Домен main.sgu.ru на сервере
151 views
Skip to first unread message
Evgeny Sinelnikov
Jul 24, 2013, 6:28:05 PM7/24/13
to toiit-la...@googlegroups.com
Здравствуйте,
--
сообщая, что на сервере перестали работать учётные записи из домена. Причина тому, скорее всего в том, что ПРЦНИТ обновил сервера на Windows 2008.
Собственно ошибка выглядит следующим образом:
Jul 25 02:20:22 toiit winbindd[13151]: Kinit failed: KDC has no support for encryption type
Jul 25 02:20:22 toiit winbindd[13151]: Kinit failed: KDC has no support for encryption type
Ошибка уже известная, будем разбираться:
http://lists.samba.org/archive/samba/2010-November/159349.html
http://lists.samba.org/archive/samba/2010-November/159349.html
Принтер, до исправления, работать не будет.
--
Sin (Sinelnikov Evgeny)
Etersoft
Etersoft
Evgeny Sinelnikov
Jul 24, 2013, 7:07:20 PM7/24/13
to toiit-la...@googlegroups.com
25 июля 2013 г., 2:28 пользователь Evgeny Sinelnikov <s...@altlinux.ru> написал:
Внёс последовательно следующие исправления:
1. Настройка самбы
$ sudo net ads testjoin
[2013/07/25 02:30:38.979432, 0] param/loadparm.c:7648(lp_do_parameter)
Ignoring unknown parameter "use kerberos keytab"
Join is OK
$ testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Unknown parameter encountered: "use kerberos keytab"
Ignoring unknown parameter "use kerberos keytab"
$ sudo net ads testjoin
[2013/07/25 02:30:38.979432, 0] param/loadparm.c:7648(lp_do_parameter)
Ignoring unknown parameter "use kerberos keytab"
Join is OK
$ testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Unknown parameter encountered: "use kerberos keytab"
Ignoring unknown parameter "use kerberos keytab"
Вносим в /etc/samba/smb.conf:
#use kerberos keytab = true
kerberos method = system keytab
dedicated keytab file = /etc/krb5.keytab
kerberos method = system keytab
dedicated keytab file = /etc/krb5.keytab
В новой самбе, начиная с 3.4.0 (и как оно раньше работало?) уже давно так:
https://lists.samba.org/archive/samba/2011-November/164882.html
https://support.quest.com/SolutionDetail.aspx?id=SOL65673
https://lists.samba.org/archive/samba/2011-November/164882.html
https://support.quest.com/SolutionDetail.aspx?id=SOL65673
-
Title
SAMBA error: Ignoring unknown parameter "use kerberos keytab -
Description
Samba version 3.5.4 on a Redhat 5 server once installed quest-vasidmap-1.2.0-1.x86_64.rpm and run /opt/quest/sbin/vas-samba-config,
Samba can no longer authenticates any usersWhen running testparm receiving error Unknown parameter encountered: "use kerberos keytab"
Ignoring unknown parameter "use kerberos keytab"
-
Cause
Samba 3.4 has changed some smb.conf setting names and this is why you are getting the error " Ignoring unknown parameter".
-
Resolution
WORKAROUND:
Edit the smb.conf file
1 - Comment out by inserting# "use kerberos keytab = yes"2 - add the following settingskerberos method = system keytab
dedicated keytab file = /etc/opt/quest/vas/host.keytab
Please update your smb.conf file with the correct settings.
2. Указание мехнизма шифрации Kerberos
Вывод /var/log/messages:
Jul 25 02:34:19 toiit winbindd[13937]: Kinit failed: KDC has no support for encryption type
$ sudo net ads join -U mastersin
Enter mastersin's password:
Using short domain name -- MAIN
Joined 'TOIIT' to realm 'main.sgu.ru'
[2013/07/25 02:39:27.665644, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password TOIIT$@MAIN.SGU.RU failed: KDC has no support for encryption type
Enter mastersin's password:
Using short domain name -- MAIN
Joined 'TOIIT' to realm 'main.sgu.ru'
[2013/07/25 02:39:27.665644, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password TOIIT$@MAIN.SGU.RU failed: KDC has no support for encryption type
Это тоже уже решённая задача, хотя и удивительно решённая:
https://lists.samba.org/archive/samba/2010-November/159378.html
http://support.microsoft.com/kb/942564
https://lists.samba.org/archive/samba/2010-November/159378.html
http://support.microsoft.com/kb/942564
https://forums.oracle.com/thread/1527572
Поправляем /etc/krb5.conf:
[libdefaults]
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
Перевводим машину в домен:
$ sudo net ads join -U mastersin
Enter mastersin's password:
Using short domain name -- MAIN
Joined 'TOIIT' to realm 'main.sgu.ru'
3. Проблема коллизии
Осталась давняя проблема коллизии имён, которую пока непонятно как решать:
Jul 25 02:42:00 toiit winbindd[14044]: [2013/07/25 02:42:00.343934, 0] lib/module.c:69(do_smb_load_module)
Jul 25 02:42:00 toiit winbindd[14044]: Module '/usr/lib/samba/idmap/rid.so' initialization failed: NT_STATUS_OBJECT_NAME_COLLISION
Текущая проблема, таким образом, исчерпана.
Re: KDC has no support for encryption type (14) in windows 2008
843810 Oct 22, 2009 12:54 PM (in response to 843810)In your krb5.conf file, try setting the default encryption type to rc4-hmac as follows:
[libdefaults]
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
When your DC is running in "Windows 2003 Server Forest Functional Level" it will not accept a TGT with AES256 encryption. AES256 is only supported when the DC is running in "Windows *2008* Server Forest Functional Level"
[libdefaults]
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
When your DC is running in "Windows 2003 Server Forest Functional Level" it will not accept a TGT with AES256 encryption. AES256 is only supported when the DC is running in "Windows *2008* Server Forest Functional Level"
Поправляем /etc/krb5.conf:
[libdefaults]
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
Перевводим машину в домен:
$ sudo net ads join -U mastersin
Enter mastersin's password:
Using short domain name -- MAIN
Joined 'TOIIT' to realm 'main.sgu.ru'
3. Проблема коллизии
Осталась давняя проблема коллизии имён, которую пока непонятно как решать:
Jul 25 02:42:00 toiit winbindd[14044]: [2013/07/25 02:42:00.343934, 0] lib/module.c:69(do_smb_load_module)
Jul 25 02:42:00 toiit winbindd[14044]: Module '/usr/lib/samba/idmap/rid.so' initialization failed: NT_STATUS_OBJECT_NAME_COLLISION
Текущая проблема, таким образом, исчерпана.
Reply all
Reply to author
Forward
0 new messages