Sorry, I was a bit too fast in replying: first, you already documented the verification steps
(sorry); second, I broke it again :)
And I'm back in a state of confusion:
If the keytab is written and krb5.conf is good, I should be able to verify this with
"kinit", not?
I re-setup that machine and wanted to rejoin it, so I removed it from the AD via
Users&Computer and a dead-body entry from the LDAP
(CN=pontus,CN=Computers,DC=example,DC=com).
Then I did a net ads join which succeeded with keytab generated:
# klist -kte
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- -----------------------------------------------------
2 11/24/11 23:48:24 host/pontus.example.com(a)EXAMPLE.COM (des-cbc-crc)
2 11/24/11 23:48:25 host/pontus.example.com(a)EXAMPLE.COM (des-cbc-md5)
2 11/24/11 23:48:25 host/pontus.example.com(a)EXAMPLE.COM (arcfour-hmac)
2 11/24/11 23:48:25 host/pontus(a)EXAMPLE.COM (des-cbc-crc)
2 11/24/11 23:48:25 host/pontus(a)EXAMPLE.COM (des-cbc-md5)
2 11/24/11 23:48:25 host/pontus(a)EXAMPLE.COM (arcfour-hmac)
2 11/24/11 23:48:25 PONTUS$(a)EXAMPLE.COM (des-cbc-crc)
2 11/24/11 23:48:25 PONTUS$(a)EXAMPLE.COM (des-cbc-md5)
2 11/24/11 23:48:25 PONTUS$(a)EXAMPLE.COM (arcfour-hmac)
But using this ticket now fails, in sssd and also with kinit, both with 'cred. not
found':
# kinit -V -k -t /etc/krb5.keytab host/pontus.example.com(a)EXAMPLE.COM
Using default cache: /tmp/krb5cc_0
Using principal: host/pontus.example.com(a)EXAMPLE.COM
Using keytab: /etc/krb5.keytab
kinit: Client 'host/pontus.example.com(a)EXAMPLE.COM' not found in Kerberos database
while getting initial credentials
SSSD: (Thu Nov 24 23:54:03 2011) [[sssd[ldap_child[931]]]] [ldap_child_get_tgt_sync] (0):
Failed to init credentials: Client 'host/pontus(a)EXAMPLE.COM' not found in Kerberos
database
Principal is listed in "klist", but not found by "kinit"? What did I
do wrong this time?
I'm both times using FC16/x64 netinstall (sssd-1.6.3, smb-3.6.1 &
krb5-workstation-1.9.1), restored smb.conf, krb5.conf and of course sssd.conf (which seems
to be missing from a basic minimal fc16 install?)
I assume krb5.conf is right since "kinit myuser" succeeds, only fails when using
the keytab.
Cheers
Josh
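The `klist -kte` listing above separates two very different failures: a principal that is not in the keytab fails locally, while "Client ... not found in Kerberos database" is the KDC's answer (KDC_ERR_C_PRINCIPAL_UNKNOWN), so the keytab itself cannot explain it and the computer account on the DC is where to look. The following is an added example, not code from the thread or from the SSSD project: a small Python parser for the `klist -kte` output format that checks whether the principal you are about to `kinit` with is actually present, its kvno, and whether it only carries single-DES or RC4 keys, which is all the listing above contains. The sample input is constructed from that listing, with the archive's `(a)` written back as `@`.

```python
import re
from collections import namedtuple

# Constructed sample in the format `klist -kte` (MIT Kerberos) prints,
# modelled on the listing in the mail above.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------------
   2 11/24/11 23:48:24 host/pontus.example.com@EXAMPLE.COM (des-cbc-crc)
   2 11/24/11 23:48:25 host/pontus.example.com@EXAMPLE.COM (des-cbc-md5)
   2 11/24/11 23:48:25 host/pontus.example.com@EXAMPLE.COM (arcfour-hmac)
   2 11/24/11 23:48:25 host/pontus@EXAMPLE.COM (des-cbc-crc)
   2 11/24/11 23:48:25 host/pontus@EXAMPLE.COM (des-cbc-md5)
   2 11/24/11 23:48:25 host/pontus@EXAMPLE.COM (arcfour-hmac)
   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (des-cbc-crc)
   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (des-cbc-md5)
   2 11/24/11 23:48:25 PONTUS$@EXAMPLE.COM (arcfour-hmac)
"""

KeytabEntry = namedtuple("KeytabEntry", "kvno timestamp principal enctype")

# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4/arcfour).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
}

# One entry line: kvno, "MM/DD/YY HH:MM:SS", principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return the keytab entries found in `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2),
                                       m.group(3), m.group(4)))
    return entries


def keys_for(entries, principal):
    """All keys stored for one principal (one per enctype)."""
    return [e for e in entries if e.principal == principal]


def weak_keys(entries):
    """Entries whose enctype is deprecated and should be rotated away."""
    return [e for e in entries if e.enctype.lower() in WEAK_ENCTYPES]


def diagnose(entries, principal):
    """Keytab-side view of `kinit -k -t <keytab> <principal>`.

    Only the local side is inspected: if the principal is here and the
    KDC still answers "Client not found in Kerberos database", the account
    is missing or mismatched on the DC, not in the keytab.
    """
    keys = keys_for(entries, principal)
    if not keys:
        return "principal not in keytab"      # kinit fails before contacting the KDC
    if len({k.kvno for k in keys}) > 1:
        return "mixed kvno"                   # stale keys from an earlier join
    if all(k.enctype.lower() in WEAK_ENCTYPES for k in keys):
        return "only weak enctypes"           # works, but rotate to AES
    return "ok"


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    for principal in sorted({e.principal for e in entries}):
        print(f"{principal}: {diagnose(entries, principal)}")
    print(f"{len(weak_keys(entries))} of {len(entries)} keys use deprecated enctypes")
```

Run it against your own machine with `klist -kte | python3 this_script.py`-style piping after replacing `SAMPLE_KLIST` with `sys.stdin.read()`; the principal SSSD uses in its log (`host/pontus@EXAMPLE.COM`, the short form) and the one handed to `kinit` are checked the same way.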
-----Original Message-----
From: sssd-devel-bounces(a)lists.fedorahosted.org
[mailto:sssd-devel-bounces@lists.fedorahosted.org] On behalf of Josh Geisser
Sent: Thursday, 24 November 2011 18:26
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] GSSAPI and Kerberos - understanding question
Adding your tip to the smb.conf did the trick.
[global]
client signing = mandatory
client use spnego = yes
kerberos method = secrets and keytab
net join ads and the keytab is written and can be used by sssd. Also the timestamps are
from now and not the '70s. So seems to work with 2003 SFU.
Perfect & thanks a lot :)
You might add "klist -kte" and "net ads status/info" also to the
documentation as they help a lot verifying what's happening.
Sorry question anyway: using the keytab just eases the issue with plaintext binding
credentials, but is actually still a 'weakness': stealing this key enables you to the
active-directory from anywhere, anyway, not?
Is there a scenario where the 'challenging' username/passwd is taken to
authenticate against the AD? E.g. the credentials I just ssh/pam-entered are used against
LDAP instead of any pre-configured credentials?
Cheers
Josh
-----Original Message-----
From: sssd-devel-bounces(a)lists.fedorahosted.org
[mailto:sssd-devel-bounces@lists.fedorahosted.org] On behalf of John Hodrien
Sent: Wednesday, 23 November 2011 23:33
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] GSSAPI and Kerberos - understanding question
On Wed, 23 Nov 2011, Josh Geisser wrote:
Thanks for the answer will check soon.
Joining the machine actually works as far as I understand: it creates the
computer object in LDAP and is visible in the AD management utility.
But it doesn't write any local /etc/krb5.keytab, which I assume SSSD or the
krb5-tools will use, not?
Want to try your additional smb.conf parameters and I'll come back to you
Will update the article with some more notes on this tomorrow. My config was
for samba 3.5, I don't know what version you're running. You definitely need
the keytab line in your config (that line is different in 3.0 but you'll find
it in the man page).
Once you've done that, join the domain again, and /etc/krb5.keytab should be
created, and yes, that's what sssd uses.
jh
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
--
----
ASG at hnet