[Samba] Urgent... winbind and keytab file creation - Samba


  1. [Samba] Urgent... winbind and keytab file creation

    Hi,

    I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now i need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is i have set the parameter in smb.conf:

    use kerberos keytabe = true

    and as mentioned in man smb.conf i have set in krb5.conf

    default_keytab_name = FILE:/etc/krb5/krb5.keytab

    after a "net join ads" the krb5.keytab file is not created? do i have to create it myself? Is this not really implemented? What am I doing wrong?

    Help would be really appreciated.

    Thanks and Regards,


    Oliver Weinmann
    Unix/Linux Administrator

    VEGA IT GmbH
    Europaplatz 5
    D-64293 Darmstadt
    Germany
    Tel : +49 (0) 6151 8257 744
    Fax : +49 (0)6151 8257-799
    Email : oliver.weinmann@vega.de
    Web : www.vega-group.com

    Register court/Registergericht: Darmstadt, HRB No. 4096, Managing Directors/Geschäftsführer: Philip Cartmell, Susan Bygrave, John Lewis

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Urgent... winbind and keytab file creation


    Oliver Weinmann wrote:
    > Hi,
    >
    > I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now i need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is i have set the parameter in smb.conf:
    >
    > use kerberos keytabe = true
    >
    > and as mentioned in man smb.conf i have set in krb5.conf
    >
    > default_keytab_name = FILE:/etc/krb5/krb5.keytab
    >
    > after a "net join ads" the krb5.keytab file is not created? do i have to create it myself? Is this not really implemented? What am I doing wrong?


    Have you tried "net ads keytab create" ?

    Guenther

    - --
    Günther Deschner GPG-ID: 8EE11688
    Red Hat gdeschner@redhat.com
    Samba Team gd@samba.org

  3. RE: [Samba] Urgent... winbind and keytab file creation

    not yet? does it create a keytab file?

    i tested the same thing on rhel4 with MIT kerberos and here it creates the krb5.keytab file under /etc/krb5.keytab i then linked it to /etc/krb5/krb5.keytab and now i can see all the keys with klist -k, but i can't use them:

    [root@rhel4wbtest2 etc]# klist -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET
    2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET
    2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET
    2 host/RHEL4WBTEST2@VEGAGROUP.NET
    2 host/RHEL4WBTEST2@VEGAGROUP.NET
    2 host/RHEL4WBTEST2@VEGAGROUP.NET
    2 RHEL4WBTEST2$@VEGAGROUP.NET
    2 RHEL4WBTEST2$@VEGAGROUP.NET
    2 RHEL4WBTEST2$@VEGAGROUP.NET

    [root@rhel4wbtest2 etc]# kinit -k host/rhel4wbtest2.vegagroup.net
    kinit(v5): Cannot find KDC for requested realm while getting initial credentials


  4. winbind default encryption type for kerberos / RE: [Samba] Urgent... winbind and keytab file creation

    Yes the "net ads keytab create" created the keytab file now. But in the logs i can see that the encryption type used is not good:

    Apr 2 12:37:18 rhel4wbtest1 sshd[4542]: pam_krb5: error reading keys for host/rhel4wbtest2.vegagroup.net from /etc/krb5/krb5.keytab: Bad encryption type
    Apr 2 12:37:18 rhel4wbtest1 sshd[4542]: pam_krb5: authentication fails for `tuser'

    does winbind by default use: rc4-hmac?


  5. Re: winbind default encryption type for kerberos / RE: [Samba] Urgent... winbind and keytab file creation


    Oliver Weinmann wrote:
    | Yes the "net ads keytab create" created the keytab file now. But in the logs i can see that the encryption type used is not good:
    |
    | Apr 2 12:37:18 rhel4wbtest1 sshd[4542]: pam_krb5: error reading keys for host/rhel4wbtest2.vegagroup.net from /etc/krb5/krb5.keytab: Bad encryption type
    | Apr 2 12:37:18 rhel4wbtest1 sshd[4542]: pam_krb5: authentication fails for `tuser'

    You probably need the single DES keys here. Run ktutil
    and list -e to make sure you have the right enctypes in the
    keytab file.

    | does winbind by default use: rc4-hmac?

    In newer versions, Yes.

    But why use pam_krb5 at all? Why not simply use pam_winbind?



    jerry

  6. Re: [Samba] Urgent... winbind and keytab file creation


    Oliver Weinmann wrote:
    | Hi,
    |
    | I'm running winbind (3.0.28a) on SLES9 with heimdal Kerberos. Everything works fine so far. Now i need to have the host keytab generated by winbind to be in the default /etc/krb5/krb5.keytab in order to use nfs with kerberos security. The problem is i have set the parameter in smb.conf:
    |
    | use kerberos keytabe = true

    Don't use this if you use Samba to join the domain.
    It is really only useful for non-MS realms.





    jerry

  7. RE: [Samba] Urgent... winbind and keytab file creation

    Hi and thanks for your answer.

    here is the output about the encryption used:

    [root@rhel4wbtest2 krb5]# klist -e -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with CRC-32)
    2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
    2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (ArcFour with HMAC/md5)
    2 host/RHEL4WBTEST2@VEGAGROUP.NET (DES cbc mode with CRC-32)
    2 host/RHEL4WBTEST2@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
    2 host/RHEL4WBTEST2@VEGAGROUP.NET (ArcFour with HMAC/md5)
    2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with CRC-32)
    2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
    2 RHEL4WBTEST2$@VEGAGROUP.NET (ArcFour with HMAC/md5)

    i have to use pam_krb5 because i need to mount nfs shares with kerberos
    security. So when a user logs in he gets a valid TGT and is able to
    mount the share.

    if the keytab created cannot be used for this... can i somehow delete
    the host principal created by winbind, create a new one, that will work
    for pam_krb5 and let winbind use the newly created one?


  8. Re: [Samba] Urgent... winbind and keytab file creation


    Oliver Weinmann wrote:
    > Hi and thanks for you answer.
    >
    > here is the output about the encryption used:
    >
    > [root@rhel4wbtest2 krb5]# klist -e -k
    > Keytab name: FILE:/etc/krb5/krb5.keytab
    > KVNO Principal


    Enctypes look fine.

    > i have to use pam_krb5 because i need to mount nfs
    > shares with kerberos security. So when a user logs in he
    > gets a valid TGT and is able to mount the share.


    pam_winbind will do that for you as well.

    > if the keytab created cannot be used for this... can i somehow delete
    > the host principal created by winbind, create a new one, that will work
    > for pam_krb5 and let winbind use the newly created one?





    jerry

  9. RE: [Samba] Urgent... winbind and keytab file creation

    how? when i use pam_winbind to login and automount to mount a users home
    with kerberos security i dont get a TGT at login. So this doesn't seem
    to work with pam_winbind or?


  10. Re: [Samba] Urgent... winbind and keytab file creation


    Oliver Weinmann wrote:
    > how? when i use pam_winbind to login and automount to mount a users home
    > with kerberos security i dont get a TGT at login. So this doesn't seem
    > to work with pam_winbind or?


    Install examples/pam_winbind/pam_winbind.conf to /etc/security/
    and enable the krb5_auth option.

    Also set "winbind refresh tickets = yes" in smb.conf.





    cheers, jerry

  11. RE: [Samba] Urgent... winbind and keytab file creation

    Sounds cool.

    i made the changes. When i login as an ad user i don't get a ticket? Is
    there anything else i need to set?

    Cheers


  12. RE: [Samba] Urgent... winbind and keytab file creation

    Ok. i got it. I had to change the parameter for:

    krb5_ccache_type = FILE

    now the users get a "cached" ticket at login. COOL

    but when the automount daemon tries to mount their home it fails:

    Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
    Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss: gss_init_sec_context: (major) Miscellaneous failure - (minor) No credentials found with supported encryption types

    Cheers,
    Oli

  13. Re: [Samba] Urgent... winbind and keytab file creation

    Hi

    I have recently figured that nfs supports only the "des-cbc-crc:normal"
    encryption type.

    Regards


  14. Re: [Samba] Urgent... winbind and keytab file creation


    Oliver Weinmann wrote:
    > Ok. i got it. I had to change the parameter for:
    >
    > krb5_ccache_type = FILE
    >
    > now the users get a "cached" ticket at login. COOL
    >
    > but when the automount daemon tries to mount their home it fails:
    >
    > Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create
    > krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
    > Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss:
    > gss_init_sec_context: (major) Miscellaneous failure - (minor) No
    > credentials found with supported encryption types



    I expect the nfsv4 service is trying to use 3des or aes.
    I always set these enc types in /etc/krb5.conf

    [libdefaults]
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC







    cheers, jerry

  15. Re: [Samba] Urgent... winbind and keytab file creation


    On Wed, 2008-04-02 at 10:39 -0500, Gerald (Jerry) Carter wrote:
    > Oliver Weinmann wrote:
    > > Ok. i got it. I had to change the parameter for:
    > >
    > > krb5_ccache_type = FILE
    > >
    > > now the users get a "cached" ticket at login. COOL
    > >
    > > but when the automount daemon tries to mount their home it fails:
    > >
    > > Apr 2 16:41:09 rhel4wbtest2 rpc.gssd[1793]: WARNING: Failed to create
    > > krb5 context for user with uid 82967 for server ds-san-02.vegagroup.net
    > > Apr 2 16:41:12 rhel4wbtest2 rpc.gssd[1793]: rpcsec_gss:
    > > gss_init_sec_context: (major) Miscellaneous failure - (minor) No
    > > credentials found with supported encryption types

    >
    >
    > I expect the nfsv4 service is trying to use 3des or aes.
    > I always set these enc types in /etc/krb5.conf
    >
    > [libdefaults]
    > default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    > default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    > preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    >


    Currently linux nfs server requires that both server and client use ONLY
    des keys.
    Any other combination will simply fail.

    There are kernel patches reaching upstream that are adding 3des and aes
    but not yet rc4-hmac IIRC.

    Simo.

    --
    Simo Sorce
    Samba Team GPL Compliance Officer
    Senior Software Engineer at Red Hat Inc.
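
Added example (not part of the thread and not Samba or MIT krb5 code): a small audit that parses the `klist -e -k` output from post 7 and the `[libdefaults]` enctype lines from post 14, then reports per principal which keytab enctypes survive both the krb5.conf list and the set a consumer accepts. The function names, the `DES_ONLY` and `AES_ONLY` sets and the plain set-intersection model are assumptions for illustration; the real KDC negotiation is more involved.

```python
import re

# klist's long descriptions as printed in the thread, mapped to krb5.conf names.
LONG_NAMES = {
    "des cbc mode with crc-32": "des-cbc-crc",
    "des cbc mode with rsa-md5": "des-cbc-md5",
    "arcfour with hmac/md5": "rc4-hmac",
}
ALIASES = {"arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac"}
# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1", "rc4-hmac"}

ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$")

# Sample input rebuilt from the klist output and krb5.conf lines quoted in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with CRC-32)
   2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
   2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (ArcFour with HMAC/md5)
   2 host/RHEL4WBTEST2@VEGAGROUP.NET (DES cbc mode with CRC-32)
   2 host/RHEL4WBTEST2@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
   2 host/RHEL4WBTEST2@VEGAGROUP.NET (ArcFour with HMAC/md5)
   2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with CRC-32)
   2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
   2 RHEL4WBTEST2$@VEGAGROUP.NET (ArcFour with HMAC/md5)
"""
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
"""
# Assumed consumer capabilities: "ONLY des keys" as stated in the post above,
# and a constructed AES-only consumer to show the no-overlap case.
DES_ONLY = {"des-cbc-crc", "des-cbc-md5"}
AES_ONLY = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}


def normalize(name):
    """Reduce a klist description or krb5.conf token to one canonical name."""
    n = name.strip().lower()
    if n.startswith("deprecated:"):      # newer MIT klist prefixes weak enctypes
        n = n[len("deprecated:"):]
    n = LONG_NAMES.get(n, n)
    return ALIASES.get(n, n)


def parse_klist(text):
    """Return {principal: {(kvno, enctype), ...}} from `klist -e -k` output."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, principal, enc = m.groups()
            keys.setdefault(principal, set()).add((int(kvno), normalize(enc)))
    return keys


def parse_libdefaults(text):
    """Return {option: [enctypes]} for the *_enctypes options in [libdefaults]."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.endswith("_enctypes"):
                out[key] = [normalize(v) for v in re.split(r"[\s,]+", value) if v]
    return out


def audit(klist_text, conf_text, option, consumer_supports):
    """Per principal: enctypes in the keytab, those usable under both
    constraints, and those on the deprecated list."""
    allowed = parse_libdefaults(conf_text).get(option)   # None = option not set
    report = {}
    for principal, entries in parse_klist(klist_text).items():
        in_keytab = {enc for _, enc in entries}
        usable = {e for e in in_keytab
                  if (allowed is None or e in allowed) and e in consumer_supports}
        report[principal] = {
            "keytab": sorted(in_keytab),
            "usable": sorted(usable),
            "weak": sorted(in_keytab & WEAK),
        }
    return report


if __name__ == "__main__":
    for label, supported in (("DES-only consumer", DES_ONLY),
                             ("AES-only consumer", AES_ONLY)):
        print(label)
        result = audit(SAMPLE_KLIST, SAMPLE_KRB5_CONF,
                       "default_tgs_enctypes", supported)
        for principal, row in result.items():
            print("  %-50s usable=%s weak=%s"
                  % (principal, row["usable"] or "NONE", row["weak"]))
```

An empty `usable` list means no key in the keytab satisfies both the krb5.conf option and the consumer's set; every enctype in this keytab also appears in `weak`.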


  16. RE: [Samba] Urgent... winbind and keytab file creation

    Hi again and I really appreciate all your help. Thanks.

    By the way I was just reading a book called "Using Samba" yesterday.
    While looking at the book cover I fell over the name "Gerald
    Carter".... what a small world. It's a great book. Couldn't stop
    reading. I found that with the command "net ads keytab add NFS".

    maybe that will solve the problem? I will give it a try and also append
    the preferred enctypes to krb5.conf.

    Regards,
    Oli


  17. RE: [Samba] Urgent... winbind and keytab file creation

    Hi,

    the server is not linux. It's a NETAPP Filer.

    Regards,
    Oli

