Shahid,
I have the same problem, but I use Heimdal Kerberos for the domain; have a look at this bug ticket:
https://bugzilla.samba.org/show_bug.cgi?id=5810
The developers have not yet responded.
Thanks!
2009/3/11 Shahid M Shaikh
<shahid.shaikh@in.ibm.com>:
> Hi All,
>
> I have machine M1 hosting Samba PDC. It stores only user information.
> I have machine M2 acting as KDC server.
> I have machine M3 hosting CIFS shares and it joins into the domain hosted
> by PDC M1.
> I have machine M4 used as CIFS client.
>
> On M2, I have added users and cifs/host service principals for M3. Also
> added service principal in keytab file.
> I have added all the user and service principals using des-cbc-crc
> encryption triplet.
>
> M3 and M4 are KDC clients. I have scped the keytab file on M3 from M2.
>
> I have configured M3's smb.conf file to accept kerberos keytab and also for
> the kerberos realm.
>
>       realm = SONAS.COM
>       use kerberos keytab = yes
>       client use spnego = yes
>
>
> From M4, I do kinit <user> and then try to see exported shares from M3.
>
> [root@sofsedun3 ~]# kinit domuser
> Password for domuser@SONAS.COM:
> [root@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
> [root@sofsedun3 ~]# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: domuser@SONAS.COM
>
> Valid starting     Expires            Service principal
> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
>        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
> Enter domuser's password:
> Anonymous login successful
> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>
>        Sharename       Type      Comment
>        ---------       ----      -------
>        share           Disk      test share
>        IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
> Anonymous login successful
> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>
>        Server               Comment
>        ---------            -------
>
>        Workgroup            Master
>        ---------            -------
>
> It works with anonymous login. But when I try to use -k it fails. I tried
> smbclient with -k and debug level 3. I get this on the console.
>
> [root@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
> lp_load_ex: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
> added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
> added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
> Client started (version 3.2.8-ctdb-55).
> Connecting to 10.0.0.24 at port 445
> Doing spnego session setup (blob length=111)
> got OID=1 2 840 113554 1 2 2
> got OID=1 2 840 48018 1 2 2
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=cifs/sofsedun4.vsofs1.com@SONAS.COM
> Doing kerberos session setup
> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
> Thu, 12 Mar 2009 21:36:54 TLT
> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE
> [root@sofsedun3 ~]# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: domuser@SONAS.COM
>
> Valid starting     Expires            Service principal
> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
>        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> 03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1.com@SONAS.COM
>        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
>
> On M3, I have enabled smbd logs with debug level 10. The corresponding
> errors for the above behavior are:
>
> [2009/03/11 21:58:54,  3] smbd/process.c:switch_message(1361)
>   switch message SMBsesssetupX (pid 26858) conn 0x0
> [2009/03/11 21:58:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
>   wct=12 flg2=0xc801
> [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
>   Doing spnego session setup
> [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
>   NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
> [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
>   reply_spnego_negotiate: Got secblob of size 466
> [2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
>   ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
> [2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
>   ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
> [2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_verify_ticket(458)
>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2009/03/11 21:58:54,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2009/03/11 21:58:54,  3] smbd/error.c:error_packet_set(61)
>   error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> [2009/03/11 21:58:54,  3] smbd/process.c:smbd_process(2036)
>   receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
> [2009/03/11 21:58:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2009/03/11 21:58:54,  3] smbd/connection.c:yield_connection(31)
>   Yielding connection to
> [2009/03/11 21:58:54,  3] smbd/server.c:exit_server_common(958)
>   Server exit (normal exit)
>
>
>
> In the above scenario, M1 and M2 are not aware of each other. That
> means M1 is not a kerberos client.
> I tried setting M1 up as a kerberos client as well. But the result was the same.
>
> Samba installed on M1, M3 and M4 is samba-3.2.8_ctdb_55-1.
> I am using MIT Kerberos version 1.6.1-25.el5 on KDC and kerberos clients.
>
>
> My queries are:
> 1. Is it a known issue with samba or kerberos?
> 2. Am I missing anything on configuration?
> 3. What should I do to make the above setup work?
>
>
> Please feel free to ask for more information if the provided one is not
> sufficient.
>
>
> P.S.: I am copying my configuration files here for reference.
>
>
>
>
> [root@sofsedun2 ~]# cat /etc/samba/smb.conf
> # Samba Configuration file.
> #
> # ****************** WARNING ********************************
> # The contents of this file should not be modified directly !
> #
> # The samba options are stored in the registry.
> # Use the "net conf" command to add/modify samba options in the registry
> # ***************************************************************
> [global]
>        workgroup = VSOFS1.COM
>        server string = Samba/NT PDC
>        netbios name = sofsedun2
>        passdb backend = tdbsam
>        log level = 3
>        log file = /var/log/samba/%m.log
>        max log size = 50
>        delete user script = /usr/sbin/userdel "%u"
>        add group script = /usr/sbin/groupadd "%g"
>        delete group script = /usr/sbin/groupdel "%g"
>        delete user from group script = /usr/sbin/userdel "%u" "%g"
>        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>        add user script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>        domain logons = Yes
>        os level = 64
>        preferred master = Yes
>        domain master = Yes
>        local master = Yes
>        wins support = Yes
>        cups options = raw
>        security = user
>        encrypt passwords = Yes
> [netlogon]
>        path = /etc/samba/netlogon
>        writeable = no
>        write list = ntadmin
>        guest ok = no
> [profiles]
>        path = /usr/smb/ntprofile
>        writeable = yes
>        create mask = 0600
>        directory mask = 0700
>
>
>
> 2. CIFS server smb.conf
> [root@sofsedun4 ~]# cat /etc/samba/smb.conf
> # Samba Configuration file.
> #
> # ****************** WARNING ********************************
> # The contents of this file should not be modified directly !
> #
> # The samba options are stored in the registry.
> # Use the "net conf" command to add/modify samba options in the registry
> # ***************************************************************
> [global]
>   workgroup = VSOFS1.COM
>   password server = sofsedun2
>   security = domain
>   idmap uid = 16777216-33554431
>   idmap gid = 16777216-33554431
>   template shell = /bin/sh
>   winbind use default domain = false
>   winbind offline logon = false
>   realm = SONAS.COM
>   use kerberos keytab = yes
>   client use spnego = yes
>   wins support = Yes
>   cups options = raw
>   log level = 3
>   log file = /var/log/samba/%m.log
> [share]
>        comment = test share
>        path = /home/share
>        read only = no
>        public = yes
>        valid users = 'VSOFS1.COM\domuser' 'VSOFS1.COM\domadmin' 'VSOFS1.COM\domguest'
>
>
>
>
> [root@sofsedutsm ~]# cat /var/kerberos/krb5kdc/kdc.conf
> [kdcdefaults]
>  v4_mode = nopreauth
>  kdc_tcp_ports = 88
>
> [realms]
>  SONAS.COM = {
>  #master_key_type = des3-hmac-sha1
>  acl_file = /var/kerberos/krb5kdc/kadm5.acl
>  dict_file = /usr/share/dict/words
>  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>  }
>
>
>
> [root@sofsedun3 ~]# cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = SONAS.COM
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  forwardable = yes
>  default_tkt_enctypes = des-cbc-crc des-cbc-md5
>  default_tgs_enctypes = des-cbc-crc des-cbc-md5
>
> [realms]
>        VSOFS1.COM = {
>                kdc = sofsedutsm.VSOFS1.COM
>        }
>  SONAS.COM = {
>  kdc = sofsedutsm.VSOFS1.COM:88
>  admin_server = sofsedutsm.VSOFS1.COM:749
>  default_domain = VSOFS1.COM
>  }
>
> [domain_realm]
>  .VSOFS1.COM = SONAS.COM
>  VSOFS1.COM = SONAS.COM
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
>
>
> 5. /etc/nsswitch.conf and /etc/pam.d/system-auth have been configured to
> use winbind for auth, account and passwords.
>
>
>
> [root@sofsedun4 ~]# klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 03/11/09 20:24:49 cifs/sofsedun2.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
>    3 03/11/09 20:25:05 host/sofsedun2.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
>    3 03/11/09 20:25:19 host/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
>    3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
> [root@sofsedun4 ~]#
>
>
> Regards,
> Shahid Shaikh.
>
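A small cross-check for the kind of failure the post shows, added here as an example and not part of the original thread: it parses `klist -e` (client ticket cache) and `klist -kte` (server keytab) output in the format quoted above and reports, per service ticket, whether the server's keytab holds a key of the same principal and enctype, which KVNOs it holds, and whether the enctype is one now deprecated. The sample listings are constructed from the post's values.

```python
import re

# Constructed samples modelled on the `klist -kte` and `klist -e` listings in the post
# (same principal names and enctypes; not captured from the real hosts).
KEYTAB_OUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 03/11/09 20:25:19 host/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
   3 03/11/09 20:25:36 cifs/sofsedun4.vsofs1.com@SONAS.COM (DES cbc mode with CRC-32)
"""
CCACHE_OUT = """Valid starting     Expires            Service principal
03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1.com@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""
# Enctypes deprecated for Kerberos (DES: RFC 6649, RC4: RFC 8429), spelled as MIT klist prints them.
WEAK_ENCTYPES = {"DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5",
                 "DES cbc mode with RSA-MD4", "ArcFour with HMAC/md5"}
# keytab row: KVNO, date, time, principal, (enctype)
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$", re.M)
# ccache row: start date/time, expiry date/time, principal, then the Etype line beneath it
TICKET_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+(\S+@\S+)\n.*Etype \(skey, tkt\): ([^,]+), (.+)$", re.M)

def parse_keytab(text):
    """Map each principal in `klist -kte` output to its list of (kvno, enctype) keys."""
    keys = {}
    for kvno, princ, etype in KEYTAB_RE.findall(text):
        keys.setdefault(princ, []).append((int(kvno), etype))
    return keys

def parse_service_tickets(text):
    """(service principal, ticket enctype) for each non-TGT ticket in `klist -e` output.
    The ticket is sealed with the service's own key, so 'tkt' is the enctype the server needs."""
    return [(p, tkt) for p, _skey, tkt in TICKET_RE.findall(text) if not p.startswith("krbtgt/")]

def check_tickets(ccache_text, keytab_text):
    """For every service ticket the client holds, report whether the server's keytab has a key
    of the same principal and enctype (without one it cannot decrypt the ticket), which KVNOs
    it holds (a KVNO older than the KDC's also fails decryption), and whether the enctype is
    deprecated."""
    keytab = parse_keytab(keytab_text)
    findings = []
    for princ, tkt_etype in parse_service_tickets(ccache_text):
        keys = keytab.get(princ, [])
        findings.append({"principal": princ, "tkt_etype": tkt_etype,
                         "key_in_keytab": any(e == tkt_etype for _k, e in keys),
                         "kvnos": sorted({k for k, _e in keys}),
                         "weak_enctype": tkt_etype in WEAK_ENCTYPES})
    return findings
```

On the post's own listings the principal and enctype do line up, so the check reports a match but flags des-cbc-crc as deprecated; a ticket issued with an enctype or KVNO the keytab lacks shows up as `key_in_keytab: False`.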