On 29/04/15 20:37, Sketch wrote:
> On Wed, 29 Apr 2015, Andrey Repin wrote:
>
>> Greetings, Sketch!
>>
>>>> workgroup = INTERNAL
>>>> realm = EXAMPLE.COM
>>>> netbios name = SAMBA
>>
>>> Looks that way to me. Your realm should include the workgroup name:
>>> INTERNAL.EXAMPLE.COM.
>>
>> Nothing is "SHOULD" as long as the settings follow basic requirements
>> (single-label NETBIOS domain name, resolvable REALM name).
>> I.e. I have domains provisioned with "ADS.<netbios domain name>.<tld>"
>> All works fine, given correct DNS configuration.
>
> Netbios name is basically irrelevant here. Do you mean that the realm
> name does not have to match the workgroup name?

I don't know how I can say this plainer: the only thing that has to match is the realm name and the DNS domain name. If your DNS domain name is 'internal.example.com', then your Kerberos realm must be 'INTERNAL.EXAMPLE.COM'.

The NetBIOS domain name (also known as workgroup name) can be *anything* you like, but it is usually the left-hand part of the DNS domain name, 'INTERNAL' from the given example, but you could use 'BUTTERCUP' or 'MOON' or *ANYTHING* else, just as long as it is a single word of not more than 15 characters.

Rowland
Rowland, I definitely don't want to vex you. You've been very generous with your help. If I can't get it right using Andrey's provisioning example, I'll reach out for some commercial Samba support.

Best regards,
Mike

On Wed, Apr 29, 2015 at 4:24 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
SUCCESS.........up to the point of kerberos tickets.
((What a difference a night's sleep can do for logic neurons.))
Everything works with the provisioning now except for kerberos.
The setup follows and ends with the kinit, klist, and kvno errors/failures:
[root at dc1 ~]# hostname -f
dc1.internal.example.com
[root at dc1 ~]# hostname -s
dc1
[root at dc1 ~]# hostname -d
internal.example.com
[root at dc1 ~]# hostnamectl status
   Static hostname: dc1.internal.example.com
         Icon name: computer-server
           Chassis: server
        Machine ID: 57ccaldjfre9tuq34uadl5fjgq9823uadog
           Boot ID: f4c1eqa9e8rt709q23y849tyqghlkqdhfg9
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-229.1.2.el7.x86_64
      Architecture: x86_64
[root at dc1 ~]# cat /etc/resolv.conf
domain internal.example.com
search internal.example.com
nameserver 10.10.1.225
[root at dc1 ~]# cat /etc/hosts
127.0.0.1       dc1.internal.example.com    dc1
127.0.0.1       localhost
10.10.1.225     dc1.internal.example.com    dc1
[root at dc1 ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = INTERNAL
        realm = INTERNAL.EXAMPLE.COM
        netbios name = dc1
        interfaces = lo, eno1
        bind interfaces only = Yes
        server role = active directory domain controller
        dns forwarder = 75.75.76.76
        idmap_ldb:use rfc2307 = yes
[root at dc1 ~]# smbclient //internal.example.com/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[INTERNAL] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
  .                                   D        0  Thu Apr 30 09:36:14 2015
  ..                                  D        0  Thu Apr 30 09:36:20 2015
                51175 blocks of size 1048576. 48360 blocks available
[root at dc1 ~]# host -t SRV _ldap._tcp.internal.example.com.
_ldap._tcp.internal.example.com has SRV record 0 100 389 dc1.internal.example.com.
[root at dc1 ~]# host -t SRV _kerberos._udp.internal.example.com.
_kerberos._udp.internal.example.com has SRV record 0 100 88 dc1.internal.example.com.
[root at dc1 ~]# host -t A dc1.internal.example.com.
dc1.internal.example.com has address 10.10.1.225
[root at dc1 ~]#
[root at dc1 ~]# kinit administrator at INTERNAL.EXAMPLE.COM
Password for administrator at INTERNAL.EXAMPLE.COM:
kinit: Preauthentication failed while getting initial credentials
[root at dc1 ~]# cat /etc/krb5.conf
[libdefaults]
        default_realm = INTERNAL.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
[root at dc1 ~]# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found
[root at dc1 ~]#
[root at dc1 ~]# kvno administrator at INTERNAL.EXAMPLE.COM
kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting client principal name
[root at dc1 ~]#
L.P.H. van Belle
2015-Apr-30  14:41 UTC
[Samba] Cannot authenticate the administrator account
Hai Mike,

In /etc/hosts remove the line:

127.0.0.1 dc1.internal.example.com dc1

and try again.

Greetz,
Louis

> -----Original message-----
> From: 1100100 at gmail.com [mailto:samba-bounces at lists.samba.org] On behalf of Mike
> Sent: Thursday, 30 April 2015 16:35
> To: samba
> Subject: Re: [Samba] Cannot authenticate the administrator account
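The two rules this thread settles on can be checked mechanically before you provision or before you start chasing Kerberos errors: Rowland's rule that the realm must be the DNS domain name in upper case while the NetBIOS domain name (workgroup) is any single label of at most 15 characters, and Louis's fix that the DC's FQDN must not be mapped to 127.0.0.1 in /etc/hosts. The script below is an added example written for this page; it is not code from the thread or from the Samba project. It runs offline against constructed copies of Mike's smb.conf and /etc/hosts as posted above; the function names, the no-argument demo mode and the temp-dir layout are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): encode the two rules
# discussed in the thread as checks that read smb.conf and /etc/hosts.
#   1. realm == DNS domain name (upper case); workgroup is one label, <= 15 chars.
#   2. the DC's FQDN must map to its real address in /etc/hosts, never to loopback.
# Function names, the demo mode and the sample files are this example's own.

# Print the value of one [global] parameter from an smb.conf-style file.
smb_param() {   # $1 = smb.conf path, $2 = parameter name (case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }                                   # comment
        /^[[:space:]]*\[/   { inglobal = (tolower($0) ~ /\[global\]/); next }
        inglobal && index($0, "=") {
            i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# Rowland's rule: the realm is the DNS domain name, upper-cased. Both sides are
# upper-cased before comparing because `hostname -d` reports lower case.
check_realm() {   # $1 = smb.conf path, $2 = DNS domain name
    realm=$(smb_param "$1" realm | tr '[:lower:]' '[:upper:]')
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$realm" ] && [ "$realm" = "$want" ]
}

# NetBIOS domain name (workgroup): any single label of at most 15 characters.
check_workgroup() {   # $1 = smb.conf path
    wg=$(smb_param "$1" workgroup)
    [ -n "$wg" ] || return 1
    case $wg in *.*|*[[:space:]]*) return 1 ;; esac
    [ "${#wg}" -le 15 ]
}

# Louis's fix: succeed only if the hosts file maps the FQDN to a non-loopback
# address and to no loopback address (127.x.x.x or ::1).
check_hosts() {   # $1 = hosts file path, $2 = DC FQDN
    awk -v fqdn="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(fqdn)) {
              if ($1 ~ /^127\./ || $1 == "::1") loop = 1; else real = 1 } }
        END { if (real && !loop) exit 0; exit 1 }' "$1"
}

# Run all checks for one DC; prints a verdict per check, returns 1 if any fails.
check_dc() {   # $1 = smb.conf path, $2 = hosts file path, $3 = DC FQDN
    domain=${3#*.}; rc=0
    if check_realm "$1" "$domain"; then echo "realm: OK"
    else echo "realm: FAIL (must be $(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]'))"; rc=1; fi
    if check_workgroup "$1"; then echo "workgroup: OK"
    else echo "workgroup: FAIL (single label, at most 15 characters)"; rc=1; fi
    if check_hosts "$2" "$3"; then echo "hosts: OK"
    else echo "hosts: FAIL ($3 must map only to its real address, not 127.0.0.1)"; rc=1; fi
    return $rc
}

# Constructed sample: Mike's smb.conf and /etc/hosts as posted in the thread,
# written under a temp dir. Prints the dir path.
write_sample() {
    d=$(mktemp -d)
    cat > "$d/smb.conf" <<'EOF'
# Global parameters
[global]
        workgroup = INTERNAL
        realm = INTERNAL.EXAMPLE.COM
        netbios name = dc1
        server role = active directory domain controller
EOF
    cat > "$d/hosts" <<'EOF'
127.0.0.1       dc1.internal.example.com    dc1
127.0.0.1       localhost
10.10.1.225     dc1.internal.example.com    dc1
EOF
    printf '%s\n' "$d"
}

# Usage: sh dc-check.sh /etc/samba/smb.conf /etc/hosts "$(hostname -f)"
# With no arguments, run against the constructed sample (fails the hosts check).
if [ "$#" -eq 3 ]; then
    check_dc "$1" "$2" "$3"
elif [ "$#" -eq 0 ]; then
    sample=$(write_sample)
    echo "demo on constructed sample in $sample:"
    check_dc "$sample/smb.conf" "$sample/hosts" dc1.internal.example.com || true
fi
```

The script only reads the two files and changes nothing. On Mike's sample it reports the realm and workgroup as fine and flags the 127.0.0.1 line for dc1.internal.example.com; removing that line, as Louis suggests, makes the hosts check pass.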