On Tue, Jun 16, 2009 at 03:17:52PM -0700, Natalie Li wrote:
> Wrong krb alias. Resending ...
>
> Natalie Li wrote:
> > Solaris Kerberos team,
> >
> > Why are we seeing the following message when running kinit to acquire a TGT
> > ticket for the Administrator?
> >
> > kinit(v5): no ktkt_warnd warning possible

What does:

    svcs svc:/network/security/ktkt_warn

report?  If this isn't online you'll get that warning.

> > Any idea as to why kinit would fail for the host service after a successful
> > domain join?
> >
> > fw02-2009Q2# kinit -kV host/fw02-2009Q2.fishworks.com
> > kinit(v5): Preauthentication failed while getting initial credentials

Is the Solaris system in sync time-wise with the AD?  What does the AD log
show when that error occurs?  Are you sure host/fw02-2009Q2.fishworks.com
exactly matches the principal name for that system in the AD's princ DB?

> > Malcolm, could you please rejoin your system to see if the problem goes
> > away?
> >
> > Thanks,
> >
> > Natalie
> >
> > Malcolm Gibbs wrote:
> >> Thanks Natalie,
> >>
> >> Here is the output from those commands:
> >>
> >> fw02-2009Q2# idmap show -cv [email protected]
> >> winname:[email protected] -> uid:60001
> >> Error: No AD servers
> >>
> >> fw02-2009Q2# kinit Administrator
> >> Password for [email protected]:
> >> kinit(v5): no ktkt_warnd warning possible
> >>
> >> fw02-2009Q2# klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: [email protected]
> >>
> >> Valid starting       Expires              Service principal
> >> 06/16/09 21:36:04    06/17/09 07:36:08    krbtgt/[email protected]
> >>         renew until 06/23/09 21:36:04
> >>
> >> fw02-2009Q2# idmap show -cv [email protected]
> >> winname:[email protected] -> uid:60001
> >> Error: No AD servers
> >>
> >> fw02-2009Q2# idmap show -cv [email protected]
> >> winname:[email protected] -> uid:60001
> >> Error: No AD servers
> >>
> >>
> >> Thanks
> >> Malcolm
> >>
> >>
> >>
> >> From: [email protected] [mailto:[email protected]]
> >> Sent: Wednesday, 17 June 2009 3:25 AM
> >> To: Malcolm Gibbs
> >> Subject: Re: [cifs-discuss] SS7000 CIFS User unknown or invalid user
> >>
> >> What's the output from:
> >>
> >> kinit Administrator
> >> klist
> >>
> >> Natalie
> >>
> >> Malcolm Gibbs wrote:
> >> Hi Natalie,
> >>
> >> Attached is the output from cifs-gendiag. Note this is the SS7000
> >> Appliance Kit running under Virtual Box. Note I get this working
> >> perfectly using OpenSolaris 2009.06 against the same Windows 2008 AD
> >> server.
> >>
> >> Here is the other output
> >> fw02-2009Q2# klist /var/run/idmap/ccache
> >> klist: No credentials cache file found (ticket cache FILE:/var/run/idmap/ccache)
> >>
> >>
> >> fw02-2009Q2# klist -ke
> >> Keytab name: FILE:/var/krb5/krb5.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >>    2 host/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 host/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 host/[email protected] (ArcFour with HMAC/md5)
> >>    2 host/[email protected] (DES cbc mode with CRC-32)
> >>    2 host/[email protected] (DES cbc mode with RSA-MD5)
> >>    2 nfs/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 nfs/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 nfs/[email protected] (ArcFour with HMAC/md5)
> >>    2 nfs/[email protected] (DES cbc mode with CRC-32)
> >>    2 nfs/[email protected] (DES cbc mode with RSA-MD5)
> >>    2 HTTP/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 HTTP/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 HTTP/[email protected] (ArcFour with HMAC/md5)
> >>    2 HTTP/[email protected] (DES cbc mode with CRC-32)
> >>    2 HTTP/[email protected] (DES cbc mode with RSA-MD5)
> >>    2 root/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 root/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 root/[email protected] (ArcFour with HMAC/md5)
> >>    2 root/[email protected] (DES cbc mode with CRC-32)
> >>    2 root/[email protected] (DES cbc mode with RSA-MD5)
> >>
> >>
> >> fw02-2009Q2# kinit -kV host/fw02-2009Q2.fishworks.com
> >> kinit(v5): Preauthentication failed while getting initial credentials
> >>
> >> Thanks for any help
> >> Malcolm
> >>
> >>
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]]
> >> Sent: Tuesday, 16 June 2009 7:12 AM
> >> To: Malcolm Gibbs
> >> Cc: [email protected]
> >> Subject: Re: [cifs-discuss] SS7000 CIFS User unknown or invalid user
> >>
> >> It would be useful if you could provide the output from:
> >>
> >> http://opensolaris.org/os/project/cifs-server/files/cifs-gendiag
> >>
> >> fw02-2009Q2# klist -5
> >> klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
> >> What's "-5"?
> >> If you want to see the idmap ccache, you should run `klist /var/run/idmap/ccache`.
> >>
> >> Let's verify your Kerberos setup on your Solaris system. Please run the
> >> following commands:
> >>
> >> (1) klist
> >> bash-3.2# klist -ke
> >> Keytab name: FILE:/etc/krb5/krb5.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >>    6 HOST/[email protected] (ArcFour with HMAC/md5)
> >>    6 HOST/[email protected] (DES cbc mode with CRC-32)
> >>    6 HOST/[email protected] (DES cbc mode with RSA-MD5)
> >>    6 host/[email protected] (ArcFour with HMAC/md5)
> >>    6 host/[email protected] (DES cbc mode with CRC-32)
> >>    6 host/[email protected] (DES cbc mode with RSA-MD5)
> >>    6 nfs/[email protected] (ArcFour with HMAC/md5)
> >>    6 nfs/[email protected] (DES cbc mode with CRC-32)
> >>    6 nfs/[email protected] (DES cbc mode with RSA-MD5)
> >>    6 HTTP/[email protected] (ArcFour with HMAC/md5)
> >>    6 HTTP/[email protected] (DES cbc mode with CRC-32)
> >>    6 HTTP/[email protected] (DES cbc mode with RSA-MD5)
> >>    6 root/[email protected] (ArcFour with HMAC/md5)
> >>    6 root/[email protected] (DES cbc mode with CRC-32)
> >>    6 root/[email protected] (DES cbc mode with RSA-MD5)
> >>    6 cifs/[email protected] (ArcFour with HMAC/md5)
> >>    6 cifs/[email protected] (DES cbc mode with CRC-32)
> >>    6 cifs/[email protected] (DES cbc mode with RSA-MD5)
> >>
> >> (2) kinit -k HOST/<hostname.fqdn> something like:
> >>
> >> bash-3.2# kinit -k HOST/pb-49.w2k3r2.com
> >> bash-3.2# klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: HOST/[email protected]
> >>
> >> Valid starting       Expires              Service principal
> >> 06/08/09 17:22:35    06/09/09 03:24:47    krbtgt/[email protected]
> >>         renew until 06/15/09 17:22:35
> >>
> >> Regards,
> >>
> >> Natalie
> >>
> >> Malcolm Gibbs wrote:
> >> Hi,
> >>
> >> I am having great fun with the SS7000 Simulator and CIFS but need some
> >> help.
> >>
> >> I have the recent release of the SS7000 simulator running
> >> 2009.04.10.0.0,1-1.2 setup with a Windows Server 2008 running Active
> >> Directory (with the prereq SS7000 Hotfix installed).
> >>
> >> I successfully join the AD domain but when I go to create SS7000 CIFS
> >> file-systems and enter AD users and groups in the Root Directory Access
> >> ACL fields I get the error "User: Unknown or invalid user", when the user
> >> or group does indeed exist (for example "[email protected]")
> >>
> >> Now I am presuming the CIFS idmap service is key to these lookups (NOTE
> >> that I have not setup any mapping rules I am simply using the default
> >> Ephemeral ID mapping)
> >>
> >> Dropping into the SS7000 "shell" I can see the following errors
> >> happening when I start the idmap service
> >>
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 702911 auth.notice] GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Preauthentication failed)
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 706612 daemon.info] LDAP SASL bind to win2008-01.fishworks.com:389 failed (Local error)
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 692716 daemon.debug] unable to discover Forest Name
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 966149 daemon.debug] unable to discover Site Name
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 520885 daemon.debug] unable to discover Global Catalog
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 638774 daemon.debug] unable to discover Domains in the Forest
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 767837 daemon.debug] unable to discover Trusted Domains
> >>
> >> Note the contents of the SS7000 krb5 setup but the ticket cache is
> >> empty, like it has not done the pre-authentication
> >> fw02-2009Q2# cat /etc/krb5/krb5.conf
> >> #
> >> # Copyright 2009 Sun Microsystems, Inc. All rights reserved.
> >> # Use is subject to license terms.
> >> #
> >>
> >> [libdefaults]
> >>         default_realm = FISHWORKS.COM
> >>
> >> [realms]
> >>         FISHWORKS.COM = {
> >>                 kdc = win2008-01
> >>                 kpasswd_server = win2008-01
> >>                 kpasswd_protocol = SET_CHANGE
> >>         }
> >>
> >> [domain_realm]
> >>         .fishworks.com = FISHWORKS.COM
> >>         fishworks.com = FISHWORKS.COM
> >>
> >> fw02-2009Q2# klist -5
> >> klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
> >>
> >> This shows the idmap cache is empty
> >> fw02-2009Q2# idmap dump -nv
> >>
> >> This idmap command should force idmap to query the AD domain
> >> fishworks.com and perform a temporary mapping but errors out
> >> fw02-2009Q2# idmap show -cv [email protected]
> >> winname:[email protected] -> uid:60001
> >> Error: No AD servers
> >>
> >> This shows I have joined a domain
> >> fw02-2009Q2# smbadm list
> >> [*] [FISHWORKS]
> >> [*] [fishworks.com]
> >>         [+win2008-01.fishworks.com] [192.168.56.20]
> >> [*] [FISHWORKS] [S-1-5-21-424206279-106027690-574836047]
> >> [.] [FW02-2009Q2] [S-1-5-21-1009684547-3152003461-3128221115]
> >>
> >> Same again different users
> >> fw02-2009Q2# idmap show -cv [email protected]
> >> winname:[email protected] -> uid:60001
> >> Error: No AD servers
> >> fw02-2009Q2# idmap show -cv [email protected]
> >> winname:[email protected] -> uid:60001
> >> Error: No AD servers
> >>
> >> This is specifically using the Windows SID for [email protected]
> >> fw02-2009Q2# idmap show -cv usid:S-1-5-21-424206279-106027690-574836047-1104
> >> Error: No AD servers
> >>
> >> This is the idmap cache after I map a share from a Windows machine using
> >> [email protected], note that it creates the temporary mapping but
> >> does recognise it as [email protected]
> >> fw02-2009Q2# idmap dump -nv
> >> usid:S-1-5-21-424206279-106027690-574836047-1104 == uid:2147581953
> >>         Method: Ephemeral
> >> usid:S-1-5-21-424206279-106027690-574836047-513 == gid:2147581954
> >>         Method: Ephemeral
> >> wingroup:Authenticated Users == gid:2147581955
> >>         Method: Ephemeral
> >> wingroup:Network == gid:2147581956
> >>         Method: Ephemeral
> >>
> >> Any clues why this is broken?
> >>
> >> Thanks
> >> Malcolm
> >>
> >> _______________________________________________
> >> cifs-discuss mailing list
> >> [email protected]
> >> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
> >>
> >
> >
> _______________________________________________
> kerberos-discuss mailing list
> [email protected]
> http://mail.opensolaris.org/mailman/listinfo/kerberos-discuss

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
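The checks Will and Natalie ask for above (does the keytab hold the exact principal `kinit -k` will use, including its case, and is the clock close enough to the KDC's) can be scripted against `klist -ke` output. The block below is an added example written for this page, not code from the thread or from Solaris; its keytab listing is a constructed sample modelled on the ones posted, using the realm and host name from the thread's krb5.conf, and the 300-second limit is Kerberos's default `clockskew`.

```shell
# Added example, not code from the thread. Checks a `klist -ke` listing for the
# host principal kinit -k will use, flags HOST/ vs host/ case mismatches, counts
# DES entries, and compares clocks against Kerberos's default 300 s clockskew.
# SAMPLE_KEYTAB_LISTING is a constructed sample modelled on the thread's keytabs.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------------
   2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
   2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with CRC-32)
   2 nfs/fw02-2009Q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
   2 nfs/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with RSA-MD5)'
# Distinct principals in the listing: only lines whose first field is a KVNO.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# 0 if PRINC is present exactly; 1 if present only under a different case
# (e.g. HOST/ vs host/, which kinit -k does not treat as equal); 2 if absent.
keytab_has_principal() {
    if keytab_principals "$1" | grep -qxF -- "$2"; then
        return 0
    fi
    if keytab_principals "$1" | grep -qixF -- "$2"; then
        echo "keytab has $2 only under a different case" >&2
        return 1
    fi
    echo "keytab has no entry for $2" >&2
    return 2
}

# Number of DES entries: AD-joined keytabs of this era carry them, and a
# defender would want them gone once the DC no longer offers DES.
keytab_des_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && /DES cbc/ { n++ } END { print n + 0 }'
}

# 0 if two epoch timestamps (local clock, KDC clock) are within Kerberos's
# default clockskew of 300 seconds; outside that window the KDC rejects requests.
clock_skew_ok() {
    delta=$(( $1 - $2 ))
    [ "$delta" -lt 0 ] && delta=$(( 0 - delta ))
    [ "$delta" -le 300 ]
}

# Stand-alone run against the constructed listing.
keytab_has_principal "$SAMPLE_KEYTAB_LISTING" host/fw02-2009Q2.fishworks.com@FISHWORKS.COM \
    && echo "host principal present; kinit -k should find its key"
echo "DES entries in keytab: $(keytab_des_entries "$SAMPLE_KEYTAB_LISTING")"
```

On a real system, feed `"$(klist -ke)"` to these functions in place of the sample, and the KDC's time (e.g. from `ntpdate -q` or `ldapsearch` against the DC) to `clock_skew_ok`.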
