-crc:normal"
encryption type.

Regards

On Wed, Apr 2, 2008 at 8:11 PM, Oliver Weinmann <oliver....@vega.de>
wrote:

> Ok. i got it. I had to change the parameter for:
>
> krb5_ccache_type = FILE
>
> now the users get a "cached" ticket at login. COOL :)
>
> but when the automount daemon tries to mount their home it fails:
>
> Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create
> krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
> Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss:
> gss_init_sec_context: (major) Miscellaneous failure - (minor) No
> credentials found with supported encryption types
>
> Cheers,
> Oli
Gerald (Jerry) Carter

Apr 2, 2008, 11:41:45 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oliver Weinmann wrote:
> Ok. i got it. I had to change the parameter for:
>
> krb5_ccache_type = FILE
>
> now the users get a "cached" ticket at login. COOL :)
>
> but when the automount daemon tries to mount their home it fails:
>
> Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create
> krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
> Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss:
> gss_init_sec_context: (major) Miscellaneous failure - (minor) No
> credentials found with supported encryption types


I expect the nfsv4 service is trying to use 3des or aes.
I always set these enc types in /etc/krb5.conf

[libdefaults]
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC

cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH86i/IR7qMdg1EfYRAiQcAJ9PoxRrBKYjWxhDcqc8pKsRAok8nQCeMIOF
Y9bRg2KlV5qXK9u65e0WK6U=
=Cgv+
-----END PGP SIGNATURE-----

simo

Apr 2, 2008, 11:52:42 AM

On Wed, 2008-04-02 at 10:39 -0500, Gerald (Jerry) Carter wrote:
> I expect the nfsv4 service is trying to use 3des or aes.
> I always set these enc types in /etc/krb5.conf
>
> [libdefaults]
> default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
> default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
> preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>

Currently linux nfs server requires that both server and client use ONLY
des keys
Any other combination will simply fail.

There are kernel patches reaching upstream that are adding 3des and aes
but not yet rc4-hmac IIRC.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <si...@samba.org>
Senior Software Engineer at Red Hat Inc. <sso...@redhat.com>
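The enctype question running through the last three messages (Jerry's "Enctypes look fine" and his krb5.conf ordering, niranjan's and simo's point that the Linux NFS server of the day only took DES keys), as an added example that is not part of the thread and is not Samba's or MIT krb5's code: a short Python script that parses a `klist -e -k` listing, flags entries whose enctypes are now deprecated, and models the three-way overlap (client preference list, keys present in the keytab, enctypes the server accepts) that decides whether the NFS security context can be set up at all. The keytab listing is constructed in the shape of Oliver's output with the principal name taken from his `kinit -k` line; the set of enctypes the NFS server accepts is an assumption drawn from simo's reply; the 3DES/AES label strings are MIT's and are included for the general case rather than taken from the page.

```python
"""Enctype compatibility check over `klist -e -k` output.

Added example, not from the thread or from Samba/MIT krb5.  It parses a
keytab listing, reports entries that use deprecated enctypes, and models
the negotiation that ends in "No credentials found with supported
encryption types" when the client's preferred enctypes, the keys in the
keytab and the enctypes the NFS server accepts have no usable overlap.
"""
import re

# Constructed sample in the shape of the `klist -e -k` output posted in the
# thread; the host principal is the one from the `kinit -k` line there.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with CRC-32)
   2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
   2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (ArcFour with HMAC/md5)
   2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with CRC-32)
   2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
   2 RHEL4WBTEST2$@VEGAGROUP.NET (ArcFour with HMAC/md5)
"""

# MIT klist's human-readable enctype labels mapped to krb5.conf names.  The
# first three appear in the thread; the 3DES/AES labels are MIT's own names
# and are included here for the general case.
KLIST_LABELS = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}

# krb5.conf accepts several spellings for the same key type.
ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}

# Single DES is deprecated by RFC 6649; RC4 and 3DES by RFC 8429.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "arcfour-hmac", "des3-cbc-sha1"}

# Assumed from simo's reply: the Linux NFS server of that time took DES only.
NFS_SERVER_ENCTYPES = ["des-cbc-crc", "des-cbc-md5"]

_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def canonical(name):
    """Lower-case a krb5.conf enctype name and fold known aliases."""
    n = name.strip().lower()
    return ALIASES.get(n, n)


def parse_enctype_list(value):
    """Split a krb5.conf list such as 'RC4-HMAC DES-CBC-CRC DES-CBC-MD5'."""
    return [canonical(v) for v in value.split()]


def parse_klist(text):
    """Return {principal: [enctype, ...]} in keytab order from `klist -e -k`."""
    keys = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # 'Keytab name:' line, column header, separator
        _kvno, principal, label = m.groups()
        if label not in KLIST_LABELS:
            raise ValueError(f"unrecognised enctype label: {label!r}")
        keys.setdefault(principal, []).append(KLIST_LABELS[label])
    return keys


def weak_entries(keys):
    """Principals whose keytab entries use deprecated enctypes."""
    return {p: sorted(set(e) & WEAK) for p, e in keys.items() if set(e) & WEAK}


def negotiate(client_prefs, keytab_enctypes, service_accepts):
    """First client-preferred enctype that both has a key in the keytab and
    is accepted by the service; None means context setup fails.  This is a
    simplified model: the KDC makes the real choice from the intersection
    of what the client requests and the keys registered for the service,
    but the client's preference list is the knob the thread adjusts."""
    usable = set(map(canonical, keytab_enctypes)) & set(map(canonical, service_accepts))
    for etype in map(canonical, client_prefs):
        if etype in usable:
            return etype
    return None


if __name__ == "__main__":
    keys = parse_klist(KLIST_OUTPUT)
    host = keys["host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET"]
    for principal, weak in weak_entries(keys).items():
        print(f"{principal}: deprecated enctypes {', '.join(weak)}")
    # A client list with no DES at all cannot talk to a DES-only NFS server.
    print(negotiate(["aes256-cts-hmac-sha1-96", "rc4-hmac"], host, NFS_SERVER_ENCTYPES))
    # Jerry's list: RC4 is preferred but DES is still offered, so DES is used.
    print(negotiate(parse_enctype_list("RC4-HMAC DES-CBC-CRC DES-CBC-MD5"), host, NFS_SERVER_ENCTYPES))
```

Run it against real `klist -e -k` output piped into `parse_klist` to see which principals still carry DES or RC4 keys. The ordering trick in Jerry's krb5.conf only works while the keytab and the server both still have DES keys; on a current system the right fix is the reverse of the thread's, AES keys in the keytab and an NFS stack that accepts AES, since every enctype in the listing above is now deprecated.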
