topic Re: Cifs authentication question. in Operating System - HP-UX

Cifs authentication question.

Chris Johnson_11 — Tue, 08 Aug 2006 09:32:09 GMT

Hi everyone.

I have a slight problem understanding how ADS security works.

I have the latest version of CIFS / Kerberos and LDAP/UX

I have installed samba correctly as far as I can see.

smb.conf / kinit / krb5.conf / net ads join etc all work correctly as far as I can see.

However, when I use syncsmbpasswd
/var/opt/samba/private/smbpasswd does indeed get populated from the windows 2003 PDC but all state similar to the following:-

AFLAVELL$:10244:NOPASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX[NU ]:LCT-00000000:

I admit it has taken me a while to get this far so backtracking would be difficult. As far as I understand, running syncsmbpasswd should pull all users and passwords from the Windows domain controller. Is this correct?

All shares do not work at all at present. Any user immediately is greeted with a password prompt.

I will post all configs if needed but I am sure this is a simple step I have missed.

Cheers
Chris

Re: Cifs authentication question.

Steven E. Protter — Tue, 08 Aug 2006 09:42:18 GMT

Shalom,

My understanding is that syncsmbpasswd should do as you expect.

You seem to be having a problem with the way one of the users is configured in ADS. This looks like a Windows issue.

SEP

Re: Cifs authentication question.

Chris Johnson_11 — Wed, 09 Aug 2006 01:48:22 GMT

I have no idea if it's a Windows problem.

Has anyone else had this?

Here are the conf files in case anyone spots the obvious.

*kerberos

[libdefaults]
default_realm = HUFUK.COM
default_tkt_enctypes = DES-CBC-CRC
default_tgs_enctypes = DES-CBC-CRC
ccache_type = 2
[realms]
HUFUK.COM = {
kdc = apdc.hufuk.com:88
admin_server = apdc.hufuk.com
}
[domain realm]
.COM = HUFUK.COM
[logging]
kdc = FILE:/var/log/krb5dc.log
admin_server = FILE:/var/logkadmin.log
default = FILE:/var/log/krb5lib.log

smb.conf.

# Global parameters
[global]
workgroup = HUFUK
realm = HUFUK.COM
server string = Huferpu1 Samba Server
security = ADS
password server = apdc.hufuk.com
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
preferred master = No
domain master = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enable local accounts = Yes
winbind use default domain = Yes
valid users = cjohnson aflavell
read only = No
hosts allow = 192.0.0.0/255.255.0.0
short preserve case = No
dos filetime resolution = Yes

# ./net ads join -U cjohnson%mypass
Using short domain name -- HUFUK
Joined 'HUFERPU1' to realm 'HUFUK.COM
#

Very short and sweet, nothing special going on.

I really could do with some suggestions people?

Cheers
Chris

Re: Cifs authentication question.

TEC-HP — Wed, 09 Aug 2006 02:54:08 GMT

Hi Chris,

Did you change the "authenticationLevel" parameter to kerberos (instead of ntlm) in the /etc/opt/cifsclient/cifsclient.cfg file?

An xtra question: is your ADS the 2003 R2 version with the RF2307 scheme implemented or do you use the MS SFU scheme extensions?

Re: Cifs authentication question.

Chris Johnson_11 — Thu, 10 Aug 2006 02:06:16 GMT

Hi Chris,

Now we may be getting somewhere. I didnt even know that cifsclient.cfg existed. I didn't see a reference to that in the admin guide.

The authentication is set to ntlm. Is this correct?

Cheers
Chris

Re: Cifs authentication question.

TEC-HP — Thu, 10 Aug 2006 02:55:42 GMT

Chris

I'm just checking the possibilities at this moment. I haven't a working environment aither at this point. But if you want to use kerberos authentication: thenyou need to change parameter to kerberos instead of NTLM (check also your PAM config). Anyway: I'm currently following this guide:
http://docs.hp.com/en/B8724-90067/ch03.html?btnNext=next%A0%BB

I'm currently at this point:
#kinit
...
#/opt/cifsclient/bin/cifsgettkt -s af0002
cifsgettkt: acquired service ticket for server af0002
default cache: FILE:/tmp/krb5cc_809_833
ticket data:
client name: id075213
client realm: BGC.NET
server name: af0002
server realm: BGC.NET
authtime: Thu Aug 10 09:39:50 2006
starttime: Thu Aug 10 09:39:50 2006
endtime: Thu Aug 10 19:39:50 2006
ticket length: 1725 bytes

so far so good, but when:

#cifsmount //af0002/id075213$ /home/id075213 -U id075213
Remote user id075213's password:
Logging in User: Unknown error class 999
...
will keep you informed if progress is made

Re: Cifs authentication question.

