Sorry, was a bit too fast in replying: first, you already documented the verification steps (sorry), second, I broke it again :)

And I'm back in a state of confusion: if the keytab is written and krb5.conf is good, I should be able to verify this with "kinit", no? I re-set up that machine and wanted to rejoin it, so I removed it from the AD via Users & Computers and a dead-body entry from the LDAP (CN=pontus,CN=Computers,DC=example,DC=com). Then I did a net ads join which succeeded, with keytab generated:

# klist -kte
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------------
   2 11/24/11 23:48:24 host/pontus.example....@example.com (des-cbc-crc)
   2 11/24/11 23:48:25 host/pontus.example....@example.com (des-cbc-md5)
   2 11/24/11 23:48:25 host/pontus.example....@example.com (arcfour-hmac)
   2 11/24/11 23:48:25 host/pon...@example.com (des-cbc-crc)
   2 11/24/11 23:48:25 host/pon...@example.com (des-cbc-md5)
   2 11/24/11 23:48:25 host/pon...@example.com (arcfour-hmac)
   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (des-cbc-crc)
   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (des-cbc-md5)
   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (arcfour-hmac)

But using this ticket now fails, in sssd and also with kinit, both with 'cred. not found':

# kinit -V -k -t /etc/krb5.keytab host/pontus.example....@example.com
Using default cache: /tmp/krb5cc_0
Using principal: host/pontus.example....@example.com
Using keytab: /etc/krb5.keytab
kinit: Client 'host/pontus.example....@example.com' not found in Kerberos database while getting initial credentials

SSSD:
(Thu Nov 24 23:54:03 2011) [[sssd[ldap_child[931]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client 'host/pon...@example.com' not found in Kerberos database

Principal is listed in "klist", but not found by "kinit"? What did I do wrong this time?

I'm both times using FC16/x64 netinstall (sssd-1.6.3, smb-3.6.1 & krb5-workstation-1.9.1), restored smb.conf, krb5.conf and of course sssd.conf (which seems to be missing from a basic minimal FC16 install?).

I assume krb5.conf is right since "kinit myuser" succeeds; it only fails when using the keytab.

Cheers
Josh

-----Original Message-----
From: sssd-devel-boun...@lists.fedorahosted.org [mailto:sssd-devel-boun...@lists.fedorahosted.org] On Behalf Of Josh Geisser
Sent: Thursday, 24 November 2011 18:26
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] GSSAPI and Kerberos - understanding question

Adding your tip to the smb.conf did the trick.

[global]
client signing = mandatory
client use spnego = yes
kerberos method = secrets and keytab

net join ads and the keytab is written and can be used by sssd. Also the timestamps are from now and not the 70ties. So it seems to work with 2003 SFU. Perfect & thanks a lot :)

You might add "klist -kte" and "net ads status/info" also to the documentation, as they help a lot in verifying what's happening.

Sorry, question anyway: using the keytab just eases the issue with plaintext binding credentials, but is actually still a 'weakness': stealing this key gives you access to the Active Directory from anywhere, anyway, no? Is there a scenario where the 'challenging' username/password is taken to authenticate against the AD? E.g. the credentials I just ssh/pam-entered are used against LDAP instead of any pre-configured credentials?

Cheers
Josh

-----Original Message-----
From: sssd-devel-boun...@lists.fedorahosted.org [mailto:sssd-devel-boun...@lists.fedorahosted.org] On Behalf Of John Hodrien
Sent: Wednesday, 23 November 2011 23:33
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] GSSAPI and Kerberos - understanding question

On Wed, 23 Nov 2011, Josh Geisser wrote:

> Thanks for the answer, will check soon.
>
> Joining the machine actually works as far as I understand: it creates the
> computer object in LDAP and is visible in the AD management utility.
>
> But it doesn't write any local /etc/krb5.keytab, which I assume SSSD or the
> krb5-tools will use, no?
>
> Want to try your additional smb.conf parameters and I'll come back to you

Will update the article with some more notes on this tomorrow. My config was for samba 3.5, I don't know what version you're running. You definitely need the keytab line in your config (that line is different in 3.0 but you'll find it in the man page). Once you've done that, join the domain again, and /etc/krb5.keytab should be created, and yes, that's what sssd uses.

jh
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel

--
---- ASG at hnet
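A small checker for a `klist -kte` listing like the one at the top of the thread, added here as an example and not code from the thread or from SSSD/Samba: it parses the listing, flags DES entries (which MIT krb5 ignores unless allow_weak_crypto is set in krb5.conf), flags principals that carry more than one KVNO after a rejoin, and emits the per-principal `kinit -V -k -t` check the thread runs. The sample listing is constructed after the one in the mail; the KVNO 1 line is made up only to exercise the stale-key check.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the `klist -kte` listing in the thread.
# The KVNO 1 line is invented here to exercise the mixed-KVNO check.
KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------------
   2 11/24/11 23:48:24 host/pontus.example....@EXAMPLE.COM (des-cbc-crc)
   2 11/24/11 23:48:25 host/pontus.example....@EXAMPLE.COM (des-cbc-md5)
   2 11/24/11 23:48:25 host/pontus.example....@EXAMPLE.COM (arcfour-hmac)
   1 11/20/11 10:01:00 host/pontus.example....@EXAMPLE.COM (arcfour-hmac)
   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (des-cbc-crc)
   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (arcfour-hmac)
"""

# DES enctypes count as weak in MIT krb5 and are not used unless allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")

def parse_klist(text):
    """Return one dict per key entry: kvno, timestamp, principal, enctype."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"kvno": int(m.group(1)), "timestamp": m.group(2),
                            "principal": m.group(3), "enctype": m.group(4)})
    return entries

def principals(entries):
    """Distinct principals in listing order, i.e. the ones to try kinit -k with."""
    seen = []
    for e in entries:
        if e["principal"] not in seen:
            seen.append(e["principal"])
    return seen

def find_issues(entries):
    """Flag weak enctypes and principals with more than one key version."""
    issues, kvnos = [], defaultdict(set)
    for e in entries:
        kvnos[e["principal"]].add(e["kvno"])
        if e["enctype"] in WEAK_ENCTYPES:
            issues.append(f"{e['principal']}: weak enctype {e['enctype']}")
    for p, ks in kvnos.items():
        if len(ks) > 1:
            issues.append(f"{p}: several KVNOs {sorted(ks)}, old keys left from an earlier join")
    return issues

def kinit_checks(entries, keytab="/etc/krb5.keytab"):
    """The per-principal verification command used in the thread."""
    return [f"kinit -V -k -t {keytab} {p}" for p in principals(entries)]
```

Run `kinit_checks(parse_klist(klist_text))` on the real `klist -kte` output to get one verification command per principal; a "not found in Kerberos database" answer for a principal the keytab lists means the KDC side, not the keytab, has to be checked next.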