Wrong krb alias.  Resending ...

Natalie Li wrote:
Solaris Kerberos team,

Why are we seeing the following message when running kinit to acquire a TGT ticket for the Administrator?

kinit(v5):  no ktkt_warnd warning possible

Any idea as to why kinit would fail for the host service after a successful domain join?

fw02-2009Q2# kinit -kV host/fw02-2009Q2.fishworks.com
kinit(v5): Preauthentication failed while getting initial credentials

Malcolm, could you please rejoin your system to see if the problem goes away?

Thanks,

Natalie

Malcolm Gibbs wrote:
Thanks Natalie,

Here is the output from those commands:

fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error:  No AD servers

fw02-2009Q2# kinit Administrator
Password for [email protected]:
kinit(v5):  no ktkt_warnd warning possible

fw02-2009Q2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting                Expires                Service principal
06/16/09 21:36:04  06/17/09 07:36:08  krbtgt/[email protected]
        renew until 06/23/09 21:36:04

fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error:  No AD servers

fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error:  No AD servers


Thanks
Malcolm



From: [email protected] [mailto:[email protected]]
Sent: Wednesday, 17 June 2009 3:25 AM
To: Malcolm Gibbs
Subject: Re: [cifs-discuss] SS7000 CIFS User unknown or invalid user

What's the output from:

kinit Administrator
klist

Natalie

Malcolm Gibbs wrote:
Hi Natalie,

Attached is the output from cifs-gendiag. Note this is the SS7000
Appliance Kit running under Virtual Box. Note I get this working
perfectly using OpenSolaris 2009.06 against the same Windows 2008 AD
server.

Here is the other output
fw02-2009Q2# klist /var/run/idmap/ccache
klist: No credentials cache file found (ticket cache FILE:/var/run/idmap/ccache)


fw02-2009Q2# klist -ke
Keytab name: FILE:/var/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/[email protected] (ArcFour with HMAC/md5)
   2 host/[email protected] (DES cbc mode with CRC-32)
   2 host/[email protected] (DES cbc mode with RSA-MD5)
   2 nfs/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 nfs/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 nfs/[email protected] (ArcFour with HMAC/md5)
   2 nfs/[email protected] (DES cbc mode with CRC-32)
   2 nfs/[email protected] (DES cbc mode with RSA-MD5)
   2 HTTP/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 HTTP/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 HTTP/[email protected] (ArcFour with HMAC/md5)
   2 HTTP/[email protected] (DES cbc mode with CRC-32)
   2 HTTP/[email protected] (DES cbc mode with RSA-MD5)
   2 root/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 root/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 root/[email protected] (ArcFour with HMAC/md5)
   2 root/[email protected] (DES cbc mode with CRC-32)
   2 root/[email protected] (DES cbc mode with RSA-MD5)


fw02-2009Q2# kinit -kV host/fw02-2009Q2.fishworks.com
kinit(v5): Preauthentication failed while getting initial credentials

Thanks for any help
Malcolm


-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, 16 June 2009 7:12 AM
To: Malcolm Gibbs
Cc: [email protected]
Subject: Re: [cifs-discuss] SS7000 CIFS User unknown or invalid user

It would be useful if you could provide the output from:

http://opensolaris.org/os/project/cifs-server/files/cifs-gendiag

  fw02-2009Q2# klist -5
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)

What's "-5"?
If you want to see the idmap ccache, you should run `klist /var/run/idmap/ccache`.

Let's verify your Kerberos setup on your Solaris system. Please run the following commands:

(1) klist
bash-3.2# klist -ke
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
6 HOST/[email protected] (ArcFour with HMAC/md5)
6 HOST/[email protected] (DES cbc mode with CRC-32)
6 HOST/[email protected] (DES cbc mode with RSA-MD5)
6 host/[email protected] (ArcFour with HMAC/md5)
6 host/[email protected] (DES cbc mode with CRC-32)
6 host/[email protected] (DES cbc mode with RSA-MD5)
6 nfs/[email protected] (ArcFour with HMAC/md5)
6 nfs/[email protected] (DES cbc mode with CRC-32)
6 nfs/[email protected] (DES cbc mode with RSA-MD5)
6 HTTP/[email protected] (ArcFour with HMAC/md5)
6 HTTP/[email protected] (DES cbc mode with CRC-32)
6 HTTP/[email protected] (DES cbc mode with RSA-MD5)
6 root/[email protected] (ArcFour with HMAC/md5)
6 root/[email protected] (DES cbc mode with CRC-32)
6 root/[email protected] (DES cbc mode with RSA-MD5)
6 cifs/[email protected] (ArcFour with HMAC/md5)
6 cifs/[email protected] (DES cbc mode with CRC-32)
6 cifs/[email protected] (DES cbc mode with RSA-MD5)

(2) kinit -k HOST/<hostname.fqdn> something like:

bash-3.2# kinit -k HOST/pb-49.w2k3r2.com
bash-3.2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HOST/[email protected]

Valid starting Expires Service principal
06/08/09 17:22:35 06/09/09 03:24:47 krbtgt/[email protected]
renew until 06/15/09 17:22:35

Regards,

Natalie
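The two keytab listings in this thread are compared by eye. As an added example (not part of the thread, and not a Sun or OpenSolaris tool), here is a small triage script that parses `klist -ke` output, groups keys by principal, and reports the three things worth checking before running `kinit -k`: which expected service principals are missing (MIT Kerberos matches keytab principals case-sensitively, so `HOST/` and `host/` are distinct entries), whether a principal has keys under more than one KVNO (stale keys left from an earlier join), and which weak enctypes (DES, ArcFour/RC4) are present. The sample listing, hostname and realm below are constructed to resemble the output above; the KVNO 1 entry is deliberately stale.

```python
"""Triage a `klist -ke` listing (added example; sample data is constructed)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the `klist -ke` listings in the thread.
# The principals are hypothetical; the KVNO 1 line simulates a stale key.
SAMPLE_KLIST = """\
Keytab name: FILE:/var/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
   2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with CRC-32)
   1 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with RSA-MD5)
   2 nfs/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

# One keytab entry: leading KVNO, principal, enctype description in parentheses.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

# Substrings that identify enctypes a practitioner would want to retire.
WEAK_MARKERS = ("DES", "ArcFour", "RC4")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples; header/separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def summarize(entries):
    """Group keys by principal: the set of KVNOs seen and the enctypes present."""
    summary = defaultdict(lambda: {"kvnos": set(), "enctypes": []})
    for kvno, princ, enc in entries:
        summary[princ]["kvnos"].add(kvno)
        summary[princ]["enctypes"].append(enc)
    return dict(summary)


def weak_enctypes(entries):
    """Distinct enctype names in the keytab that match a weak marker."""
    return sorted({enc for _, _, enc in entries if any(w in enc for w in WEAK_MARKERS)})


def has_principal(entries, principal):
    """Exact, case-sensitive match, which is how an MIT keytab lookup behaves."""
    return any(p == principal for _, p, _ in entries)


def mixed_kvno(summary):
    """Principals that carry keys under more than one KVNO (possible stale keys)."""
    return sorted(p for p, info in summary.items() if len(info["kvnos"]) > 1)


def triage(text, expected_services, fqdn, realm):
    """Full report: missing expected principals, mixed KVNOs, weak enctypes."""
    entries = parse_klist(text)
    summary = summarize(entries)
    missing = []
    for svc in expected_services:
        princ = f"{svc}/{fqdn}@{realm}"
        if not has_principal(entries, princ):
            missing.append(princ)
    return {
        "missing": missing,
        "mixed_kvno": mixed_kvno(summary),
        "weak": weak_enctypes(entries),
    }


if __name__ == "__main__":
    # Assumed service list; "HOST" and "cifs" are checked because the reference
    # keytab in the thread shows them alongside the lower-case entries.
    print(triage(SAMPLE_KLIST, ["host", "HOST", "cifs", "nfs"],
                 "fw02-2009Q2.fishworks.com", "FISHWORKS.COM"))
```

To use it on a real box, feed it `klist -ke` output instead of the constructed sample. A principal reported under mixed KVNOs, or absent from the keytab entirely, is worth resolving before chasing the "Preauthentication failed" error, since `kinit -k` can only succeed with a key that exactly matches what the KDC holds for that principal and KVNO.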

Malcolm Gibbs wrote:
  Hi,

I am having great fun with the SS7000 Simulator and CIFS but need some
help.

I have the recent release of the SS7000 simulator running
2009.04.10.0.0,1-1.2 setup with a Windows Server 2008 running Active Directory (with the prereq SS7000
Hotfix installed).

I successfully join the AD domain but when I go to create SS7000 CIFS
file-systems and enter AD users and groups in the Root Directory Access ACL
fields I get the error "User: Unknown or invalid user", when the user or
group does indeed exist (for example "[email protected]")

Now I am presuming the CIFS idmap service is key to these lookups (NOTE
that I have not set up any mapping rules; I am simply using the default
Ephemeral ID mapping)

Dropping into the SS7000 "shell" I can see the following errors
happening when I start the idmap service

Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 702911 auth.notice] GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Preauthentication failed)
Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 706612 daemon.info] LDAP SASL bind to win2008-01.fishworks.com:389 failed (Local error)
Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 692716 daemon.debug] unable to discover Forest Name
Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 966149 daemon.debug] unable to discover Site Name
Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 520885 daemon.debug] unable to discover Global Catalog
Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 638774 daemon.debug] unable to discover Domains in the Forest
Jun  7 16:09:00 fw02-2009Q2 idmap[970]: [ID 767837 daemon.debug] unable to discover Trusted Domains

Note the contents of the SS7000 krb5 setup but the ticket cache is
empty, like it has not done the pre-authentication
fw02-2009Q2# cat /etc/krb5/krb5.conf
#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

[libdefaults]
        default_realm = FISHWORKS.COM

[realms]
        FISHWORKS.COM = {
                kdc = win2008-01
                kpasswd_server = win2008-01
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .fishworks.com = FISHWORKS.COM
        fishworks.com = FISHWORKS.COM

fw02-2009Q2# klist -5
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)

This shows the idmap cache is empty
fw02-2009Q2# idmap dump -nv

This idmap command should force idmap to query the AD domain
fishworks.com and perform a temporary mapping but errors out
fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error: No AD servers

This shows I have joined a domain
fw02-2009Q2# smbadm list
[*] [FISHWORKS]
[*] [fishworks.com]
       [+win2008-01.fishworks.com] [192.168.56.20]
[*] [FISHWORKS] [S-1-5-21-424206279-106027690-574836047]
[.] [FW02-2009Q2] [S-1-5-21-1009684547-3152003461-3128221115]

Same again different users
fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error: No AD servers
fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error: No AD servers

This is specifically using the Windows SID for [email protected]
fw02-2009Q2# idmap show -cv usid:S-1-5-21-424206279-106027690-574836047-1104
Error: No AD servers

This is the idmap cache after I map a share from a Windows machine using
[email protected], note that it creates the temporary mapping but
does recognise it as [email protected]
fw02-2009Q2# idmap dump -nv
usid:S-1-5-21-424206279-106027690-574836047-1104 ==     uid:2147581953
Method: Ephemeral
usid:S-1-5-21-424206279-106027690-574836047-513 ==      gid:2147581954
Method: Ephemeral
wingroup:Authenticated Users    ==      gid:2147581955
Method: Ephemeral
wingroup:Network ==     gid:2147581956
Method: Ephemeral

Any clues why this is broken?

Thanks
Malcolm

_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
