Hi,

I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now I need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is I have set the parameter in smb.conf:

    use kerberos keytabe = true

and as mentioned in man smb.conf I have set in krb5.conf

    default_keytab_name = FILE:/etc/krb5/krb5.keytab

After a "net join ads" the krb5.keytab file is not created? Do I have to create it myself? Is this not really implemented? What am I doing wrong?

Help would be really appreciated.

Thanks and Regards,

Oliver Weinmann
Unix/Linux Administrator
VEGA IT GmbH
Europaplatz 5
D-64293 Darmstadt
Germany
Tel : +49 (0) 6151 8257 744
Fax : +49 (0)6151 8257-799
Email : oliver.weinmann@vega.de
Web : www.vega-group.com
Register court/Registergericht: Darmstadt, HRB No. 4096, Managing Directors/Geschäftsführer: Philip Cartmell, Susan Bygrave, John Lewis

Notice of Confidentiality: This transmission is intended for the named addressee only. It contains information which may be confidential and which may also be privileged. Unless you are the named addressee (or authorised to receive it for the addressee) you may not copy or use it, or disclose it to anyone else. If you have received this transmission in error please notify the sender immediately.
Guenther Deschner
2008-Apr-02 09:39 UTC
[Samba] Urgent... winbind and keytab file creation
Oliver Weinmann wrote:
> Hi,
>
> I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now I need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is I have set the parameter in smb.conf:
>
>     use kerberos keytabe = true
>
> and as mentioned in man smb.conf I have set in krb5.conf
>
>     default_keytab_name = FILE:/etc/krb5/krb5.keytab
>
> After a "net join ads" the krb5.keytab file is not created? Do I have to create it myself? Is this not really implemented? What am I doing wrong?

Have you tried "net ads keytab create" ?

Guenther

--
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner@redhat.com
Samba Team                              gd@samba.org
Gerald (Jerry) Carter
2008-Apr-02 13:10 UTC
[Samba] Urgent... winbind and keytab file creation
Oliver Weinmann wrote:
| Hi,
|
| I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now I need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is I have set the parameter in smb.conf:
|
|     use kerberos keytabe = true

Don't use this if you use Samba to join the domain. It is really only useful for non-MS realms.

jerry
On Wed, 2008-04-02 at 10:39 -0500, Gerald (Jerry) Carter wrote:
> Oliver Weinmann wrote:
> > Ok. I got it. I had to change the parameter for:
> >
> >     krb5_ccache_type = FILE
> >
> > Now the users get a "cached" ticket at login. COOL :)
> >
> > But when the automount daemon tries to mount their home it fails:
> >
> > Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
> > Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) No credentials found with supported encryption types
>
> I expect the nfsv4 service is trying to use 3des or aes.
> I always set these enc types in /etc/krb5.conf
>
> [libdefaults]
> default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
> default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
> preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC

Currently the Linux NFS server requires that both server and client use ONLY DES keys. Any other combination will simply fail.

There are kernel patches reaching upstream that are adding 3des and aes but not yet rc4-hmac IIRC.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce@redhat.com>
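Both Jerry's krb5.conf enctype list and Simo's remark that the NFS code of that era only works with DES keys come down to one question an administrator has to answer before debugging rpc.gssd: which enctypes does the host's keytab actually contain? The script below is an added example and is not code from this thread or from the Samba project. It parses the binary keytab format that both MIT and Heimdal write (version 0x0502), lists each principal's key versions and enctypes, and flags whether a DES key is present at all. The keytab it reads is constructed inline with filler key bytes and made-up principals (`host/client.example.com`, `nfs/client.example.com` in realm `EXAMPLE.COM`); point `parse_keytab` at the bytes of a real `/etc/krb5.keytab` to inspect a live file. The enctype numbers are the well-known registry values (RFC 3961, 3962, 4757); everything else is the example's own.

```python
import struct
from typing import Dict, List, Tuple

# Well-known Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # RC4-HMAC, the usual AD default of that era
}
DES_ENCTYPES = {1, 3}


def _counted(buf: bytes, off: int) -> Tuple[str, int]:
    """Read a keytab 'counted octet string': 16-bit length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def parse_keytab(data: bytes) -> List[Dict]:
    """Parse a version-2 (0x0502) MIT/Heimdal keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:           # a negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:      # optional trailing 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno8
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": vno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "key_len": len(key),   # report the length only; never print key material
        })
    return entries


def enctype_report(entries: List[Dict]) -> Dict[str, Dict]:
    """Per principal: the enctype names present and whether any DES key exists."""
    report: Dict[str, Dict] = {}
    for e in entries:
        r = report.setdefault(e["principal"], {"enctypes": [], "has_des": False})
        r["enctypes"].append(e["enctype_name"])
        if e["enctype"] in DES_ENCTYPES:
            r["has_des"] = True
    return report


# --- constructed sample keytab: made-up principals, all-zero filler keys ---
def _cs(s: bytes) -> bytes:
    return struct.pack(">H", len(s)) + s


def build_keytab(specs: List[Tuple[str, str, int, int, bytes]]) -> bytes:
    """Serialise (principal, realm, kvno, enctype, key) tuples as keytab v2 bytes."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in specs:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _cs(realm.encode())
        for c in comps:
            body += _cs(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, ts 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


SAMPLE_KEYTAB = build_keytab([
    ("host/client.example.com", "EXAMPLE.COM", 3, 23, b"\x00" * 16),
    ("host/client.example.com", "EXAMPLE.COM", 3, 3, b"\x00" * 8),
    ("nfs/client.example.com", "EXAMPLE.COM", 2, 18, b"\x00" * 32),
])

if __name__ == "__main__":
    for principal, r in enctype_report(parse_keytab(SAMPLE_KEYTAB)).items():
        print(principal, sorted(r["enctypes"]), "DES key present:", r["has_des"])
```

Run against the sample, the report shows the host principal holding both an RC4 and a DES key while the nfs principal has only AES256, which is exactly the mismatch Simo describes: that nfs principal would fail against a DES-only NFS implementation regardless of what krb5.conf prefers. The parser also skips deleted slots (negative entry size), which `net ads keytab` and `ktutil` leave behind when keys are removed, so counts from this script match what `klist -k` shows.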