Ok, setting up from scratch works perfectly with both FQDN and the short name. I did not need to specify the AD DNS servers either. Thanks for all the help.
Robert

On Mon, May 18, 2009 at 3:30 PM, Robert LeBlanc <[email protected]> wrote:

> Sorry to take so long to get back with you, but I've finally got it working
> between two computers if I use their FQDN. Is there any way to use the short
> name (i.e. instead of computer.domain.local, just use computer)?
>
> I think DHCP was fouling me up with this, so I edited /etc/hosts and made
> sure the correct FQDN was in there. I edited /etc/dhcp/dhclient.conf and
> added the following two lines:
>
> supersede domain-name "domain.local domain.com";
> supersede domain-name-servers 10.x.x.1, 10.x.x.2;
>
> and ran dhclient to update and check /etc/resolv.conf. I then joined the
> computer again to the domain (twice, as the first time always seems to give
> me a Kerberos error). I then ran
>
> net ads keytab create
>
> to create a keytab file for Kerberos. Now that I know it works, I'm going
> to set it up again from scratch to make sure I can replicate it and document
> it, and to see what configurations I can get away with not doing (it would be
> nice to not have to override the DNS for laptops; the .com DNS has entries
> for the .local).
>
> If I can just get it to work with the FQDN, I will be VERY happy.
>
> Thanks,
> Robert LeBlanc
>
> On Thu, May 7, 2009 at 12:17 PM, Robert Foreman <[email protected]> wrote:
>
>> If kinit is not working then I'm pretty sure Kerberos is not actually
>> working. You will probably want to double check the contents of your
>> krb5.conf file. If resolv.conf is using your domain controllers for name
>> resolution then the krb5.conf file is about the only thing you need
>> configured in order to test kinit.
>>
>> I use dns lookup for realm and kdc and my krb5.conf file looks something
>> like this:
>>
>> ===============================
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = DOMAIN.LOCAL
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>>
>> [domain_realm]
>> .domain.local = DOMAIN.LOCAL
>> domain.local = DOMAIN.LOCAL
>>
>> [kdc]
>> profile = /var/kerberos/krb5kdc/kdc.conf
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> validate = true
>> }
>> ===================================
>>
>> And you will probably find that you DO want the keytab file, but it's not
>> necessary for testing the kinit command.
>>
>> I recommend the following value in your smb.conf:
>>
>> use kerberos keytab = Yes
>>
>> That should pull the keytab file automatically when using the net ads join
>> command. There were previous issues with that not working for w2k8, but I
>> believe that has been resolved.
>>
>> You will also probably want to use the krb5_auth = yes and
>> krb5_ccache_type = FILE options in your pam_winbind configuration. Those can
>> be set in the pam config files, or in RHEL systems in
>> /etc/security/pam_winbind.conf. If you used the authconfig tool it probably
>> set the krb5_auth option, but not the cache_type. Without the cache_type it
>> will use Kerberos for authentication, but you won't get a Kerberos token,
>> which is used for the next ssh connection to another host.
>>
>> You will also want the following in your ssh_config file:
>>
>> GSSAPIAuthentication yes
>> GSSAPIDelegateCredentials yes
>>
>> and the following in your sshd_config file:
>>
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>> UsePAM yes
>>
>> It took me a while to sort out Kerberos SSO with winbind also, but it's
>> been great ever since. Good luck!
>>
>> On Wed, May 6, 2009 at 12:11 PM, Robert LeBlanc <[email protected]> wrote:
>>
>>> I've been trying to get Kerberos to work for the last couple of days so
>>> that we can use SSO. I can't seem to get past a roadblock and Google
>>> doesn't seem to provide any answers. I've got Samba connected to the AD
>>> and running. I can wbinfo everything and can login to the machine using
>>> PAM with the pam_winbind modules just fine. I can get user tickets just
>>> fine. When I try to get ssh between two AD joined machines to use
>>> Kerberos, I get a "Server not found in Kerberos database" error. I've
>>> noticed that /var/log/samba/log.winbindd shows:
>>>
>>> [2009/05/06 09:22:31, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
>>>   ads_krb5_mk_req: krb5_get_credentials failed for ca...@byu (Cannot
>>> resolve network address for KDC in requested realm)
>>> [2009/05/06 09:22:31, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
>>> resolve network address for KDC in requested realm
>>>
>>> I can't run `kinit host/[email protected]` or anything like it, all I get is
>>> "kinit(v5): Client not found in Kerberos database while getting initial
>>> credentials". I've tried all sorts of combinations of the kinit command,
>>> I've tried to create a winbind keytab file, but from what I've read that
>>> is only used if using LDAP and not winbind. I've tweaked the
>>> /etc/krb.conf file. I can't get rid of the error in log.winbindd to see
>>> if that fixes the problem.
>>>
>>> Summary:
>>>
>>> /etc/resolv.conf: Specified AD domain and DCs as DNS servers
>>> /etc/hosts: Specified the FQDN of the machine with the AD DNS name
>>> /etc/krb5.conf: Added AD realm info
>>> /etc/samba/smb.conf: All AD info entered correctly
>>> net ads join: OK
>>> wbinfo -u/g: Shows all users and groups in the domain
>>> pam_winbind: Allows users to login to the console or through SSH (password)
>>> /etc/ssh/sshd_conf: GSSAPIAuthentication yes
>>> /etc/ssh/ssh_conf (on remote machine configured exactly the same):
>>> GSSAPIAuthentication yes and GSSAPIDelegateCredentials no
>>>
>>> Same error on Debian Lenny using Samba 3.2.5 and Debian Squeeze using
>>> Samba 3.3.3
>>>
>>> /etc/samba/smb.conf:
>>>
>>> [global]
>>> workgroup = BYU
>>> realm = BYU.LOCAL
>>> preferred master = no
>>> server string = %h server
>>> dns proxy = no
>>> debug level = 10
>>> log file = /var/log/samba/log.%m
>>> max log size = 1000
>>> syslog = 0
>>> panic action = /usr/share/samba/panic-action %d
>>> security = ADS
>>> encrypt passwords = true
>>> passdb backend = tdbsam
>>> obey pam restrictions = yes
>>> invalid users = root
>>> unix password sync = yes
>>> passwd program = /usr/bin/passwd %u
>>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>> pam password change = yes
>>> load printers = no
>>> printing = bsd
>>> printcap name = /dev/null
>>> show add printer wizard = no
>>> disable spoolss = yes
>>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> allow trusted domains = No
>>> idmap backend = idmap_rid:BYU=10000-100000000
>>> idmap uid = 10000-100000000
>>> idmap gid = 10000-100000000
>>> winbind use default domain = yes
>>> winbind separator = +
>>> winbind enum groups = no
>>> winbind enum users = no
>>> winbind nested groups = yes
>>> template homedir = /home/%U
>>> template shell = /bin/bash
>>> winbind refresh tickets = yes
>>> get quota command = /root/sambaquota.sh
>>>
>>> [users]
>>> comment = Life Sciences user share
>>> browseable = yes
>>> path = /ls/users
>>> guest ok = no
>>> read only = no
>>> admin users = @lfsci-csr
>>> create mask = 0770
>>> directory mask = 0770
>>> force user = %S
>>> veto files = /.htaccess/ /.DAV/
>>>
>>> [groups]
>>> comment = Life Sciences groups share
>>> browseable = yes
>>> path = /ls/groups
>>> guest ok = no
>>> read only = no
>>> admin users = lfsci-csr
>>> create mask = 0770
>>> directory mask = 0770
>>> veto files = /.htaccess/ /.DAV/
>>> dos filemode = yes
>>> posix locking = no
>>>
>>> relevant part of /var/log/samba/log.winbindd:
>>>
>>> [2009/05/06 09:22:31, 5] winbindd/winbindd_cm.c:cm_prepare_connection(852)
>>>   connecting to CAD1.byu.local from VI4DEBIAN with kerberos principal
>>> [[email protected]] and realm [BYU.LOCAL]
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
>>>   Doing spnego session setup (blob length=124)
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 2 840 48018 1 2 2
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 2 840 113554 1 2 2
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 2 840 113554 1 2 2 3
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 3 6 1 4 1 311 2 2 10
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
>>>   got principal=not_defined_in_rfc4...@please_ignore
>>> [2009/05/06 09:22:31, 10] libads/kerberos.c:kerberos_kinit_password_ext(217)
>>>   kerberos_kinit_password: as [email protected] using
>>> [MEMORY:cliconnect] as ccache and config [(null)]
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(899)
>>>   cli_session_setup_spnego: got a bad server principal, trying to guess ...
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(927)
>>>   cli_session_setup_spnego: guessed server principal=ca...@byu
>>> [2009/05/06 09:22:31, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(617)
>>>   Doing kerberos session setup
>>> [2009/05/06 09:22:31, 1] libsmb/clikrb5.c:ads_krb5_mk_req(686)
>>>   ads_krb5_mk_req: krb5_get_credentials failed for ca...@byu (Cannot
>>> resolve network address for KDC in requested realm)
>>> [2009/05/06 09:22:31, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(624)
>>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
>>> resolve network address for KDC in requested realm
>>> [2009/05/06 09:22:31, 4] winbindd/winbindd_cm.c:cm_prepare_connection(864)
>>>   failed kerberos session setup with Cannot resolve network address for
>>> KDC in requested realm
>>> [2009/05/06 09:22:31, 5] winbindd/winbindd_cm.c:cm_prepare_connection(880)
>>>   connecting to CAD1.byu.local from VI4DEBIAN with username
>>> [BYU]\[VI4DEBIAN$]
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(823)
>>>   Doing spnego session setup (blob length=124)
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 2 840 48018 1 2 2
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 2 840 113554 1 2 2
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 2 840 113554 1 2 2 3
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(850)
>>>   got OID=1 3 6 1 4 1 311 2 2 10
>>> [2009/05/06 09:22:31, 3] libsmb/cliconnect.c:cli_session_setup_spnego(858)
>>>   got principal=not_defined_in_rfc4...@please_ignore
>>>
>>> If you need more info, please let me know.
>>>
>>> Thanks,
>>>
>>> Robert LeBlanc
>>> Life Sciences Computer Support
>>> Brigham Young University
>>> [email protected]
>>> (801)422-1882
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
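The thread turns on two things the Kerberos library resolves on the client before it ever talks to a KDC: which realm a host name belongs to (the `[domain_realm]` table in krb5.conf, falling back to `default_realm`) and whether a short name such as `computer` can be turned into the FQDN that names the `host/` principal (the DNS search domains that the `supersede domain-name` line above supplies). The following added example, which is not code from the Samba list thread or from Samba or MIT Kerberos, shows that logic offline: it parses a krb5.conf of the shape Robert Foreman posted, applies the longest-suffix `[domain_realm]` rule, qualifies a short host name against a constructed hosts table, and audits the config for the settings the thread relies on. The krb5.conf text, the `HOSTS_TABLE`, the search-domain lists and all function names are assumptions made for the example; DNS SRV/TXT lookups (`dns_lookup_kdc`, `dns_lookup_realm`) are not performed.

```python
"""Offline checker for the krb5.conf and host-name side of Kerberos SSO.

Added example, not code from the list thread. Everything below is
constructed sample data; no DNS or KDC traffic is generated.
"""

# Constructed krb5.conf in the shape posted in the thread.
SAMPLE_KRB5_CONF = """
[logging]
default = FILE:/var/log/krb5libs.log

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL

[appdefaults]
pam = {
debug = false
forwardable = true
}
"""

# Constructed minimal config: no KDC discovery, no host-to-realm mapping.
BARE_KRB5_CONF = """
[libdefaults]
default_realm = DOMAIN.LOCAL
"""

# Constructed stand-in for /etc/hosts (or DNS A records) on the client.
HOSTS_TABLE = {
    "computer.domain.local": "10.0.0.5",
    "fileserver.domain.local": "10.0.0.6",
}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; nested blocks such as
    pam = { ... } are flattened to dotted keys (e.g. 'pam.forwardable')."""
    conf, section, prefix = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            prefix = []
        elif line == "}":
            if prefix:
                prefix.pop()
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                prefix.append(key.lower())
            else:
                conf[section][".".join(prefix + [key.lower()])] = value
    return conf


def realm_for_host(fqdn, conf):
    """[domain_realm] rule: exact host first, then each parent domain with a
    leading dot, then default_realm (DNS TXT lookup is out of scope here)."""
    mapping = conf.get("domain_realm", {})
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm")


def qualify_host(name, search_domains, hosts_table):
    """Turn a short name into an FQDN using the resolver search list; a
    short name with no matching search domain cannot be qualified."""
    name = name.lower().rstrip(".")
    if "." in name:
        return name if name in hosts_table else None
    for domain in search_domains:
        candidate = f"{name}.{domain.lower()}"
        if candidate in hosts_table:
            return candidate
    return None


def host_principal(name, conf, search_domains, hosts_table):
    """The service principal an ssh client would request for `name`, or
    None when the name cannot be mapped to an FQDN (the short-name case)."""
    fqdn = qualify_host(name, search_domains, hosts_table)
    if fqdn is None:
        return None
    return f"host/{fqdn}@{realm_for_host(fqdn, conf)}"


def audit_sso_config(conf):
    """Return findings for settings the thread depends on."""
    findings = []
    lib = conf.get("libdefaults", {})
    if "default_realm" not in lib:
        findings.append("libdefaults: default_realm is missing")
    has_static_kdc = any(k.endswith(".kdc") for k in conf.get("realms", {}))
    if lib.get("dns_lookup_kdc", "").lower() != "true" and not has_static_kdc:
        findings.append("no KDC discovery: set dns_lookup_kdc = true or a kdc = entry in [realms]")
    if not conf.get("domain_realm"):
        findings.append("domain_realm: no host-to-realm mapping; only default_realm will be used")
    return findings


CONF = parse_krb5_conf(SAMPLE_KRB5_CONF)

if __name__ == "__main__":
    for name, search in (("computer", ["domain.local", "domain.com"]), ("computer", [])):
        print(name, search, "->", host_principal(name, CONF, search, HOSTS_TABLE))
    print("audit:", audit_sso_config(parse_krb5_conf(BARE_KRB5_CONF)))
```

With the search list set, the short name `computer` yields `host/computer.domain.local@DOMAIN.LOCAL`; with an empty search list it yields no principal at all, which is the client-side reason a short name fails while the FQDN works. The audit on the bare config reports the missing KDC discovery and the missing `[domain_realm]` mapping, the two gaps behind "Cannot resolve network address for KDC in requested realm" and a wrongly guessed server realm.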
