
Re: [Samba] openindiana GSSAPI failure to samba 4.6.6




2017-07-31 17:41 GMT+02:00 Greg Dickie via samba <samba@xxxxxxxxxxxxxxx>:

> Hey guys,
>
>  Thanks for the ideas. I made life easier for myself and just replaced the
> SunOS (illumos) implementation with real samba. That works very well so
> we're all good. Is it just me or is kerberos complicated?
>

At first, no, it is not you : )
But after a while (and thanks to en.wikipedia.org) it can become quite
clear and almost simple.


>
> Thanks,
> Greg
>
> On Mon, Jul 31, 2017 at 8:25 AM, L.P.H. van Belle via samba <
> samba@xxxxxxxxxxxxxxx> wrote:
>
> > Hai,
> >
> > You have 3 places to look where your keytab can be found.
> >
> > When kerberos method is set to "dedicated keytab" see the parameter.
> >  dedicated keytab file = /where/your/krb5.keytab is configured.
> >
> > The system default keytab ( on my debian system ) /etc/krb5.keytab
> > Yours might be in :  /etc/krb5/krb5.keytab
> >
> > The samba keytab if  "dedicated keytab file"  is not used.
> > ( on my debian system )
> > /var/lib/samba/private/secret.keytab
> >
> > And check them all
> > klist -ke /var/lib/samba/private/secret.keytab
> > klist -ke /etc/krb5/krb5.keytab
> >
> >
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> > > mathias dufresne via samba
> > > Sent: Monday 31 July 2017 10:59
> > > To: Greg Dickie
> > > CC: samba
> > > Subject: Re: [Samba] openindiana GSSAPI failure to samba 4.6.6
> > >
> > > 2017-07-28 15:20 GMT+02:00 Greg Dickie via samba
> > > <samba@xxxxxxxxxxxxxxx>:
> > >
> > > > Hi,
> > > >
> > > >  We recently updated our AD servers to 4.6.6 and one of the things
> > > > that stopped working was our zfs server running illumos. The idmap
> > > > daemon is trying to bind to ldap using sasl/GSSAPI and is
> > > failing with
> > > >
> > > > additional info: SASL(-1): generic failure: GSSAPI Error:
> > > Unspecified
> > > > GSS failure.  Minor code may provide more information (Client not
> > > > found in Kerberos database)
> > > >
> > > > I think this is usually caused by DNS inconsistencies but everything
> > > > looks fine and it was working before the upgrade.
> > > >
> > > > klist shows tickets
> > > >
> > >
> > > I don't think this is relevant: for what I feel to have
> > > understood, Samba generates its own tickets somewhere but not
> > > in /tmp, not available with klist.
> > (Client not found in Kerberos database)
> >
> > >
> > >
> > > > and doing an ldapsearch on the command line using GSSAPI seems to
> > > > work fine.
> > > >
> > >
> > > That's a good point... until you are using the same account and
> > > keytab as Samba.
> > >
> > >
> > > >
> > > > Has anyone encountered this? Any idea how to debug?
> > > >
> > >
> > > No.
> > > But machine accounts have a password and this password is
> > > supposed to change in MS AD. I'm not sure it is changing with
> > > Samba AD but it could as Samba means to reproduce MS AD behavior.
> > >
> > > No idea about illumos but the klist you mentioned as the
> > > ldapsearch using the ticket of that klist have to be tested
> > > using the very same account used by illumos and the same
> > > keytab if any.
> > >
> > > You could check that account to see if it was modified since the
> > > update you mentioned (pwdLastSet, whenChanged).
> > >
> > > No idea if this could help, just a try...
> > >
> > >
> > > >
> > > > Thanks,
> > > > Greg
> > > >
> > > > --
> > > >
> > > >
> > > > Greg Dickie
> > > > just a guy
> > > > 514-983-5400
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> >
> >
> >
>
>
>
>
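Louis's advice above amounts to listing every candidate keytab with `klist -ke` and comparing them, and Mathias points out that the machine-account password (and so the key version) can change. The following is an added example, not code from the thread: it parses MIT-style `klist -ke` listings for the keytab paths named in the thread and flags principals whose newest KVNO differs between keytabs, which is one way a stale keytab shows up after a password change. The listings, principals and realm are constructed.

```python
import re
from collections import defaultdict

# Constructed `klist -ke` output for two of the keytab paths named in the thread.
# Principals and realm are hypothetical; KVNOs are chosen to show a stale keytab.
SAMPLE_LISTINGS = {
    "/etc/krb5/krb5.keytab": """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ZFS01$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 ZFS01$@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 host/zfs01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
""",
    "/var/lib/samba/private/secret.keytab": """Keytab name: FILE:/var/lib/samba/private/secret.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ZFS01$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 ZFS01$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 host/zfs01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
""",
}

# One entry line of MIT klist -ke: "<kvno> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)(?:\s+\((\S+)\))?\s*$")


def parse_klist_ke(text):
    """Return [(kvno, principal, enctype), ...] from one `klist -ke` listing."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Keytab name:", "KVNO", "----")):
            continue  # header and separator lines carry no entries
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def latest_kvno_by_principal(listings):
    """principal -> {keytab path -> highest KVNO held for that principal}."""
    table = defaultdict(dict)
    for path, text in listings.items():
        for kvno, princ, _enctype in parse_klist_ke(text):
            table[princ][path] = max(kvno, table[princ].get(path, 0))
    return table


def find_kvno_mismatches(listings):
    """Principals whose newest KVNO differs between keytabs (a stale keytab)."""
    return {princ: per_path
            for princ, per_path in latest_kvno_by_principal(listings).items()
            if len(set(per_path.values())) > 1}
```

Keytabs normally keep older KVNOs alongside the current one, so only the highest version per keytab is compared.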