[Freeipa-users] a bit off topic- samba + sssd => AD

lejeczek peljasz at yahoo.co.uk
Fri Jun 3 15:45:53 UTC 2016



On 03/06/16 15:11, Sumit Bose wrote:
> On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote:
>> hi users,
>>
>> I have samba and sssd trying AD; it's 7.2 Linux.
>>
>> That Linux box is, via sssd and samba, talking to the AD DC, and win10 clients get
>> to samba shares, getent passwd sees AD users, samba can get to the DC's shares and
>> the win10 clients' shares, all good except...
>>
>> smbclient @samba, in other words - to itself - fails
>>
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> and with smbclient -k
>>
>> gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may
>> provide more information: Server cifs/swir.private.dom at PRIVATE.DOM not found
>> in Kerberos database]
> Which realm is PRIVATE.DOM? What does
>
>      $ klist -k -t /etc/krb5.swir.ccnr.keytab
>
> return?
$ klist -k -t /etc/krb5.swir.ccnr.keytab
Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom at CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom at CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom at CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom at CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom at CCNR.DOM

And swir runs samba, but I'm trying to sssd together AD & IPA, I should have mentioned.
From a DNS perspective it's AD = ccnr.dom and IPA = private.ccnr.dom; everything seems to resolve OK at both the AD and IPA ends.
And my sssd.conf:
------------
ipa_hostname = swir.private.ccnr.dom
chpass_provider = ipa
ipa_server = swir.private.ccnr.dom
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#krb5_keytab = /etc/krb5.private.ccnr.keytab

[domain/ccnr.dom]
ad_domain = ccnr.dom
krb5_realm = CCNR.DOM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
auth_provider = ad
krb5_keytab = /etc/krb5.swir.ccnr.keytab

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = private.ccnr.dom, ccnr.dom

[nss]
memcache_timeout = 600
homedir_substring = /home
--------------

The AD DC (whose shares smbclient @swir can get to) shows:

C:\Users\Administrator.CCNR-WINSRV1>setspn -L swir
Registered ServicePrincipalNames for CN=SWIR,OU=private,DC=ccnr,DC=dom:
        cifs/swir.private.ccnr.dom at CCNR.DOM
        host/swir.private.ccnr.dom
        host/swir.private.ccnr.dom at CCNR.DOM
        HOST/SWIR

Like I said, getent and id see both domains.
If I
$ kinit me at CCNR.DOM
$ klist
Ticket cache: KEYRING:persistent:0:krb_ccache_xoHU5iW
Default principal: me at CCNR.DOM

Valid starting     Expires            Service principal
03/06/16 16:37:06  04/06/16 02:37:06  krbtgt/CCNR.DOM at CCNR.DOM


$ smbclient -L //$(hostname) -U me at CCNR.DOM -k
gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server cifs/swir.private.ccnr.dom at PRIVATE.CCNR.DOM not found in Kerberos database]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

What I see in the last one above is cifs/swir.private.ccnr.dom at PRIVATE.CCNR.DOM.
I've just realized that, for some reason, and maybe a valid one, smbclient doesn't do cifs/swir.private.ccnr.dom at CCNR.DOM, which is what is in the keytabs.

But smbclient also fails without -k, which I understand should then use a password, and that should be sufficient to authenticate.

many thanks Sumit,
L.

> bye,
> Sumit
>
>> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
>> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
>> session setup failed: NT_STATUS_INTERNAL_ERROR
>>
>> here is a snippet from smb.conf which I thought has relevance; I set it up
>> following the samba sssd wiki.
>>
>>    security = ads
>>    realm = CCNR.DOM
>>    workgroup = CCNR
>>
>>    kerberos method = secrets and keytab
>>    dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>>    client signing = auto
>>    client use spnego = yes
>>    encrypt passwords = yes
>>    password server = ccnr-winsrv1.ccnr.dom
>>    netbios name = SWIR
>>
>>    template shell = /bin/bash
>>    template homedir = /home/%D/%U
>>
>>    preferred master = no
>>    dns proxy = no
>>    wins server = ccnr-winsrv1.ccnr.dom
>>    wins proxy = no
>>
>>    inherit acls = Yes
>>    map acl inherit = Yes
>>    acl group control = yes
>>
>>
>> and in samba log:
>>
>>    domain_client_validate: Domain password server not available.
>>
>> I've tried samba user list, dead silence.
>>
>> many thanks,
>>
>> L.
>>
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
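The failure above comes down to which realm the client maps the server's hostname to: smbclient asks the KDC for cifs/swir.private.ccnr.dom in PRIVATE.CCNR.DOM, while every key in the keytab was issued by CCNR.DOM. The following Python script is an added diagnostic, not part of this thread or of any Samba/SSSD tooling; it parses the `klist -k -t` listing quoted above (constructed here with "@" restored), applies a hypothetical `[domain_realm]` mapping (the thread never shows krb5.conf) in the way libkrb5 approximately does, and reports the mismatch.

```python
import re

# Constructed sample: the keytab listing quoted in the thread, with "@" restored
# where the list archive printed " at ".
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
"""

# Hypothetical [domain_realm] section (assumption: the thread does not show
# krb5.conf). An IPA client in private.ccnr.dom normally carries the second entry.
DOMAIN_REALM = {
    ".ccnr.dom": "CCNR.DOM",
    ".private.ccnr.dom": "PRIVATE.CCNR.DOM",
}

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s*$")  # KVNO, timestamp, principal

def parse_keytab_listing(text):
    """Distinct principals in `klist -k -t` output (repeated lines are one key per enctype)."""
    return {m.group(3) for m in map(KLIST_LINE.match, text.splitlines()) if m}

def realm_for_host(hostname, mapping):
    """Approximate libkrb5's [domain_realm] lookup: exact host first, then each
    parent domain (longest first), with and without the leading dot."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host]
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        candidates += ["." + suffix, suffix]
    for key in candidates:
        if key in mapping:
            return mapping[key]
    return None  # libkrb5 would then fall back to DNS/referral heuristics

def check_service_principal(service, hostname, mapping, keytab_text):
    """Report the principal a client would request for service/hostname, whether the
    keytab holds exactly that key, and which keys it holds for the host in other realms."""
    realm = realm_for_host(hostname, mapping)
    wanted = f"{service}/{hostname}@{realm}"
    principals = parse_keytab_listing(keytab_text)
    elsewhere = sorted(p for p in principals
                       if p.split("@")[0].endswith("/" + hostname)
                       and not p.endswith("@" + str(realm)))
    return {"requested": wanted, "in_keytab": wanted in principals,
            "same_host_other_realm": elsewhere}

if __name__ == "__main__":
    print(check_service_principal("cifs", "swir.private.ccnr.dom", DOMAIN_REALM, KLIST_OUTPUT))
```

Run against a real host, replace the two constants with the output of `klist -k -t <keytab>` and the `[domain_realm]` entries from /etc/krb5.conf; a `True` in `in_keytab` is the precondition for the `-k` path to work at all.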
