Web lists-archives.com

Re: [Samba] openindiana GSSAPI failure to samba 4.6.6




Hey guys,

 Thanks for the ideas. I made life easier for myself and just replaced the
SunOS (illumos) implementation with real samba. That works very well so
we're all good. Is it just me or is kerberos complicated?

Thanks,
Greg

On Mon, Jul 31, 2017 at 8:25 AM, L.P.H. van Belle via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> Hai,
>
> You have 3 places to look where you keytab can be found.
>
> When kerberos method is set to "dedicated keytab" see the parameter.
>  dedicated keytab file = /where/your/krb5.keytab is configured.
>
> The system default keytab ( on my debian system ) /etc/krb5.keytab
> Yours might be in :  /etc/krb5/krb5.keytab
>
> The samba keytab if  "dedicated keytab file"  is not used.
> ( on my debian system )
> /var/lib/samba/private/secret.keytab
>
> And check them all
> klist -ke /var/lib/samba/private/secret.keytab
> klist -ke /etc/krb5/krb5.keytab
>
>
>
> Greetz,
>
> Louis
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
> > mathias dufresne via samba
> > Verzonden: maandag 31 juli 2017 10:59
> > Aan: Greg Dickie
> > CC: samba
> > Onderwerp: Re: [Samba] openindiana GSSAPI failure to samba 4.6.6
> >
> > 2017-07-28 15:20 GMT+02:00 Greg Dickie via samba
> > <samba@xxxxxxxxxxxxxxx>:
> >
> > > Hi,
> > >
> > >  We recently updated our AD servers to 4.6.6 and one of the things
> > > that stopped working was our zfs server running illumos. The idmap
> > > daemon is trying to bind to ldap using sasl/GSSAPI and is
> > failing with
> > >
> > > additional info: SASL(-1): generic failure: GSSAPI Error:
> > Unspecified
> > > GSS failure.  Minor code may provide more information (Client not
> > > found in Kerberos database)
> > >
> > > I think this is usually caused by DNS inconsistencies but everthing
> > > looks fine and it was working before the upgrade.
> > >
> > > klist shows tickets
> > >
> >
> > I don't think this is relevant: for what I feel to have
> > understood Samba generates its own tickets somewhere but not
> > in /tmp, not available with klist.
> (Client not found in Kerberos database)
>
> >
> >
> > > and doing and ldapsearch on the command line using GSSAPI seems to
> > > work fine.
> > >
> >
> > That's a good point... until you are using same account and
> > keytab as Samba.
> >
> >
> > >
> > > Has anyone encountered this? Any idea how to debug?
> > >
> >
> > No.
> > But machine accounts have a password and this password is
> > supposed to change in MS AD. I'm not sure it is changing with
> > Samba AD but it could as Samba means to reproduce MS AD behavior.
> >
> > No idea about illumos but the klist you mentioned as the
> > ldapsearch using the ticket of that klist have to be tested
> > using the very same account used by illumos and the same
> > keytab if any.
> >
> > You could check that account to see it was modified since the
> > update you mentioned (pwdLastSet, whenChanged).
> >
> > No idea if this could help, just a try...
> >
> >
> > >
> > > Thanks,
> > > Greg
> > >
> > > --
> > >
> > >
> > > Greg Dickie
> > > just a guy
> > > 514-983-5400
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 


Greg Dickie
just a guy
514-983-5400
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba