[Freeipa-users] Re: Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)
On 12-10-17 14:49, Alexander Bokovoy wrote:
> On to, 12 loka 2017, Kees Bakker wrote:
>> On 12-10-17 14:11, Alexander Bokovoy wrote:
>>> On to, 12 loka 2017, Kees Bakker via FreeIPA-users wrote:
>>>> Hey,
>>>>
>>>> This week I tried to install Samba (which failed because of Ubuntu, but that's
>>>> another story).
>>>>
>>>> One of the steps was to do ipa-adtrust-install. It created a cifs/myhost principal
>>>> on my IPA master server.
>>>>
>>>> But now it keeps switching my default principal to cifs/myhost@MYREALM (and
>>>> in this case I'm root).
>>> What is your distribution?
>> Ubuntu 16.04
> Thanks. As I said, trust to AD and overall integration of FreeIPA with
> Samba on Ubuntu/Debian is not there and not supported until Samba on
> Ubuntu is rebuilt with MIT Kerberos.
>

Yeah, and seems even to be true for Ubuntu smbclient connecting to a Fedora Samba server. :-(

-- 
Kees Bakker

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)
On 12-10-17 14:11, Alexander Bokovoy wrote:
> On to, 12 loka 2017, Kees Bakker via FreeIPA-users wrote:
>> Hey,
>>
>> This week I tried to install Samba (which failed because of Ubuntu, but that's
>> another story).
>>
>> One of the steps was to do ipa-adtrust-install. It created a cifs/myhost principal
>> on my IPA master server.
>>
>> But now it keeps switching my default principal to cifs/myhost@MYREALM (and
>> in this case I'm root).
> What is your distribution?

Ubuntu 16.04

> The reason I ask is because on Fedora, RHEL 7, and CentOS 7 we do have
>
> Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba

Yes, that's probably it. (See response to Sumit)

> line in smb.service (and in winbind.service):
>
> # systemctl cat winbind.service |grep krb5cc_samba
> Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
>
> This forces smbd and winbindd to use a specific Kerberos ccache file
> instead of a default one. Since they run as root their default ccache
> would otherwise be the one that root as user uses.

Samba is not setup via systemd on Ubuntu. But I certainly can figure out what to do.
Thanks anyway.

>> Next I do kdestroy -A, and a new kinit admin.
>>
>> root@rotte:~# kdestroy -A
>> root@rotte:~# klist
>> klist: Credentials cache keyring 'persistent:0:krb_ccache_SF0wnkh' not found
>> root@rotte:~# kinit admin
>> Password for ad...@ghs.nl:
>> root@rotte:~# klist
>> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
>> Default principal: ad...@ghs.nl
>>
>> Valid starting       Expires              Service principal
>> 12-10-17 11:39:10    13-10-17 11:39:05    krbtgt/ghs...@ghs.nl
>>
>> Great, this is what I expected. But ... within 5 minutes
>>
>> root@rotte:~# klist
>> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
>> Default principal: cifs/rotte.ghs...@ghs.nl
>>
>> Valid starting       Expires              Service principal
>> 12-10-17 11:42:10    13-10-17 11:42:10    ldap/rotte.ghs...@ghs.nl
>> 12-10-17 11:42:10    13-10-17 11:42:10    krbtgt/ghs...@ghs.nl
>>
>> Argh, who/what is doing this?
>> --
>> Kees Bakker
[Freeipa-users] Re: Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)
On 12-10-17 12:05, Sumit Bose via FreeIPA-users wrote:
> On Thu, Oct 12, 2017 at 11:47:26AM +0200, Kees Bakker via FreeIPA-users wrote:
>> Hey,
>>
>> This week I tried to install Samba (which failed because of Ubuntu, but that's
>> another story).
>>
>> One of the steps was to do ipa-adtrust-install. It created a cifs/myhost principal
>> on my IPA master server.
>>
>> But now it keeps switching my default principal to cifs/myhost@MYREALM (and
>> in this case I'm root).
>>
>> Next I do kdestroy -A, and a new kinit admin.
>>
>> root@rotte:~# kdestroy -A
>> root@rotte:~# klist
>> klist: Credentials cache keyring 'persistent:0:krb_ccache_SF0wnkh' not found
>> root@rotte:~# kinit admin
>> Password for ad...@ghs.nl:
>> root@rotte:~# klist
>> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
>> Default principal: ad...@ghs.nl
>>
>> Valid starting       Expires              Service principal
>> 12-10-17 11:39:10    13-10-17 11:39:05    krbtgt/ghs...@ghs.nl
>>
>> Great, this is what I expected. But ... within 5 minutes
>>
>> root@rotte:~# klist
>> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
>> Default principal: cifs/rotte.ghs...@ghs.nl
>>
>> Valid starting       Expires              Service principal
>> 12-10-17 11:42:10    13-10-17 11:42:10    ldap/rotte.ghs...@ghs.nl
>> 12-10-17 11:42:10    13-10-17 11:42:10    krbtgt/ghs...@ghs.nl
>>
>> Argh, who/what is doing this?
> I guess it is smbd/winbind doing this.

Correct. When I stop winbind the behavior goes away.

> Please make sure the Samba
> components will use an individual credential cache and not use the
> default credential cache of the user they are running as.
>
> You do this by setting the KRB5CCNAME environment variable. E.g. on
> Fedora the systemd service file looks like:
>
> """
> [Unit]
> Description=Samba Winbind Daemon
> After=syslog.target network.target nmb.service
>
> [Service]
> Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
> Type=notify
> NotifyAccess=all
> PIDFile=/run/winbindd.pid
> EnvironmentFile=-/etc/sysconfig/samba
> ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
> ExecReload=/usr/bin/kill -HUP $MAINPID
> LimitCORE=infinity
>
> [Install]
> WantedBy=multi-user.target
> """
>
> Please note the 'Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba'
> line. If you are using SysV init scripts you should add 'export
> KRB5CCNAME=FILE:/run/samba/krb5cc_samba' or similar at a suitable place
> in the script.
>
> HTH

Yes it does. Thanks.
[Freeipa-users] Re: Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)
On to, 12 loka 2017, Kees Bakker via FreeIPA-users wrote:
> Hey,
>
> This week I tried to install Samba (which failed because of Ubuntu, but that's
> another story).
>
> One of the steps was to do ipa-adtrust-install. It created a cifs/myhost principal
> on my IPA master server.
>
> But now it keeps switching my default principal to cifs/myhost@MYREALM (and
> in this case I'm root).
What is your distribution?

The reason I ask is because on Fedora, RHEL 7, and CentOS 7 we do have

Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba

line in smb.service (and in winbind.service):

# systemctl cat winbind.service |grep krb5cc_samba
Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba

This forces smbd and winbindd to use a specific Kerberos ccache file
instead of a default one. Since they run as root their default ccache
would otherwise be the one that root as user uses.

> Next I do kdestroy -A, and a new kinit admin.
>
> root@rotte:~# kdestroy -A
> root@rotte:~# klist
> klist: Credentials cache keyring 'persistent:0:krb_ccache_SF0wnkh' not found
> root@rotte:~# kinit admin
> Password for ad...@ghs.nl:
> root@rotte:~# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
> Default principal: ad...@ghs.nl
>
> Valid starting       Expires              Service principal
> 12-10-17 11:39:10    13-10-17 11:39:05    krbtgt/ghs...@ghs.nl
>
> Great, this is what I expected. But ... within 5 minutes
>
> root@rotte:~# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
> Default principal: cifs/rotte.ghs...@ghs.nl
>
> Valid starting       Expires              Service principal
> 12-10-17 11:42:10    13-10-17 11:42:10    ldap/rotte.ghs...@ghs.nl
> 12-10-17 11:42:10    13-10-17 11:42:10    krbtgt/ghs...@ghs.nl
>
> Argh, who/what is doing this?
> --
> Kees Bakker

-- 
/ Alexander Bokovoy
[Freeipa-users] Re: Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)
On Thu, Oct 12, 2017 at 11:47:26AM +0200, Kees Bakker via FreeIPA-users wrote:
> Hey,
>
> This week I tried to install Samba (which failed because of Ubuntu, but that's
> another story).
>
> One of the steps was to do ipa-adtrust-install. It created a cifs/myhost principal
> on my IPA master server.
>
> But now it keeps switching my default principal to cifs/myhost@MYREALM (and
> in this case I'm root).
>
> Next I do kdestroy -A, and a new kinit admin.
>
> root@rotte:~# kdestroy -A
> root@rotte:~# klist
> klist: Credentials cache keyring 'persistent:0:krb_ccache_SF0wnkh' not found
> root@rotte:~# kinit admin
> Password for ad...@ghs.nl:
> root@rotte:~# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
> Default principal: ad...@ghs.nl
>
> Valid starting       Expires              Service principal
> 12-10-17 11:39:10    13-10-17 11:39:05    krbtgt/ghs...@ghs.nl
>
> Great, this is what I expected. But ... within 5 minutes
>
> root@rotte:~# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
> Default principal: cifs/rotte.ghs...@ghs.nl
>
> Valid starting       Expires              Service principal
> 12-10-17 11:42:10    13-10-17 11:42:10    ldap/rotte.ghs...@ghs.nl
> 12-10-17 11:42:10    13-10-17 11:42:10    krbtgt/ghs...@ghs.nl
>
> Argh, who/what is doing this?

I guess it is smbd/winbind doing this. Please make sure the Samba
components will use an individual credential cache and not use the
default credential cache of the user they are running as.

You do this by setting the KRB5CCNAME environment variable. E.g. on
Fedora the systemd service file looks like:

"""
[Unit]
Description=Samba Winbind Daemon
After=syslog.target network.target nmb.service

[Service]
Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
Type=notify
NotifyAccess=all
PIDFile=/run/winbindd.pid
EnvironmentFile=-/etc/sysconfig/samba
ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitCORE=infinity

[Install]
WantedBy=multi-user.target
"""

Please note the 'Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba'
line. If you are using SysV init scripts you should add 'export
KRB5CCNAME=FILE:/run/samba/krb5cc_samba' or similar at a suitable place
in the script.

HTH

bye,
Sumit

> --
> Kees Bakker
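An added example, not code from this thread or from Samba/FreeIPA, that turns Alexander's and Sumit's explanation into a check: it parses klist output for a service principal sitting in a user's default ccache, and reads /proc/<pid>/environ of a running smbd or winbindd to confirm the daemon really got a private KRB5CCNAME. It assumes a Linux /proc, a pidof binary, and uses a constructed hostname and realm in the sample data.

```shell
#!/bin/sh
# Added example, not from the thread or Samba/FreeIPA: a daemon started without its own
# KRB5CCNAME logs in from its keytab into root's default ccache, so root's klist suddenly
# shows cifs/... as default principal. Host/realm are constructed; pidof is assumed present.
# Constructed klist output mirroring the thread's "within 5 minutes" listing.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:krb_ccache_SF0wnkh
Default principal: cifs/host.example.test@EXAMPLE.TEST

Valid starting       Expires              Service principal
12-10-17 11:42:10    13-10-17 11:42:10    ldap/host.example.test@EXAMPLE.TEST'

# Print the "Default principal:" value from klist output given as $1 (empty if absent).
default_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal:[[:space:]]*//p'
}
# Return 0 for a principal with an instance part (cifs/host@REALM): that is what a
# keytab-based daemon login leaves behind, whereas user principals have no '/'.
is_service_principal() {
    case "$1" in
        */*@*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print the KRB5CCNAME value from a NUL-separated environ file ($1), or nothing.
ccache_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^KRB5CCNAME=//p'
}

# Audit every running instance of a daemon ($1, e.g. winbindd): a process with no
# KRB5CCNAME in /proc/<pid>/environ shares the ccache of the user that started it.
audit_daemon() {
    rc=0
    for pid in $(pidof "$1" 2>/dev/null); do
        cc=$(ccache_from_environ "/proc/$pid/environ")
        if [ -z "$cc" ]; then
            echo "WARN: $1 pid $pid has no private KRB5CCNAME"; rc=1
        else
            echo "OK:   $1 pid $pid uses $cc"
        fi
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then    # run against this host: sh check.sh --live
    p=$(default_principal "$(klist 2>/dev/null || true)")
    is_service_principal "$p" && echo "WARN: root's default ccache now holds $p"
    audit_daemon smbd; audit_daemon winbindd
fi
```

Run it as root with --live after starting Samba; a WARN from audit_daemon means the unit or init script still lacks the Environment=KRB5CCNAME line the thread recommends.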