Hi,

Thanks for your help on this one.

With that ticket loaded in the cache, I rejoined the domain (which I could always do successfully) but idmap show still fails with "No AD Servers".

That service is disabled in the SS7000 appliance kit. Starting it clears that error on the kinit but has no effect on the idmap failures.

fw02-2009Q2# svcs svc:/network/security/ktkt_warn
STATE          STIME    FMRI
disabled       9:25:32  svc:/network/security/ktkt_warn:default
fw02-2009Q2# svcadm enable /network/security/ktkt_warn
fw02-2009Q2# svcs svc:/network/security/ktkt_warn
STATE          STIME    FMRI
online         6:12:39  svc:/network/security/ktkt_warn:default

fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error: No AD servers

That error has now gone on the kinit:

fw02-2009Q2# kinit Administrator
Password for [email protected]:
fw02-2009Q2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
06/17/09 06:13:12  06/17/09 16:13:16  krbtgt/[email protected]
        renew until 06/24/09 06:13:12

fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error: No AD servers

fw02-2009Q2# smbadm join -u administrator fishworks.com
After joining fishworks.com the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Joining fishworks.com ... this may take a minute ...
Successfully joined fishworks.com

fw02-2009Q2# idmap show -cv [email protected]
winname:[email protected] -> uid:60001
Error: No AD servers

fw02-2009Q2# smbadm list
[*] [FISHWORKS]
[*] [fishworks.com]
        [+win2008-01.fishworks.com] [192.168.56.20]
[*] [FISHWORKS] [S-1-5-21-424206279-106027690-574836047]
[.] [FW02-2009Q2] [S-1-5-21-2328018714-2221239836-2816574501]

I still get heaps of these in the debug log:

Jun 17 06:15:47 fw02-2009Q2 idmap[987]: [ID 702911 auth.notice] GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Preauthentication failed)
Jun 17 06:15:47 fw02-2009Q2 idmap[987]: [ID 706612 daemon.info] LDAP SASL bind to win2008-01.fishworks.com:389 failed (Local error)

Thanks
Malcolm

-----Original Message-----
From: Will Fiveash [mailto:[email protected]]
Sent: Wednesday, 17 June 2009 11:44 AM
To: Natalie Li
Cc: Malcolm Gibbs; [email protected]; [email protected]
Subject: Re: [kerberos-discuss] [cifs-discuss] SS7000 CIFS User unknown or invalid user

On Tue, Jun 16, 2009 at 03:17:52PM -0700, Natalie Li wrote:
> Wrong krb alias. Resending ...
>
> Natalie Li wrote:
> > Solaris Kerberos team,
> >
> > Why are we seeing the following message when running kinit to acquire a TGT
> > ticket for the Administrator?
> >
> > kinit(v5): no ktkt_warnd warning possible

What does:

svcs svc:/network/security/ktkt_warn

report?  If this isn't online you'll get that warning.

> > Any idea as to why kinit would fail for the host service after a successful
> > domain join?
> >
> > fw02-2009Q2# kinit -kV host/fw02-2009Q2.fishworks.com
> > kinit(v5): Preauthentication failed while getting initial credentials

Is the Solaris system in sync time-wise with the AD?  What does the AD log show when that error occurs?  Are you sure host/fw02-2009Q2.fishworks.com exactly matches the principal name for that system in the AD's princ DB?

> > Malcolm, could you please rejoin your system to see if the problem goes
> > away?
> >
> > Thanks,
> >
> > Natalie
> >
> > Malcolm Gibbs wrote:
> >> Thanks Natalie,
> >>
> >> Here is the output from those commands:
> >>
> >> fw02-2009Q2# idmap show -cv [email protected]
> >> winname:[email protected] -> uid:60001
> >> Error: No AD servers
> >>
> >> fw02-2009Q2# kinit Administrator
> >> Password for [email protected]:
> >> kinit(v5): no ktkt_warnd warning possible
> >>
> >> fw02-2009Q2# klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: [email protected]
> >>
> >> Valid starting     Expires            Service principal
> >> 06/16/09 21:36:04  06/17/09 07:36:08  krbtgt/[email protected]
> >>         renew until 06/23/09 21:36:04
> >>
> >> fw02-2009Q2# idmap show -cv [email protected]
> >> winname:[email protected] -> uid:60001
> >> Error: No AD servers
> >>
> >> fw02-2009Q2# idmap show -cv [email protected]
> >> winname:[email protected] -> uid:60001
> >> Error: No AD servers
> >>
> >>
> >> Thanks
> >> Malcolm
> >>
> >>
> >>
> >> From: [email protected] [mailto:[email protected]]
> >> Sent: Wednesday, 17 June 2009 3:25 AM
> >> To: Malcolm Gibbs
> >> Subject: Re: [cifs-discuss] SS7000 CIFS User unknown or invalid user
> >>
> >> What's the output from:
> >>
> >> kinit Administrator
> >> klist
> >>
> >> Natalie
> >>
> >> Malcolm Gibbs wrote:
> >> Hi Natalie,
> >>
> >> Attached is the output from cifs-gendiag. Note this is the SS7000
> >> Appliance Kit running under Virtual Box. Note I get this working
> >> perfectly using OpenSolaris 2009.06 against the same Windows 2008 AD
> >> server.
> >>
> >> Here is the other output
> >> fw02-2009Q2# klist /var/run/idmap/ccache
> >> klist: No credentials cache file found (ticket cache FILE:/var/run/idmap/ccache)
> >>
> >>
> >> fw02-2009Q2# klist -ke
> >> Keytab name: FILE:/var/krb5/krb5.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >>    2 host/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 host/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 host/[email protected] (ArcFour with HMAC/md5)
> >>    2 host/[email protected] (DES cbc mode with CRC-32)
> >>    2 host/[email protected] (DES cbc mode with RSA-MD5)
> >>    2 nfs/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 nfs/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 nfs/[email protected] (ArcFour with HMAC/md5)
> >>    2 nfs/[email protected] (DES cbc mode with CRC-32)
> >>    2 nfs/[email protected] (DES cbc mode with RSA-MD5)
> >>    2 HTTP/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 HTTP/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 HTTP/[email protected] (ArcFour with HMAC/md5)
> >>    2 HTTP/[email protected] (DES cbc mode with CRC-32)
> >>    2 HTTP/[email protected] (DES cbc mode with RSA-MD5)
> >>    2 root/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 root/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> >>    2 root/[email protected] (ArcFour with HMAC/md5)
> >>    2 root/[email protected] (DES cbc mode with CRC-32)
> >>    2 root/[email protected] (DES cbc mode with RSA-MD5)
> >>
> >>
> >> fw02-2009Q2# kinit -kV host/fw02-2009Q2.fishworks.com
> >> kinit(v5): Preauthentication failed while getting initial credentials
> >>
> >> Thanks for any help
> >> Malcolm
> >>
> >>
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]]
> >> Sent: Tuesday, 16 June 2009 7:12 AM
> >> To: Malcolm Gibbs
> >> Cc: [email protected]
> >> Subject: Re: [cifs-discuss] SS7000 CIFS User unknown or invalid user
> >>
> >> It would be useful if you could provide the output from:
> >>
> >> http://opensolaris.org/os/project/cifs-server/files/cifs-gendiag
> >>
> >> fw02-2009Q2# klist -5
> >> klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
> >>
> >> What's "-5"?
> >> If you want to see the idmap ccache, you should run `klist /var/run/idmap/ccache`.
> >>
> >> Let's verify your Kerberos setup on your Solaris system. Please run the
> >> following commands:
> >>
> >> (1) klist
> >> bash-3.2# klist -ke
> >> Keytab name: FILE:/etc/krb5/krb5.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >>    6 HOST/[email protected] (ArcFour with HMAC/md5)
> >>    6 HOST/[email protected] (DES cbc mode with CRC-32)
> >>    6 HOST/[email protected] (DES cbc mode with RSA-MD5)
> >>    6 host/[email protected] (ArcFour with HMAC/md5)
> >>    6 host/[email protected] (DES cbc mode with CRC-32)
> >>    6 host/[email protected] (DES cbc mode with RSA-MD5)
> >>    6 nfs/[email protected] (ArcFour with HMAC/md5)
> >>    6 nfs/[email protected] (DES cbc mode with CRC-32)
> >>    6 nfs/[email protected] (DES cbc mode with RSA-MD5)
> >>    6 HTTP/[email protected] (ArcFour with HMAC/md5)
> >>    6 HTTP/[email protected] (DES cbc mode with CRC-32)
> >>    6 HTTP/[email protected] (DES cbc mode with RSA-MD5)
> >>    6 root/[email protected] (ArcFour with HMAC/md5)
> >>    6 root/[email protected] (DES cbc mode with CRC-32)
> >>    6 root/[email protected] (DES cbc mode with RSA-MD5)
> >>    6 cifs/[email protected] (ArcFour with HMAC/md5)
> >>    6 cifs/[email protected] (DES cbc mode with CRC-32)
> >>    6 cifs/[email protected] (DES cbc mode with RSA-MD5)
> >>
> >> (2) kinit -k HOST/<hostname.fqdn>, something like:
> >>
> >> bash-3.2# kinit -k HOST/pb-49.w2k3r2.com
> >> bash-3.2# klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: HOST/[email protected]
> >>
> >> Valid starting     Expires            Service principal
> >> 06/08/09 17:22:35  06/09/09 03:24:47  krbtgt/[email protected]
> >>         renew until 06/15/09 17:22:35
> >>
> >> Regards,
> >>
> >> Natalie
> >>
> >> Malcolm Gibbs wrote:
> >> Hi,
> >>
> >> I am having great fun with the SS7000 Simulator and CIFS but need some
> >> help.
> >>
> >> I have the recent release of the SS7000 simulator running
> >> 2009.04.10.0.0,1-1.2 setup with a Windows Server 2008 running Active
> >> Directory (with the prereq SS7000 Hotfix installed).
> >>
> >> I successfully join the AD domain but when I go to create SS7000 CIFS
> >> file-systems and enter AD users and groups in the Root Directory Access
> >> ACL fields I get the error "User: Unknown or invalid user", when the
> >> user or group does indeed exist (for example "[email protected]").
> >>
> >> Now I am presuming the CIFS idmap service is key to these lookups (NOTE
> >> that I have not set up any mapping rules; I am simply using the default
> >> Ephemeral ID mapping).
> >>
> >> Dropping into the SS7000 "shell" I can see the following errors
> >> happening when I start the idmap service:
> >>
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 702911 auth.notice] GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Preauthentication failed)
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 706612 daemon.info] LDAP SASL bind to win2008-01.fishworks.com:389 failed (Local error)
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 692716 daemon.debug] unable to discover Forest Name
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 966149 daemon.debug] unable to discover Site Name
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 520885 daemon.debug] unable to discover Global Catalog
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 638774 daemon.debug] unable to discover Domains in the Forest
> >> Jun 7 16:09:00 fw02-2009Q2 idmap[970]: [ID 767837 daemon.debug] unable to discover Trusted Domains
> >>
> >> Note the contents of the SS7000 krb5 setup, but the ticket cache is
> >> empty, like it has not done the pre-authentication:
> >> fw02-2009Q2# cat /etc/krb5/krb5.conf
> >> #
> >> # Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
> >> # Use is subject to license terms.
> >> #
> >>
> >> [libdefaults]
> >>         default_realm = FISHWORKS.COM
> >>
> >> [realms]
> >>         FISHWORKS.COM = {
> >>                 kdc = win2008-01
> >>                 kpasswd_server = win2008-01
> >>                 kpasswd_protocol = SET_CHANGE
> >>         }
> >>
> >> [domain_realm]
> >>         .fishworks.com = FISHWORKS.COM
> >>         fishworks.com = FISHWORKS.COM
> >>
> >> fw02-2009Q2# klist -5
> >> klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
> >>
> >> This shows the idmap cache is empty:
> >> fw02-2009Q2# idmap dump -nv
> >>
> >> This idmap command should force idmap to query the AD domain
> >> fishworks.com and perform a temporary mapping, but errors out:
> >> fw02-2009Q2# idmap show -cv [email protected]
> >> winname:[email protected] -> uid:60001
> >> Error: No AD servers
> >>
> >> This shows I have joined a domain:
> >> fw02-2009Q2# smbadm list
> >> [*] [FISHWORKS]
> >> [*] [fishworks.com]
> >>         [+win2008-01.fishworks.com] [192.168.56.20]
> >> [*] [FISHWORKS] [S-1-5-21-424206279-106027690-574836047]
> >> [.] [FW02-2009Q2] [S-1-5-21-1009684547-3152003461-3128221115]
> >>
> >> Same again, different users:
> >> fw02-2009Q2# idmap show -cv [email protected]
> >> winname:[email protected] -> uid:60001
> >> Error: No AD servers
> >> fw02-2009Q2# idmap show -cv [email protected]
> >> winname:[email protected] -> uid:60001
> >> Error: No AD servers
> >>
> >> This is specifically using the Windows SID for [email protected]:
> >> fw02-2009Q2# idmap show -cv usid:S-1-5-21-424206279-106027690-574836047-1104
> >> Error: No AD servers
> >>
> >> This is the idmap cache after I map a share from a Windows machine using
> >> [email protected]; note that it creates the temporary mapping but
> >> does recognise it as [email protected]:
> >> fw02-2009Q2# idmap dump -nv
> >> usid:S-1-5-21-424206279-106027690-574836047-1104 == uid:2147581953
> >>         Method: Ephemeral
> >> usid:S-1-5-21-424206279-106027690-574836047-513 == gid:2147581954
> >>         Method: Ephemeral
> >> wingroup:Authenticated Users == gid:2147581955
> >>         Method: Ephemeral
> >> wingroup:Network == gid:2147581956
> >>         Method: Ephemeral
> >>
> >> Any clues why this is broken?
> >>
> >> Thanks
> >> Malcolm
> >>
> >> _______________________________________________
> >> cifs-discuss mailing list
> >> [email protected]
> >> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
> >>
> >
> >
> > _______________________________________________
> kerberos-discuss mailing list
> [email protected]
> http://mail.opensolaris.org/mailman/listinfo/kerberos-discuss

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
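The thread's diagnostic loop (list the keytab with `klist -ke`, try `kinit -k` with the host principal, read the idmapd debug messages) can be rehearsed offline. The script below is an added example, not code from the thread, from the SS7000 kit, or from the Solaris idmap/Kerberos projects. It parses `klist -ke` output and a krb5.conf as text and answers the question Will Fiveash asked: does the principal handed to `kinit -k` match a keytab entry exactly? Kerberos principal names are case-sensitive, so `HOST/...` and `host/...` (both present in Natalie's keytab, only the lower-case form in Malcolm's) are different keys. It also reports stale KVNOs and weak-only (DES/RC4) principals, and maps the idmapd messages to the checks the respondents asked for. The sample inputs are constructed from the thread: the realm `FISHWORKS.COM` is taken from the krb5.conf shown above (the page prints principal realms obfuscated), and the second KVNO on the `nfs/` principal is invented to show the stale-key case.

```python
"""Offline triage of the klist -ke / kinit -k / idmapd symptoms in this thread.

Added example (not the thread's, the appliance's or the Solaris projects' code).
"""
import re
from collections import defaultdict

# One `klist -ke` data line: "   2 host/fw02@REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
WEAK_ENCTYPES = ("DES cbc", "ArcFour")


def default_realm(krb5_conf):
    """Return default_realm from the [libdefaults] section of a krb5.conf."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_conf, re.M)
    return m.group(1) if m else None


def parse_keytab_listing(text):
    """Return [(kvno, principal, enctype), ...] from `klist -ke` output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(KEYTAB_LINE.match, text.splitlines()) if m]


def check_principal(entries, wanted, realm):
    """Classify `wanted` (as typed to kinit -k) against the keytab.

    'exact'         -> a key with exactly this name exists
    'case-mismatch' -> only a differently-cased name exists (e.g. HOST/ vs host/)
    'missing'       -> no such principal at all
    A name without '@' gets the default realm appended, as kinit itself does.
    """
    if "@" not in wanted:
        wanted = f"{wanted}@{realm}"
    names = {p for _, p, _ in entries}
    if wanted in names:
        return "exact"
    if wanted.lower() in {n.lower() for n in names}:
        return "case-mismatch"
    return "missing"


def keytab_findings(entries):
    """Per principal: the set of KVNOs present and whether only weak enctypes exist.

    More than one KVNO means keys from an earlier join are still in the file;
    a principal with only DES/RC4 keys cannot negotiate AES with the DC.
    """
    kvnos, weak_only = defaultdict(set), {}
    for kvno, principal, enctype in entries:
        kvnos[principal].add(kvno)
        weak = enctype.startswith(WEAK_ENCTYPES)
        weak_only[principal] = weak_only.get(principal, True) and weak
    return {p: {"kvnos": sorted(k), "weak_only": weak_only[p]} for p, k in kvnos.items()}


# idmapd messages seen in the thread and the checks the respondents asked for.
LOG_HINTS = [
    ("Preauthentication failed",
     "KDC rejected the keytab key: check time sync with AD, the exact principal "
     "name (case included), and that the keytab KVNO matches the AD computer object"),
    ("LDAP SASL bind", "GSSAPI bind to the DC failed, so no AD lookups are possible"),
    ("unable to discover", "AD discovery skipped; idmap will answer 'No AD servers'"),
]


def triage_idmap_log(lines):
    """Map each known message pattern to the log lines that matched it."""
    hits = defaultdict(list)
    for line in lines:
        for needle, _hint in LOG_HINTS:
            if needle in line:
                hits[needle].append(line)
    return dict(hits)


# Constructed sample inputs (see lead-in); realm restored to FISHWORKS.COM.
SAMPLE_KRB5_CONF = "[libdefaults]\n        default_realm = FISHWORKS.COM\n"
SAMPLE_KEYTAB = """\
Keytab name: FILE:/var/krb5/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (ArcFour with HMAC/md5)
   2 host/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with CRC-32)
   1 nfs/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with CRC-32)
   2 nfs/fw02-2009Q2.fishworks.com@FISHWORKS.COM (DES cbc mode with RSA-MD5)
"""
SAMPLE_LOG = [
    "Jun 17 06:15:47 fw02-2009Q2 idmap[987]: [ID 702911 auth.notice] GSSAPI Error: "
    "Unspecified GSS failure.  Minor code may provide more information (Preauthentication failed)",
    "Jun 17 06:15:47 fw02-2009Q2 idmap[987]: [ID 706612 daemon.info] LDAP SASL bind to "
    "win2008-01.fishworks.com:389 failed (Local error)",
]

if __name__ == "__main__":
    realm = default_realm(SAMPLE_KRB5_CONF)
    entries = parse_keytab_listing(SAMPLE_KEYTAB)
    for wanted in ("host/fw02-2009Q2.fishworks.com", "HOST/fw02-2009Q2.fishworks.com",
                   "cifs/fw02-2009Q2.fishworks.com"):
        print(f"kinit -k {wanted}: {check_principal(entries, wanted, realm)}")
    for principal, info in keytab_findings(entries).items():
        print(principal, info)
    for needle, lines in triage_idmap_log(SAMPLE_LOG).items():
        print(f"{needle}: {len(lines)} line(s) -> {dict(LOG_HINTS)[needle]}")
```

On a real system, feed it `klist -ke` and `/etc/krb5/krb5.conf` instead of the samples. A `case-mismatch` or `missing` result explains a "Preauthentication failed" from `kinit -k` without touching the DC; an `exact` result with a single KVNO means the remaining suspects are clock skew and a key that no longer matches the AD computer object, which only the DC's security log can confirm.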
