L.P.H. van Belle
2022-Jan-27 13:29 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Hi Alex,

> -----Original Message-----
> From: Alex [mailto:samba at abisoft.biz]
> Sent: Thursday, 27 January 2022 13:02
> To: L.P.H. van Belle via samba; L.P.H. van Belle
> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>
> Hello Louis,
>
> Samba is already handling the system's keytab...
> Any ideas why?

No, sorry, that's one I don't know, except that k5start might look in a different place which does not exist.

> The reason to use k5start is b/c some progs can't work with
> keytab file directly. For example, nslcd.

Aha.. But wait, if samba is already handling it.
Why not this way..

(example for kerberos auth in squid )
kinit Administrator
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads_update keytab ADD HTTP/$(hostname -f)
chmod 640 krb5-squid-HTTP-$(hostname -s).keytab
chown root:proxy krb5-squid-HTTP-$(hostname -s).keytab

Adjust it to your needs for nslcd but it shows how to do it.
I think that will work also.

> > I'm wondering why you don't use winbind for the keytabs setup and let samba handle it.
> >
> > That's what I suggest.
> > Install winbind only.
> >
> > Use :
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> >
> > # renew the kerberos ticket
> > winbind refresh tickets = yes
> >
> > Add the use that keytab or make separated keytab file as you do now.
> >
> > You might have a reason to use k5start but I haven't seen it so far.
> >
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex via samba
> >> Sent: Thursday, 27 January 2022 9:12
> >> To: Andrew Bartlett via samba; Stefan Kania; Andrew Bartlett
> >> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
> >>
> >> Hello Andrew,
> >>
> >> > The big difference with 4.15 is likely to be that we disabled DES
> >> > encryption types recently, so if you followed an old guide that said to
> >> > force DES that would end badly.
> >>
> >> [root at vm-corp etc]# net ads keytab list /usr/local/etc/padl.keytab
> >> Vno Type Principal
> >> 1 ArcFour with HMAC/md5 padl at ABISOFT.BIZ
> >> [root at vm-corp etc]#
> >>
> >> There's no DES encryption as far as I see. Or I look at the wrong place?
> >>
> >> --
> >> Best regards,
> >> Alex
>
> --
> Best regards,
> Alex
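Added example (not part of any message in this thread, and not Samba project code): a small check that reads `net ads keytab list` output and reports any single-DES keys, the enctypes the quoted reply says 4.15 disabled. The sample listing, its principals and the DES/AES type strings are constructed assumptions; only the ArcFour line format is taken from the thread.

```sh
#!/bin/sh
# Added example: flag single-DES keys in `net ads keytab list` output.

# Constructed sample listing. Principals are made up, and the DES and AES
# type strings are assumed to follow the same style as the ArcFour line
# quoted in the thread.
sample_listing() {
    cat <<'EOF'
Vno  Type                                     Principal
  1  ArcFour with HMAC/md5                    svc-a@EXAMPLE.TEST
  2  DES cbc mode with CRC-32                 svc-b@EXAMPLE.TEST
  2  AES-256 CTS mode with 96-bit SHA-1 HMAC  svc-b@EXAMPLE.TEST
EOF
}

# Reads a listing on stdin and prints "principal<TAB>type" for each DES key.
# Returns 1 if at least one DES key was found, 0 if none.
find_des_entries() {
    awk '
        $1 !~ /^[0-9]+$/ || NF < 3 { next }   # header, prompts, blank lines
        {
            # Fields between the Vno and the principal form the type name.
            type = $2
            for (i = 3; i < NF; i++) type = type " " $i
            # Match "DES ..." or "des-cbc-..." but not "des3-...".
            if (tolower(type) ~ /^des([^a-z0-9]|$)/) {
                print $NF "\t" type
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Demo on the constructed sample; on a real host, pipe in the output of
# `net ads keytab list <keytab>` instead.
if sample_listing | find_des_entries; then
    echo "no DES keys found"
else
    echo "DES keys present"
fi
```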
Alex
2022-Jan-27 14:03 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>> Any ideas why?

> No, sorry, thats one i dont know, except that k5start might look in a different place which does not exist.

I checked that - it does read the file I specified.

>> The reason to use k5start is b/c some progs can't work with
>> keytab file directly. For example, nslcd.

> Aha.. But wait, if samba is already handle-ing it.
> Why not this way..
>
> (example for kerberos auth in squid )
> kinit Administrator
> export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
> net ads_update keytab ADD HTTP/$(hostname -f)
> chmod 640 krb5-squid-HTTP-$(hostname -s).keytab
> chown root:proxy krb5-squid-HTTP-$(hostname -s).keytab
>
> Adjust it to you needs for nlscd but it shows how todo it.
> I think what will work also.

B/c (as I said) nslcd is not able to work thru a keytab file. It only supports ready-to-use TGT:

sasl_mech GSSAPI
krb5_ccname /tmp/krb5cc_nslcd

--
Best regards,
Alex
L.P.H. van Belle
2022-Jan-27 14:53 UTC
[Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
Ok, last thing I could find.

https://samba.samba.narkive.com/fug9sqxD/4-and-gssapi-kerberos-ldap-connect#post2

It's a 10y old post but read it, I think it might help you find the source of your problem.
That link gives back some old memories here, as will for Rowland.. ;-)

Greetz,
Louis

> -----Original Message-----
> From: Alex [mailto:samba at abisoft.biz]
> Sent: Thursday, 27 January 2022 15:03
> To: L.P.H. van Belle via samba; L.P.H. van Belle
> Subject: Re: [Samba] Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable
>
> >> Any ideas why?
>
> > No, sorry, thats one i dont know, except that k5start might look in a different place which does not exist.
>
> I checked that - it does read the file I specified.
>
> >> The reason to use k5start is b/c some progs can't work with
> >> keytab file directly. For example, nslcd.
>
> > Aha.. But wait, if samba is already handle-ing it.
> > Why not this way..
> >
> > (example for kerberos auth in squid )
> > kinit Administrator
> > export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
> > net ads_update keytab ADD HTTP/$(hostname -f)
> > chmod 640 krb5-squid-HTTP-$(hostname -s).keytab
> > chown root:proxy krb5-squid-HTTP-$(hostname -s).keytab
> >
> > Adjust it to you needs for nlscd but it shows how todo it.
> > I think what will work also.
>
> B/c (as I said) nslcd is not able to work thru a keytab file.
> It only supports ready-to-use TGT:
> sasl_mech GSSAPI
> krb5_ccname /tmp/krb5cc_nslcd
>
> --
> Best regards,
> Alex