[Samba] Urgent... winbind and keytab file creation - Samba
-
[Samba] Urgent... winbind and keytab file creation
Hi,
I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now I need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is I have set the parameter in smb.conf:
use kerberos keytabe = true
and as mentioned in man smb.conf I have set in krb5.conf
default_keytab_name = FILE:/etc/krb5/krb5.keytab
After a "net join ads" the krb5.keytab file is not created? Do I have to create it myself? Is this not really implemented? What am I doing wrong?
Help would be really appreciated.
Thanks and Regards,
Oliver Weinmann
Unix/Linux Administrator
VEGA IT GmbH
Europaplatz 5
D-64293 Darmstadt
Germany
Tel : +49 (0) 6151 8257 744
Fax : +49 (0)6151 8257-799
Email : oliver.weinmann@vega.de
Web : www.vega-group.com
Register court/Registergericht: Darmstadt, HRB No. 4096, Managing Directors/Geschäftsführer: Philip Cartmell, Susan Bygrave, John Lewis
Notice of Confidentiality
This transmission is intended for the named addressee only. It contains information which may be confidential and which may also be privileged. Unless you are the named addressee (or authorised to receive it for the addressee) you may not copy or use it, or disclose it to anyone else. If you have received this transmission in error please notify the sender immediately.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
-
Re: [Samba] Urgent... winbind and keytab file creation
Oliver Weinmann wrote:
> Hi,
>
> I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now i need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is i have set the parameter in smb.conf:
>
> use kerberos keytabe = true
>
> and as mentioned in man smb.conf i have set in krb5.conf
>
> default_keytab_name = FILE:/etc/krb5/krb5.keytab
>
> after a "net join ads" the krb5.keytab file is not created? do i have to create it myself? Is this not really implemented? What am I doing wrong?
Have you tried "net ads keytab create" ?
Guenther
--
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner@redhat.com
Samba Team gd@samba.org
-
RE: [Samba] Urgent... winbind and keytab file creation
Not yet? Does it create a keytab file?
I tested the same thing on rhel4 with MIT kerberos and here it creates the krb5.keytab file under /etc/krb5.keytab. I then linked it to /etc/krb5/krb5.keytab and now I can see all the keys with klist -k, but I can't use them:
[root@rhel4wbtest2 etc]# klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET
2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET
2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET
2 host/RHEL4WBTEST2@VEGAGROUP.NET
2 host/RHEL4WBTEST2@VEGAGROUP.NET
2 host/RHEL4WBTEST2@VEGAGROUP.NET
2 RHEL4WBTEST2$@VEGAGROUP.NET
2 RHEL4WBTEST2$@VEGAGROUP.NET
2 RHEL4WBTEST2$@VEGAGROUP.NET
[root@rhel4wbtest2 etc]# kinit -k host/rhel4wbtest2.vegagroup.net
kinit(v5): Cannot find KDC for requested realm while getting initial credentials
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
-
winbind default encryption type for kerberos / RE: [Samba] Urgent... winbind and keytab file creation
Yes, the "net ads keytab create" created the keytab file now. But in the logs I can see that the encryption type used is not good:
Apr 2 12:37:18 rhel4wbtest1 sshd[4542]: pam_krb5: error reading keys for host/rhel4wbtest2.vegagroup.net from /etc/krb5/krb5.keytab: Bad encryption type
Apr 2 12:37:18 rhel4wbtest1 sshd[4542]: pam_krb5: authentication fails for `tuser'
Does winbind by default use: rc4-hmac?
-
Re: winbind default encryption type for kerberos / RE: [Samba] Urgent... winbind and keytab file creation
Oliver Weinmann wrote:
| Yes the "net ads keytab create" created the keytab file now. But in the logs i can see that the encryption type used is not good:
|
| Apr 2 12:37:18 rhel4wbtest1 sshd[4542]: pam_krb5: error reading keys for host/rhel4wbtest2.vegagroup.net from /etc/krb5/krb5.keytab: Bad encryption type
| Apr 2 12:37:18 rhel4wbtest1 sshd[4542]: pam_krb5: authentication fails for `tuser'
You probably need the single DES keys here. Run ktutil
and list -e to make sure you have the right enctypes in the
keytab file.
| does winbind by default use: rc4-hmac?
In newer versions, Yes.
But why use pam_krb5 at all? Why not simply use pam_winbind?
jerry
-
Re: [Samba] Urgent... winbind and keytab file creation
Oliver Weinmann wrote:
| Hi,
|
| I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now i need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is i have set the parameter in smb.conf:
|
| use kerberos keytabe = true
Don't use this if you use Samba to join the domain.
It is really only useful for non-MS realms.
jerry
-
RE: [Samba] Urgent... winbind and keytab file creation
Hi and thanks for your answer.
Here is the output about the encryption used:
[root@rhel4wbtest2 krb5]# klist -e -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with CRC-32)
2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (ArcFour with HMAC/md5)
2 host/RHEL4WBTEST2@VEGAGROUP.NET (DES cbc mode with CRC-32)
2 host/RHEL4WBTEST2@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
2 host/RHEL4WBTEST2@VEGAGROUP.NET (ArcFour with HMAC/md5)
2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with CRC-32)
2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
2 RHEL4WBTEST2$@VEGAGROUP.NET (ArcFour with HMAC/md5)
I have to use pam_krb5 because I need to mount nfs shares with kerberos security. So when a user logs in he gets a valid TGT and is able to mount the share.
If the keytab created cannot be used for this... can I somehow delete the host principal created by winbind, create a new one, that will work for pam_krb5 and let winbind use the newly created one?
-
Re: [Samba] Urgent... winbind and keytab file creation
Oliver Weinmann wrote:
> Hi and thanks for you answer.
>
> here is the output about the encryption used:
>
> [root@rhel4wbtest2 krb5]# klist -e -k
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
Enctypes look fine.
> i have to use pam_krb5 because i need to mount nfs
> shares with kerberos security. So when a user logs in he
> gets a valid TGT and is able to mount the share.
pam_winbind will do that for you as well.
> if the keytab created cannot be used for this... can i somehow delete
> the host principal created by winbind, create a new one, that will work
> for pam_krb5 and let winbind use the newly created one?
jerry
-
RE: [Samba] Urgent... winbind and keytab file creation
How? When I use pam_winbind to login and automount to mount a user's home with kerberos security I don't get a TGT at login. So this doesn't seem to work with pam_winbind, or?
-
Re: [Samba] Urgent... winbind and keytab file creation
Oliver Weinmann wrote:
> how? when i use pam_winbind to login and automount to mount a users home
> with kerberos security i dont get a TGT at login. So this doesn't seem
> to work with pam_winbind or?
Install examples/pam_winbind/pam_winbind.conf to /etc/security/
and enable the krb5_auth option.
Also set "winbind refresh tickets = yes" in smb.conf.
cheers, jerry
-
RE: [Samba] Urgent... winbind and keytab file creation
Sounds cool.
I made the changes. When I login as an AD user I don't get a ticket? Is there anything else I need to set?
Cheers
-
RE: [Samba] Urgent... winbind and keytab file creation
Ok. I got it. I had to change the parameter for:
krb5_ccache_type = FILE
Now the users get a "cached" ticket at login. COOL
But when the automount daemon tries to mount their home it fails:
Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) No credentials found with supported encryption types
Cheers,
Oli
-
Re: [Samba] Urgent... winbind and keytab file creation
Hi
I have recently figured that nfs supports only "des-cbc-crc:normal" encryption type.
Regards
On Wed, Apr 2, 2008 at 8:11 PM, Oliver Weinmann
wrote:
> Ok. i got it. I had to change the parameter for:
>
> krb5_ccache_type = FILE
>
> now the users get a "cached" ticket at login. COOL 
>
> but when the automount daemon tries to mount their home it fails:
>
> Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create
> krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
> Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss:
> gss_init_sec_context: (major) Miscellaneous failure - (minor) No
> credentials found with supported encryption types
>
> Cheers,
> Oli
-
Re: [Samba] Urgent... winbind and keytab file creation
Oliver Weinmann wrote:
> Ok. i got it. I had to change the parameter for:
>
> krb5_ccache_type = FILE
>
> now the users get a "cached" ticket at login. COOL 
>
> but when the automount daemon tries to mount their home it fails:
>
> Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create
> krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
> Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss:
> gss_init_sec_context: (major) Miscellaneous failure - (minor) No
> credentials found with supported encryption types
I expect the nfsv4 service is trying to use 3des or aes.
I always set these enc types in /etc/krb5.conf
[libdefaults]
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
cheers, jerry
-
Re: [Samba] Urgent... winbind and keytab file creation
On Wed, 2008-04-02 at 10:39 -0500, Gerald (Jerry) Carter wrote:
> Oliver Weinmann wrote:
> > Ok. i got it. I had to change the parameter for:
> >
> > krb5_ccache_type = FILE
> >
> > now the users get a "cached" ticket at login. COOL 
> >
> > but when the automount daemon tries to mount their home it fails:
> >
> > Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create
> > krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
> > Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss:
> > gss_init_sec_context: (major) Miscellaneous failure - (minor) No
> > credentials found with supported encryption types
>
>
> I expect the nfsv4 service is trying to use 3des or aes.
> I always set these enc types in /etc/krb5.conf
>
> [libdefaults]
> default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
> default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
> preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
>
Currently linux nfs server requires that both server and client use ONLY des keys.
Any other combination will simply fail.
There are kernel patches reaching upstream that are adding 3des and aes but not yet rc4-hmac IIRC.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer
Senior Software Engineer at Red Hat Inc.
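
Added example, not part of any message in this thread and not Samba or Kerberos project code: a shell check of which enctypes a keytab holds for a principal and which of those are on an allowed list, the comparison the replies above keep coming back to. The function names are hypothetical, the listing is constructed in the shape of the `klist -e -k` output quoted in the thread, and its nfs/ entry is invented to show a principal with no DES key.

```shell
#!/bin/sh
# Constructed sample shaped like the `klist -e -k` output quoted in the thread.
# The nfs/ entry is invented for this example.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with CRC-32)
   2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
   2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (ArcFour with HMAC/md5)
   2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with CRC-32)
   2 RHEL4WBTEST2$@VEGAGROUP.NET (ArcFour with HMAC/md5)
   2 nfs/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (ArcFour with HMAC/md5)
EOF
}

# Constructed krb5.conf fragment using the enctype lines posted in the thread.
sample_krb5_conf() {
cat <<'EOF'
[libdefaults]
 default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
EOF
}

# Map klist descriptions and krb5.conf spellings to one canonical name per line.
canon_enctype() {
    tr 'A-Z' 'a-z' | sed \
        -e 's/^des cbc mode with crc-32$/des-cbc-crc/' \
        -e 's/^des cbc mode with rsa-md5$/des-cbc-md5/' \
        -e 's/^arcfour with hmac\/md5$/rc4-hmac/' \
        -e 's/^arcfour-hmac\(-md5\)\{0,1\}$/rc4-hmac/'
}

# keytab_enctypes PRINCIPAL: read `klist -e -k` output on stdin and print that
# principal's enctypes, canonical and de-duplicated, one per line.
keytab_enctypes() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want {
            # The enctype is the last parenthesised group on the line.
            if (match($0, /\([^()]*\)[ \t]*$/)) {
                e = substr($0, RSTART + 1, RLENGTH - 1)
                sub(/\)[ \t]*$/, "", e)
                print e
            }
        }' | canon_enctype | sort -u
}

# conf_enctypes KEY: read krb5.conf on stdin and print the enctypes listed for
# KEY inside [libdefaults], canonical and de-duplicated, one per line.
conf_enctypes() {
    awk -v key="$1" '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=/, "")
            gsub(/,/, " ")
            for (i = 1; i <= NF; i++) print $i
        }' | canon_enctype | sort -u
}

# usable_enctypes PRINCIPAL "ALLOWED LIST": read `klist -e -k` output on stdin
# and print the principal's enctypes that are also on the allowed list.
# Empty output means the keytab has no key the other side would accept.
usable_enctypes() {
    allowed=$(printf '%s\n' "$2" | tr -s ' ,\t' '\n\n\n' | canon_enctype)
    keytab_enctypes "$1" | while read -r e; do
        if printf '%s\n' "$allowed" | grep -Fxq -- "$e"; then
            printf '%s\n' "$e"
        fi
    done
}

# Demo on the constructed samples: which keys survive a DES-only requirement?
for p in 'host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET' \
         'nfs/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET'; do
    found=$(sample_klist | usable_enctypes "$p" 'DES-CBC-CRC DES-CBC-MD5' | tr '\n' ' ')
    echo "$p: ${found:-no usable key}"
done
```

On a live host the input would come from `klist -e -k` and the local krb5.conf instead of the sample functions. Single DES and RC4-HMAC have since been deprecated for Kerberos (RFC 6649, RFC 8429), so on current systems the allowed list would normally name AES enctypes.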
-
RE: [Samba] Urgent... winbind and keytab file creation
Hi again and I really appreciate all your help. Thanks.
By the way I was just reading a book called "Using Samba" yesterday. While looking at the book cover I fell over the name "Gerald Carter".... what a small world.
It's a great book. Couldn't stop reading. I found that with the command "net ads keytab add NFS". Maybe that will solve the problem? I will give it a try and also append the preferred enctypes to krb5.conf.
Regards,
Oli
-
RE: [Samba] Urgent... winbind and keytab file creation
Hi,
The server is not Linux. It's a NETAPP Filer.
Regards,
Oli