Kerberos Help Needed

Greg Julius fromRHIL at outtacyte.com
Fri Aug 19 22:32:33 UTC 2005


Hi Y'all.  Greg from Texas calling.

I desperately need some help with getting my systems talking together.  I
have googled, read, and read some more.
I apologize in advance for a long email.
I tried to include everything that may be pertinent.

Abstract:
I can't seem to get kerberos configured correctly so that a windows user can
access the samba shares.

My Setup:
Windows Small Business Server 2003 ADS which is my domain PDC, and numerous
Windows workstations.
Linux Server, Fedora Core 4 (brand new install), which is to be a file
server and an internal web development server (Apache, PHP, MySQL)

I have recently needed to upgrade from a peer-peer network to a Windows SBS
ADS/PDC.  When I did, my linux server left the fray and I haven't been able
to get it to talk to windows despite working on it for some time.  I am now
at the point where I MUST GET IT WORKING (unhappy clients including an
unhappy me).

It is my understanding that in order for the Linux server to talk with the
Windows ADS that Kerberos must be working, but I am having mucho trouble
with this.  I think my biggest problem is a lack of the total picture and I
could use somebody who is familiar with kerberos and Windows ADS (and
winbind and samba) interactions.

I called Bob McClure this morning looking for help and he reminded me that
Rick Stevens monitors this list and was probably my best bet for something
of this nature. So here I am....

Progress to date (or lack of):
Windows SBS 2003 ADS/PDC installed.  This is Filesvr2 by name, x.x.x.6 by
IP.  Samba shares no longer work.
DNS and DHCP are running on the PDC and names resolve correctly all over the
network.  ocinternal.local is the domain name.  Addresses resolve with and
without the domain name suffixed.
Fedora Core 4 installed - no problems to speak of
Linux host name is guardian and is at x.x.x.8.  I can ping this address by
name and IP, both from the machine itself and from elsewhere on the network.
Basic connectivity is achieved
SELinux is disabled until I get other things working correctly to remove
those potential issues.
Apache Started and talks to browsers on the network.  Virtual name servers
work and present data correctly.
Kerberos 'configured' and starts (kadmin and krb5kdc).  Krb524 not run as I
don't have any v.4 stuff at all or ever.
I created the kdc.  Realm name is OCINTERNAL.LOCAL, kdc name is
guardian.ocinternal.local
Samba starts
Winbind starts.
As root I can do a kinit, can see the results with klist, and remove them
with kdestroy.

Now for raw data.  I have tried to keep the config files pretty vanilla.
I have put comments below each config file or log file and at the end of the
file.
Here is the kdc.conf contents:

[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 OCINTERNAL.LOCAL = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
des-cbc-crc:afs3
 }


I'm not too sure on the master_key_type as the information available is
unclear and conflicting.  What does Windows ADS use and is it supported on
this side of the divide?  If not, then what should I use and how do I tell
windows to use it as well?



Here is krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = OCINTERNAL.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 OCINTERNAL.LOCAL = {
  kdc = guardian.ocinternal.local:88
  admin_server = guardian.ocinternal.local:749
 }

[domain_realm]
 .ocinternal.local = OCINTERNAL.LOCAL
 ocinternal.local = OCINTERNAL.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


I have tried this file with the dns settings set both ways.
And finally, the smb.conf file (some clipped for brevity):

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2005/08/08 22:08:31

# Global parameters
[global]
	workgroup = OCINTERNAL
	realm = OCINTERNAL.LOCAL
	server string = Samba Server
	security = ADS
	password server = Filesrv2.ocinternal.local
	log file = /var/log/samba/%m.log
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	printcap name = /etc/printcap
	dns proxy = No
	ldap ssl = no
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	template shell = /bin/bash
	cups options = raw


Note that the password server here is set to Filesrv2.  This name is that of
my PDC.


Now for the logs
When I start, I get this for kadmind.log:

Aug 19 13:42:03 guardian.ocinternal.local kadmind[20252](info): Seeding
random number generator
Aug 19 13:42:03 guardian.ocinternal.local kadmind[20252](info): Seeding
random number generator
Aug 19 13:42:03 guardian.ocinternal.local kadmind[20252](info): No
dictionary file specified, continuing without one.
Aug 19 13:42:03 guardian.ocinternal.local kadmind[20252](info): No
dictionary file specified, continuing without one.
Aug 19 13:42:03 guardian.ocinternal.local kadmind[20253](info): starting
Aug 19 13:42:03 guardian.ocinternal.local kadmind[20253](info): starting



Looks ok to me but I note I get two of each line....
For krb5kdc.log I get this:

Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): setting up
network...
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): setting up
network...
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): skipping
unrecognized local address family 17
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): skipping
unrecognized local address family 17
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): listening on
fd 7: udp 10.255.20.8.750
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): listening on
fd 7: udp 10.255.20.8.750
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): listening on
fd 8: udp 10.255.20.8.88
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): listening on
fd 8: udp 10.255.20.8.88
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): listening on
fd 9: udp fe80::204:61ff:fe42:ae5e%eth0.750
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): listening on
fd 9: udp fe80::204:61ff:fe42:ae5e%eth0.750
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): listening on
fd 10: udp fe80::204:61ff:fe42:ae5e%eth0.88
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): listening on
fd 10: udp fe80::204:61ff:fe42:ae5e%eth0.88
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): set up 4
sockets
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20242](info): set up 4
sockets
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20244](info): commencing
operation
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20244](info): commencing
operation
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20244](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.255.20.8: CLIENT_NOT_FOUND:
host/GUARDIAN at OCINTERNAL.LOCAL for krbtgt/OCINTERNAL.LOCAL at OCINTERNAL.LOCAL,
Client not found in Kerberos database
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20244](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.255.20.8: CLIENT_NOT_FOUND:
host/GUARDIAN at OCINTERNAL.LOCAL for krbtgt/OCINTERNAL.LOCAL at OCINTERNAL.LOCAL,
Client not found in Kerberos database
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20244](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.255.20.8: ISSUE: authtime 1124476923, etypes
{rep=16 tkt=16 ses=16}, GUARDIAN$@OCINTERNAL.LOCAL for
krbtgt/OCINTERNAL.LOCAL at OCINTERNAL.LOCAL
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20244](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.255.20.8: ISSUE: authtime 1124476923, etypes
{rep=16 tkt=16 ses=16}, GUARDIAN$@OCINTERNAL.LOCAL for
krbtgt/OCINTERNAL.LOCAL at OCINTERNAL.LOCAL
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20244](info): DISPATCH:
repeated (retransmitted?) request from 10.255.20.8, resending previous
response
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20244](info): DISPATCH:
repeated (retransmitted?) request from 10.255.20.8, resending previous
response
Aug 19 13:47:03 guardian.ocinternal.local krb5kdc[20244](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.255.20.8: ISSUE: authtime 1124477223, etypes
{rep=16 tkt=16 ses=16}, GUARDIAN$@OCINTERNAL.LOCAL for
krbtgt/OCINTERNAL.LOCAL at OCINTERNAL.LOCAL
** 108 identical except for the time deleted **
Aug 19 16:04:01 guardian.ocinternal.local krb5kdc[20244](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.255.20.8: ISSUE: authtime 1124485441, etypes
{rep=16 tkt=16 ses=16}, GUARDIAN$@OCINTERNAL.LOCAL for
krbtgt/OCINTERNAL.LOCAL at OCINTERNAL.LOCAL


With one exception, things looked fine above.  An apparent problem is this
line:
CLIENT_NOT_FOUND: host/GUARDIAN at OCINTERNAL.LOCAL for
krbtgt/OCINTERNAL.LOCAL at OCINTERNAL.LOCAL, Client not found in Kerberos
database



Here is my winbind.log

[2005/08/19 13:42:03, 1] nsswitch/winbindd.c:main(864)
  winbindd version 3.0.14a-2 started.
  Copyright The Samba Team 2000-2004
[2005/08/19 13:42:03, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Cannot contact any KDC for requested realm
[2005/08/19 13:42:03, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/GUARDIAN at OCINTERNAL.LOCAL failed: Client not
found in Kerberos database
[2005/08/19 13:42:03, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain OCINTERNAL failed: Client not found in Kerberos
database
[2005/08/19 13:42:03, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Decrypt integrity check failed

** many of the same line deleted **

[2005/08/19 15:43:01, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Decrypt integrity check failed
[2005/08/19 15:45:22, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/GUARDIAN at OCINTERNAL.LOCAL failed: Client not
found in Kerberos database
[2005/08/19 15:45:22, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain OCINTERNAL failed: Client not found in Kerberos
database
[2005/08/19 15:48:28, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Decrypt integrity check failed



OK, some general questions:
My linux server is supposed to be running Kerberos and maintaining the KDC,
correct?
My password server, as far as winbind and samba are concerned, is the
ADS/PDC machine, correct?
When I join the linux machine to the windows PDC, I issue "net join -U
administrator".  Was I supposed to do a kinit on something first?
What principals are needed and why and what roles do they need to have?
When I issue the join command, I get the following conflicting messages:
  ads_connect: Server not found in Kerberos database
  Joined domain OCINTERNAL.
The server then shows up in the ADS.  So I guess I successfully joined the
domain.  What is the ads_connect: message about?
"wbinfo -D OCINTERNAL" shows that winbind seems to know about the domain, it
knows that it is an ADS.


Thanks in advance for your help
-g
# Texas gets bigger as the price of gas goes up
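Added example (not part of Greg's mail, and not Samba or MIT Kerberos tooling): a script that runs two checks a practitioner would apply to the material above. It flags a krb5.conf realm whose kdc is not the domain controller that smb.conf names as password server (with security = ADS, Samba sends its Kerberos requests to the AD domain controller), and it tallies the krb5kdc.log AS_REQ records by client principal and status, so the CLIENT_NOT_FOUND for host/GUARDIAN is separated from the successful ISSUE for GUARDIAN$. The config and log excerpts are constructed from the post, with the archive's "name at REALM" rendering restored to "name@REALM".

```python
import re
from collections import Counter
# Constructed excerpts of the files quoted above; "name at REALM" restored to "name@REALM".
KRB5_CONF = """[libdefaults]
 default_realm = OCINTERNAL.LOCAL
[realms]
 OCINTERNAL.LOCAL = {
  kdc = guardian.ocinternal.local:88
 }
"""
SMB_CONF = """[global]
\trealm = OCINTERNAL.LOCAL
\tsecurity = ADS
\tpassword server = Filesrv2.ocinternal.local
"""
KDC_LOG = """Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20244](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.255.20.8: CLIENT_NOT_FOUND: host/GUARDIAN@OCINTERNAL.LOCAL for krbtgt/OCINTERNAL.LOCAL@OCINTERNAL.LOCAL, Client not found in Kerberos database
Aug 19 13:42:03 guardian.ocinternal.local krb5kdc[20244](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.255.20.8: ISSUE: authtime 1124476923, etypes {rep=16 tkt=16 ses=16}, GUARDIAN$@OCINTERNAL.LOCAL for krbtgt/OCINTERNAL.LOCAL@OCINTERNAL.LOCAL
"""

def parse_conf(text):
    """Flatten '[section] key = value'; krb5.conf's 'REALM = { }' wrapper is skipped."""
    sections, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in '#;' or line == '}':
            continue
        if line.startswith('[') and line.endswith(']'):
            cur = sections.setdefault(line[1:-1], {})
        elif '=' in line and not line.endswith('{') and cur is not None:
            key, val = (s.strip() for s in line.split('=', 1))
            cur[key.lower()] = val
    return sections

def config_findings(krb5_text, smb_text):
    """security = ADS makes the AD domain controller the realm's KDC for Samba,
    so the realm's kdc entry in krb5.conf should name that controller."""
    krb5, smb = parse_conf(krb5_text), parse_conf(smb_text)
    kdc_host = krb5['realms']['kdc'].split(':')[0].lower()
    dc_host = smb['global']['password server'].lower()
    findings = []
    if smb['global']['security'].upper() == 'ADS' and kdc_host != dc_host:
        findings.append(f'security = ADS but krb5.conf kdc is {kdc_host}, '
                        f'not the domain controller {dc_host}')
    return findings

# MIT krb5kdc AS_REQ record: "<src>: <STATUS>: [authtime ..., etypes {...}, ]<client> for <server>"
AS_REQ = re.compile(r'AS_REQ .*?\) (\S+): (\w+): (?:authtime \d+, etypes \{[^}]*\}, )?([^\s,]+) for ([^\s,]+)')

def as_req_outcomes(log_text):
    """Tally (client principal, status); CLIENT_NOT_FOUND means this KDC holds no such principal."""
    counts = Counter()
    for m in filter(None, map(AS_REQ.search, log_text.splitlines())):
        counts[(m.group(3), m.group(2))] += 1
    return counts
```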
