Hi there,

I'm just learning, trying to configure Spectrum Scale: SMB File Authentication 
using LDAP (IPA) with Kerberos, and have been struggling with it for a couple of 
days, without success.

Users on the Spectrum cluster and the client machine are authenticated properly, so 
LDAP should be fine.
NFS mount with Kerberos works with no issues as well.

But I have run out of ideas on how to configure SMB using LDAP with Kerberos.

I could have messed up the NetBIOS names, as I am not sure which one to use: the one 
from the cluster node or the one from the protocol node.
But the error message seems to point to the keytab file, which is present on both 
the server and the client nodes.

I ran into a similar post, dated a few days ago, so I'm not the only one.
https://www.mail-archive.com/gpfsug-discuss@spectrumscale.org/msg03919.html


Below is my configuration and error message, and I'd appreciate any hints or 
help.

Thank you,
d.



Error message from /var/adm/ras/log.smbd

[2018/05/18 13:51:58.853681,  3] 
../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2018/05/18 13:51:58.859984,  0] 
../source3/librpc/crypto/gse.c:586(gse_init_server)
  smb_gss_krb5_import_cred failed with [Unspecified GSS failure.  Minor code 
may provide more information: Keytab MEMORY:cifs_srv_keytab is nonexistent or 
empty]
[2018/05/18 13:51:58.860151,  1] 
../auth/gensec/gensec_start.c:698(gensec_start_mech)
  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR



Cluster nodes
spectrum1.example.com   RedHat 7.4
spectrum2.example.com   RedHat 7.4
spectrum3.example.com   RedHat 7.4

Protocols nodes:
labs1.example.com
labs2.example.com
labs3.example.com


ssipa.example.com       Centos 7.5
 


spectrum scale server:

[root@spectrum1 security]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/labs1.example....@example.com
   1 host/labs1.example....@example.com
   1 host/labs2.example....@example.com
   1 host/labs2.example....@example.com
   1 host/labs3.example....@example.com
   1 host/labs3.example....@example.com
   1 nfs/labs1.example....@example.com
   1 nfs/labs1.example....@example.com
   1 nfs/labs2.example....@example.com
   1 nfs/labs2.example....@example.com
   1 nfs/labs3.example....@example.com
   1 nfs/labs3.example....@example.com
   1 cifs/labs1.example....@example.com
   1 cifs/labs1.example....@example.com
   1 cifs/labs2.example....@example.com
   1 cifs/labs2.example....@example.com
   1 cifs/labs3.example....@example.com
   1 cifs/labs3.example....@example.com




[root@spectrum1 security]# net conf list
[global]
        disable netbios = yes
        disable spoolss = yes
        printcap cache time = 0
        fileid:algorithm = fsname
        fileid:fstype allow = gpfs
        syncops:onmeta = no
        preferred master = no
        client NTLMv2 auth = yes
        kernel oplocks = no
        level2 oplocks = yes
        debug hires timestamp = yes
        max log size = 100000
        host msdfs = yes
        notify:inotify = yes
        wide links = no
        log writeable files on exit = yes
        ctdb locktime warn threshold = 5000
        auth methods = guest sam winbind
        smbd:backgroundqueue = False
        read only = no
        use sendfile = no
        strict locking = auto
        posix locking = no
        large readwrite = yes
        aio read size = 1
        aio write size = 1
        force unknown acl user = yes
        store dos attributes = yes
        map readonly = yes
        map archive = yes
        map system = yes
        map hidden = yes
        ea support = yes
        groupdb:backend = tdb
        winbind:online check timeout = 30
        winbind max domain connections = 5
        winbind max clients = 10000
        dmapi support = no
        unix extensions = no
        socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPCNT=4 
TCP_KEEPIDLE=240 TCP_KEEPINTVL=15
        strict allocate = yes
        tdbsam:map builtin = no
        aio_pthread:aio open = yes
        dfree cache time = 100
        change notify = yes
        max open files = 20000
        time_audit:timeout = 5000
        gencache:stabilize_count = 10000
        server min protocol = SMB2_02
        server max protocol = SMB3_02
        vfs objects = shadow_copy2 syncops gpfs fileid time_audit
        smbd profiling level = on
        log level = 1
        logging = syslog@0 file
        smbd exit on ip drop = yes
        durable handles = no
        ctdb:smbxsrv_open_global.tdb = false
        mangled names = illegal
        include system krb5 conf = no
        smbd:async search ask sharemode = yes
        gpfs:sharemodes = yes
        gpfs:leases = yes
        gpfs:dfreequota = yes
        gpfs:prealloc = yes
        gpfs:hsm = yes
        gpfs:winattr = yes
        gpfs:merge_writeappend = no
        fruit:metadata = stream
        fruit:nfs_aces = no
        fruit:veto_appledouble = no
        readdir_attr:aapl_max_access = false
        shadow:snapdir = .snapshots
        shadow:fixinodes = yes
        shadow:snapdirseverywhere = yes
        shadow:sort = desc
        nfs4:mode = simple
        nfs4:chown = yes
        nfs4:acedup = merge
        add share command = /usr/lpp/mmfs/bin/mmcesmmccrexport
        change share command = /usr/lpp/mmfs/bin/mmcesmmcchexport
        delete share command = /usr/lpp/mmfs/bin/mmcesmmcdelexport
        server string = IBM NAS
        client use spnego = yes
        kerberos method = system keytab
        ldap admin dn = cn=Directory Manager
        ldap ssl = start tls
        ldap suffix = dc=example,dc=com
        netbios name = spectrum1
        passdb backend = ldapsam:"ldap://ssipa.example.com";
        realm = example.com
        security = ADS
        dedicated keytab file = /etc/krb5.keytab
        password server = ssipa.example.com
        idmap:cache = no
        idmap config * : read only = no
        idmap config * : backend = autorid
        idmap config * : range = 10000000-299999999
        idmap config * : rangesize = 1000000
        workgroup = labs1
        ntlm auth = yes

