Sorry to take so long to get back with you, but I've finally got it working between two computers if I use their FQDN. Is there any way to use the short name (i.e. instead of computer.domain.local, just use computer)?
I think DHCP was fouling me up with this, so I edited /etc/hosts and made sure the correct FQDN was in there. I edited /etc/dhcp/dhclient.conf and added the following two lines:

supersede domain-name "domain.local domain.com";
supersede domain-name-servers 10.x.x.1, 10.x.x.2;

and ran dhclient to update and check /etc/resolv.conf. I then joined the computer again to the domain (twice, as the first time always seems to give me a Kerberos error). I then ran net ads keytab create to create a keytab file for Kerberos. Now that I know it works, I'm going to set it up again from scratch to make sure I can replicate it and document it, and to see what configurations I can get away with not doing (it would be nice to not have to override the DNS for laptops; the .com DNS has entries for the .local). If I can just get it to work with the FQDN, I will be VERY happy.

Thanks,
Robert LeBlanc

On Thu, May 7, 2009 at 12:17 PM, Robert Foreman <[email protected]> wrote:

> If kinit is not working then I'm pretty sure Kerberos is not actually working. You will probably want to double check the contents of your krb5.conf file. If resolv.conf is using your domain controllers for name resolution then the krb5.conf file is about the only thing you need configured in order to test kinit.
>
> I use DNS lookup for realm and kdc and my krb5.conf file looks something like this:
>
> ===============================
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = DOMAIN.LOCAL
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>
> [domain_realm]
>  .domain.local = DOMAIN.LOCAL
>  domain.local = DOMAIN.LOCAL
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>    validate = true
>  }
> ===================================
>
> And you will probably find that you DO want the keytab file, but it's not necessary for testing the kinit command.
>
> I recommend the following value in your smb.conf:
>
> use kerberos keytab = Yes
>
> That should pull the keytab file automatically when using the net ads join command. There were previous issues with that not working for w2k8, but I believe that has been resolved.
>
> You will also probably want to use the krb5_auth = yes and krb5_ccache_type = FILE options in your pam_winbind configuration. Those can be set in the pam config files, or in RHEL systems in /etc/security/pam_winbind.conf. If you used the authconfig tool it probably set the krb5_auth option, but not the cache_type. Without the cache_type it will use Kerberos for authentication, but you won't get a Kerberos token, which is used for the next ssh connection to another host.
>
> You will also want the following in your ssh_config file:
>
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> and the following in your sshd_config file:
>
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM yes
>
> It took me a while to sort out Kerberos SSO with winbind also, but it's been great ever since. Good luck!
>
> On Wed, May 6, 2009 at 12:11 PM, Robert LeBlanc <[email protected]> wrote:
>
>> I've been trying to get Kerberos to work for the last couple of days so that we can use SSO. I can't seem to get past a roadblock and Google doesn't seem to provide any answers. I've got Samba connected to the AD and running. I can wbinfo everything and can login to the machine using PAM with the pam_winbind modules just fine. I can get user tickets just fine. When I try to get ssh between two AD joined machines to use Kerberos, I get a "Server not found in Kerberos database" error. I've noticed that /var/log/samba/log.winbindd shows:
>>
>> [2009/05/06 09:22:31, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
>>   ads_krb5_mk_req: krb5_get_credentials failed for ca...@byu (Cannot resolve network address for KDC in requested realm)
>> [2009/05/06 09:22:31, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
>>
>> I can't run `kinit host/[email protected]` or anything like it; all I get is "kinit(v5): Client not found in Kerberos database while getting initial credentials". I've tried all sorts of combinations of the kinit command. I've tried to create a winbind keytab file, but from what I've read that is only used if using LDAP and not winbind. I've tweaked the /etc/krb5.conf file. I can't get rid of the error in log.winbindd to see if that fixes the problem.
>>
>> Summary:
>>
>> /etc/resolv.conf: Specified AD domain and DCs as DNS servers
>> /etc/hosts: Specified the FQDN of the machine with the AD DNS name
>> /etc/krb5.conf: Added AD realm info
>> /etc/samba/smb.conf: All AD info entered correctly
>> net ads join: OK
>> wbinfo -u/-g: Shows all users and groups in the domain
>> pam_winbind: Allows users to login to the console or through SSH (password)
>> /etc/ssh/sshd_config: GSSAPIAuthentication yes
>> /etc/ssh/ssh_config (on remote machine configured exactly the same): GSSAPIAuthentication yes and GSSAPIDelegateCredentials no
>> Same error on Debian Lenny using Samba 3.2.5 and Debian Squeeze using Samba 3.3.3
>>
>> /etc/samba/smb.conf:
>>
>> [global]
>>   workgroup = BYU
>>   realm = BYU.LOCAL
>>   preferred master = no
>>   server string = %h server
>>   dns proxy = no
>>   debug level = 10
>>   log file = /var/log/samba/log.%m
>>   max log size = 1000
>>   syslog = 0
>>   panic action = /usr/share/samba/panic-action %d
>>   security = ADS
>>   encrypt passwords = true
>>   passdb backend = tdbsam
>>   obey pam restrictions = yes
>>   invalid users = root
>>   unix password sync = yes
>>   passwd program = /usr/bin/passwd %u
>>   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>   pam password change = yes
>>   load printers = no
>>   printing = bsd
>>   printcap name = /dev/null
>>   show add printer wizard = no
>>   disable spoolss = yes
>>   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>   allow trusted domains = No
>>   idmap backend = idmap_rid:BYU=10000-100000000
>>   idmap uid = 10000-100000000
>>   idmap gid = 10000-100000000
>>   winbind use default domain = yes
>>   winbind separator = +
>>   winbind enum groups = no
>>   winbind enum users = no
>>   winbind nested groups = yes
>>   template homedir = /home/%U
>>   template shell = /bin/bash
>>   winbind refresh tickets = yes
>>   get quota command = /root/sambaquota.sh
>>
>> [users]
>>   comment = Life Sciences user share
>>   browseable = yes
>>   path = /ls/users
>>   guest ok = no
>>   read only = no
>>   admin users = @lfsci-csr
>>   create mask = 0770
>>   directory mask = 0770
>>   force user = %S
>>   veto files = /.htaccess/ /.DAV/
>>
>> [groups]
>>   comment = Life Sciences groups share
>>   browseable = yes
>>   path = /ls/groups
>>   guest ok = no
>>   read only = no
>>   admin users = lfsci-csr
>>   create mask = 0770
>>   directory mask = 0770
>>   veto files = /.htaccess/ /.DAV/
>>   dos filemode = yes
>>   posix locking = no
>>
>> Relevant part of /var/log/samba/log.winbindd:
>>
>> [2009/05/06 09:22:31, 5] winbindd/winbindd_cm.c:cm_prepare_connection(852)
>>   connecting to CAD1.byu.local from VI4DEBIAN with kerberos principal [[email protected]] and realm [BYU.LOCAL]
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
>>   Doing spnego session setup (blob length=124)
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 2 840 48018 1 2 2
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 2 840 113554 1 2 2
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 2 840 113554 1 2 2 3
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 3 6 1 4 1 311 2 2 10
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
>>   got principal=not_defined_in_rfc4...@please_ignore
>> [2009/05/06 09:22:31, 10] libads/kerberos.c:kerberos_kinit_password_ext(217)
>>   kerberos_kinit_password: as [email protected] using [MEMORY:cliconnect] as ccache and config [(null)]
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(899)
>>   cli_session_setup_spnego: got a bad server principal, trying to guess ...
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(927)
>>   cli_session_setup_spnego: guessed server principal=ca...@byu
>> [2009/05/06 09:22:31, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(617)
>>   Doing kerberos session setup
>> [2009/05/06 09:22:31, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
>>   ads_krb5_mk_req: krb5_get_credentials failed for ca...@byu (Cannot resolve network address for KDC in requested realm)
>> [2009/05/06 09:22:31, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
>> [2009/05/06 09:22:31, 4] winbindd/winbindd_cm.c:cm_prepare_connection(864)
>>   failed kerberos session setup with Cannot resolve network address for KDC in requested realm
>> [2009/05/06 09:22:31, 5] winbindd/winbindd_cm.c:cm_prepare_connection(880)
>>   connecting to CAD1.byu.local from VI4DEBIAN with username [BYU]\[VI4DEBIAN$]
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
>>   Doing spnego session setup (blob length=124)
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 2 840 48018 1 2 2
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 2 840 113554 1 2 2
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 2 840 113554 1 2 2 3
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>   got OID=1 3 6 1 4 1 311 2 2 10
>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
>>   got principal=not_defined_in_rfc4...@please_ignore
>>
>> If you need more info, please let me know.
>>
>> Thanks,
>>
>> Robert LeBlanc
>> Life Sciences Computer Support
>> Brigham Young University
>> [email protected]
>> (801)422-1882
>>
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>
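The short-name versus FQDN question in this thread comes down to how the Kerberos library turns a target hostname into a service principal: it first canonicalizes the name (MIT krb5's dns_canonicalize_hostname, on by default, runs the name through the resolver, which is where the resolv.conf search list supplied by DHCP matters), then maps the result to a realm through the [domain_realm] section, and only then knows which KDC to ask. A bare short name that the resolver cannot complete has no domain portion to map, so there is no realm and no KDC, which is the "Cannot resolve network address for KDC in requested realm" failure seen in the winbindd log. The Python below is an added example written for this page, not code from Samba, MIT krb5 or anyone in the thread. It reproduces the documented [domain_realm] lookup order (exact host, then each parent domain with a leading dot, then the upper-cased domain portion as fallback) and the search-list expansion. SAMPLE_KRB5_CONF, SEARCH_LIST and KNOWN_HOSTS are constructed sample data modelled on the BYU.LOCAL realm and the hostnames in the posted log; treating a single-label name as "no realm" and skipping referral lookups are simplifications of the real library's behaviour.

```python
"""Host-to-realm mapping and short-name canonicalization for a Kerberos
service principal. Added example for this thread, not Samba or MIT krb5 code.
SAMPLE_KRB5_CONF, SEARCH_LIST and KNOWN_HOSTS are constructed sample data."""
import re

# Constructed krb5.conf fragment modelled on the thread's BYU.LOCAL realm.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = BYU.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true

[domain_realm]
    .byu.local = BYU.LOCAL
    byu.local = BYU.LOCAL
"""

# Constructed stand-in for DNS: names the resolver would actually find.
KNOWN_HOSTS = {"cad1.byu.local", "vi4debian.byu.local"}

# Constructed stand-in for the resolv.conf 'search' list DHCP hands out.
SEARCH_LIST = ["byu.local", "byu.com"]


def parse_domain_realm(conf_text):
    """Return {key: REALM} from the [domain_realm] section of krb5.conf text.
    Keys are lower-cased; a leading '.' is a domain (suffix) rule, no dot is
    an exact-host rule, as in the krb5.conf format."""
    mapping = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def canonicalize(hostname, search_list, known_hosts):
    """Expand a short name the way the resolver search list does: a name with
    a dot is used as given; a bare label is tried against each search domain
    and the first candidate that 'resolves' (is in known_hosts) wins. With no
    match the short name is returned unchanged, which is what krb5 then sees."""
    host = hostname.lower().rstrip(".")
    if "." in host:
        return host
    for domain in search_list:
        candidate = f"{host}.{domain.lower().rstrip('.')}"
        if candidate in known_hosts:
            return candidate
    return host


def realm_for_host(hostname, domain_realm):
    """Map a hostname to a realm in MIT krb5's documented [domain_realm] order:
    exact hostname, then each parent domain with a leading dot, then fall back
    to the upper-cased domain portion. A single-label name has no domain
    portion, so the fallback yields '' (simplification: no referral lookup)."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()


def service_principal(hostname, domain_realm, search_list=(), known_hosts=frozenset()):
    """Build host/<fqdn>@REALM, or None when no realm (hence no KDC) is found.
    None corresponds to the 'Cannot resolve network address for KDC in
    requested realm' error a short, uncompletable name produces."""
    fqdn = canonicalize(hostname, search_list, known_hosts)
    realm = realm_for_host(fqdn, domain_realm)
    if not realm:
        return None
    return f"host/{fqdn}@{realm}"


if __name__ == "__main__":
    mapping = parse_domain_realm(SAMPLE_KRB5_CONF)
    # Short name with no search list: no realm, so no ticket request is possible.
    print("cad1, no search list :", service_principal("cad1", mapping))
    # Same short name once the resolver search list can complete it.
    print("cad1, with search list:", service_principal("cad1", mapping, SEARCH_LIST, KNOWN_HOSTS))
    # The FQDN maps regardless of the search list.
    print("cad1.byu.local       :", service_principal("cad1.byu.local", mapping))
```

Running it shows the three cases side by side: the bare name fails closed, the bare name plus a working search list yields host/cad1.byu.local@BYU.LOCAL, and the FQDN yields the same principal with no help from the resolver. That is why supplying the search domain (here via dhclient's supersede domain-name) or typing the FQDN both work, while a short name on a laptop with a different DHCP-supplied search list does not.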
