Samba winbind keytab unusable?
From: oli (oliver.weinmann@vega.de) [Profile]
Date: 02.04.2008 15:30
Message-ID: <f557def9-ce2f-4e43-817a-225a54650ece@s37g2000prg.googlegroups.com>
Newsgroup: de.comp.os.unix.networking.samba
Hi,

I'm using Samba 3.0.28a and MIT Kerberos5 with Winbind on a RHEL4 machine. It's connected to a 2003 AD domain. Everything works fine so far. Now I need to use NFS with Kerberos security enabled. The good thing is that the winbind domain join already created a host account in the Active Directory with a Kerberos principal. The problem is I can't seem to make any use of it.

I set the following parameter in /etc/samba/smb.conf to have a keytab file created while joining the domain:

    use kerberos keytab = true

After a net ads join I can see the created keytab file under /etc/krb5/krb5.keytab:

    [root@rhel4wbtest2 krb5]# klist -k -e
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       3 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with CRC-32)
       3 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
       3 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (ArcFour with HMAC/md5)
       3 host/rhel4wbtest2@VEGAGROUP.NET (DES cbc mode with CRC-32)
       3 host/rhel4wbtest2@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
       3 host/rhel4wbtest2@VEGAGROUP.NET (ArcFour with HMAC/md5)
       3 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with CRC-32)
       3 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
       3 RHEL4WBTEST2$@VEGAGROUP.NET (ArcFour with HMAC/md5)

It's just strange that winbind creates so many entries. Now when I start the /etc/init.d/rpcgssd daemon I can see errors in the logfile:

    Apr 2 15:04:43 rhel4wbtest2 rpc.gssd[3147]: ERROR: No usable keytab entries found in keytab '/etc/krb5.keytab'
    Apr 2 15:04:43 rhel4wbtest2 rpc.gssd[3147]: Do you have a valid keytab entry for nfs/<your.host>@<YOUR.REALM> in keytab file /etc/krb5.keytab ?
    Apr 2 15:04:43 rhel4wbtest2 rpc.gssd[3147]: Continuing without (machine) credentials - nfs4 mounts with Kerberos will fail
    Apr 2 15:04:43 rhel4wbtest2 rpcgssd: rpc.gssd startup succeeded

I then created a nfs/rhel4wbtest2.vegagroup.net SPN on the Domain Controller and merged it into /etc/krb5/krb5.keytab with the open-source tool css_adkadmin from the RHEL4 machine:

    [root@rhel4wbtest2 krb5]# klist -e -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with CRC-32)
       2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
       2 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (ArcFour with HMAC/md5)
       2 host/RHEL4WBTEST2@VEGAGROUP.NET (DES cbc mode with CRC-32)
       2 host/RHEL4WBTEST2@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
       2 host/RHEL4WBTEST2@VEGAGROUP.NET (ArcFour with HMAC/md5)
       2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with CRC-32)
       2 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
       2 RHEL4WBTEST2$@VEGAGROUP.NET (ArcFour with HMAC/md5)
       2 nfs/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with RSA-MD5)

The log shows no more errors now. However, when I log in as an AD user I see this in the logs:

    Apr 2 15:29:22 rhel4wbtest2 sshd[3311]: pam_krb5: error reading keys for host/rhel4wbtest2.vegagroup.net from /etc/krb5/krb5.keytab: Bad encryption type
    Apr 2 15:29:22 rhel4wbtest2 sshd[3311]: pam_krb5: authentication fails for `tuser'

I have to use the pam_krb5 module for the NFS with Kerberos mount. It seems that the keytab created by winbind is useless here? Any ideas?
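Two things in the post are worth checking mechanically before touching the domain again: whether the keytab that rpc.gssd and pam_krb5 actually open contains the principals they need (note that the rpc.gssd log quotes '/etc/krb5.keytab' while klist shows FILE:/etc/krb5/krb5.keytab), and which encryption types and key versions each principal carries (the second listing has the new nfs/ entry with a single DES key, and every entry now at KVNO 2 where the first listing had KVNO 3). The script below is an added example and is not the poster's code nor part of Samba or MIT Kerberos; it parses the text format of `klist -k -e` as shown in the post and reports the keytab name, missing service principals, principals that have only single-DES keys, and mixed KVNOs. The embedded sample is constructed to mirror the shape of the listings above; the host name and realm are taken from the post and are parameters, and the "weak enctype" rule is simply "single DES" (retired by RFC 6649).

```python
"""Check a `klist -k -e` listing for Kerberized-NFS and host-login readiness.

Added example; not code from the poster, Samba, or MIT Kerberos.
Reads klist text from stdin, or falls back to the constructed sample.
"""
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the klist output in the post (not a real keytab).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with CRC-32)
   3 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
   3 host/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (ArcFour with HMAC/md5)
   3 RHEL4WBTEST2$@VEGAGROUP.NET (DES cbc mode with CRC-32)
   3 RHEL4WBTEST2$@VEGAGROUP.NET (ArcFour with HMAC/md5)
   2 nfs/rhel4wbtest2.vegagroup.net@VEGAGROUP.NET (DES cbc mode with RSA-MD5)
"""

# One keytab entry line: "<kvno> <principal> (<enctype description>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
KEYTAB_NAME_RE = re.compile(r"^Keytab name:\s*(\S+)\s*$")

# Single-DES enctype descriptions as printed by MIT klist; retired by RFC 6649.
WEAK_ENCTYPE_MARKERS = ("des cbc", "des-cbc")


def is_weak(enctype):
    """True for single-DES keys, which modern libraries refuse to use by default."""
    lowered = enctype.lower()
    return any(marker in lowered for marker in WEAK_ENCTYPE_MARKERS)


def parse_klist(text):
    """Return (keytab_name, entries) where each entry is a dict of kvno/principal/enctype."""
    keytab_name = None
    entries = []
    for line in text.splitlines():
        name_match = KEYTAB_NAME_RE.match(line)
        if name_match:
            keytab_name = name_match.group(1)
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match:
            entries.append({
                "kvno": int(entry_match.group(1)),
                "principal": entry_match.group(2),
                "enctype": entry_match.group(3),
            })
    return keytab_name, entries


def check_keytab(entries, fqdn, realm):
    """Report which service principals exist and which look unusable."""
    by_principal = defaultdict(list)
    for entry in entries:
        by_principal[entry["principal"]].append(entry)

    nfs_spn = f"nfs/{fqdn}@{realm}"    # what rpc.gssd asks for
    host_spn = f"host/{fqdn}@{realm}"  # what pam_krb5 verifies the KDC against
    enctypes = {p: sorted(e["enctype"] for e in es) for p, es in by_principal.items()}
    weak_only = sorted(p for p, ets in enctypes.items() if all(is_weak(t) for t in ets))
    kvnos = sorted({e["kvno"] for e in entries})

    findings = []
    if nfs_spn not in by_principal:
        findings.append(f"no {nfs_spn} entry: rpc.gssd will run without machine credentials")
    if host_spn not in by_principal:
        findings.append(f"no {host_spn} entry: pam_krb5 has no host key to read")
    for principal in weak_only:
        findings.append(f"{principal} has only single-DES keys; a library with DES disabled cannot use them")
    if len(kvnos) > 1:
        findings.append(f"mixed KVNOs {kvnos}: entries at a stale KVNO cannot decrypt tickets issued under the current key")

    return {
        "has_nfs_spn": nfs_spn in by_principal,
        "has_host_spn": host_spn in by_principal,
        "enctypes": enctypes,
        "weak_only": weak_only,
        "kvnos": kvnos,
        "findings": findings,
    }


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    name, parsed = parse_klist(text)
    report = check_keytab(parsed, "rhel4wbtest2.vegagroup.net", "VEGAGROUP.NET")
    print(f"keytab: {name}  ({len(parsed)} entries)")
    for line in report["findings"] or ["no findings"]:
        print(" -", line)
```

Run it as `klist -k -e -t /path/to/keytab | python3 check_keytab.py` against each keytab path that appears in the logs, so that a daemon opening a different file than the one you inspected shows up as a missing principal rather than a mystery. The enctype rule is deliberately conservative: it flags a principal only when every key it has is single DES, which is the state of the nfs/ entry in the second listing.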
