thr3ads.net - samba - [Samba] Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi

If this information is useful, please help other people find it:
Share via:

Paul Sobey

2009-Nov-05 12:04 UTC

[Samba] Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?

Good Morning,

We have a network of Solaris 10 machines authenticating and doing name 
lookups via a Windows 2008 (SP2) domain using the Solaris ldap client and 
self/gssapi credentials. Each machine has a machine account that is 
prepared via a script with the following attributes:

userAccountControl: 4263936 (WORKSTATION_TRUST_ACCOUNT | 
DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)
msDS-SupportedEncryptionTypes: 23 (KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 | 
KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_DES_CBC_MD5 | 
KERB_ENCTYPE_DES_CBC_CRC)

We would like to install a new Samba file server and have it play nicely 
with this setup, using the system keytab, ideally taking a password from 
the keytab or being able to control the password used in the joining 
process.

Is there a prescribed/supported way to have Samba 'fit in' to an
existing
setup like this?

We've tried running net ads join after the host keytab is created, and 
note that the KVNO on the computer account increases, the 
userAccountControl flag gets overwritten with DONT_REQ_PREAUTH (seems to 
be needed for Solaris kinit -k), and the resulting keytab is unusable by 
Solaris kinit:

before net ads join:

Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
   18 host/fqdn at REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC) HMAC/md5)
   18 host/fqdn at REALM (ArcFour with HMAC/md5)
   18 host/fqdn at REALM (DES cbc mode with RSA-MD5)
   18 host/fqdn at REALM (DES cbc mode with CRC-32)

kinit -k

Default principal: host/fqdn at REALM

Valid starting                  Expires                  Service principal
05/11/2009 11:46:16  05/11/2009 21:46:16 
krbtgt/REALM at REALM
         renew until 12/11/2009 11:46:16, Etype(skey, tkt): AES-256 CTS 
mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC


after net ads join (Samba added entries are KVNO 19)

   18 host/fqdn at REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   18 host/fqdn at REALM (ArcFour with HMAC/md5)
   18 host/fqdn at REALM (DES cbc mode with RSA-MD5)
   18 host/fqdn at REALM (DES cbc mode with CRC-32)
   19 host/fqdn at REALM (DES cbc mode with CRC-32)
   19 host/fqdn at REALM (DES cbc mode with RSA-MD5)
   19 host/fqdn at REALM (ArcFour with HMAC/md5)
   19 host/HOST at REALM (DES cbc mode with CRC-32)
   19 host/HOST at REALM (DES cbc mode with RSA-MD5)
   19 host/HOST at REALM (ArcFour with HMAC/md5)
   19 HOST$@REALM (DES cbc mode with CRC-32)
   19 HOST$@REALM (DES cbc mode with RSA-MD5)
   19 HOST$@REALM (ArcFour with HMAC/md5)

kinit -k

kinit(v5): Clients credentials have been revoked while getting initial 
credentials

after removal of kvno 18 tickets with ktutil:

kinit(v5): Key table entry not found while getting initial credentials


Should I just give up and use pam_winbind and nss_winbind, or is there a 
way to make this work? Also, is there a way to make net ads join request 
or write aes256 entries to the keytab? Our krb5.conf explicitly specifies 
this as a permitted enc type.

Cheers,
Paul

Douglas E. Engert

2009-Nov-05 16:09 UTC

head link

[Samba] Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?

Paul Sobey wrote:> Good Morning,
> 
> We have a network of Solaris 10 machines authenticating and doing name 
> lookups via a Windows 2008 (SP2) domain using the Solaris ldap client 
> and self/gssapi credentials. Each machine has a machine account that is 
> prepared via a script with the following attributes:
> 
> userAccountControl: 4263936 (WORKSTATION_TRUST_ACCOUNT | 
> DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)
> msDS-SupportedEncryptionTypes: 23 (KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 
> | KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_DES_CBC_MD5 | 
> KERB_ENCTYPE_DES_CBC_CRC)
> 
> We would like to install a new Samba file server and have it play nicely 
> with this setup, using the system keytab, ideally taking a password from 
> the keytab or being able to control the password used in the joining 
> process.
> 
> Is there a prescribed/supported way to have Samba 'fit in' to an 
> existing setup like this?
This could be an issue with older Solaris systems supporting AES-128 but
not AES-256 because of policy.

http://docs.sun.com/app/docs/doc/816-4557/egric?a=view

says:
  "In releases prior to Solaris 10 8/07 release, the
aes256-cts-hmac-sha1-96
   encryption type can be used with the Kerberos service if the unbundled Strong
   Cryptographic packages are installed."

See:
http://www.sun.com/software/solaris/security.jsp
> 
> We've tried running net ads join after the host keytab is created, and 
> note that the KVNO on the computer account increases, the 
> userAccountControl flag gets overwritten with DONT_REQ_PREAUTH (seems to 
> be needed for Solaris kinit -k), and the resulting keytab is unusable by 
> Solaris kinit:
> 
> before net ads join:
> 
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- 
> --------------------------------------------------------------------------
>   18 host/fqdn at REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC) HMAC/md5)
>   18 host/fqdn at REALM (ArcFour with HMAC/md5)
>   18 host/fqdn at REALM (DES cbc mode with RSA-MD5)
>   18 host/fqdn at REALM (DES cbc mode with CRC-32)
> 
> kinit -k
> 
> Default principal: host/fqdn at REALM
> 
> Valid starting                  Expires                  Service principal
> 05/11/2009 11:46:16  05/11/2009 21:46:16 krbtgt/REALM at REALM
>         renew until 12/11/2009 11:46:16, Etype(skey, tkt): AES-256 CTS 
> mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
> 
> 
> after net ads join (Samba added entries are KVNO 19)
> 
>   18 host/fqdn at REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>   18 host/fqdn at REALM (ArcFour with HMAC/md5)
>   18 host/fqdn at REALM (DES cbc mode with RSA-MD5)
>   18 host/fqdn at REALM (DES cbc mode with CRC-32)
>   19 host/fqdn at REALM (DES cbc mode with CRC-32)
>   19 host/fqdn at REALM (DES cbc mode with RSA-MD5)
>   19 host/fqdn at REALM (ArcFour with HMAC/md5)
>   19 host/HOST at REALM (DES cbc mode with CRC-32)
>   19 host/HOST at REALM (DES cbc mode with RSA-MD5)
>   19 host/HOST at REALM (ArcFour with HMAC/md5)
>   19 HOST$@REALM (DES cbc mode with CRC-32)
>   19 HOST$@REALM (DES cbc mode with RSA-MD5)
>   19 HOST$@REALM (ArcFour with HMAC/md5)
> 
> kinit -k
> 
> kinit(v5): Clients credentials have been revoked while getting initial 
> credentials
> 
> after removal of kvno 18 tickets with ktutil:
> 
> kinit(v5): Key table entry not found while getting initial credentials
> 
> 
> Should I just give up and use pam_winbind and nss_winbind, or is there a 
> way to make this work? Also, is there a way to make net ads join request 
> or write aes256 entries to the keytab? Our krb5.conf explicitly 
> specifies this as a permitted enc type.
> 
> Cheers,
> Paul
> 
-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Possibly Parallel Threads

Search for more maybe matching threads

samba - Nov 2009 - Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?

[Samba] Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?

[Samba] Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?

Possibly Parallel Threads