[share1]
        path = /ibm/gpfs1/labs1
        guest ok = no
        browseable = yes
        comment = jas share
        smb encrypt = disabled


[root@spectrum1 ~]# mmsmb export list
export   path               browseable   guest ok   smb encrypt   
share1   /ibm/gpfs1/labs1   yes          no         disabled 



userauth command:
mmuserauth service create --type ldap --data-access-method file --servers 
ssipa.example.com --base-dn dc=example,dc=com --user-name 'cn=Directory 
Manager' --netbios-name labs1 --enable-server-tls --enable-kerberos 
--kerberos-server ssipa.example.com --kerberos-realm example.com


[root@spectrum1 ~]# mmuserauth service list
FILE access configuration : LDAP
PARAMETERS               VALUES                   
-------------------------------------------------
ENABLE_SERVER_TLS        true                     
ENABLE_KERBEROS          true                     
USER_NAME                cn=Directory Manager     
SERVERS                  ssipa.example.com    
NETBIOS_NAME             spectrum1                
BASE_DN                  dc=example,dc=com 
USER_DN                  none                     
GROUP_DN                 none                     
NETGROUP_DN              none                     
USER_OBJECTCLASS         posixAccount             
GROUP_OBJECTCLASS        posixGroup               
USER_NAME_ATTRIB         cn                       
USER_ID_ATTRIB           uid                      
KERBEROS_SERVER          ssipa.example.com    
KERBEROS_REALM           example.com          

OBJECT access not configured
PARAMETERS               VALUES                   
-------------------------------------------------

net ads keytab list  -> does not show any keys


LDAP user information was updated with Samba attributes according to the 
documentation:
https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adm_updateldapsmb.htm


[root@spectrum1 ~]# pdbedit -L -v
Can't find include file /var/mmfs/ces/smb.conf.0.0.0.0
Can't find include file /var/mmfs/ces/smb.conf.internal.0.0.0.0
No builtin backend found, trying to load plugin
Module 'ldapsam' loaded
db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x4d2a432b
db_open_ctdb: opened database 'secrets.tdb' with dbid 0x7132c184
smbldap_search_domain_info: Searching 
for:[(&(objectClass=sambaDomain)(sambaDomainName=SPECTRUM1))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_paged: base => [dc=example,dc=com], filter => 
[(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1000]
smbldap_search_paged: search was successful
init_sam_from_ldap: Entry found for user: jas
---------------
Unix username:        jas
NT username:          jas
Account Flags:        [U          ]
User SID:             S-1-5-21-2394233691-157776895-1049088601-1281201008
Forcing Primary Group to 'Domain Users' for jas
Primary Group SID:    S-1-5-21-2394233691-157776895-1049088601-513
Full Name:            jas jas
Home Directory:       \\spectrum1\jas
HomeDir Drive:        
Logon Script:         
Profile Path:         \\spectrum1\jas\profile
Domain:               SPECTRUM1
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Thu, 17 May 2018 14:08:01 EDT
Password can change:  Thu, 17 May 2018 14:08:01 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF



Client keytab file:
[root@test ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/test.example....@example.com
   1 host/test.example....@example.com

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss