From: Paul Sobey on 5 Nov 2009 07:30

Good Morning,

We have a network of Solaris 10 machines authenticating and doing name lookups via a Windows 2008 (SP2) domain using the Solaris ldap client and self/gssapi credentials. Each machine has a machine account that is prepared via a script with the following attributes:

    userAccountControl: 4263936
        (WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)
    msDS-SupportedEncryptionTypes: 23
        (KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 | KERB_ENCTYPE_RC4_HMAC_MD5 |
         KERB_ENCTYPE_DES_CBC_MD5 | KERB_ENCTYPE_DES_CBC_CRC)

We would like to install a new Samba file server and have it play nicely with this setup, using the system keytab, ideally taking a password from the keytab or being able to control the password used in the joining process. Is there a prescribed/supported way to have Samba 'fit in' to an existing setup like this?

We've tried running net ads join after the host keytab is created, and note that the KVNO on the computer account increases, the userAccountControl flag gets overwritten with DONT_REQ_PREAUTH (seems to be needed for Solaris kinit -k), and the resulting keytab is unusable by Solaris kinit:

Before net ads join:

    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
      18 host/fqdn@REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
      18 host/fqdn@REALM (ArcFour with HMAC/md5)
      18 host/fqdn@REALM (DES cbc mode with RSA-MD5)
      18 host/fqdn@REALM (DES cbc mode with CRC-32)

    kinit -k

    Default principal: host/fqdn@REALM
    Valid starting       Expires              Service principal
    05/11/2009 11:46:16  05/11/2009 21:46:16  krbtgt/REALM@REALM
            renew until 12/11/2009 11:46:16, Etype(skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC

After net ads join (Samba added entries are KVNO 19):

      18 host/fqdn@REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
      18 host/fqdn@REALM (ArcFour with HMAC/md5)
      18 host/fqdn@REALM (DES cbc mode with RSA-MD5)
      18 host/fqdn@REALM (DES cbc mode with CRC-32)
      19 host/fqdn@REALM (DES cbc mode with CRC-32)
      19 host/fqdn@REALM (DES cbc mode with RSA-MD5)
      19 host/fqdn@REALM (ArcFour with HMAC/md5)
      19 host/HOST@REALM (DES cbc mode with CRC-32)
      19 host/HOST@REALM (DES cbc mode with RSA-MD5)
      19 host/HOST@REALM (ArcFour with HMAC/md5)
      19 HOST$@REALM (DES cbc mode with CRC-32)
      19 HOST$@REALM (DES cbc mode with RSA-MD5)
      19 HOST$@REALM (ArcFour with HMAC/md5)

    kinit -k
    kinit(v5): Clients credentials have been revoked while getting initial credentials

After removal of kvno 18 tickets with ktutil:

    kinit(v5): Key table entry not found while getting initial credentials

Should I just give up and use pam_winbind and nss_winbind, or is there a way to make this work? Also, is there a way to make net ads join request or write aes256 entries to the keytab? Our krb5.conf explicitly specifies this as a permitted enc type.

Cheers,
Paul

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
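The post's two symptoms (a keytab whose newest KVNO lacks the AES-256 key the account advertises, plus stale lower-KVNO entries) can be checked mechanically. The script below is an added example, not code from Paul's mail or from the Samba project: it decodes the userAccountControl and msDS-SupportedEncryptionTypes bitmasks with the bit values from MS-SAMR and MS-KILE, parses `klist -k -e` output using MIT Kerberos's enctype display names, and reports, per principal, the newest KVNO, any stale KVNOs, and which advertised enctypes are missing at the newest KVNO. The embedded sample listing is constructed from the post's "after net ads join" output; the placeholder names (fqdn, HOST, REALM) are the post's own.

```python
"""Check a keytab against an AD computer account's advertised flags."""
import re
from collections import defaultdict

# userAccountControl bits (MS-SAMR); the subset relevant to machine accounts.
UAC_FLAGS = {
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00400000: "DONT_REQ_PREAUTH",
}

# msDS-SupportedEncryptionTypes bits (MS-KILE).
ENCTYPE_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

# Display names MIT 'klist -k -e' uses for those enctypes.
KLIST_NAME_TO_FLAG = {
    "DES cbc mode with CRC-32": "DES_CBC_CRC",
    "DES cbc mode with RSA-MD5": "DES_CBC_MD5",
    "ArcFour with HMAC/md5": "RC4_HMAC_MD5",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "AES128_CTS_HMAC_SHA1_96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "AES256_CTS_HMAC_SHA1_96",
}

# Constructed sample: the post's keytab after 'net ads join' (entries added at KVNO 19).
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
  18 host/fqdn@REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
  18 host/fqdn@REALM (ArcFour with HMAC/md5)
  18 host/fqdn@REALM (DES cbc mode with RSA-MD5)
  18 host/fqdn@REALM (DES cbc mode with CRC-32)
  19 host/fqdn@REALM (DES cbc mode with CRC-32)
  19 host/fqdn@REALM (DES cbc mode with RSA-MD5)
  19 host/fqdn@REALM (ArcFour with HMAC/md5)
  19 host/HOST@REALM (DES cbc mode with CRC-32)
  19 host/HOST@REALM (DES cbc mode with RSA-MD5)
  19 host/HOST@REALM (ArcFour with HMAC/md5)
  19 HOST$@REALM (DES cbc mode with CRC-32)
  19 HOST$@REALM (DES cbc mode with RSA-MD5)
  19 HOST$@REALM (ArcFour with HMAC/md5)
"""

_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def decode_flags(value, table):
    """Names of the bits set in a bitmask, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_klist(text):
    """Parse 'klist -k -e' output into (kvno, principal, enctype) tuples.

    Unknown enctype display names are passed through unchanged so they
    still show up in the report rather than being silently dropped.
    """
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if not m:  # header and separator lines
            continue
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        entries.append((kvno, principal, KLIST_NAME_TO_FLAG.get(enctype, enctype)))
    return entries


def check_keytab(entries, supported_mask):
    """Per principal: newest kvno, stale kvnos, and advertised enctypes absent at the newest kvno."""
    by_principal = defaultdict(lambda: defaultdict(set))
    for kvno, principal, enctype in entries:
        by_principal[principal][kvno].add(enctype)
    supported = set(decode_flags(supported_mask, ENCTYPE_FLAGS))
    report = {}
    for principal, kvnos in by_principal.items():
        latest = max(kvnos)
        report[principal] = {
            "latest_kvno": latest,
            "stale_kvnos": sorted(k for k in kvnos if k != latest),
            "enctypes": sorted(kvnos[latest]),
            "missing_enctypes": sorted(supported - kvnos[latest]),
        }
    return report


if __name__ == "__main__":
    print("userAccountControl 4263936 =", " | ".join(decode_flags(4263936, UAC_FLAGS)))
    print("msDS-SupportedEncryptionTypes 23 =", " | ".join(decode_flags(23, ENCTYPE_FLAGS)))
    for principal, info in check_keytab(parse_klist(SAMPLE_KLIST), 23).items():
        print(principal, info)
```

Run against real output with `klist -k -e | python3 check_keytab.py`-style plumbing of your choice; the point of the report is that for host/fqdn@REALM the newest KVNO carries only DES and RC4 keys while the account advertises AES-256, and the KVNO 18 entries are stale, which is exactly the state the post describes before and after the ktutil clean-up.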