Michael Gildersleeve — Thu, 14 Sep 2006 16:25:14 GMT

Chris, I have been going through the same process for a few weeks. Today I have successfuly configured my HP-UX 11i server with SAMBA and AD and was able to sync up with the AD server using the command - /opt/samba/bin/syncsmbpasswd
I used Winbind for this.
HERE ARE MY STEPS -
Do you have the current Patches neede and the following product installed -
# swlist -l product |grep -i CIFS
CIFS-Client A.02.02 CIFS Client
CIFS-Development A.02.02.01 HP CIFS Server Source Code Files
CIFS-Server A.02.02.01 HP CIFS Server (Samba) File and Print Services
# swlist -l product |grep -i ldap
LdapUxClient B.04.00.02 LDAP-UX Client Services
NisLdapServer B.04.00.02 The NIS/LDAP Gateway (ypldapd)
# swlist -l product |grep -i pam
PAM-Kerberos B.11.11.14 PAM-Kerberos Version 1.24
PAM-NTLM A.02.02 HP NTLM Pluggable Authentication Module
PHCO_27064 1.0 libpam cumulative patch
PHCO_34214 1.0 libpam_unix cumulative patch

make sure that you have the NTP server running. I used my AD server as the NTP server.
Add these lines to your pam.conf file for each grouping -
# ADDED BY MTG 9/8/06
login auth required /usr/lib/security/libpam_updbe.1
login auth sufficient /usr/lib/security/libpam_krb5.1 forwardable renewable=5d10h
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
# END ADD
make sure that you change the file permissions back to 444.
Make sure that these lines are in your smb.conf file -
security = ADS
realm = YourREALM.COM
encrypt passwords = Yes
allow trusted domains = No
password server = MyADServer *
domain master = no
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
server signing = auto
client use spnego = No
announce version = 3.2
name resolve order = wins host lmhosts bcast
wins server = yes
wins server = 10.1.2.34
ldap ssl = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

Make sure that /etc/services is correct with the following entries:

Services changes
# Kerberos (Project Athena/MIT) services
#
# ADD BELOW MTG 09/08/2006 FOR AD/CIFS
# PAM Kerberos services
#
kerberos 88/udp kdc # Kerberos V5 kdc
kerberos 88/tcp kdc # Kerberos V5 kdc
klogin 543/tcp # Kerberos rlogin -kfall
kshell 544/tcp cmd # Kerberos remote
shell
kerberos-adm 749/tcp # Kerberos 5 admin/changepw
kerberos-adm 749/udp # Kerberos 5 admin/changepw
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 464/udp # Kerberos Password Change protocol
kerberos-cpw 464/tcp # Kerberos Password Change protocol
#
# END PAM Kerberos services
swat 901/tcp # SAMBA Web-based Admin Tool
Make these changes to the nsswitch.conf file.
# cat /etc/nsswitch.conf
#
# /etc/nsswitch.files:
#
# @(#)B.11.11_LR
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any name services.
#
# MTG Commented 2 lines below and
# ADDED 9/14/2006 for SAMBA/WINBIND/AD
#passwd: files
#group: files

passwd: files winbind
shadow: files
group: files winbind
# END MTG 9/14/2006

host: files [NOTFOUND=continue] dns
services: files
networks: files
protocols: files
rpc: files
publickey: files
netgroup: files
automount: files
aliases: files
ipnodes : dns files

Create or Change the krb5.conf file like Unix server below â
# cat krb5.conf
# Kerberos Configuration #
# #
# This krb5.conf file is intended as an example only. #
# See krb5.conf(4) for more details. #
#
# Please verify that you have created the directory /var/log.#
# #
# Replace MYREALM.XYZ.COM with your kerberos Realm. #
# Replace adsdc.myrealm.xyz.com with your Windows ADS DC full#
# domain name. #
# MyREALM and my AD server are the same #
[libdefaults]
default_realm = MyREALM.COM
# MTG ADDED 9/11/2006
dns_lookup_realm = true
dns_lookup_kdc = true
# END ADD
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
ccache_type = 2
[realms]
MyREALM.COM = {
kdc = MY-ADserver.mydomain.com:88
admin_server = MY-ADserver.mydomain.com
}
[domain_realm]
.COM = MyDomain.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

THIS REGISTERS AND CREATES THE KRB5 KEYTAB FILE ON THE UNIX SERVER-
# ktutil
ktutil: rkt /Dump/AD-Keypass/unixMyUnixserver.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: quit

NOW USE KLIST TO SEE THAT THE KEY TAB FILE IS REGISTERED -
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/MyUnixServer.MyDomain.com@MyREALM.COM

VALIDATE THE PAM and KERBEROS FILEs WITH THE FOLLOWING COMMAND -
# pamkrbval -v --> Re-validate the PAM-KRB setup
** LOOK FOR ERRORS OR WARNINGS **

