Thomas Schweikle
2019-Oct-16 08:56 UTC
[Samba] Can't setup kerberos auth for samba4 server?
Hi!

Setup: Debian, Samba 4.11

After successfully setting up samba4, I want this machine to authenticate
against the running samba4-server. I've created /etc/krb5.conf:

[libdefaults]
default_realm = ADA.DE
dns_lookup_realm = false
dns_lookup_kdc = true

kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

fcc-mit-ticketflags = true

[realms]
ADA.DE = {
kdc = ad01.ada.de
kdc = ad02.ada.de
admin_server = ad01.ada.de
chpasswd_server = ad01.ada.de
default_domain = ada.de
}

[domain_realm]
.ada.de = ADA.DE
ada.de = ADA.DE

kinit works:
# kinit Administrator
Passwort für Administrator@ADA.DE:
Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET ablaufen.
# klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
Standard-Principal: Administrator@ADA.DE

Valid starting       Expires              Service principal
16.10.2019 10:22:13  16.10.2019 20:22:13  krbtgt/ADA.DE@ADA.DE
        erneuern bis 17.10.2019 10:22:08

But:
# net ads join -k
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

It is quite true this host is not configured as a member server -- it is
the PDC! So what do I have to do to make this host use the running samba4
to authenticate users? sssd fails because it can't find /etc/krb5.keytab.

/etc/sssd/sssd.conf is set to:
[sssd]
services = nss, pam, autofs
domains = ADA.DE
debug_level = 0x0270

[domain/ADA.DE]
enumerate = true
cache_credentials = True
krb5_realm = ADA.DE
ldap_search_base = dc=ada,dc=de
krb5_server = ad01.ada.de, ad02.ada.de
id_provider = ad
auth_provider = ad
ldap_uri = ldap://ad01.ada.de:389/, ldap://ad02.ada.de:389/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 0x0270

[nss]
homedir_substring = /home
debug_level = 0x0270

[pam]
debug_level = 0x0270

[sudo]
debug_level = 0x0270

[autofs]
debug_level = 0x0270

[ssh]
debug_level = 0x0270

[pac]
debug_level = 0x0270

[ifp]
debug_level = 0x0270

[secrets]
debug_level = 0x0270

[session_recording]
debug_level = 0x0270

Any hint, link, Howto would be great help!

--
Thomas
On 16/10/2019 09:56, Thomas Schweikle via samba wrote:
> Hi!
>
> Setup: Debian, Samba 4.11
>
> After successfully setting up samba4, I want this machine to authenticate
> against the running samba4-server. I've created /etc/krb5.conf:
>
> [libdefaults]
> default_realm = ADA.DE
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> fcc-mit-ticketflags = true
>
> [realms]
> ADA.DE = {
> kdc = ad01.ada.de
> kdc = ad02.ada.de
> admin_server = ad01.ada.de
> chpasswd_server = ad01.ada.de
> default_domain = ada.de
> }
>
> [domain_realm]
> .ada.de = ADA.DE
> ada.de = ADA.DE
>
> kinit works:
> # kinit Administrator
> Passwort für Administrator@ADA.DE:
> Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET ablaufen.
> # klist
> Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
> Standard-Principal: Administrator@ADA.DE
>
> Valid starting       Expires              Service principal
> 16.10.2019 10:22:13  16.10.2019 20:22:13  krbtgt/ADA.DE@ADA.DE
>         erneuern bis 17.10.2019 10:22:08
>
> But:
> # net ads join -k
> Host is not configured as a member server.
> Invalid configuration. Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the domain.
>
> It is quite true this host is not configured as a member server -- it is
> the PDC! So what do I have to do to make this host use the running samba4
> to authenticate users? sssd fails because it can't find /etc/krb5.keytab.

How have you set up Samba? Is it a PDC or are you just calling an AD DC a PDC because it is the first DC?

An AD DC != PDC

If it is a PDC, you cannot join it to an AD DC
If it is an AD DC, you do not join it to itself

Finally, do not use sssd, it is not supported by Samba (or Red Hat)

I think you need to post your smb.conf

Rowland
L.P.H. van Belle
2019-Oct-16 09:39 UTC
[Samba] Can't setup kerberos auth for samba4 server?
If this is a member server.

Just install minimal debian server + ssh.
Point dns (resolv.conf) to AD-DC.
search ada.de
nameserver IP_AD_DC

Now apt-get install samba winbind acl attr krb5-user
Keep all default, you don't need to change anything..

After the install of all packages.

systemctl stop smbd winbind (optional nmbd)
(optional : systemctl disable nmbd)

Setup the correct smb.conf for a member server
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

kinit Administrator
net ads join -k

systemctl enable smbd winbind (optional nmbd)
systemctl start smbd winbind (optional nmbd)

Enjoy, it's that simple..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of
> Thomas Schweikle via samba
> Sent: Wednesday 16 October 2019 10:57
> To: Samba
> Subject: [Samba] Can't setup kerberos auth for samba4 server?
>
> Hi!
>
> Setup: Debian, Samba 4.11
>
> After successfully setting up samba4, I want this machine to authenticate
> against the running samba4-server. I've created /etc/krb5.conf:
>
> [libdefaults]
> default_realm = ADA.DE
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> fcc-mit-ticketflags = true
>
> [realms]
> ADA.DE = {
> kdc = ad01.ada.de
> kdc = ad02.ada.de
> admin_server = ad01.ada.de
> chpasswd_server = ad01.ada.de
> default_domain = ada.de
> }
>
> [domain_realm]
> .ada.de = ADA.DE
> ada.de = ADA.DE
>
> kinit works:
> # kinit Administrator
> Passwort für Administrator@ADA.DE:
> Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET ablaufen.
> # klist
> Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
> Standard-Principal: Administrator@ADA.DE
>
> Valid starting       Expires              Service principal
> 16.10.2019 10:22:13  16.10.2019 20:22:13  krbtgt/ADA.DE@ADA.DE
>         erneuern bis 17.10.2019 10:22:08
>
> But:
> # net ads join -k
> Host is not configured as a member server.
> Invalid configuration. Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the domain.
>
> It is quite true this host is not configured as a member server -- it is
> the PDC! So what do I have to do to make this host use the running samba4
> to authenticate users? sssd fails because it can't find /etc/krb5.keytab.
>
> /etc/sssd/sssd.conf is set to:
> [sssd]
> services = nss, pam, autofs
> domains = ADA.DE
> debug_level = 0x0270
>
> [domain/ADA.DE]
> enumerate = true
> cache_credentials = True
> krb5_realm = ADA.DE
> ldap_search_base = dc=ada,dc=de
> krb5_server = ad01.ada.de, ad02.ada.de
> id_provider = ad
> auth_provider = ad
> ldap_uri = ldap://ad01.ada.de:389/, ldap://ad02.ada.de:389/
> ldap_id_use_start_tls = True
> ldap_tls_cacertdir = /etc/openldap/cacerts
> debug_level = 0x0270
>
> [nss]
> homedir_substring = /home
> debug_level = 0x0270
>
> [pam]
> debug_level = 0x0270
>
> [sudo]
> debug_level = 0x0270
>
> [autofs]
> debug_level = 0x0270
>
> [ssh]
> debug_level = 0x0270
>
> [pac]
> debug_level = 0x0270
>
> [ifp]
> debug_level = 0x0270
>
> [secrets]
> debug_level = 0x0270
>
> [session_recording]
> debug_level = 0x0270
>
> Any hint, link, Howto would be great help!
>
> --
> Thomas
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
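As an added example (not code from this thread, from Louis, or from the Samba project), the following POSIX shell script turns Louis's member-server checklist above and Rowland's point that an AD DC is never joined to itself into checks that can be run before typing `net ads join -k`. It generates a minimal domain-member smb.conf in the style of the Samba wiki page Louis links, refuses to proceed on a config whose `server role` is an AD DC (the situation Thomas hit), and verifies that resolv.conf points at the DC. Only the realm ADA.DE and the DC names ad01/ad02.ada.de come from the thread; the workgroup name ADA, the idmap ranges, the chosen smb.conf options and the sample resolv.conf are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba itself. Realm ADA.DE and
# the DCs ad01/ad02.ada.de come from the thread; workgroup ADA, the idmap
# ranges and the sample resolv.conf below are assumptions.

# Print a minimal domain-member smb.conf in the style of the Samba wiki's
# "Setting up Samba as a Domain Member" page (rid idmap backend).
member_smb_conf() {
    realm=$1        # Kerberos realm, upper case, e.g. ADA.DE
    workgroup=$2    # NetBIOS domain name, e.g. ADA (assumed)
    cat <<EOF
[global]
   workgroup = $workgroup
   security = ADS
   realm = $realm
   log file = /var/log/samba/%m.log
   log level = 1
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config $workgroup : backend = rid
   idmap config $workgroup : range = 10000-999999
   winbind use default domain = yes
   winbind refresh tickets = yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
EOF
}

# Return 0 when the smb.conf text in $1 describes a domain member, the only
# role for which "net ads join" applies. A "server role = active directory
# domain controller" config is rejected: an AD DC is not joined to itself
# (it already holds the domain's keys), which is the error in the thread.
smb_conf_is_member() {
    printf '%s\n' "$1" | grep -Eiq \
        '^[[:space:]]*server[[:space:]]+role[[:space:]]*=[[:space:]]*active directory domain controller' \
        && return 1
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$'
}

# Return 0 when the resolv.conf text in $1 searches the realm's DNS domain
# (realm in $2, lower-cased) and names at least one nameserver, i.e. DNS
# points at the AD DC as Louis's first step requires.
resolv_points_to_ad() {
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eq "^search[[:space:]]+$domain([[:space:]]|\$)" || return 1
    printf '%s\n' "$1" | grep -Eq '^nameserver[[:space:]]+[0-9.]+[[:space:]]*$'
}

# Constructed sample resolv.conf; 192.0.2.10 is a documentation address
# standing in for the DC's real IP.
SAMPLE_RESOLV='search ada.de
nameserver 192.0.2.10'

# The join sequence from Louis's message, run only on explicit request
# (needs root and network access to the DC; nothing here runs in a test).
join_member() {
    realm=$1; workgroup=$2
    resolv_points_to_ad "$(cat /etc/resolv.conf)" "$realm" \
        || { echo "DNS is not pointed at the AD DC"; return 1; }
    smb_conf_is_member "$(cat /etc/samba/smb.conf)" \
        || { echo "smb.conf is not a domain-member config (AD DC or no security = ADS)"; return 1; }
    systemctl stop smbd winbind nmbd
    kinit Administrator && net ads join -k || return 1
    systemctl enable smbd winbind
    systemctl start smbd winbind
}

if [ "${1:-}" = "--apply" ]; then
    join_member ADA.DE ADA
fi
```

Run with `--apply` as root on the prospective member only; without the flag the script just defines the functions so they can be sourced and used to inspect a config before touching the host. The `server role` check is what separates Thomas's case from Louis's: on a DC the same `net ads join -k` is refused because the host is not, and should not be, a member.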
Thomas Schweikle
2019-Oct-16 16:24 UTC
[Samba] Can't setup kerberos auth for samba4 server?
It is not a member server, it's the PDC. And after configuring /etc/krb5.conf you'll be able to

# kinit Administrator
Passwort für Administrator@ADA.DE:
Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET ablaufen.

And now:
# net ads join -k
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

But to authenticate on this PDC against the running samba I need some way to have /etc/krb5.keytab created ... some Howto this would be done would be nice!

On Wed, Oct 16, 2019 at 11:39 AM L.P.H. van Belle via samba <samba@lists.samba.org> wrote:
> If this is a member server.
>
> Just install minimal debian server + ssh.
> Point dns (resolv.conf) to AD-DC.
> search ada.de
> nameserver IP_AD_DC
>
> Now apt-get install samba winbind acl attr krb5-user
> Keep all default, you don't need to change anything..
>
> After the install of all packages.
>
> systemctl stop smbd winbind (optional nmbd)
> (optional : systemctl disable nmbd)
>
> Setup the correct smb.conf for a member server
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> kinit Administrator
> net ads join -k
>
> systemctl enable smbd winbind (optional nmbd)
> systemctl start smbd winbind (optional nmbd)
>
> Enjoy, it's that simple..
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces@lists.samba.org] On behalf of
> > Thomas Schweikle via samba
> > Sent: Wednesday 16 October 2019 10:57
> > To: Samba
> > Subject: [Samba] Can't setup kerberos auth for samba4 server?
> >
> > Hi!
> >
> > Setup: Debian, Samba 4.11
> >
> > After successfully setting up samba4, I want this machine to authenticate
> > against the running samba4-server. I've created /etc/krb5.conf:
> >
> > [libdefaults]
> > default_realm = ADA.DE
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> >
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > ADA.DE = {
> > kdc = ad01.ada.de
> > kdc = ad02.ada.de
> > admin_server = ad01.ada.de
> > chpasswd_server = ad01.ada.de
> > default_domain = ada.de
> > }
> >
> > [domain_realm]
> > .ada.de = ADA.DE
> > ada.de = ADA.DE
> >
> > kinit works:
> > # kinit Administrator
> > Passwort für Administrator@ADA.DE:
> > Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET ablaufen.
> > # klist
> > Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
> > Standard-Principal: Administrator@ADA.DE
> >
> > Valid starting       Expires              Service principal
> > 16.10.2019 10:22:13  16.10.2019 20:22:13  krbtgt/ADA.DE@ADA.DE
> >         erneuern bis 17.10.2019 10:22:08
> >
> > But:
> > # net ads join -k
> > Host is not configured as a member server.
> > Invalid configuration. Exiting....
> > Failed to join domain: This operation is only allowed for the PDC of the domain.
> >
> > It is quite true this host is not configured as a member server -- it is
> > the PDC! So what do I have to do to make this host use the running samba4
> > to authenticate users? sssd fails because it can't find /etc/krb5.keytab.
> >
> > /etc/sssd/sssd.conf is set to:
> > [sssd]
> > services = nss, pam, autofs
> > domains = ADA.DE
> > debug_level = 0x0270
> >
> > [domain/ADA.DE]
> > enumerate = true
> > cache_credentials = True
> > krb5_realm = ADA.DE
> > ldap_search_base = dc=ada,dc=de
> > krb5_server = ad01.ada.de, ad02.ada.de
> > id_provider = ad
> > auth_provider = ad
> > ldap_uri = ldap://ad01.ada.de:389/, ldap://ad02.ada.de:389/
> > ldap_id_use_start_tls = True
> > ldap_tls_cacertdir = /etc/openldap/cacerts
> > debug_level = 0x0270
> >
> > [nss]
> > homedir_substring = /home
> > debug_level = 0x0270
> >
> > [pam]
> > debug_level = 0x0270
> >
> > [sudo]
> > debug_level = 0x0270
> >
> > [autofs]
> > debug_level = 0x0270
> >
> > [ssh]
> > debug_level = 0x0270
> >
> > [pac]
> > debug_level = 0x0270
> >
> > [ifp]
> > debug_level = 0x0270
> >
> > [secrets]
> > debug_level = 0x0270
> >
> > [session_recording]
> > debug_level = 0x0270
> >
> > Any hint, link, Howto would be great help!
> >
> > --
> > Thomas

--
Thomas