Not sure, but it seems you have two realms: the Kerberos realm
PRIVATE.AAA.PRIVATE.DOM + the AD realm AAA.PRIVATE.DOM.
The client has its default realm set to PRIVATE.AAA.PRIVATE.DOM, which is not your
AD's realm, and so you get:
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.aaa.private.dom@PRIVATE.AAA.PRIVATE.DOM not found in Kerberos
Just a lead; I'm not a Kerberos expert and I'm not sure I have really
understood you (I'm not a foreign language expert either :p).
Hoping this helps anyway,
mathias
2016-06-08 17:40 GMT+02:00 lejeczek <peljasz at yahoo.co.uk>:
> hi users
>
> a novice here hoping to grasp fundamentals soon
> I have Samba + SSSD as a client to an AD. I have all the keytabs for a
> host (I think), but I noticed weird (to me at least) smbclient behavior.
> when I do:
> $ smbclient -L swir -U me@AAA.PRIVATE.DOM -k
> all works, the client sees the local Samba's shares; when I do:
> $ smbclient -L swir.private.aaa.private.dom -U pe243@AAA.PRIVATE.DOM -k
> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.aaa.private.dom@PRIVATE.AAA.PRIVATE.DOM not found in Kerberos database]
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
> and to verify:
> $ klist -k /etc/krb5.swir.keytab -e
> Keytab name: FILE:/etc/krb5.swir.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    4 host/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (des-cbc-crc)
>    4 host/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (des-cbc-md5)
>    4 host/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (arcfour-hmac)
>    4 host/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (aes256-cts-hmac-sha1-96)
>    4 host/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (aes128-cts-hmac-sha1-96)
>    4 CIFS/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (des-cbc-crc)
>    4 CIFS/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (des-cbc-md5)
>    4 CIFS/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (arcfour-hmac)
>    4 CIFS/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (aes256-cts-hmac-sha1-96)
>    4 CIFS/swir.private.aaa.private.dom@AAA.PRIVATE.DOM (aes128-cts-hmac-sha1-96)
>
> and the above keytab file is the one Samba uses in its config; that keytab was
> generated on AD DS.
> What you can notice when I smbclient with the FQDN (it's all one local host,
> smbclient is trying itself) is this:
>
> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.aaa.private.dom@PRIVATE.AAA.PRIVATE.DOM not found in Kerberos
>
> @PRIVATE.AAA.PRIVATE.DOM # this part, I thought, should be the AD domain,
> like: @AAA.PRIVATE.DOM
>
> Why does smbclient use its own realm?
> I should also say that this Linux box is a client of two realms: first, it's a
> FreeIPA server that runs locally on this box, and second, its local Samba is
> a client of AD (win2k14).
> And my krb5.conf looks like this:
> --------------------------
> [libdefaults]
>   default_realm = PRIVATE.AAA.PRIVATE.DOM
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>   forwardable = yes
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>   PRIVATE.AAA.PRIVATE.DOM = {
>     kdc = swir.private.aaa.private.dom:88
>     master_kdc = swir.private.aaa.private.dom:88
>     admin_server = swir.private.aaa.private.dom:749
>     default_domain = private.aaa.private.dom
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>   AAA.PRIVATE.DOM = {
>     kdc = win-srv.aaa.private.dom:88
>     domain_server = wins-rv1.aaa.private.dom:749
>     admin_server = win-srv1.private.aaa.private.dom
>   }
>
> [domain_realm]
>   .private.aaa.private.dom = PRIVATE.AAA.PRIVATE.DOM
>   private.aaa.private.dom = PRIVATE.AAA.PRIVATE.DOM
>
>   aaa.private.dom = AAA.PRIVATE.DOM
>   .aaa.private.dom = AAA.PRIVATE.DOM
> --------------------
> so PRIVATE.AAA.PRIVATE.DOM is our own local FreeIPA domain and AAA.PRIVATE.DOM
> is the AD domain.
> Also, you can see DNS-wise it is like this:
> the IPA server (Samba) is: swir.private.aaa.private.dom
> and AD with its server is: win-srv.aaa.private.dom
>
> There is something misconfigured and/or I am confusing fundamentals. What
> am I doing wrong?
> many thanks
> L.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
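The realm that ends up in the requested service principal is decided by the client library's host-to-realm mapping, and the thread above shows exactly the input to that mapping: the [domain_realm] and [libdefaults] sections of the poster's krb5.conf. The script below is an added example (not code from either participant, nor from Samba or MIT krb5) that models MIT krb5's documented [domain_realm] lookup order on the posted configuration: an exact host relation wins, then the longest matching domain relation written with a leading dot, and only when nothing matches does default_realm apply. The OVERRIDE_CONF variant with an exact-host relation is hypothetical and is there to show the precedence rule, not a recommended fix for this setup. DNS TXT lookups (dns_lookup_realm) and DNS canonicalisation of the hostname are deliberately left out so the example runs offline.

```python
"""Model of MIT krb5 [domain_realm] host-to-realm mapping, applied to the
krb5.conf quoted in the thread above (added example, not the library's code)."""
import re

# Constructed from the posted krb5.conf: only the two sections the mapping
# reads. The [realms] block (KDC addresses) plays no part in choosing a realm.
POSTED_KRB5_CONF = """
[libdefaults]
default_realm = PRIVATE.AAA.PRIVATE.DOM
dns_lookup_realm = true

[domain_realm]
.private.aaa.private.dom = PRIVATE.AAA.PRIVATE.DOM
private.aaa.private.dom = PRIVATE.AAA.PRIVATE.DOM
aaa.private.dom = AAA.PRIVATE.DOM
.aaa.private.dom = AAA.PRIVATE.DOM
"""

# Hypothetical variant (not from the thread): an exact-host relation appended
# to [domain_realm]. Exact host names take precedence over domain suffixes.
OVERRIDE_CONF = POSTED_KRB5_CONF + "swir.private.aaa.private.dom = AAA.PRIVATE.DOM\n"


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: flat 'key = value' relations per section.
    Brace-delimited sub-blocks (as used in [realms]) are skipped, because
    the host-to-realm mapping only needs [libdefaults] and [domain_realm]."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        depth += line.count("{") - line.count("}")
        if depth > 0 or line == "}":
            continue  # inside, or closing, a sub-block
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            # domain_realm relation names are host/domain names: compare lowercase
            current[key.strip().lower()] = value.strip()
    return sections


def realm_for_host(conf, hostname):
    """Return (realm, rule) in MIT krb5's [domain_realm] lookup order:
    exact lowercased hostname, then each parent domain with a leading dot
    from longest to shortest, then default_realm. The real library may also
    try DNS TXT records and canonicalise the name first; both omitted here."""
    host = hostname.lower().rstrip(".")
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate], candidate
    return conf["libdefaults"]["default_realm"], "default_realm"


def service_principal(conf, service, hostname):
    """Build the service principal a client would request for service@host."""
    realm, _ = realm_for_host(conf, hostname)
    return f"{service}/{hostname.lower()}@{realm}"


if __name__ == "__main__":
    conf = parse_krb5_conf(POSTED_KRB5_CONF)
    for host in ("swir.private.aaa.private.dom", "win-srv.aaa.private.dom", "swir"):
        realm, rule = realm_for_host(conf, host)
        print(f"{host:30} -> {realm:24} (matched by: {rule})")
    print(service_principal(conf, "cifs", "swir.private.aaa.private.dom"))
    print(service_principal(parse_krb5_conf(OVERRIDE_CONF), "cifs",
                            "swir.private.aaa.private.dom"))
```

Run on the posted configuration, swir.private.aaa.private.dom is matched by the `.private.aaa.private.dom` relation and so yields `cifs/swir.private.aaa.private.dom@PRIVATE.AAA.PRIVATE.DOM`, the exact principal in the error message; win-srv.aaa.private.dom maps to AAA.PRIVATE.DOM via `.aaa.private.dom`, and the bare name `swir` (no dot, so no domain relation can match) falls through to default_realm. One further check worth making against the keytab listing: MIT krb5 compares principal names case-sensitively, so the keytab's `CIFS/` entries and a requested `cifs/` principal are different names to the library even though Active Directory treats SPNs case-insensitively.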