NOW JOIN THE AD ENVIRONMENT -
# /opt/samba/bin/net ads join -U Intrepid
'MyUnixServer' 's password: %AD0nxrrE1d_0

[2006/09/08 15:04:13, 0] libads/ldap.c:ads_add_machine_acct(1404)
ads_add_machine_acct: Host account for MyUnixServer already exists - modifying old account
Using short domain name -- MyDomain
Joined 'MyUnixServer' to realm 'MyDomain/MyREALM.COM'

How to Un-Join or LEAVE the AD Server -
# /opt/samba/bin/net ads leave
Removed ' MyUnixServer ' from realm 'DVWF.COM'

Stop and start the services.
I did this through SAMBA/SWAT http://{MyUnixServer}:901

stop smbd, nmbd, and wins
start smbs, nmbd, and wins

Now Sync up with AD
# /opt/samba/bin/syncsmbpasswd
Backing up your /var/opt/samba/private/smbpasswd file to /var/opt/samba/private/smbpasswd.backup
Adding MyREALM\_dv to smbpasswd file.

I hope that this will help you. I wish I found something like this when I was searching.

Regards,
Mike

Re: Cifs authentication question.

Chris Johnson_11 — Fri, 15 Sep 2006 01:51:32 GMT

Hi Michael,

Now THAT is the sort of superb, concise answer to a fairly difficult problem everyone needs.

Well done sir and I hope future threads point to this.

Very nice.

Re: Cifs authentication question.

Michael Gildersleeve — Mon, 25 Sep 2006 11:44:13 GMT

In my last reply I have an incorrect pam.conf file which will cause logins to prompt several times before allowing access. I have a correction for this and an apology for not noticing this prior to my post. Sorry to all and here is the correction -
cat /etc/pam.conf
# cat pam.conf
#
# PAM Configuration
#
# Account Management
#
dtaction account required /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_unix.1
login account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_unix.1
#
# Authentication Management
#
dtaction auth required /usr/lib/security/libpam_unix.1
dtlogin auth required /usr/lib/security/libpam_unix.1
ftp auth required /usr/lib/security/libpam_unix.1
# login auth required /usr/lib/security/libpam_unix.1
su auth required /usr/lib/security/libpam_unix.1
OTHER auth required /usr/lib/security/libpam_unix.1
# ADDED BY MTG 9/8/06
login auth required /usr/lib/security/libpam_updbe.1
login auth sufficient /usr/lib/security/libpam_krb5.1 forwardable renewable=5d10h
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
# END ADD
#
# Password Management
#
dtaction password required /usr/lib/security/libpam_unix.1
dtlogin password required /usr/lib/security/libpam_unix.1
login password required /usr/lib/security/libpam_unix.1
# passwd password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1
# ADDED BY MTG 9/8/06
passwd password required /usr/lib/security/libpam_updbe.1
passwd password required /usr/lib/security/libpam_ntlm.1
passwd password required /usr/lib/security/libpam_unix.1 try_first_pass
# END ADD
#
# Session Management
#
dtaction session required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_unix.1
login session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_unix.1
# ADDED BY MTG 9/8/06
login session required /usr/lib/security/libpam_updbe.1

Re: Cifs authentication question.

Nobody's Hero — Mon, 25 Sep 2006 11:47:27 GMT

Please post smb config file.

To authenticate from the windoze side you must have winbind daemon running.

Re: Cifs authentication question.

Michael Gildersleeve — Mon, 25 Sep 2006 13:54:04 GMT

Sure, here is my smb.conf file -
# cat opt/samba/smb.conf
# Samba config file created using SWAT
# from 10.1.9.5 (10.1.9.5)
# Date: 2006/09/22 15:06:47

# Global parameters
[global]
workgroup = FLOWER
realm = FLOWER.COM
server string = MyServerName
security = ADS
allow trusted domains = No
password server = MYADserver *
log file = /var/opt/samba/log.%m
max log size = 1000
announce version = 3.2
name resolve order = wins host lmhosts bcast
server signing = auto
client use spnego = No
domain master = No
wins server = 10.1.2.34
ldap ssl = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
read only = No
create mask = 0766
directory mask = 0777
short preserve case = No
dos filetime resolution = Yes

[homes]
comment = Home Directories
browseable = No

[tmp]
path = /tmp

[Dump]
path = /Dump
guest ok = Yes

[Labels]
comment = Label dump
path = /Dump/Labels
guest ok = Yes

[Code]
path = /LANShare/Code
write list = MyNTID-here
read only = Yes
guest ok = Yes

[AppServ]
path = /LANShare/Code/appserv
guest ok = Yes

[Import]
path = /Dump/Import
guest ok = Yes

Hope that this will help you.

Regards,
Mike