> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
> Phalan
> Sent: Tuesday, April 01, 2008 6:19 AM
> To: Leopold, Corey
> Cc: [email protected]
> Subject: Re: [storage-discuss] B85 CIFS - Active Directory - Kerberos
> 
> 
> On Mon, 2008-03-31 at 17:28 -0400, Leopold, Corey wrote:
> > Hello,
> >
> >
> >
> > I’ve got CIFS working against my MS Active Directory infrastructure,
> > additionally I have successfully configured the LDAP client to access
> > the unix Active Directory attributes for UID/GID/Home Directory, which
> > allows me to use idmap to access the files as the same user from
> > Solaris or Windows without managing separate account databases.
> >
> >
> >
> > The problem I’m having is when I used smbadm to join the domain it
> > apparently creates the krb5.keytab file.  The keytab that gets created
> > does not work for enabling Active Directory authentication for
> > interactive logon to the machine.  I have set up the pam.conf for
> > this, but when I attempt to log in I get this error:
> >
> >
> >
> > Mar 31 16:19:22 XXXX sshd[822]: [ID 308913 auth.error] PAM-KRB5
> > (auth): krb5_verify_init_creds failed: Key table entry
> > "host/XXXX.XXXX.com" not found in FILE:/etc/krb5/krb5.keytab
> 
> I'm not a CIFS expert but do know something about Kerberos. In order to
> use pam_krb5 you need to have a host key in the keytab file. You can
> disable this behaviour by setting "verify_ap_req_nofail" to "false"
> in /etc/krb5/krb5.conf.
> I don't know what keys are in your keytab. In order to list the keys in
> the default keytab (/etc/krb5/krb5.keytab) run "klist -k" as root.
> You should be able to create the host principal on the Microsoft AD using
> the "Ktpass" command. Then securely transfer the resulting keytab file
> over to the host and add the principal to the default keytab using the
> "ktutil" command.
> 
> You may be also interested in the kclientv2 project -
> http://opensolaris.org/os/project/kerberos/current/. It's currently in
> code-review and will likely go into Nevada soon.
> If you have more kerberos questions a good place to ask is
> [EMAIL PROTECTED]
> 
> -Mark
> 

It works fine if I turn off host key checking, but that is probably not ideal.  

If I list the current keys in the keytab there are several different host 
principals already put in place by the "smbadm join -u" command:

Ktutil:  rkt /etc/krb5/krb5.keytab
ktutil:  list -e
slot KVNO Principal
---- ---- -----------------------------------------------------------------
   1    2 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32) 
   2    2 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5) 
   3    2 host/[EMAIL PROTECTED] (ArcFour with HMAC/md5) 
   4    2 host/[EMAIL PROTECTED] (AES-128 CTS mode with 96-bit SHA-1 HMAC) 
   5    2 nfs/[EMAIL PROTECTED] (DES cbc mode with CRC-32) 
   6    2 nfs/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5) 
   7    2 nfs/[EMAIL PROTECTED] (ArcFour with HMAC/md5) 
   8    2 nfs/[EMAIL PROTECTED] (AES-128 CTS mode with 96-bit SHA-1 HMAC) 
   9    2 HTTP/[EMAIL PROTECTED] (DES cbc mode with CRC-32) 
  10    2 HTTP/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5) 
  11    2 HTTP/[EMAIL PROTECTED] (ArcFour with HMAC/md5) 
  12    2 HTTP/[EMAIL PROTECTED] (AES-128 CTS mode with 96-bit SHA-1 HMAC) 
  13    2 root/[EMAIL PROTECTED] (DES cbc mode with CRC-32) 
  14    2 root/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5) 
  15    2 root/[EMAIL PROTECTED] (ArcFour with HMAC/md5) 
  16    2 root/[EMAIL PROTECTED] (AES-128 CTS mode with 96-bit SHA-1 HMAC)

I'm not sure if I really should be adding more host principals generated with 
the "ktpass" command?

Thanks for the information on kclientv2 it will be interesting to see how that 
interoperates with the CIFS support for AD participation.

Corey
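An added example, not part of this thread or of the OpenSolaris code: a small Python checker that parses the "ktutil: list -e" output shown above and reports whether the exact principal pam_krb5 asked for (host/<fqdn>@REALM) is present, which other host/ names the keytab does hold (so a hostname or realm mismatch is visible at a glance), and whether the matching keys are single-DES. The sample listing, hostnames and realm below are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of "ktutil: list -e" output; hostnames and realm are placeholders.
SAMPLE_LISTING = """\
slot KVNO Principal
---- ---- -----------------------------------------------------------------
   1    2 host/nas1.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2    2 host/nas1.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   3    2 host/nas1.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4    2 nfs/nas1.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
"""

# slot, KVNO, principal, then the enctype in parentheses (header/separator lines do not match)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+\((.*)\)\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    slot: int
    kvno: int
    principal: str
    enctype: str


def parse_ktutil_listing(text):
    """Turn 'ktutil: list -e' output into KeytabEntry records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return entries


def check_principal(entries, wanted):
    """Return (found, near_misses, weak_enctypes) for the principal PAM complained about.

    near_misses: principals with the same service name (e.g. host/) but another host or
    realm, which is what to compare against the name in the 'Key table entry ... not found'
    message. weak_enctypes: single-DES keys on the wanted principal (deprecated enctypes).
    """
    service = wanted.split("/", 1)[0] + "/"
    found = any(e.principal == wanted for e in entries)
    near = sorted({e.principal for e in entries
                   if e.principal.startswith(service) and e.principal != wanted})
    weak = sorted({e.enctype for e in entries
                   if e.principal == wanted and e.enctype.startswith("DES ")})
    return found, near, weak


if __name__ == "__main__":
    keys = parse_ktutil_listing(SAMPLE_LISTING)
    print(check_principal(keys, "host/nas1.example.com@EXAMPLE.COM"))
```

On a real host, feed it the output of `ktutil` (rkt /etc/krb5/krb5.keytab; list -e) run as root and pass the exact principal name from the sshd/PAM error message.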
_______________________________________________
storage-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/storage-discuss
