The net ads joins the host to the AD, but can't get the proper kerberos tix. Manually generating the kerberos keytab from AD doesn't work. Any suggestions?

root@host /#head -1 /etc/release
Solaris 10 10/08 s10s_u6wos_07b SPARC

root@host /usr/sfw/sbin#./smbd -V
Version 3.0.28

root@host /#for PKG in `pkginfo -x | grep -i samba | awk '{print $1}'`; do VER=`pkginfo -l ${PKG} | grep PSTAMP`; echo ${PKG} ${VER}; done
SUNWsmbac PSTAMP: sfw10-patch20080310191909
SUNWsmbar PSTAMP: sfw10-patch20080723133424
SUNWsmbau PSTAMP: sfw10-patch20080723134146

Last few relevant lines from net ads with -d10 level debugging.

[2009/05/11 20:13:20, 10] libsmb/clientgen.c:(395)
  cli_rpc_pipe_close: closed pipe \NETLOGON to machine host.domain.com
[2009/05/11 20:13:20, 6] libsmb/clientgen.c:(153)
  write_socket(9,39)
[2009/05/11 20:13:20, 6] libsmb/clientgen.c:(156)
  write_socket(9,39) wrote 39
[2009/05/11 20:13:20, 10] lib/util_sock.c:(623)
  got smb length of 35
[2009/05/11 20:13:20, 5] lib/util.c:(484)
[2009/05/11 20:13:20, 5] lib/util.c:(494)
  size=35
  smb_com=0x71
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=2050
  smb_pid=2945
  smb_uid=2050
  smb_mid=12
  smt_wct=0
  smb_bcc=0
[2009/05/11 20:13:20, 10] lib/util.c:(2957)
  name_to_fqdn: lookup for HOST -> HOST.domain.com
[2009/05/11 20:13:20, 3] libads/ldap.c:(2471)
  ads_domain_func_level: 2
[2009/05/11 20:13:20, 3] libads/kerberos.c:(337)
  kerberos_secrets_store_des_salt: Storing salt "host/host.domain.com@DOMAIN.COM"
[2009/05/11 20:13:21, 2] libads/kerberos_keytab.c:(260)
  ads_keytab_add_entry: Using default system keytab: FILE:/etc/krb5/krb5.keytab
[2009/05/11 20:13:21, 5] libads/ldap.c:(1422)
  ads_get_kvno: Searching for host HOST
[2009/05/11 20:13:21, 5] libads/ldap.c:(1440)
  ads_get_kvno: Using: CN=HOST,CN=Computers,DC=domain,DC=com
[2009/05/11 20:13:21, 5] libads/ldap.c:(1459)
  ads_get_kvno: Looked Up KVNO of: 7
[2009/05/11 20:13:21, 3] libads/kerberos_keytab.c:(65)
  smb_krb5_kt_add_entry: Will try to delete old keytab entries
[2009/05/11 20:13:21, 1] libads/kerberos_keytab.c:(152)
  smb_krb5_kt_add_entry: krb5_kt_end_seq_get failed (Bad file number)
[2009/05/11 20:13:21, 1] libads/kerberos_keytab.c:(346)
  ads_keytab_add_entry: Failed to add entry to keytab file
[2009/05/11 20:13:21, 1] libads/kerberos_keytab.c:(508)
  ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.
[2009/05/11 20:13:21, 1] utils/net_ads.c:(1644)
  Error creating host keytab!
Joined 'HOST' to realm 'DOMAIN.COM'
[2009/05/11 20:13:21, 2] utils/net.c:(1036)
  return code = 0
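
Added example, not part of the original post and not Samba code: the debug output above reports "Error creating host keytab!" and then "Joined" with "return code = 0", so the exit status alone hides the keytab failure. This Python sketch parses that log layout and flags the case; the sample is a constructed subset of the lines quoted above, and the function names are hypothetical.

```python
import re

# Samba 3.0 debug header "[date time, level] file:function(line)"; the function
# name is empty in this page's log, e.g. "libads/kerberos_keytab.c:(152)".
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\]\s+(\S+?):\w*\((\d+)\)\s*$")
RETURN_CODE = re.compile(r"return code = (-?\d+)")

# Constructed sample (subset of the log above); "Joined" is net's own stdout.
SAMPLE = """\
[2009/05/11 20:13:21, 5] libads/ldap.c:(1459)
  ads_get_kvno: Looked Up KVNO of: 7
[2009/05/11 20:13:21, 1] libads/kerberos_keytab.c:(152)
  smb_krb5_kt_add_entry: krb5_kt_end_seq_get failed (Bad file number)
[2009/05/11 20:13:21, 1] libads/kerberos_keytab.c:(346)
  ads_keytab_add_entry: Failed to add entry to keytab file
[2009/05/11 20:13:21, 1] utils/net_ads.c:(1644)
  Error creating host keytab!
Joined 'HOST' to realm 'DOMAIN.COM'
[2009/05/11 20:13:21, 2] utils/net.c:(1036)
  return code = 0
"""

def parse_debug_log(text):
    """Split debug output into (records, stdout_lines)."""
    records, stdout, current = [], [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "source": f"{m.group(3)}:{m.group(4)}", "message": ""}
            records.append(current)
        elif raw[:1].isspace() and current is not None:
            current["message"] = f"{current['message']} {raw.strip()}".strip()
        elif raw.strip():
            stdout.append(raw.strip())  # unindented, headerless: program output
    return records, stdout

def triage_join(text):
    """Flag a join that reports success although keytab creation failed."""
    records, stdout = parse_debug_log(text)
    errors = [r for r in records if r["level"] <= 1]
    codes = [int(m.group(1)) for r in records if (m := RETURN_CODE.search(r["message"]))]
    joined = any(line.startswith("Joined ") for line in stdout)
    keytab_failed = any("keytab" in r["message"].lower() for r in errors)
    return {"errors": errors, "return_code": codes[-1] if codes else None,
            "silent_keytab_failure": joined and codes[-1:] == [0] and keytab_failed}

if __name__ == "__main__":
    print(triage_join(SAMPLE)["silent_keytab_failure"])
```
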

Brian, it is Windows 2003/R2. The config for samba is straight up just from the global section. The exact problem I'm having is the net ads is unable to create the kerberos keytab and I hate to run ktpass and etc from the win KDC and install them. Even if I did the ktpass, the tix are not working... I get constant error 'server not found in kerberos database' whenever attempting to login.

[global]
workgroup = WKG
netbios name = HOST
security = ads
password server = x.domain.com
use kerberos keytab = true
realm = DOMAIN.COM

[2009/05/11 22:33:30, 10] lib/util.c:(2957)
  name_to_fqdn: lookup for HOST -> HOST.domain.com
[2009/05/11 22:33:30, 3] libads/ldap.c:(2471)
  ads_domain_func_level: 2
[2009/05/11 22:33:30, 3] libads/kerberos.c:(337)
  kerberos_secrets_store_des_salt: Storing salt "host/HOST.domain.com@DOMAIN.COM"
[2009/05/11 22:33:30, 2] libads/kerberos_keytab.c:(260)
  ads_keytab_add_entry: Using default system keytab: FILE:/etc/krb5/krb5.keytab
[2009/05/11 22:33:30, 5] libads/ldap.c:(1422)
  ads_get_kvno: Searching for host HOST
[2009/05/11 22:33:30, 5] libads/ldap.c:(1440)
  ads_get_kvno: Using: CN=host,OU=NewComputers,DC=domain,DC=com
[2009/05/11 22:33:30, 5] libads/ldap.c:(1459)
  ads_get_kvno: Looked Up KVNO of: 7
[2009/05/11 22:33:30, 3] libads/kerberos_keytab.c:(65)
  smb_krb5_kt_add_entry: Will try to delete old keytab entries
[2009/05/11 22:33:30, 5] libads/kerberos_keytab.c:(105)
  smb_krb5_kt_add_entry: Found old entry for principal: host/host.domain.com@DOMAIN.COM (kvno 7) - trying to remove it.
[2009/05/11 22:33:30, 1] libads/kerberos_keytab.c:(116)
  smb_krb5_kt_add_entry: krb5_kt_remove_entry failed (Cannot write to specified key table)
[2009/05/11 22:33:30, 1] libads/kerberos_keytab.c:(346)
  ads_keytab_add_entry: Failed to add entry to keytab file
[2009/05/11 22:33:30, 1] libads/kerberos_keytab.c:(508)
  ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.
[2009/05/11 22:33:30, 1] utils/net_ads.c:(1644)
  Error creating host keytab!
Joined 'HOST' to realm 'DOMAIN.COM'
[2009/05/11 22:33:30, 2] utils/net.c:(1036)
  return code = 0

On Mon, May 11, 2009 at 10:16 PM, Brian H. Nelson <bnelson@cis.ysu.edu> wrote:
> Ravi,
>
> You don't mention which version of AD you are working with or include any
> relevant config files. Both would be helpful.
>
> Also, it might just be me, but I'm not clear on exactly what problem you're
> having. Maybe you could clarify, list error messages, etc.
>
> You might want to get Solaris patch 119757-14 which gives you samba 3.0.33.
> I don't know if it will help. I had no problems with samba 3.0.28 on Solaris
> 10.
>
> -Brian
>
>
> Ravi Channavajhala wrote:
>>
>> The net ads joins the host to the AD, but can't get the proper kerberos
>> tix. Manually generating the kerberos keytab from AD doesn't work. Any
>> suggestions?
>>
>> root@host /#head -1 /etc/release
>> Solaris 10 10/08 s10s_u6wos_07b SPARC
>>
>> root@host /usr/sfw/sbin#./smbd -V
>> Version 3.0.28
>>
>> root@host /#for PKG in `pkginfo -x | grep -i samba | awk '{print
>> $1}'`; do VER=`pkginfo -l ${PKG} | grep PSTAMP`; echo ${PKG} ${VER};
>> done
>> SUNWsmbac PSTAMP: sfw10-patch20080310191909
>> SUNWsmbar PSTAMP: sfw10-patch20080723133424
>> SUNWsmbau PSTAMP: sfw10-patch20080723134146
>>
>> Last few relevant lines from net ads with -d10 level debugging.

Ravi,

You don't mention which version of AD you are working with or include any relevant config files. Both would be helpful.

Also, it might just be me, but I'm not clear on exactly what problem you're having. Maybe you could clarify, list error messages, etc.

You might want to get Solaris patch 119757-14 which gives you samba 3.0.33. I don't know if it will help. I had no problems with samba 3.0.28 on Solaris 10.

-Brian

Ravi Channavajhala wrote:
> The net ads joins the host to the AD, but can't get the proper kerberos
> tix. Manually generating the kerberos keytab from AD doesn't work. Any
> suggestions?
>
> root@host /#head -1 /etc/release
> Solaris 10 10/08 s10s_u6wos_07b SPARC
>
> root@host /usr/sfw/sbin#./smbd -V
> Version 3.0.28
>
> root@host /#for PKG in `pkginfo -x | grep -i samba | awk '{print
> $1}'`; do VER=`pkginfo -l ${PKG} | grep PSTAMP`; echo ${PKG} ${VER};
> done
> SUNWsmbac PSTAMP: sfw10-patch20080310191909
> SUNWsmbar PSTAMP: sfw10-patch20080723133424
> SUNWsmbau PSTAMP: sfw10-patch20080723134146
>
> Last few relevant lines from net ads with -d10 level debugging.

--
---------------------------------------------------
Brian H. Nelson         Youngstown State University
System Administrator   Media and Academic Computing
              bnelson[at]cis.ysu.edu
---------------------------------------------------