Re: [Samba] Samba help?

2012-07-11 Thread Gémes Géza

Hi Miklos,

Hello Geza,

I stand chastised and apologize. I didn't mean to hijack someone's thread. I 
also didn't plan to ask for help in Hungarian, and this is just a coincidence.

However, if you can help me I'll take whatever I can get, so thank you.

My question/problem is that I have no windows background at all and am trying 
to configure Samba with Active Directory. I also have no access to any windows 
machines to test my configuration so I don't know if it works. I believe I'm 
almost there but how do I know if it's really working?

SWAT works fine, but Winbindd won't start.

infadmnq:/>lssrc -g samba
Subsystem         Group            PID          Status
 smbd             samba            14221530     active
 nmbd             samba            13893726     active
 winbindd         samba                         inoperative

I ran testparm and it comes back clean.

infadmnq:/>testparm
Load smb config files from /usr/lib/smb.conf
Processing section "[samba_infaQ]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
 workgroup = HUMC
 security = DOMAIN
 auth methods = winbind
 password server = dchumc01, dchumc02
 client NTLMv2 auth = Yes
 syslog = 3
 log file = /var/log/samba
 ldap ssl = no
 idmap uid = 1-2
 idmap gid = 1-2
 winbind enum users = Yes
 winbind enum groups = Yes

[samba_infaQ]
 comment = Share for DBA SAs
 path = /samba_infaQ

I run:

smbclient -L '\\fileserver1\DECN_Shared\' -U INFAservice

and I get two pages of output starting like this:

 Sharename       Type      Comment
 ---------       ----      -------
 CHRT_Shared     Disk      CHRT Departmental Shared Files
 HEDU_Shared     Disk      HEDU Departmental Shared Files
 MREC_Shared     Disk      MREC Departmental Shared Files
 PHBL_Shared     Disk      PHBL Departmental Shared Files
 PHRM_Shared     Disk      PHRM Departmental Shared Files
 SLAB_Shared     Disk      SLAB Departmental Shared Files
 SPAS_Shared     Disk      SPAS Departmental Shared Files
 SPTY_Shared     Disk      SPTY Departmental Shared Files
 WomenChild      Disk


Thank you for all the help!!

Miklos


First question:

What do wbinfo -p, wbinfo -u and wbinfo -g return?

You wrote that you have to authenticate your users against an AD. Have 
you joined it (e.g. net ads join -U 
username_of_an_AD_user_with_the_privilege_of_joining (for example an 
administrator))?


Regards

Geza
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
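A small health check built around the commands Géza asks for, as an added example (not code from the Samba project or from anyone in this thread). It runs wbinfo -p, wbinfo -u, wbinfo -g and net ads testjoin and turns the raw results into a diagnosis; the assessment is a pure function so it can be exercised on captured or constructed output without a domain join. It assumes an ADS-style join as Géza suggests (for security = domain the counterpart is net rpc testjoin); the command names are the real tools, the findings text is mine.

```python
"""Domain-membership health check: is winbindd alive, joined, and enumerating?"""
import subprocess

# Order matters: wbinfo -u / -g are meaningless while winbindd itself is not answering.
CHECKS = {
    "ping": ["wbinfo", "-p"],                # is winbindd alive at all?
    "users": ["wbinfo", "-u"],               # can it enumerate domain users?
    "groups": ["wbinfo", "-g"],              # ...and domain groups?
    "testjoin": ["net", "ads", "testjoin"],  # is the machine account valid?
}


def run_checks(runner=subprocess.run):
    """Run every command; return {name: (returncode, stdout)}.

    A missing binary or a hang is reported as returncode 127 rather than
    raising, so assess() can still say what is wrong.
    """
    results = {}
    for name, argv in CHECKS.items():
        try:
            proc = runner(argv, capture_output=True, text=True, timeout=30)
            results[name] = (proc.returncode, proc.stdout)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            results[name] = (127, "")
    return results


def assess(results):
    """Translate {name: (returncode, stdout)} into a list of findings (empty = healthy)."""
    findings = []
    rc, _ = results.get("ping", (127, ""))
    if rc != 0:
        findings.append("wbinfo -p failed: winbindd is not running (or its pipe is "
                        "unreachable); nothing else will work until it starts")
        return findings  # the remaining checks would only add noise
    rc, _ = results.get("testjoin", (127, ""))
    if rc != 0:
        findings.append("net ads testjoin failed: no valid machine account; join with "
                        "'net ads join -U <account allowed to join computers>'")
    for name, flag in (("users", "-u"), ("groups", "-g")):
        rc, out = results.get(name, (127, ""))
        entries = [line for line in out.splitlines() if line.strip()]
        if rc != 0:
            findings.append(f"wbinfo {flag} failed: winbindd could not enumerate; check DC "
                            "reachability ('password server' / DNS), the join and the idmap config")
        elif not entries:
            findings.append(f"wbinfo {flag} returned no entries: check "
                            f"'winbind enum {name} = yes' and the idmap range")
    return findings


if __name__ == "__main__":
    for finding in assess(run_checks()) or ["domain membership looks healthy"]:
        print(finding)
```

Run it as root on the member server; an empty result means winbindd answers, the machine account is valid and both enumerations return something, which is the "how do I know it's really working" Miklos is asking about.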


[Samba] DNS Update issue

2012-07-11 Thread Pradeep Pal
Hi;

Can anyone help me? I have 2 samba4 servers: one is the PDC, the other an ADC.

PDC is master server (hostname is file2.dom.com)
ADC is slave server (hostname is file.dom.com)

After adding a machine to the domain, when I check /var/log/messages I see the DNS
was not updated. This error comes on the slave server.

Jul 12 09:40:36 file named[2685]: samba_dlz: starting transaction on zone dom.com
Jul 12 09:40:36 file named[2685]: client 192.253.8.25#1055: updating zone 'dom.com/NONE': update unsuccessful: pradeep-96b8ca7.dom.com/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jul 12 09:40:36 file named[2685]: samba_dlz: cancelling transaction on zone dom.com
Jul 12 09:40:36 file named[2685]: samba_dlz: starting transaction on zone dom.com
Jul 12 09:40:36 file named[2685]: client 192.253.8.25#1058: update 'dom.com/IN' denied
Jul 12 09:40:36 file named[2685]: samba_dlz: cancelling transaction on zone dom.com

Please help me understand what this issue is. I am new to this.

-- 
Thanks & Regards
Pradeep Pal
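The two failure lines above are the interesting ones, and on a busy DC they are easy to miss among the samba_dlz transaction noise. As an added example (not code from Samba, BIND or this thread), here is a parser that pulls failed dynamic updates out of BIND/samba_dlz syslog lines and tells the two kinds apart: a prerequisite that was not satisfied (NXRRSET, a conditional update the client will normally retry) and an update the zone policy denied outright (on a Samba AD zone, what an unsigned or unauthorised update commonly looks like). The sample log is constructed from the lines quoted in the post, re-joined where the mail client had wrapped them; the explanation strings are my own.

```python
"""Pull failed dynamic-DNS updates out of BIND/samba_dlz syslog lines."""
import re
from collections import Counter

# Constructed sample: the two failures from the post, one line per log record.
SAMPLE_LOG = """\
Jul 12 09:40:36 file named[2685]: samba_dlz: starting transaction on zone dom.com
Jul 12 09:40:36 file named[2685]: client 192.253.8.25#1055: updating zone 'dom.com/NONE': update unsuccessful: pradeep-96b8ca7.dom.com/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jul 12 09:40:36 file named[2685]: samba_dlz: cancelling transaction on zone dom.com
Jul 12 09:40:36 file named[2685]: samba_dlz: starting transaction on zone dom.com
Jul 12 09:40:36 file named[2685]: client 192.253.8.25#1058: update 'dom.com/IN' denied
Jul 12 09:40:36 file named[2685]: samba_dlz: cancelling transaction on zone dom.com
"""

# "update unsuccessful": the client's RFC 2136 prerequisite did not hold.
PREREQ_RE = re.compile(
    r"client (?P<client>[\d.]+)#(?P<port>\d+): updating zone '(?P<zone>[^']+)': "
    r"update unsuccessful: (?P<name>\S+)/(?P<rtype>\w+): '(?P<prereq>[^']+)' "
    r"prerequisite not satisfied \((?P<rcode>\w+)\)")
# "update ... denied": the zone's update policy refused the request outright.
DENIED_RE = re.compile(
    r"client (?P<client>[\d.]+)#(?P<port>\d+): update '(?P<zone>[^']+)' denied")

WHY = {
    "prerequisite": ("the client asserted that a record already exists with a given value "
                     "and the zone disagrees, so the conditional update was refused; clients "
                     "typically retry, so on its own this is harmless"),
    "denied": ("the zone's update policy rejected the request; on a Samba AD zone this is "
               "commonly an unsigned (non-GSS-TSIG) update, or a signer without rights to "
               "the record"),
}


def parse_update_failures(text):
    """Return one dict per failed update, in log order."""
    events = []
    for line in text.splitlines():
        kind, m = "prerequisite", PREREQ_RE.search(line)
        if not m:
            kind, m = "denied", DENIED_RE.search(line)
        if m:
            event = m.groupdict()
            event["kind"] = kind
            event["why"] = WHY[kind]
            events.append(event)
    return events


def failures_per_client(events):
    """Count failures by (client IP, kind): a client that only ever shows up as
    'denied' never got a secure update through, which is the real problem."""
    return Counter((e["client"], e["kind"]) for e in events)


def cancelled_transactions(text):
    """Each failed attempt is bracketed by samba_dlz start/cancel lines, so the
    cancel count is a cheap cross-check on the number of failures."""
    return sum(1 for line in text.splitlines()
               if "samba_dlz: cancelling transaction" in line)


if __name__ == "__main__":
    found = parse_update_failures(SAMPLE_LOG)
    for e in found:
        print(f"{e['client']}:{e['port']} {e['kind']:12} zone={e['zone']} "
              f"{e.get('name', '')} {e.get('rcode', '')}")
    print(failures_per_client(found))
```

Feed it `journalctl -u named` or /var/log/messages; a client that appears only under "denied" is the one whose secure update is failing, and that is where to look (keytab on the ADC, clock skew, the client's DNS pointing at the right server).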


Re: [Samba] compiling samba 3.4.8 on CentOS_6.2

2012-07-11 Thread Denis Fateyev
Hello there,

In general, you may save efforts using precompiled binaries from the SerNet
team.
For example: http://ftp.sernet.de/pub/samba/3.6/rhel/6/x86_64/

---
wbr, Denis.


Re: [Samba] compiling samba 3.4.8 on CentOS_6.2

2012-07-11 Thread Randy Rue
FWIW, I've just run the same compile steps against 3.6.6 with the same
results. Had to copy the libtalloc.so.1 file and link the binaries to /sbin
and now trying to start the daemon from the init.d script fails and directly
launching smbd returns no error but ps aux shows it's not running. debug
level is 3 and nothing appears in syslog or any of the /var/log/samba/ files

Anyone have any guidance on getting a compiled tarball to run?



-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Randy Rue
Sent: Wednesday, July 11, 2012 2:38 PM
To: samba@lists.samba.org
Subject: [Samba] compiling samba 3.4.8 on CentOS_6.2

Too late to save grief, I've been grieving on this for weeks now.

I'm rolling back to 3.4.8 because I heard from several sources that idmap
against AD has broken at some point since then. I'd obviously prefer to
install 3.4.8 from an RPM or (even better) a yum repository somewhere but
can't seem to find any for this distro and/or version.

I haven't heard from anywhere that the idmap --> ad problem is fixed in 3.6.
Is it? If so, I'd be happy to try that instead.

I confess I'm unfamiliar with how to use RPMs to install the source and
then compile from there. Install the RPM and then from some newly created
source folder I ./configure / make / make install / etc?

From the github link below, how do I get an actual rpm file to install?

Can anyone point me toward a howto?

Or I could get the "plain" source tarball from samba.org for some later
version (that's where I'm getting 3.4.8). But it seems likely I'll have the
same trouble with the daemon not starting.

Or can anyone answer my actual question? For example, how to get logging
working so I can get some clues on why the binary fails to start?

Hope to hear from you.

Randy

-Original Message-
From: Nico Kadel-Garcia [mailto:nka...@gmail.com]
Sent: Tuesday, July 10, 2012 6:07 PM
To: Randy Rue
Cc: samba@lists.samba.org
Subject: Re: [Samba] compiling samba 3.4.8 on CentOS_6.2

On Tue, Jul 10, 2012 at 7:32 PM, Randy Rue  wrote:
> Hello All.
>
> Been trying without avail to make idmap work with my AD so I can get
> "real"
> UID/GID for SSH logins on a CentOS_6 box. Have heard from several 
> sources that idmap has seen some serious changes since 3.5 and decided 
> to roll back from the "stock" 3.5 that comes with CentOS_6 to 3.4.8.
> I'd like to see if it has the same problems.

Save yourself some grief. Either go to www.samba.org for a more recent
version, or look at:

https://github.com/nkadel/samba-3.6.4-srpm for some useful and very
buildable tools for a more recent release.


>
> Installed a clean build of CentOS_6.2. Stopped the samba service, 
> removed the package using yum and excluded samba* from yum updates in
> /etc/yum.conf.
>
> Downloaded and extracted the 3.4.8 tarball.
>
> cd into samba-3.../source3 and ran:
>
> the autoconfig.sh script
> ./configure
> make
> make install
>
> copied the smb.init script from the packaging/RHEL/setup folder to 
> /etc/init.d and made it executable
> chkconfig --add smb
> chkconfig smb on
>
>
> service smb start fails. Tries to start both smbd and nmbd and both fail.
>
> First I get errors about libraries.
> copied the libtalloc.so.1 file from /usr/local/samba/lib to /usr/lib64 
> fixed that one
>
> Then I get errors about not finding the binaries. Linked 
> /usr/local/samba/sbin/smbd and nmbd to /sbin and fixed that one. This 
> feels like a hack. I also tried adding /usr/local/samba/sbin to the 
> path. Also a hack but made no difference.
>
>
> Now if I try service smb start (or restart) I get failures from the 
> init script.
>
> Or I can try smbd directly and I get no response (it appears to start) 
> but "ps" shows that it didn't start.
>
> I've turned debug level and log level up to 3 in smb.conf (tried both
> arguments) but I get nothing in /var/log/syslog and nothing in any 
> file in /var/log/samba when I try to start it.
>
> Forgive the anecdotal tone of the above, I'm working mostly from 
> memory and have probably garbled a path or file name. Then again, I've 
> been through these steps six or more times now.
>
> Am I missing something obvious?
>
> Hope to hear from you,
>
> Randy
>
>
>


Re: [Samba] Samba help?

2012-07-11 Thread Gémes Géza

Hi Miklós,

Hello everyone,

I have just joined this group (discussion board) and would like to know how it 
works. Can I just put questions out there about my Samba difficulties and hope 
someone can help me?

Sorry to sound naïve, but I do need help with my Samba config and I have spent 
months, yes months, trying to get what I am told is a simple thing to work, to 
work for me and I just can't get it.

I would love it if I could get some help because I sure do need it.

Respectfully waiting for the kindness of strangers..

Miklos


First of all, please do not hijack other threads!
Second, tell us your questions/problems!
Third, if you need help in Hungarian you can contact me (I wouldn't say 
I'm the source of knowledge, but if I can help I won't refuse).


Regards

Geza


[Samba] Samba help?

2012-07-11 Thread Szentmiklosy, Miklos
Hello everyone,

I have just joined this group (discussion board) and would like to know how it 
works. Can I just put questions out there about my Samba difficulties and hope 
someone can help me?

Sorry to sound naïve, but I do need help with my Samba config and I have spent 
months, yes months, trying to get what I am told is a simple thing to work, to 
work for me and I just can't get it.

I would love it if I could get some help because I sure do need it.

Respectfully waiting for the kindness of strangers..

Miklos

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Randy Rue
Sent: Wednesday, July 11, 2012 5:19 PM
To: samba@lists.samba.org
Subject: Re: [Samba] compiling samba 3.4.8 on CentOS_6.2

Jonathan,

I appreciate the help you've given but you and I are having fundamentally
different experiences with 3.5. I've tried everything you've suggested, as
well as a bunch of conflicting suggestions from others, with no success.
I've narrowed the problem down to the idmap --> ad settings in smb.conf and
the best information I have right now suggests that something went wonky in
the app sometime after 3.4.8. So right now my immediate objective is to get
3.4.8 running and see if the problem still occurs. A particular help would
be at least getting some error in syslog or the samba logs to find out why
the binary won't start.

Randy

-Original Message-
From: Jonathan Buzzard [mailto:jonat...@buzzard.me.uk]
Sent: Wednesday, July 11, 2012 1:29 AM
To: Randy Rue
Subject: Re: [Samba] compiling samba 3.4.8 on CentOS_6.2

On 11/07/12 00:32, Randy Rue wrote:
> Hello All.
>
> Been trying without avail to make idmap work with my AD so I can get
"real"
> UID/GID for SSH logins on a CentOS_6 box. Have heard from several
> sources that idmap has seen some serious changes since 3.5 and decided
> to roll back from the "stock" 3.5 that comes with CentOS_6 to 3.4.8.
> I'd like to see if it has the same problems.

Why, it works just fine at least with the packages in CentOS 6.2. I cannot
speak for CentOS 6.3 because it is just out, but I very much doubt it has
broken it.


JAB.



[Samba] compiling samba 3.4.8 on CentOS_6.2

2012-07-11 Thread Randy Rue
Too late to save grief, I've been grieving on this for weeks now.

I'm rolling back to 3.4.8 because I heard from several sources that idmap
against AD has broken at some point since then. I'd obviously prefer to
install 3.4.8 from an RPM or (even better) a yum repository somewhere but
can't seem to find any for this distro and/or version.

I haven't heard from anywhere that the idmap --> ad problem is fixed in 3.6.
Is it? If so, I'd be happy to try that instead.

I confess I'm unfamiliar with how to use RPMs to install the source and
then compile from there. Install the RPM and then from some newly created
source folder I ./configure / make / make install / etc?

From the github link below, how do I get an actual rpm file to install?

Can anyone point me toward a howto?

Or I could get the "plain" source tarball from samba.org for some later
version (that's where I'm getting 3.4.8). But it seems likely I'll have the
same trouble with the daemon not starting.

Or can anyone answer my actual question? For example, how to get logging
working so I can get some clues on why the binary fails to start?

Hope to hear from you.

Randy

-Original Message-
From: Nico Kadel-Garcia [mailto:nka...@gmail.com] 
Sent: Tuesday, July 10, 2012 6:07 PM
To: Randy Rue
Cc: samba@lists.samba.org
Subject: Re: [Samba] compiling samba 3.4.8 on CentOS_6.2

On Tue, Jul 10, 2012 at 7:32 PM, Randy Rue  wrote:
> Hello All.
>
> Been trying without avail to make idmap work with my AD so I can get
> "real"
> UID/GID for SSH logins on a CentOS_6 box. Have heard from several 
> sources that idmap has seen some serious changes since 3.5 and decided 
> to roll back from the "stock" 3.5 that comes with CentOS_6 to 3.4.8. 
> I'd like to see if it has the same problems.

Save yourself some grief. Either go to www.samba.org for a more recent
version, or look at:

https://github.com/nkadel/samba-3.6.4-srpm for some useful and very
buildable tools for a more recent release.


>
> Installed a clean build of CentOS_6.2. Stopped the samba service, 
> removed the package using yum and excluded samba* from yum updates in
> /etc/yum.conf.
>
> Downloaded and extracted the 3.4.8 tarball.
>
> cd into samba-3.../source3 and ran:
>
> the autoconfig.sh script
> ./configure
> make
> make install
>
> copied the smb.init script from the packaging/RHEL/setup folder to 
> /etc/init.d and made it executable
> chkconfig --add smb
> chkconfig smb on
>
>
> service smb start fails. Tries to start both smbd and nmbd and both fail.
>
> First I get errors about libraries.
> copied the libtalloc.so.1 file from /usr/local/samba/lib to /usr/lib64 
> fixed that one
>
> Then I get errors about not finding the binaries. Linked 
> /usr/local/samba/sbin/smbd and nmbd to /sbin and fixed that one. This 
> feels like a hack. I also tried adding /usr/local/samba/sbin to the 
> path. Also a hack but made no difference.
>
>
> Now if I try service smb start (or restart) I get failures from the 
> init script.
>
> Or I can try smbd directly and I get no response (it appears to start) 
> but "ps" shows that it didn't start.
>
> I've turned debug level and log level up to 3 in smb.conf (tried both
> arguments) but I get nothing in /var/log/syslog and nothing in any 
> file in /var/log/samba when I try to start it.
>
> Forgive the anecdotal tone of the above, I'm working mostly from 
> memory and have probably garbled a path or file name. Then again, I've 
> been through these steps six or more times now.
>
> Am I missing something obvious?
>
> Hope to hear from you,
>
> Randy
>
>
>


Re: [Samba] compiling samba 3.4.8 on CentOS_6.2

2012-07-11 Thread Randy Rue
Jonathan,

I appreciate the help you've given but you and I are having fundamentally
different experiences with 3.5. I've tried everything you've suggested, as
well as a bunch of conflicting suggestions from others, with no success.
I've narrowed the problem down to the idmap --> ad settings in smb.conf and
the best information I have right now suggests that something went wonky in
the app sometime after 3.4.8. So right now my immediate objective is to get
3.4.8 running and see if the problem still occurs. A particular help would
be at least getting some error in syslog or the samba logs to find out why
the binary won't start.

Randy

-Original Message-
From: Jonathan Buzzard [mailto:jonat...@buzzard.me.uk] 
Sent: Wednesday, July 11, 2012 1:29 AM
To: Randy Rue
Subject: Re: [Samba] compiling samba 3.4.8 on CentOS_6.2

On 11/07/12 00:32, Randy Rue wrote:
> Hello All.
>
> Been trying without avail to make idmap work with my AD so I can get
> "real"
> UID/GID for SSH logins on a CentOS_6 box. Have heard from several 
> sources that idmap has seen some serious changes since 3.5 and decided 
> to roll back from the "stock" 3.5 that comes with CentOS_6 to 3.4.8. 
> I'd like to see if it has the same problems.

Why, it works just fine at least with the packages in CentOS 6.2. I cannot
speak for CentOS 6.3 because it is just out, but I very much doubt it has
broken it.


JAB.



Re: [Samba] Can't get idmap connected to AD unix attribs

2012-07-11 Thread Rowland Penny

On 11/07/12 17:38, Nick Triantos wrote:

Hi Rowland,

Yes, I've added their unix attributes.

It looks like there is a long-open bug in winbind/samba 3.6.x that may be 
causing the error below (https://bugzilla.samba.org/show_bug.cgi?id=8676). I'm 
now stuck behind that so I'm trying to downgrade to 3.5.x.

regards,
-Nick

On Jul 11, 2012, at 7:05 AM, Rowland Penny wrote:


On 11/07/12 01:57, Nick Triantos wrote:

Thanks Robert.

I've tried switching over to the AD back-end (which does sound like what I 
want), but I still receive only the errors:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

I restarted both winbind and smbd after changing the config. Is there some 
cache I have to flush, or some other config that needs to be changed beyond the 
settings in smb.conf?

thanks again!
-Nick

My updated smb.conf:

workgroup = CORP
security = ADS
#password server = 192.168.77.251
realm = CORP.MYCOMPANY.COM
allow trusted domains = yes
winbind use default domain = yes
winbind nested groups = YES
idmap config CORP : backend = ad
idmap config CORP : default = yes
idmap config CORP : schema_mode = rfc2307
idmap config CORP : range = 800 - 9


On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:



Nick,

I think what you may be looking for is the ad backend:

https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html

Since you are using tdb in your config, it is using a local database
and allocates UID/GIDs on the fly...first come, first served.  So a
user may not get the same UID from one machine to the next.

Robert

On 07/10/2012 12:20 AM, Nick Triantos wrote:

Hi,

I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and
Winbind to map userids and groups to the unix attributes in an AD
2008 server. I can see that when I perform an ldapsearch, I'm able
to read the attributes, and for one of my accounts, the id should
be 1001. However, when I run 'wbinfo -i', I get back
something like 920.

At one point, I was setting the idmap range to start at 900, but
I've since removed that from my config, and restarted winbindd and
smbd. I've also tried to 'net cache flush'.

I also see wbinfo -i   usually returns: failed to call
wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user


The relevant parts of my smb.conf are below. I've tried patching
this together from various tuts and help pages. Any guidance would
be very helpful.

thanks! -Nick

[global]
workgroup = CORP
security = ADS
password server = 192.168.77.251
realm = CORP.MYCOMPANY.COM
allow trusted domains = yes
winbind use default domain = yes
winbind nested groups = YES
idmap config CORP : backend = tdb
idmap config CORP : default = yes
idmap config CORP : schema_mode = rfc2307
idmap config CORP : range = 1000 - 
idmap config * : backend = tdb
encrypt passwords = true
obey pam restrictions = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
restrict anonymous = 2
unix password sync = yes
winbind enum groups = yes
winbind enum users = yes
winbind nss info = rfc2307



--


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36



Hi, just a thought, have you added the RFC2307 uid/gid values to your users on 
the AD server? if you haven't, there will be nothing to find and it may throw 
the error that you are getting.

Rowland







I am playing about with this on a Xubuntu 12.04 client against a Samba4 
server (Ubuntu 12.04 server) and it seems to be working for me (mostly)


I have:
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config HOME:schema_mode = rfc2307
idmap config HOME:range = 21-310
idmap config HOME:backend = ad
idmap config * : range = 21-310
idmap config * : backend = tdb

in /etc/samba/smb.conf

wbinfo -u returns all AD users
wbinfo -g returns all AD groups
getent passwd returns all local & AD 
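Robert's point (tdb allocates ids first-come first-served, only the ad backend reads the RFC 2307 attributes) and Rowland's working config both come down to a handful of idmap lines being consistent with each other. As an added example (not Samba code and not from anyone in this thread), here is a small linter for the idmap part of [global] that flags the mistakes seen in Nick's first config: schema_mode set on a tdb backend, which is silently ignored, and a domain range that overlaps the '*' allocation range. It also warns when backend = ad is used without winbind nss info = rfc2307, since home directory and shell then come from the template settings rather than AD. The two configurations are constructed, modelled on Nick's before/after smb.conf with invented, well-formed ranges.

```python
"""Lint the idmap configuration of an smb.conf [global] section."""
import re

IDMAP_RE = re.compile(
    r"^idmap config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)$", re.I)
VALID_SCHEMA_MODES = {"rfc2307", "sfu", "sfu20"}   # the values idmap_ad accepts

# Constructed 'before': tdb backend with an AD schema_mode, overlapping ranges.
BROKEN_CONF = """\
[global]
   workgroup = CORP
   security = ADS
   realm = CORP.MYCOMPANY.COM
   winbind use default domain = yes
   idmap config CORP : backend = tdb
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 1000-9999
   idmap config * : backend = tdb
   idmap config * : range = 1000-9999
"""

# Constructed 'after': ad backend reading RFC 2307 attributes, disjoint ranges.
FIXED_CONF = """\
[global]
   workgroup = CORP
   security = ADS
   realm = CORP.MYCOMPANY.COM
   winbind use default domain = yes
   winbind nss info = rfc2307
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 10000-99999
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999
"""


def parse_global(text):
    """Return (plain settings, idmap) from [global]; idmap maps DOMAIN -> {key: value}.
    Text with no section header (as pasted in the thread) is treated as [global]."""
    settings, idmap, section = {}, {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"].strip()
        elif "=" in line:
            key, val = line.split("=", 1)
            settings[key.strip().lower()] = val.strip()
    return settings, idmap


def parse_range(value):
    """'1000-9999' -> (1000, 9999); anything else (including '1000 -') -> None."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    return (int(m[1]), int(m[2])) if m else None


def lint_idmap(text):
    """Return a list of problems; an empty list means the idmap setup is consistent."""
    settings, idmap = parse_global(text)
    problems, ranges = [], {}
    for dom, cfg in idmap.items():
        backend = cfg.get("backend", "").lower()
        rng = parse_range(cfg.get("range", ""))
        if rng is None or rng[0] >= rng[1]:
            problems.append(f"{dom}: range missing or malformed: {cfg.get('range', '<unset>')!r}")
        else:
            ranges[dom] = rng
        mode = cfg.get("schema_mode", "").lower()
        if backend == "ad":
            if mode and mode not in VALID_SCHEMA_MODES:
                problems.append(f"{dom}: unknown schema_mode {mode!r}")
            if settings.get("winbind nss info", "").lower() != "rfc2307":
                problems.append(f"{dom}: backend ad without 'winbind nss info = rfc2307': "
                                "home directory and shell will come from the template settings")
        elif mode:
            problems.append(f"{dom}: schema_mode is set but backend is {(backend or '<unset>')!r}; "
                            "only the ad backend reads AD unix attributes, tdb hands out ids first-come first-served")
    if "*" not in idmap:
        problems.append("no 'idmap config *' entry: BUILTIN and foreign-domain SIDs have no range to map into")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            lo, hi = max(ranges[a][0], ranges[b][0]), min(ranges[a][1], ranges[b][1])
            if lo <= hi:
                problems.append(f"ranges of {a} and {b} overlap on {lo}-{hi}; "
                                "idmap ranges must be disjoint or ids can collide")
    return problems


if __name__ == "__main__":
    for label, conf in (("before", BROKEN_CONF), ("after", FIXED_CONF)):
        print(label, lint_idmap(conf) or ["ok"])
```

Point it at a real file with `lint_idmap(open("/etc/samba/smb.conf").read())`; it complements testparm, which checks syntax but not whether the backends and ranges make sense together.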

Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

2012-07-11 Thread Ritter, Marcel - RRZE
Hi Quinn,

thanks for your hint: I still had an old out-of-date /etc/krb5.keytab
from a former installation of samba4 :-(

I simply copied secrets.keytab to /etc/krb5.keytab and everything
worked as described.

I'd really be interested in your progress concerning NFS4 - I've
tried to get this working some time ago - with mixed results in
a "real" Active Directory environment, so maybe I can repay my
debt ;-)

However, doing secure NFS using Samba4 DC would be pretty
cool :-)

Bye,
   Marcel

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Quinn Plattel
Sent: Wednesday, July 11, 2012 10:08 AM
To: samba
Subject: Re: [Samba] How do I get an ssh client to authenticate with samba4's 
kerberos GSSAPI? [Solved]

Btw, forgot to mention, when testing, make sure on the client you do a "kinit 
" to get a valid ticket before doing your ssh login.  You can check if 
you have a valid ticket with the "klist" command.

br,
Quinn

On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel  wrote:

> Hi Marcel,
>
> On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l) :
> ii  krb5-config
> 2.2 Configuration files for Kerberos
> Version 5
> ii  krb5-locales
> 1.10+dfsg~beta1-2ubuntu0.1  Internationalization support for
> MIT Kerberos
> ii  krb5-user
> 1.10+dfsg~beta1-2ubuntu0.1  Basic programs to authenticate
> using MIT Kerberos
> ii  libgssapi-krb5-2
> 1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries -
> krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal
> 1.6~git20120311.dfsg.1-2Heimdal Kerberos - libraries
> ii  libkrb5-3
> 1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries
> ii  libkrb5support0
> 1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries -
> Support library
> ii  libpam-krb5
> 4.5-3   PAM module for MIT Kerberos
> ii  openssh-client
> 1:5.9p1-5ubuntu1secure shell (SSH) client, for
> secure access to remote machines
>
> On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):
> ii  krb5-config
> 2.2 Configuration files for Kerberos
> Version 5
> ii  krb5-locales
> 1.10+dfsg~beta1-2ubuntu0.1  Internationalization support for
> MIT Kerberos
> ii  krb5-user
> 1.10+dfsg~beta1-2ubuntu0.1  Basic programs to authenticate
> using MIT Kerberos
> ii  libgssapi-krb5-2
> 1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries -
> krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal
> 1.6~git20120311.dfsg.1-2Heimdal Kerberos - libraries
> ii  libkrb5-3
> 1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries
> ii  libkrb5support0
> 1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries -
> Support library
> ii  openssh-client
> 1:5.9p1-5ubuntu1secure shell (SSH) client, for
> secure access to remote machines
> ii  openssh-server
> 1:5.9p1-5ubuntu1secure shell (SSH) server, for
> secure access from remote machines
>samba Version 4.0.0beta3-GIT-UNKNOWN
>
> Without "GSSAPIStrictAcceptorCheck no" you need an fqdn in the client's 
> /etc/hosts file and have all the principals needed added to the 
> server's keytab file, but this is not necessary if you use the parameter.
> With the parameter, the only thing you need to make sure of is that on 
> the server /var/lib/samba/secrets.keytab is copied or linked to 
> /etc/krb5.keytab (sshd looks for it).  You can use the keytab file as 
> it is without copying any extra principals into it.
>
> You can have a very simple /etc/hosts on the client such as:
> 127.0.0.1localhost
> 127.0.1.1ubuntu-test
>
> This setup probably only works for ssh kerberos. nfsv4, pam logins, 
> and other kerberos aware services may need strict checking.  That is 
> my next research project.
>
> For ssh debugging, on the server I used -ddd for sshd and looked at 
> both syslog and auth.log under /var/log.  On the client, I used ssh 
> -vvvl   For kerberos samba4 debugging, start samba with 
> "-d 5" parameter and then "tail -f /var/log/samba/log.samba|grep 
> Kerberos:"
>
> br,
> Quinn
>
>
>
> On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE < 
> marcel.rit...@rrze.fau.de> wrote:
>
>> Hi Quinn,
>>
>> I just tried your solution (my machine is also multi-homed). However 
>> it doesn't work for me. The man-page of sshd_config also states, that 
>> the behavior of "GSSAPIStrictAcceptorCheck" may depend on the used
>> krb5 libraries.
>>
>> Could you please have a look at the krb5 and openssh versions you're 
>> using (and perhaps the linux distribution/version)?
>>
>> BTW: I'm running:
>>  Ubuntu 12.04 LTS
>> openssh-server 5.9p1-5ubuntu1
>> libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1
>>
>> auth.log mentions (during failed login):
>> Unspecified GSS failure
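Quinn's recipe has two moving parts, the keytab sshd reads and the GSSAPI lines in sshd_config, and Marcel's fix shows how the first one goes wrong: a copied keytab goes stale when Samba rotates the machine keys. As an added example (not code from the thread, OpenSSH or Samba), here is an audit of both. The keytab check verifies mode, ownership and that /etc/krb5.keytab is either a link to or a byte-for-byte copy of the source it is meant to mirror; the sshd_config check reports GSSAPIAuthentication being off and flags GSSAPIStrictAcceptorCheck no, because with it sshd will accept a service ticket issued for any principal whose key is in the keytab, and a DC's full secrets.keytab holds keys for every service on that DC. The paths in main() are the ones Quinn names; the function names and findings text are mine.

```python
"""Audit the keytab sshd uses for GSSAPI and the GSSAPI options in sshd_config."""
import hashlib
import os
import stat


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit_keytab(keytab, source, expected_uid=0):
    """Findings for a keytab that is meant to mirror `source` (Samba's secrets.keytab)."""
    findings = []
    if not os.path.exists(keytab):
        return [f"{keytab} does not exist; sshd will have no service key"]
    st = os.stat(keytab)  # follows a symlink to the real file
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{keytab} is group/other accessible (mode {stat.S_IMODE(st.st_mode):04o}); "
                        "it holds long-term service keys and should be 0600")
    if st.st_uid != expected_uid:
        findings.append(f"{keytab} is owned by uid {st.st_uid}, expected {expected_uid}")
    if os.path.islink(keytab):
        if os.path.realpath(keytab) != os.path.realpath(source):
            findings.append(f"{keytab} links to {os.path.realpath(keytab)}, not to {source}")
    elif os.path.exists(source) and _sha256(keytab) != _sha256(source):
        # The case from this thread: an old copy left over from an earlier install.
        findings.append(f"{keytab} is a stale copy: its content differs from {source}; "
                        "re-copy it, or symlink it so key rotation is picked up")
    return findings


def audit_sshd_config(text):
    """Findings for the GSSAPI-related sshd_config keywords.

    sshd uses the first value of a repeated keyword, so this does the same.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    findings = []
    if opts.get("gssapiauthentication", "no") != "yes":
        findings.append("GSSAPIAuthentication is off (the default): Kerberos ssh logins will never be tried")
    if opts.get("gssapistrictacceptorcheck", "yes") == "no":
        findings.append("GSSAPIStrictAcceptorCheck no: sshd accepts a service ticket for any principal "
                        "whose key is in its keytab, not just host/<this fqdn>; acceptable on a "
                        "multi-homed host, but then keep the keytab limited to this host's principals")
    return findings


if __name__ == "__main__":
    for finding in audit_keytab("/etc/krb5.keytab", "/var/lib/samba/secrets.keytab"):
        print(finding)
    with open("/etc/ssh/sshd_config") as fh:
        for finding in audit_sshd_config(fh.read()):
            print(finding)
```

Run it as root after following the recipe; an empty result for both means sshd has a current, root-only key and the GSSAPI options are at least deliberate. Pair it with `kinit`, `klist` and `ssh -vvv` on the client, as Quinn describes, when a login still fails.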

Re: [Samba] Can't get idmap connected to AD unix attribs

2012-07-11 Thread Rowland Penny

On 11/07/12 01:57, Nick Triantos wrote:

Thanks Robert.

I've tried switching over to the AD back-end (which does sound like what I 
want), but I still receive only the errors:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

I restarted both winbind and smbd after changing the config. Is there some 
cache I have to flush, or some other config that needs to be changed beyond the 
settings in smb.conf?

thanks again!
-Nick

My updated smb.conf:

workgroup = CORP
security = ADS
#password server = 192.168.77.251
realm = CORP.MYCOMPANY.COM
allow trusted domains = yes
winbind use default domain = yes
winbind nested groups = YES
idmap config CORP : backend = ad
idmap config CORP : default = yes
idmap config CORP : schema_mode = rfc2307
idmap config CORP : range = 800 - 9


On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:



Nick,

I think what you may be looking for is the ad backend:

https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html

Since you are using tdb in your config, it is using a local database
and allocates UID/GIDs on the fly...first come, first served.  So a
user may not get the same UID from one machine to the next.

Robert

On 07/10/2012 12:20 AM, Nick Triantos wrote:

Hi,

I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and
Winbind to map userids and groups to the unix attributes in an AD
2008 server. I can see that when I perform an ldapsearch, I'm able
to read the attributes, and for one of my accounts, the id should
be 1001. However, when I run 'wbinfo -i', I get back
something like 920.

At one point, I was setting the idmap range to start at 900, but
I've since removed that from my config, and restarted winbindd and
smbd. I've also tried to 'net cache flush'.

I also see wbinfo -i  usually returns: failed to call
wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user


The relevant parts of my smb.conf are below. I've tried patching
this together from various tuts and help pages. Any guidance would
be very helpful.

thanks! -Nick

[global]
workgroup = CORP
security = ADS
password server = 192.168.77.251
realm = CORP.MYCOMPANY.COM
allow trusted domains = yes
winbind use default domain = yes
winbind nested groups = YES
idmap config CORP : backend = tdb
idmap config CORP : default = yes
idmap config CORP : schema_mode = rfc2307
idmap config CORP : range = 1000 - 
idmap config * : backend = tdb
encrypt passwords = true
obey pam restrictions = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
restrict anonymous = 2
unix password sync = yes
winbind enum groups = yes
winbind enum users = yes
winbind nss info = rfc2307




-- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


Hi, just a thought, have you added the RFC2307 uid/gid values to your 
users on the AD server? If you haven't, there will be nothing to find 
and it may throw the error that you are getting.


Rowland



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] splitting services in samba4

2012-07-11 Thread Ben Metcalfe
Assuming samba 4 supports them, watch out for your FSMO roles; each role
will be specific to one server in the domain. Recovering from the loss of a
server that currently owns one or more of the FSMO roles is a little
trickier than just booting another peer-DC to handle requests.

On Wednesday, 11 July 2012, Gémes Géza wrote:

> Hi Quinn,
>
>> Thanks for the quick response.
>>
>> So I guess if you wanted high availability, you would either have to
>> implement a PDC/BDC solution with samba4 or use samba4 on top of a
>> corosync/pacemaker cluster.  Is this correct?
>>
>> br,
>> Quinn
>>
>>
>> On Wed, Jul 11, 2012 at 10:43 AM, Gémes Géza  wrote:
>>
>>> On 2012-07-11 10:27, Quinn Plattel wrote:
>>>
>>>> Question:  Right now samba4 is great as in all-in-one solution (samba,
>>>> kerberos, ldap, dns) into one service.
>>>> Is it possible to split it up so that for example, I run openldap on one
>>>> server, kerberos on another server, and then dns/samba on a third
>>>> server?
>>>>
>>>> br,
>>>> Quinn
>>>>
>>> Short answer: NO
>>> Longer: Windows clients expect kerberos, ldap and samba rpc+filesharing
>>> services on the same host, so if you need AD functionality you couldn't
>>> separate them. They also expect a schema (the AD schema) which is
>>> incompatible with OpenLDAP.
>>>
>>> Regards
>>>
>>> Geza
>>>
>>>
>>>
>>
> The multiple AD DC (in active directory every (non readonly) DC is a sort
> of PDC) is the tried and recommended method (even by M$)
>
> Regards
>
> Geza


Re: [Samba] splitting services in samba4

2012-07-11 Thread Gémes Géza

Hi Quinn,

Thanks for the quick response.

So I guess if you wanted high availability, you would either have to
implement a PDC/BDC solution with samba4 or use samba4 on top of a
corosync/pacemaker cluster.  Is this correct?

br,
Quinn


On Wed, Jul 11, 2012 at 10:43 AM, Gémes Géza  wrote:


On 2012-07-11 10:27, Quinn Plattel wrote:

  Question:  Right now samba4 is great as in all-in-one solution (samba,

kerberos, ldap, dns) into one service.
Is it possible to split it up so that for example, I run openldap on one
server, kerberos on another server, and then dns/samba on a third server?

br,
Quinn


Short answer: NO
Longer: Windows clients expect kerberos, ldap and samba rpc+filesharing
services on the same host, so if you need AD functionality you couldn't
separate them. They also expect a schema (the AD schema) which is
incompatible with OpenLDAP.

Regards

Geza






The multiple AD DC (in active directory every (non readonly) DC is a 
sort of PDC) is the tried and recommended method (even by M$)


Regards

Geza

[Samba] samba4 and phpldapadmin

2012-07-11 Thread Quinn Plattel
Hi,

I am currently trying out phpldapadmin against samba4's ldap server.  I
copied the necessary attributes from samba/private/phpldapadmin-config.php
to phpldapadmin's config.php and I am successfully logging in as
Administrator via the tool.
The samba4 ldap tree comes up on the left window and I can expand all the
items in the tree, but whenever I click on an item to view its attributes,
I get the error "There was a problem with the request" during the
"Retrieving DN..." operation.
The log.samba file just repeats the following line many times:

ldb_request BASE
dn=CN=Aggregate,CN=Schema,CN=Configuration,DC=velocytech,DC=net
filter=(objectClass=*)

Any ideas what is going on here?

br,
Quinn


Re: [Samba] Can't get idmap connected to AD unix attribs

2012-07-11 Thread Nick Triantos
Thanks Robert.

I've tried switching over to the AD back-end (which does sound like what I 
want), but I still receive only the errors:
   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

I restarted both winbind and smbd after changing the config. Is there some 
cache I have to flush, or some other config that needs to be changed beyond the 
settings in smb.conf?

thanks again!
-Nick

My updated smb.conf:

   workgroup = CORP
   security = ADS
   #password server = 192.168.77.251
   realm = CORP.MYCOMPANY.COM
   allow trusted domains = yes
   winbind use default domain = yes
   winbind nested groups = YES
   idmap config CORP : backend = ad
   idmap config CORP : default = yes
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 800 - 9


On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:

> 
> Nick,
> 
> I think what you may be looking for is the ad backend:
> 
> https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
> 
> Since you are using tdb in your config, it is using a local database
> and allocates UID/GIDs on the fly...first come, first served.  So a
> user may not get the same UID from one machine to the next.
> 
> Robert
> 
> On 07/10/2012 12:20 AM, Nick Triantos wrote:
>> Hi,
>> 
>> I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and 
>> Winbind to map userids and groups to the unix attributes in an AD 
>> 2008 server. I can see that when I perform an ldapsearch, I'm able 
>> to read the attributes, and for one of my accounts, the id should 
>> be 1001. However, when I run 'wbinfo -i ', I get back 
>> something like 920.
>> 
>> At one point, I was setting the idmap range to start at 900, but 
>> I've since removed that from my config, and restarted winbindd and 
>> smbd. I've also tried to 'net cache flush'.
>> 
>> I also see wbinfo -i  usually returns: failed to call 
>> wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user 
>> 
>> 
>> The relevant parts of my smb.conf are below. I've tried patching 
>> this together from various tuts and help pages. Any guidance would 
>> be very helpful.
>> 
>> thanks! -Nick
>> 
>> [global] workgroup = CORP security = ADS password server = 
>> 192.168.77.251 realm = CORP.MYCOMPANY.COM allow trusted domains = 
>> yes winbind use default domain = yes winbind nested groups = YES 
>> idmap config CORP : backend = tdb idmap config CORP : default = yes
>> idmap config CORP : schema_mode = rfc2307 idmap config CORP : range
>> = 1000 -  idmap config * : backend = tdb encrypt passwords =
>> true obey pam restrictions = yes client use spnego = yes client
>> ntlmv2 auth = yes encrypt passwords = true restrict anonymous = 2
>> unix password sync = yes winbind enum groups = yes winbind enum
>> users = yes winbind nss info = rfc2307
>> 
>> 
> 
> 
> -- 
> 
> 
> Robert Freeman-Day
> 
> https://launchpad.net/~presgas
> GPG Public Key:
> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
> 
> 

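Both Robert's point (tdb hands out IDs first come, first served, so only the ad backend gives the same UID everywhere) and Rowland's (with the ad backend there must be an RFC2307 uidNumber on the AD object, and winbind only maps it if it lies inside the configured range) can be checked offline before restarting winbind. The script below is an added example, not code from the thread or from Samba; the smb.conf fragment and the ldapsearch-style user records are constructed, and the user check assumes the domain uses backend = ad.

```python
"""Offline check of winbind 'idmap config' settings against AD RFC2307 attributes (added example, not code from the thread or from Samba)."""
import re

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$", re.I)

def parse_idmap(smb_conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line in smb.conf."""
    cfg = {}
    for raw in smb_conf.splitlines():
        m = IDMAP_RE.match(raw.split("#", 1)[0])  # ignore trailing comments
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg

def parse_range(value):
    """'1000 - 9999' -> (1000, 9999); rejects one-sided or inverted ranges."""
    parts = [p.strip() for p in value.split("-")]
    if len(parts) != 2 or not all(p.isdigit() for p in parts) or int(parts[0]) >= int(parts[1]):
        raise ValueError(f"range must be 'low - high' with low < high, got {value!r}")
    return int(parts[0]), int(parts[1])

def check_config(cfg):
    """Structural problems that stop winbind from allocating or mapping IDs."""
    problems, ranges = [], {}
    if not {"backend", "range"}.issubset(cfg.get("*", {})):
        problems.append("default domain '*' needs both a backend and a range")
    for dom, opts in cfg.items():
        try:
            ranges[dom] = parse_range(opts.get("range", ""))
        except ValueError as err:
            problems.append(f"{dom}: {err}")
    for i, a in enumerate(sorted(ranges)):
        for b in sorted(ranges)[i + 1:]:  # each pair once; overlapping ranges corrupt the mapping
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems

def check_users(cfg, users):
    """backend = ad maps a user only if AD holds a uidNumber inside the domain's range."""
    report = {}
    for u in users:
        lo, hi = parse_range(cfg[u["domain"].upper()]["range"])  # assumes backend = ad
        uid = u.get("uidNumber")
        if uid is None:
            report[u["sAMAccountName"]] = "no uidNumber in AD: cannot be mapped"
        elif not lo <= uid <= hi:
            report[u["sAMAccountName"]] = f"uidNumber {uid} outside {lo}-{hi}: not mapped"
        else:
            report[u["sAMAccountName"]] = "ok"
    return report

# Constructed sample config and ldapsearch results, not the poster's real data
SAMPLE_SMB_CONF = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 20000 - 29999
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 1000 - 9999
"""
SAMPLE_USERS = [
    {"domain": "CORP", "sAMAccountName": "nick", "uidNumber": 1001},
    {"domain": "CORP", "sAMAccountName": "svc_backup", "uidNumber": 15000},
    {"domain": "CORP", "sAMAccountName": "newhire"},  # RFC2307 attributes never set
]
```

Run `check_config(parse_idmap(open("/etc/samba/smb.conf").read()))` against a real file, and feed `check_users` the uidNumber values an ldapsearch returns, to see which accounts winbind will refuse to map and why.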


Re: [Samba] splitting services in samba4

2012-07-11 Thread Quinn Plattel
Thanks for the quick response.

So I guess if you wanted high availability, you would either have to
implement a PDC/BDC solution with samba4 or use samba4 on top of a
corosync/pacemaker cluster.  Is this correct?

br,
Quinn


On Wed, Jul 11, 2012 at 10:43 AM, Gémes Géza  wrote:

> On 2012-07-11 10:27, Quinn Plattel wrote:
>
>> Question:  Right now samba4 is great as in all-in-one solution (samba,
>> kerberos, ldap, dns) into one service.
>> Is it possible to split it up so that for example, I run openldap on one
>> server, kerberos on another server, and then dns/samba on a third server?
>>
>> br,
>> Quinn
>>
> Short answer: NO
> Longer: Windows clients expect kerberos, ldap and samba rpc+filesharing
> services on the same host, so if you need AD functionality you couldn't
> separate them. They also expect a schema (the AD schema) which is
> incompatible with OpenLDAP.
>
> Regards
>
> Geza
>
>


-- 
Best regards/Med venlig hilsen,
Quinn Plattel

[Samba] splitting services in samba4

2012-07-11 Thread Quinn Plattel
Question:  Right now samba4 is great as in all-in-one solution (samba,
kerberos, ldap, dns) into one service.
Is it possible to split it up so that for example, I run openldap on one
server, kerberos on another server, and then dns/samba on a third server?

br,
Quinn


Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

2012-07-11 Thread Quinn Plattel
Btw, forgot to mention, when testing, make sure on the client you do a
"kinit " to get a valid ticket before doing your ssh login.  You can
check if you have a valid ticket with the "klist" command.

br,
Quinn

On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel  wrote:

> Hi Marcel,
>
> On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l) :
> ii  krb5-config
> 2.2 Configuration files for Kerberos
> Version 5
> ii  krb5-locales
> 1.10+dfsg~beta1-2ubuntu0.1  Internationalization support for
> MIT Kerberos
> ii  krb5-user
> 1.10+dfsg~beta1-2ubuntu0.1  Basic programs to authenticate
> using MIT Kerberos
> ii  libgssapi-krb5-2
> 1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries -
> krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal
> 1.6~git20120311.dfsg.1-2Heimdal Kerberos - libraries
> ii  libkrb5-3
> 1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries
> ii  libkrb5support0
> 1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries -
> Support library
> ii  libpam-krb5
> 4.5-3   PAM module for MIT Kerberos
> ii  openssh-client
> 1:5.9p1-5ubuntu1secure shell (SSH) client, for
> secure access to remote machines
>
> On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):
> ii  krb5-config
> 2.2 Configuration files for Kerberos
> Version 5
> ii  krb5-locales
> 1.10+dfsg~beta1-2ubuntu0.1  Internationalization support for
> MIT Kerberos
> ii  krb5-user
> 1.10+dfsg~beta1-2ubuntu0.1  Basic programs to authenticate
> using MIT Kerberos
> ii  libgssapi-krb5-2
> 1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries -
> krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal
> 1.6~git20120311.dfsg.1-2Heimdal Kerberos - libraries
> ii  libkrb5-3
> 1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries
> ii  libkrb5support0
> 1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries -
> Support library
> ii  openssh-client
> 1:5.9p1-5ubuntu1secure shell (SSH) client, for
> secure access to remote machines
> ii  openssh-server
> 1:5.9p1-5ubuntu1secure shell (SSH) server, for
> secure access from remote machines
>samba Version 4.0.0beta3-GIT-UNKNOWN
>
> Without "GSSAPIStrictAcceptorCheck no" you need an fqdn in the clients
> /etc/hosts file and have all the principals needed added to the servers
> keytab file, but this is not necessary if you use the parameter.
> With the parameter, the only thing you need is to make sure is that on the
> server /var/lib/samba/secrets.keytab is copied or linked to
> /etc/krb5.keytab (sshd looks for it).  You can use the keytab file as it is
> without copying any extra principals into it.
>
> You can have a very simple /etc/hosts on the client such as:
> 127.0.0.1localhost
> 127.0.1.1ubuntu-test
>
> This setup probably only works for ssh kerberos. nfsv4, pam logins, and
> other kerberos aware services may need strict checking.  That is my next
> research project.
>
> For ssh debugging, on the server I used -ddd for sshd and looked at both
> syslog and auth.log under /var/log.  On the client, I used ssh -vvvl 
> 
> For kerberos samba4 debugging, start samba with "-d 5" parameter and then
> "tail -f /var/log/samba/log.samba|grep Kerberos:"
>
> br,
> Quinn
>
>
>
> On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE <
> marcel.rit...@rrze.fau.de> wrote:
>
>> Hi Quinn,
>>
>> I just tried your solution (my machine is also multi-homed). However it
>> doesn't work for me. The man-page of sshd_config also states, that the
>> behavior of "GSSAPIStrictAcceptorCheck" may depend on the used
>> krb5 libraries.
>>
>> Could you please have a look at the krb5 and openssh versions you're
>> using (and perhaps the linux distribution/version)?
>>
>> BTW: I'm running:
>>  Ubuntu 12.04 LTS
>> openssh-server 5.9p1-5ubuntu1
>> libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1
>>
>> auth.log mentions (during failed login):
>> Unspecified GSS failure.
>> Minor code may provide more information:
>> Wrong principal in request
>>
>> Thanks,
>> Marcel
>>
>> -Original Message-
>> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
>> On Behalf Of Quinn Plattel
>> Sent: Tuesday, 10 July 2012 16:08
>> To: samba
>> Subject: Re: [Samba] How do I get an ssh client to authenticate with
>> samba4's kerberos GSSAPI? [Solved]
>>
>> Hi,
>>
>> I solved my ssh GSSAPI problem.  There were a lot of solutions on google
>> referring to a proper fqdn in the /etc/hosts file and having the
>> fqdn's/principals in the kerberos server's keytab file but I found out that
>> my problem was that the samba4/kerberos server was running on a multi-homed
>> machine and that the ssh server kerberos authentication

Re: [Samba] How do I get an ssh client to authenticate with samba4's kerberos GSSAPI? [Solved]

2012-07-11 Thread Quinn Plattel
Hi Marcel,

On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l) :
ii  krb5-config
2.2 Configuration files for Kerberos
Version 5
ii  krb5-locales
1.10+dfsg~beta1-2ubuntu0.1  Internationalization support for
MIT Kerberos
ii  krb5-user
1.10+dfsg~beta1-2ubuntu0.1  Basic programs to authenticate
using MIT Kerberos
ii  libgssapi-krb5-2
1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries -
krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal
1.6~git20120311.dfsg.1-2Heimdal Kerberos - libraries
ii  libkrb5-3
1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries
ii  libkrb5support0
1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries -
Support library
ii  libpam-krb5
4.5-3   PAM module for MIT Kerberos
ii  openssh-client
1:5.9p1-5ubuntu1secure shell (SSH) client, for
secure access to remote machines

On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):
ii  krb5-config
2.2 Configuration files for Kerberos
Version 5
ii  krb5-locales
1.10+dfsg~beta1-2ubuntu0.1  Internationalization support for
MIT Kerberos
ii  krb5-user
1.10+dfsg~beta1-2ubuntu0.1  Basic programs to authenticate
using MIT Kerberos
ii  libgssapi-krb5-2
1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries -
krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal
1.6~git20120311.dfsg.1-2Heimdal Kerberos - libraries
ii  libkrb5-3
1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries
ii  libkrb5support0
1.10+dfsg~beta1-2ubuntu0.1  MIT Kerberos runtime libraries -
Support library
ii  openssh-client
1:5.9p1-5ubuntu1secure shell (SSH) client, for
secure access to remote machines
ii  openssh-server
1:5.9p1-5ubuntu1secure shell (SSH) server, for
secure access from remote machines
   samba Version 4.0.0beta3-GIT-UNKNOWN

Without "GSSAPIStrictAcceptorCheck no" you need an fqdn in the clients
/etc/hosts file and have all the principals needed added to the servers
keytab file, but this is not necessary if you use the parameter.
With the parameter, the only thing you need is to make sure is that on the
server /var/lib/samba/secrets.keytab is copied or linked to
/etc/krb5.keytab (sshd looks for it).  You can use the keytab file as it is
without copying any extra principals into it.

You can have a very simple /etc/hosts on the client such as:
127.0.0.1localhost
127.0.1.1ubuntu-test

This setup probably only works for ssh kerberos. nfsv4, pam logins, and
other kerberos aware services may need strict checking.  That is my next
research project.

For ssh debugging, on the server I used -ddd for sshd and looked at both
syslog and auth.log under /var/log.  On the client, I used ssh -vvvl 

For kerberos samba4 debugging, start samba with "-d 5" parameter and then
"tail -f /var/log/samba/log.samba|grep Kerberos:"

br,
Quinn


On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE <
marcel.rit...@rrze.fau.de> wrote:

> Hi Quinn,
>
> I just tried your solution (my machine is also multi-homed). However it
> doesn't work for me. The man-page of sshd_config also states, that the
> behavior of "GSSAPIStrictAcceptorCheck" may depend on the used
> krb5 libraries.
>
> Could you please have a look at the krb5 and openssh versions you're
> using (and perhaps the linux distribution/version)?
>
> BTW: I'm running:
>  Ubuntu 12.04 LTS
> openssh-server 5.9p1-5ubuntu1
> libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1
>
> auth.log mentions (during failed login):
> Unspecified GSS failure.
> Minor code may provide more information:
> Wrong principal in request
>
> Thanks,
> Marcel
>
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of Quinn Plattel
> Sent: Tuesday, 10 July 2012 16:08
> To: samba
> Subject: Re: [Samba] How do I get an ssh client to authenticate with
> samba4's kerberos GSSAPI? [Solved]
>
> Hi,
>
> I solved my ssh GSSAPI problem.  There were a lot of solutions on google
> referring to a proper fqdn in the /etc/hosts file and having the
> fqdn's/principals in the kerberos server's keytab file but I found out that
> my problem was that the samba4/kerberos server was running on a multi-homed
> machine and that the ssh server kerberos authentication needed the
> following parameter in order for it to work on multi-homed machines:
>
> GSSAPIStrictAcceptorCheck no
>
> The default is yes, using "no" will, according to the manpage "clients may
> authenticate against any service key stored in the machine's default store."
>
> I hope this helps others that have similar setups as I do.
>
> Thank you all for your input.
>
> br,
> Quinn
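What the parameter trades away: with GSSAPIStrictAcceptorCheck at its default of yes, sshd accepts only host/<its own hostname>, so a multi-homed server reached under another name fails with "Wrong principal in request" (Marcel's log line); with no, any service key in the keytab is accepted, and once /etc/krb5.keytab is the DC's secrets.keytab that means every key the DC holds. The script below is an added example, not from the thread: it parses constructed `klist -k` output, models both settings for a list of constructed client-facing names, and lists the host/ principals that would have to exist for each name to work without turning the check off.

```python
"""Model of sshd's GSSAPIStrictAcceptorCheck against the principals in a keytab
(added example, not from the thread; parses constructed 'klist -k' output)."""
import re

KLIST_LINE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s*$")

def keytab_principals(klist_output):
    """Principal names listed by 'klist -k'; header and separator lines do not match."""
    return {m["principal"] for m in map(KLIST_LINE.match, klist_output.splitlines()) if m}

def acceptor_report(principals, realm, server_hostname, client_names, strict=True):
    """For each name a client connects to, can the GSSAPI exchange succeed?

    The client asks the KDC for host/<name>@REALM, so that key must be in the
    keytab either way. strict=True models 'GSSAPIStrictAcceptorCheck yes':
    sshd additionally insists the name is its own hostname. strict=False
    models 'no': any host/ key present in the keytab is accepted.
    """
    report = {}
    for name in client_names:  # assumes the client resolves each name to itself
        in_keytab = f"host/{name}@{realm}" in principals  # principals are case-sensitive
        report[name] = in_keytab and (name == server_hostname or not strict)
    return report

def keys_to_add(report_nonstrict, realm):
    """host/ principals missing from the keytab for names that still fail."""
    return sorted(f"host/{n}@{realm}" for n, ok in report_nonstrict.items() if not ok)

# Constructed sample: a DC keytab as 'klist -k' prints it, plus the names clients use
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/dc1.corp.example.com@CORP.EXAMPLE.COM
   1 host/dc1@CORP.EXAMPLE.COM
   1 DC1$@CORP.EXAMPLE.COM
"""
REALM = "CORP.EXAMPLE.COM"
SERVER_HOSTNAME = "dc1.corp.example.com"
CLIENT_NAMES = ["dc1.corp.example.com", "dc1", "dc1-lan.corp.example.com"]

if __name__ == "__main__":
    princs = keytab_principals(SAMPLE_KLIST)
    for strict in (True, False):
        rep = acceptor_report(princs, REALM, SERVER_HOSTNAME, CLIENT_NAMES, strict)
        print(f"GSSAPIStrictAcceptorCheck {'yes' if strict else 'no'}: {rep}")
    loose = acceptor_report(princs, REALM, SERVER_HOSTNAME, CLIENT_NAMES, strict=False)
    print("host/ keys still missing from the keytab:", keys_to_add(loose, REALM))
```

On a real server, pipe `klist -k /etc/krb5.keytab` into `keytab_principals` and pass the hostname from `hostname -f`; a name that only passes in the non-strict row is exactly the one the parameter papers over.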