samba-users August 2010 archive

[Samba] samba and kerberos tickets

From: Nico De Ranter <nico_at_nospam>
Date: Fri Aug 20 2010 - 12:43:38 GMT


I'm running a mixed Linux/Windows network with authentication done using
Active Directory. The Linux clients use Samba/Winbind for
authentication (with help from the list, thanks!). I've set up smb.conf
such that doing 'net ads join -Uadministrator' populates
my /etc/krb5.keytab (see configuration files below).

klist shows me a nice set of principals from /etc/krb5.keytab

klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/
   2 host/
   2 host/
   2 host/ubuntu@EDEN.SONYTEL.BE
   2 host/ubuntu@EDEN.SONYTEL.BE
   2 host/ubuntu@EDEN.SONYTEL.BE
   2 UBUNTU$@EDEN.SONYTEL.BE
   2 UBUNTU$@EDEN.SONYTEL.BE
   2 UBUNTU$@EDEN.SONYTEL.BE

If I look on the AD server using ADSI Edit I see the following values in the
servicePrincipalName field for the client's Computer object:

HOST/UBUNTU
HOST/

However, when I try to use any of the principals using 'kinit -k principalname' I get:

kinit host/
kinit: Client not found in Kerberos database while getting initial credentials

Why doesn't this work?

The reason I'm asking is that I'm also trying to get NFSv4 with Kerberos
going; however, when I try to mount a remote filesystem I see the following
error messages and the mount gets a permission denied:

handling krb5 upcall
Full hostname for '' is ''
Full hostname for '' is ''
Key table entry not found while getting keytab entry for 'root/'
Key table entry not found while getting keytab entry for 'nfs/'
Success getting keytab entry for 'host/'
WARNING: Client not found in Kerberos database while getting initial ticket for principal 'host/' using keytab 'WRFILE:/etc/krb5.keytab'
ERROR: No credentials found for connection to server
doing error downcall
destroying client clnt19

Any idea what might be wrong?

Nico

---------------------------------------------------------------------------

==== /etc/samba/smb.conf

[global]
   server string = %h server (Samba, Ubuntu)
   wide links = yes
   unix extensions = no
   server signing = mandatory
   security = ads
   workgroup = EDEN
   realm = EDEN.SONYTEL.BE
   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   pam password change = yes
   map to guest = bad user
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   idmap backend = ad
   idmap config EDEN:backend = ad
   idmap config EDEN:default = yes
   idmap config EDEN:schema_mode = rfc2307
   idmap config EDEN:range = 999-999999
   winbind nss info = rfc2307
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = yes
   winbind offline logon = true
   winbind refresh tickets = true
   usershare allow guests = no

==== /etc/krb5.conf

[libdefaults]
        default_realm = EDEN.SONYTEL.BE
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        EDEN.SONYTEL.BE = {
                kdc =
                admin_server =
        }

[domain_realm]
         = EDEN.SONYTEL.BE
         = EDEN.SONYTEL.BE
         = EDEN.SONYTEL.BE
         = EDEN.SONYTEL.BE

[login]
        krb4_convert = true
        krb4_get_tickets = false

====== environment

Linux clients: Ubuntu 9.10 or 10.04 running Samba 3.4.x
Windows server: 2008 R2

--
With kind regards

Nico De Ranter
Senior System Administrator
Techsoft Centre
Technology and Software Centre Europe
The Corporate Village - Da Vincilaan 7-D1 - B-1935 Zaventem - Belgium
Phone: +32 (0)2 700 8641
Fax: +32 (0)2 700 8622
E-mail:
A division of Sony Europe (Belgium) N.V.
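An added example, not part of Nico's post and not Samba or nfs-utils code: a small Python audit of a `klist -k` listing that encodes the two checks the post calls for. First, it walks the keytab in the order the quoted rpc.gssd log shows (root/, nfs/, host/ for the client's name) and reports which candidate gssd would end up using. Second, it flags which entries can obtain an initial ticket from an Active Directory KDC at all: AD issues AS-REP only to account names (a sAMAccountName such as UBUNTU$, or a userPrincipalName), while host/... entries are servicePrincipalName attributes of the computer object, which is why `kinit -k host/...` answers "Client not found in Kerberos database". The SAMPLE_KLIST text, the FQDN ubuntu.eden.sonytel.be (the post elides the hostname) and the function names are constructed for this example.

```python
"""Audit a `klist -k` listing against what an NFSv4/Kerberos client needs.

Constructed example: the keytab text below mimics the shape of
`klist -k /etc/krb5.keytab`; the FQDN is an assumption.
"""
import re

SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ubuntu@EDEN.SONYTEL.BE
   2 host/ubuntu@EDEN.SONYTEL.BE
   2 host/ubuntu.eden.sonytel.be@EDEN.SONYTEL.BE
   2 UBUNTU$@EDEN.SONYTEL.BE
   2 UBUNTU$@EDEN.SONYTEL.BE
"""

# One entry line: a KVNO, whitespace, a principal. Header lines never match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return distinct (kvno, principal) pairs in listing order.

    klist prints one line per encryption type, so repeated principals are
    normal and are collapsed here.
    """
    seen = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        pair = (int(m.group(1)), m.group(2))
        if pair not in seen:
            seen.append(pair)
    return seen


def split_principal(principal):
    """'nfs/h@R' -> ('nfs', 'h', 'R'); 'UBUNTU$@R' -> ('UBUNTU$', None, 'R')."""
    name, _, realm = principal.rpartition("@")
    primary, _, instance = name.partition("/")
    return primary, instance or None, realm


def can_kinit_against_ad(principal):
    """True if an AD KDC would accept this name as an AS-REQ client.

    Heuristic: account names (sAMAccountName like UBUNTU$, or a plain UPN)
    have no '/' instance. A service principal such as host/ubuntu is only a
    servicePrincipalName on the computer object and gets 'Client not found',
    unless an account was deliberately given that exact userPrincipalName.
    """
    _, instance, _ = split_principal(principal)
    return instance is None


def gssd_candidates(fqdn, realm):
    """Principals rpc.gssd looks up, in the order shown in the quoted log."""
    return ["%s/%s@%s" % (svc, fqdn, realm) for svc in ("root", "nfs", "host")]


def audit(klist_text, fqdn, realm):
    """Report which gssd candidates exist and which entries can kinit."""
    entries = parse_klist(klist_text)
    principals = [p for _, p in entries]
    candidates = gssd_candidates(fqdn, realm)
    present = {c: c in principals for c in candidates}
    chosen = next((c for c in candidates if present[c]), None)
    return {
        "entries": entries,
        "present": present,
        "chosen": chosen,  # what gssd would try to get a TGT for
        "kinit_capable": [p for p in principals if can_kinit_against_ad(p)],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_KLIST, "ubuntu.eden.sonytel.be", "EDEN.SONYTEL.BE")
    for cand, ok in report["present"].items():
        print("%-8s %s" % ("found" if ok else "missing", cand))
    print("gssd would use:      ", report["chosen"])
    print("AD-kinit-capable:    ", report["kinit_capable"])
```

Running it against the sample shows the pattern in the post: only host/ is found, and the only entry an AD KDC will hand an initial ticket to is the machine account, which you can confirm on the box with `kinit -k -t /etc/krb5.keytab 'UBUNTU$@EDEN.SONYTEL.BE'` followed by `klist`.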