Don Riden
2012-Feb-20 21:06 UTC
[Samba] Privilege Attribute Certificate (PAC) Disabled/Samba authentication
Hi,

I'm currently attempting to set up a Linux Samba and Kerberized NFS server using a Windows 2008 R2 Domain controller as a KDC and I've run into an issue.

Currently I can make Kerberized NFS or Samba fileserving work but not both at the same time.

Specifically: The Linux kerberized NFS daemon (rpc.svcgssd) appears to only be able to deal with service tickets up to a certain size. Active Directory adds a PAC to service tickets which makes them much larger than they otherwise would be. In order to work around this I've added 'NO_AUTH_DATA_REQUIRED' to the UserAccountControl attribute on the machine account in AD (as per this Microsoft KB article http://support.microsoft.com/kb/832572). This enables kerberized NFS to work correctly but appears to break the Samba authentication.

Output from the samba logs initially looks promising

    [2012/02/20 07:37:33.548998,3] libads/kerberos_verify.c:678(ads_verify_ticket)
      libads/kerberos_verify.c:678: did not retrieve auth data. continuing without PAC

but then degenerates from there.

Is it possible to make Samba work in this configuration? The clients are running Windows 7 and I'm using Samba 3.6.1.

Thanks
Don
Andrew Bartlett
2012-Feb-21 06:08 UTC
[Samba] Privilege Attribute Certificate (PAC) Disabled/Samba authentication
On Mon, 2012-02-20 at 21:06 +0000, Don Riden wrote:
> Hi,
>
> I'm currently attempting to set up a Linux Samba and Kerberized NFS
> server using a Windows 2008 R2 Domain controller as a KDC and I've run
> into an issue.
>
> Currently I can make Kerberized NFS or Samba fileserving work but not
> both at the same time.

Why are you trying to do both at the same time on the same principal?

Why not run NFS on a different principal? (e.g. add a new server-nfs principal and set a servicePrincipalName: nfs/server)

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
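
An added example, not part of either post and not Samba or Microsoft code: a Python check over constructed directory entries that reports accounts where the NO_AUTH_DATA_REQUIRED bit (0x2000000 in userAccountControl) is set on a principal that also carries non-NFS SPNs, the situation this thread describes, and accounts that serve nfs/ with the PAC still enabled. The account names, hostnames and the `audit` and `service_classes` helpers are hypothetical.

```python
# Added example: audit AD accounts for the PAC-suppression bit and the SPNs they carry.
NO_AUTH_DATA_REQUIRED = 0x2000000  # userAccountControl bit from KB 832572

# Constructed sample entries (hypothetical names), shaped like LDAP search results.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "SERVER$", "userAccountControl": "33558528",
     "servicePrincipalName": ["host/server.example.test",
                              "cifs/server.example.test",
                              "nfs/server.example.test"]},
    {"sAMAccountName": "server-nfs", "userAccountControl": "33554944",
     "servicePrincipalName": ["nfs/server.example.test"]},
    {"sAMAccountName": "SERVER2$", "userAccountControl": "4096",
     "servicePrincipalName": ["host/server2.example.test",
                              "nfs/server2.example.test"]},
]

def service_classes(spns):
    """Return the lower-cased service class of each SPN ('nfs' from 'nfs/host')."""
    return {spn.split("/", 1)[0].lower() for spn in spns if "/" in spn}

def audit(entries, pac_free_classes=frozenset({"nfs"})):
    """Report accounts whose PAC setting conflicts with the services they host.

    Assumption taken from the thread: nfs/ tickets should carry no PAC,
    every other service class on the account expects one.
    """
    findings = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        classes = service_classes(entry.get("servicePrincipalName", []))
        if uac & NO_AUTH_DATA_REQUIRED:
            affected = sorted(classes - pac_free_classes)
            kind = "pac-disabled-on-shared-principal"
        else:
            affected = sorted(classes & pac_free_classes)
            kind = "pac-enabled-for-nfs"
        if affected:
            findings.append((entry["sAMAccountName"], kind, affected))
    return findings

if __name__ == "__main__":
    for account, kind, classes in audit(SAMPLE_ENTRIES):
        print(f"{account}: {kind} ({', '.join(classes)})")
```

The dedicated server-nfs account produces no finding because the flag there affects only nfs/ tickets.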