[37515] in Kerberos
keytabs basics linux <=> AD ?
daemon@ATHENA.MIT.EDU (lejeczek)
Tue Jun 7 09:02:09 2016
To: kerberos@mit.edu
From: lejeczek <peljasz@yahoo.co.uk>
Message-ID: <8ae57557-9289-78c0-8979-8c14d421a3a4@yahoo.co.uk>
Date: Tue, 7 Jun 2016 14:01:49 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
hi users,
a novice here hoping to grasp the fundamentals soon :)
I have samba+sssd as a client to an AD. I have all the keytabs for the host (I think), but I noticed weird (to me at least) smbclient behavior.
when I do:
$ smbclient -L swir -U me@CEB.PRIVATE.DOM -k
all works, the client sees the local samba's shares, but when I do:
$ smbclient -L swir.private.ceb.private.dom -U pe243@CEB.PRIVATE.DOM -k
gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server cifs/swir.private.ceb.private.dom@PRIVATE.CEB.PRIVATE.DOM not found in Kerberos database]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR
and to verify:
$ klist -k /etc/krb5.swir.keytab -e
Keytab name: FILE:/etc/krb5.swir.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/swir.private.ceb.private.dom@CEB.PRIVATE.DOM (des-cbc-crc)
   4 host/swir.private.ceb.private.dom@CEB.PRIVATE.DOM (des-cbc-md5)
   4 host/swir.private.ceb.private.dom@CEB.PRIVATE.DOM (arcfour-hmac)
   4 host/swir.private.ceb.private.dom@CEB.PRIVATE.DOM (aes256-cts-hmac-sha1-96)
   4 host/swir.private.ceb.private.dom@CEB.PRIVATE.DOM (aes128-cts-hmac-sha1-96)
   4 CIFS/swir.private.ceb.private.dom@CEB.PRIVATE.DOM (des-cbc-crc)
   4 CIFS/swir.private.ceb.private.dom@CEB.PRIVATE.DOM (des-cbc-md5)
   4 CIFS/swir.private.ceb.private.dom@CEB.PRIVATE.DOM (arcfour-hmac)
   4 CIFS/swir.private.ceb.private.dom@CEB.PRIVATE.DOM (aes256-cts-hmac-sha1-96)
   4 CIFS/swir.private.ceb.private.dom@CEB.PRIVATE.DOM (aes128-cts-hmac-sha1-96)
Samba uses the above keytab file in its config, and that keytab was generated on AD DS.
What you can notice when I use smbclient with the FQDN (it's all one local host; smbclient is trying itself) is this:
gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server cifs/swir.private.ceb.private.dom@PRIVATE.CEB.PRIVATE.DOM not found in Kerberos
@PRIVATE.CEB.PRIVATE.DOM # this part, I thought it should be the AD domain, like @CEB.PRIVATE.DOM
Why does smbclient use its own realm?
I should also say that this Linux box is a client of two realms: first, it is a FreeIPA server that runs locally on this box, and second, its local samba is a client of AD (win2k14).
And my krb5.conf looks like this:
--------------------------
[libdefaults]
  default_realm = PRIVATE.CEB.PRIVATE.DOM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  PRIVATE.CEB.PRIVATE.DOM = {
    kdc = swir.private.ceb.private.dom:88
    master_kdc = swir.private.ceb.private.dom:88
    admin_server = swir.private.ceb.private.dom:749
    default_domain = private.ceb.private.dom
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
  CEB.PRIVATE.DOM = {
    kdc = win-srv.ceb.private.dom:88
    domain_server = ccnr-winsrv1.ceb.private.dom:749
    admin_server = ccnr-winsrv1.private.ceb.private.dom
  }

[domain_realm]
  .private.ceb.private.dom = PRIVATE.CEB.PRIVATE.DOM
  private.ceb.private.dom = PRIVATE.CEB.PRIVATE.DOM
  ceb.private.dom = CEB.PRIVATE.DOM
  .ceb.private.dom = CEB.PRIVATE.DOM
--------------------
So PRIVATE.CEB.PRIVATE.DOM is my own local FreeIPA domain and CEB.PRIVATE.DOM is the AD domain.
Also, DNS-wise it is like this:
the IPA server (samba) is swir.private.ceb.private.dom
and AD with its server is win-srv.ceb.private.dom
Either something is misconfigured and/or I am confusing fundamentals. What am I doing wrong?
many thanks
L.
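An added example, not part of the original post, that walks the [domain_realm] section the way libkrb5 resolves a host to a realm (exact hostname first, then each parent domain with a leading dot; libkrb5's DNS fallback is approximated here by uppercasing the parent domain) and then checks the service principal a client would request against the keytab entries shown above. The config and keytab strings are copied from the post; the case-insensitive comparison of the service name is an assumption modelled on AD treating SPNs case-insensitively.

```python
# Constructed copies of the [domain_realm] section and the CIFS/host keytab
# principals from the post above.
KRB5_CONF = """
[domain_realm]
.private.ceb.private.dom = PRIVATE.CEB.PRIVATE.DOM
private.ceb.private.dom = PRIVATE.CEB.PRIVATE.DOM
ceb.private.dom = CEB.PRIVATE.DOM
.ceb.private.dom = CEB.PRIVATE.DOM
"""
KEYTAB_PRINCIPALS = [
    "host/swir.private.ceb.private.dom@CEB.PRIVATE.DOM",
    "CIFS/swir.private.ceb.private.dom@CEB.PRIVATE.DOM",
]

def parse_domain_realm(conf):
    """Return {domain: REALM} from the [domain_realm] section of a krb5.conf string."""
    mapping, in_section = {}, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_section = line == "[domain_realm]"
        elif in_section and "=" in line:
            dom, realm = (s.strip() for s in line.split("=", 1))
            mapping[dom.lower()] = realm
    return mapping

def host_realm(host, mapping):
    """Realm libkrb5 picks for a host: exact match, then parents with a leading dot.
    Fallback (approximating the DNS/heuristic path) is the uppercased parent domain."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return ".".join(labels[1:]).upper()

def keytab_matches(service, host, mapping, keytab):
    """Principal the client will ask the KDC for, and whether the keytab holds it.
    Assumption: the service part is compared case-insensitively (AD SPN style);
    host and realm must match exactly."""
    wanted = f"{service}/{host}@{host_realm(host, mapping)}"
    w_svc, w_rest = wanted.split("/", 1)
    found = any(p.split("/", 1)[0].lower() == w_svc.lower()
                and p.split("/", 1)[1] == w_rest for p in keytab if "/" in p)
    return wanted, found
```

Running keytab_matches("cifs", "swir.private.ceb.private.dom", ...) reproduces the post's symptom: the [domain_realm] suffix rule sends the FQDN to the IPA realm, so the requested principal carries @PRIVATE.CEB.PRIVATE.DOM while the keytab only has @CEB.PRIVATE.DOM.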
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos