[cifs-discuss] adjoin-s10u5 solaris cifs (smbadm join breaks system kerberos)

HUGE | Rob Terhaar rterhaar at hugeinc.com
Thu May 29 07:54:51 PDT 2008


I figured it out with the help of the krb-diag script!
The problem was so obvious, no idea why we didn't think of it sooner.

Here were the basic steps that I took in configuring this server for AD/krb
authentication:

1. run adjoin
2. run ldapclient to set up attribute mapping
3. ssh to machine, confirm that I can access the machine with my ad user and
my UID/GID is correct
4. run smbadm join to configure solaris cifs
5. run idmap to map ldap UID/GIDs to cifs UID/GIDs
6. connect via cifs, create some files, confirm UID/GID is correct
7. ssh to machine (and received the strange kerberos message)

The problem was that every time I got to step 3, I was issued a kerberos
ticket for the machine (I use openssh in OS X with gssapi enabled). Then
when I got to step 6, I was using the same (non-valid) kerberos ticket.
Since smbadm join deletes and re-adds the computer object in the domain, my
local machine thought the kerberos ticket was valid, but the solaris server
didn't agree. Once I ran kdestroy (or waited for the kerberos ticket to
expire) I was able to ssh to nymp3 using kerberos.

Amazing product, and thank you very much for your help!!!

On 5/28/08 10:39 AM, "Natalie Li" <Natalie.Li at Sun.COM> wrote:

> Your network trace indicates that you are using OpenSSH.  Are you
> actually using our krb5 mech?
> 
> Natalie
> 
> HUGE | Rob Terhaar wrote:
>> Hi Natalie-
>> Sorry about the delay, hope you still remember the problem?
>> Anyhow, kinit -k host/nymp3.ad.domain.com returns nothing.
>> 
>> And I'll send you a snoop dump off the list.
>> 
>> 
>> On 5/21/08 2:58 PM, "Natalie Li" <Natalie.Li at Sun.COM> wrote:
>> 
>>> Rob,
>>> 
>>> I'm trying to see if the local keytab and the database are out of sync
>>> or not.  Could you run the following command?
>>> 
>>> kinit -k host/nymp3.ad.domain.com
>>> 
>>> Does it work?  What's the output of `klist`?
>>> 
>>> BTW, could you also provide me with a trace that captures the network
>>> traffic between the domain controller and your test system while running
>>> ssh command?
>>> 
>>> thanks,
>>> 
>>> Natalie
>>> 
>>> Natalie Li wrote:
>>>> Rob,
>>>> 
>>>> Thanks for the information! We'll set up a system with win2k3 R2 and try
>>>> to reproduce the problem here in the lab.
>>>> 
>>>> Natalie
>>>> 
>>>> HUGE | Rob Terhaar wrote:
>>>> 
>>>>> On 5/20/08 2:37 PM, "Natalie Li" <Natalie.Li at Sun.COM> wrote:
>>>>> 
>>>>>> HUGE | Rob Terhaar wrote:
>>>>>> 
>>>>>>>>> Hi All,
>>>>>>>>> Not really sure how to explain the problem, or even search for the
>>>>>>>>> answer-
>>>>>>>>> so I apologize if I'm asking a very easy question.
>>>>>>>>> 
>>>>>>>>> I'm able to successfully join my opensolaris machine to my AD using the
>>>>>>>>> winchester script "adjoin-s10u5". Once joined, I'm able to successfully
>>>>>>>>> use ldapclient -v manual to set up the LDAP domain for mapping UIDs/GIDs.
>>>>>>>>> (using this doc
>>>>>>>>> http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp )
>>>>>>>>> 
>>>>>>>>> I'm able to ssh into the system using GSSAPI/kerberos authentication.
>>>>>>>>> 
>>>>>>>>> But my question is, when I use smbadm join to bring the solaris cifs
>>>>>>>>> server onto the domain
>>>>>>>>> 
>>>>>> - Which OS version is your domain controller running?
>>>>>> - Have you experienced any problem while joining the AD domain via
>>>>>> smbadm? Did it return with a successful status?
>>>>>> - What's the output of `klist -k` after you run smbadm CLI?
>>>>>> - What's the output of `klist -k` after you run the adjoin script?
>>>>>> 
>>>>> Domain Controllers are all win2k3 R2 with the NIS server install (sfu
>>>>> schema).
>>>>> 
>>>>> I first ran the adjoin script, and then ran klist -k,
>>>>> 
>>>>> klist -k
>>>>> Keytab name: FILE:/etc/krb5/krb5.keytab
>>>>> KVNO Principal
>>>>> ----
>>>>> --------------------------------------------------------------------------
>>>>>   4 host/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   4 host/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   4 host/NYMP3 at AD.domain.COM
>>>>>   5 host/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   5 host/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   5 host/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   5 host/NYMP3 at AD.DOMAIN.COM
>>>>>   5 host/NYMP3 at AD.DOMAIN.COM
>>>>>   5 host/NYMP3 at AD.DOMAIN.COM
>>>>>   5 NYMP3$@AD.DOMAIN.COM
>>>>>   5 NYMP3$@AD.DOMAIN.COM
>>>>>   5 NYMP3$@AD.DOMAIN.COM
>>>>>   4 host/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   4 host/NYMP3 at AD.DOMAIN.COM
>>>>>   4 host/NYMP3 at AD.DOMAIN.COM
>>>>>   4 NYMP3$@AD.DOMAIN.COM
>>>>>   4 NYMP3$@AD.DOMAIN.COM
>>>>>   4 NYMP3$@AD.DOMAIN.COM
>>>>> 
>>>>> Then I ran smbadm join -u rterhaar ad.domain.com
>>>>> " Successfully joined domain 'ad.domain.com'"
>>>>> 
>>>>> But on the console I got a message that says:
>>>>> Smbd ads: Retry kinit to acquire credential
>>>>> 
>>>>> 
>>>>> and now after smbadm join, klist -k says:
>>>>> 
>>>>> klist -k
>>>>> Keytab name: FILE:/etc/krb5/krb5.keytab
>>>>> KVNO Principal
>>>>> ----
>>>>> --------------------------------------------------------------------------
>>>>>   6 host/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   6 host/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   4 host/NYMP3 at AD.DOMAIN.COM
>>>>>   6 nfs/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   6 nfs/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   6 host/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   5 host/NYMP3 at AD.DOMAIN.COM
>>>>>   5 host/NYMP3 at AD.DOMAIN.COM
>>>>>   5 host/NYMP3 at AD.DOMAIN.COM
>>>>>   5 NYMP3$@AD.DOMAIN.COM
>>>>>   5 NYMP3$@AD.DOMAIN.COM
>>>>>   5 NYMP3$@AD.DOMAIN.COM
>>>>>   6 host/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   4 host/NYMP3 at AD.DOMAIN.COM
>>>>>   4 host/NYMP3 at AD.DOMAIN.COM
>>>>>   4 NYMP3$@AD.DOMAIN.COM
>>>>>   4 NYMP3$@AD.DOMAIN.COM
>>>>>   4 NYMP3$@AD.DOMAIN.COM
>>>>>   6 nfs/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   6 nfs/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   6 HTTP/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   6 HTTP/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   6 HTTP/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   6 HTTP/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   6 root/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   6 root/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   6 root/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>>   6 root/nymp3.ad.domain.com at AD.DOMAIN.COM
>>>>> 
>>>>>>>>> , ssh/kerberos authentication breaks.
>>>>>>>>> 
>>>>>> Could you tell us the exact error message you've seen on either the
>>>>>> console or the syslog regarding sshd?
>>>>>> 
>>>>>> thanks,
>>>>>> 
>>>>>> Natalie
>>>>>> 
>>>>> After I run smbadm join, I can successfully connect to the cifs share from
>>>>> a windows computer, but when I try to ssh to the machine using kerberos I
>>>>> get this:
>>>>> 
>>>>> Localhost# ssh nymp3
>>>>> GSSAPI Error:
>>>>> Invalid credential was supplied
>>>>> No error
>>>>> 
>>>>> And on the console:
>>>>> sshd: fatal: accept_ctx died
>>>>> 
>>>>> 
>>>>> Seems like it's one service or the other for me...
>>>>> 
>>>> _______________________________________________
>>>> cifs-discuss mailing list
>>>> cifs-discuss at opensolaris.org
>>>> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
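An added check, not part of the thread or of the Solaris tools, that parses two `klist -k` listings and reports which service principals were rekeyed (new highest KVNO or newly created); that is exactly why a host ticket cached on the client before `smbadm join` stops decrypting on the server afterwards. The sample listings are trimmed excerpts constructed from the two listings quoted above, with the archive's " at " restored to "@".

```python
import re
from collections import defaultdict

# Constructed excerpts of the thread's `klist -k` output: after adjoin (BEFORE)
# and after smbadm join (AFTER). Header lines are kept so the parser skips them.
KLIST_BEFORE = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   4 host/nymp3.ad.domain.com@AD.DOMAIN.COM
   5 host/nymp3.ad.domain.com@AD.DOMAIN.COM
   5 host/NYMP3@AD.DOMAIN.COM
   5 NYMP3$@AD.DOMAIN.COM
"""
KLIST_AFTER = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   6 host/nymp3.ad.domain.com@AD.DOMAIN.COM
   4 host/NYMP3@AD.DOMAIN.COM
   5 host/NYMP3@AD.DOMAIN.COM
   5 NYMP3$@AD.DOMAIN.COM
   6 nfs/nymp3.ad.domain.com@AD.DOMAIN.COM
   6 HTTP/nymp3.ad.domain.com@AD.DOMAIN.COM
"""

# One keytab entry per line: leading KVNO, then the principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

def parse_klist_k(text):
    """Map each principal to the sorted list of KVNOs present in the keytab."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return {p: sorted(v) for p, v in kvnos.items()}

def rekeyed_principals(before, after):
    """Principals whose newest KVNO changed, or that did not exist before.
    Returns {principal: (old_max_kvno_or_None, new_max_kvno)}."""
    changed = {}
    for principal, versions in after.items():
        old = before.get(principal)
        if old is None or max(old) != max(versions):
            changed[principal] = (max(old) if old else None, max(versions))
    return changed

def ticket_decryptable(keytab, principal, ticket_kvno):
    """sshd can decrypt a GSSAPI service ticket only if the keytab still holds
    a key for that principal with the KVNO stamped in the ticket's enc-part."""
    return ticket_kvno in keytab.get(principal, [])
```

A client that cached a `host/nymp3.ad.domain.com` ticket under KVNO 5 fails with "Invalid credential" against the post-join keytab until it runs kdestroy or the ticket expires.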
