topic Re: CIFS client & Kerberos in Operating System - HP-UX

CIFS client & Kerberos

Oscar Garcia — Fri, 24 Aug 2007 10:29:55 GMT

Hi Guys,

I might be over complicating things with this configuration but I have reached an stuck point.
I am trying to share a directory in HPUX 11i v1 (A) with CIFS. My goal is to be able to mount it to another HPUX 11i v1 (B).
To achive this, I have installed Kerberos Server T1417AA in other server 11i v1 (C).
To begin with, the autoconfiguration of kerberos server behaved different from what was in the documentation. To simplify things I cannot find a /etc/krb5.conf file...
Any help, advice or suggestion would be gratefully appreciated.

Re: CIFS client & Kerberos

eric roseme — Fri, 24 Aug 2007 15:11:35 GMT

Hi Oscar,

You need a Windows KDC to use Kerberos with both the CIFS Server and Client. You need to install the HP-UX 11v1 Kerberos Client for either the CIFS Server/Client to work with krb5 authentication. Don't use the Kerberos Client that originally came with 11iv1 - go here and get the latest client:
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRB5CLIENT

All of this may be moot if you do not have a Windows 2000/2003 KDC to use.

Re: CIFS client & Kerberos

Oscar Garcia — Tue, 28 Aug 2007 04:01:23 GMT

Thanks Eric for your help.

I do not have a windows KDC. Are you sure is absolutely necessary? I've been reading quite a lot of kerberos documentation (my head is spinning around) and is never mentioned Windows...

But if that is the case I will go back to NFS, last thing I want is to get into Windows.

Re: CIFS client & Kerberos

Steven E. Protter — Tue, 28 Aug 2007 04:08:31 GMT

Shalom,

I actually have a case open on this with the HP response center in Israel.

So far, I have been advised to make sure the latest version of CIFS client and server are installed on the HP-UX system.

I will provide further update as I run a checklist and diagnose.

cifs client requires a reboot to install, so plan that one out.

Hopefully I can get back to you with good news soon.

SEP

Re: CIFS client & Kerberos

Oscar Garcia — Tue, 28 Aug 2007 05:03:38 GMT

Hi Steven,

I have installed the most recent versions in the servers. But I have to tell I am lost following the documentation. I am wandering if is a case of updating the document...

This is the dialog that I've got for the server configuration:

1) Configure as a Primary Security Server
2) Configure as a Secondary Security Server

-I chose option 1.

Do you want to stash the principal database key on your local disk (y/n)

- I replied y

Please enter the fully qualified name of the Secondary Security Server1
press 'q' if you want to skip this and proceed further:

-replied q

Enter the realm name

- I gave a name different from the default

Then it shown all these lines:

/opt/krb5/krb.conf moved to /opt/krb5/krb.conf.keep

/opt/krb5/krb.realms moved to /opt/krb5/krb.realms.keep

/opt/krb5/kpropd.ini moved to /opt/krb5/kpropd.ini.keep

Creating krb.conf and krb.realms files
Copying admin_acl_file and password.policy file onto KRB5_ROOT dir

You will be prompted for the database Master Password.
It is important that you DO NOT FORGET this password.

Enter Password:
Kerberos server has been configured successfully.

Then the next thing in the document (http://docs.hp.com/en/T1417-90001/ch03s03.html) is a description of the files that suppose to be generated automatically and that I cannot find: krb5.conf and kdc.conf.

So I hope the guys from HP come up with a nice explanation.

Thanks and regards,

Re: CIFS client & Kerberos

Heironimus — Tue, 28 Aug 2007 10:44:03 GMT

I'm not sure that you need Kerberos if you're just connecting HP to HP. I would only expect to need Kerberos for Active Directory domain authentication. I haven't done much with the HP CIFS Client, but I've used Samba (which is what HP brands as their CIFS Server) for years with local smbpasswd authentication and no Kerberos involved.

Re: CIFS client & Kerberos

Steven E. Protter — Tue, 28 Aug 2007 10:51:56 GMT

Shalom,

Still fighting with this. We are trying to avoid a Kerberos server on HP-UX for fear it will interfere with SSO, single sign on using the windows PDC.

I will read your doc, run your configuration script and see what it gets me. I'm thinking I may need to install the server product to make this work.

SEP

Re: CIFS client & Kerberos

Oscar Garcia — Tue, 28 Aug 2007 11:22:03 GMT

Well, I was looking for the list of prerequisites to show to Hieronimus, when I found this perl (http://www.docs.hp.com/en/B8724-90044/B8724-90044.pdf):
Kerberos Key Distribution Center and CIFS Servers
For this release, only Windows 2000 is supported for Kerberos authentication.
Specifically, Key Distribution Centers (KDCs) and CIFS file servers
that participate in Kerberos authentication with the HP CIFS Client
must be Windows 2000 systems. Any other supported server platform
can be used for traditional NTLM authentication.

After all it seems that Eric was right...

I think I did some work with Samba in Suse 8, but I was not happy with the results and as my favourites servers are HP, I was just dreaming with CIFS replacing the awful NFS.

Re: CIFS client & Kerberos

Heironimus — Tue, 28 Aug 2007 12:44:16 GMT

I may have missed something in your question, but is there a reason you can't use NTLM? It looks like the CIFS Client isn't quite so picky about NTLM servers.

I'm not sure that HP CIFS Client is up to the task of replacing NFS. My (brief) dealings with it did not give me confidence. It worked, but it seemed a little quirky and very poorly documented.

Re: CIFS client & Kerberos

Oscar Garcia — Wed, 29 Aug 2007 09:30:35 GMT

Thanks Hieronimus,

I am going to give it another shot without touching kerberos. I think I got so confused reading here and there, that I lost the plot completely.

It may be a bit academic, but the question is still valid for that kerberos configuration script...

Re: CIFS client & Kerberos

Heironimus — Wed, 29 Aug 2007 10:55:46 GMT

When a vendor is really just providing a tested/supported version of an open source app I usually use the original documentation and just check the vendor docs to see where they made changes. You may be better off reading the documentation on http://samba.org/ instead of HP's CIFS Server manuals.

I don't know about the Kerberos configuration script, but most of the HP-supplied setup scripts I've looked at were outdated, had undocumented limitations, or had no documentation at all. It wouldn't surprise me if the documentation was wrong or the script was broken.

Re: CIFS client & Kerberos

eric roseme — Wed, 29 Aug 2007 18:07:52 GMT

Hi Oscar,

yes - I am absolutely sure that to authenticate either HP CIFS Server or HP CIFS Client with Kerberos, you must use a Windows KDC.

The HP-UX Kerberos server can auth-n HP-UX applications, Inet-Services, or PAM-Kerberos, but not either CIFS product.

Sorry for the misunderstanding. I can post the links in the docs that explain this, if you like. You can look at the Samba list for postings where users try to hack in an MIT or Heimdal KDC, but that's not a "supported" Samba config.

Eric Roseme
Hewlett-Packard

Re: CIFS client & Kerberos

Oscar Garcia — Thu, 30 Aug 2007 04:19:31 GMT

Thanks Eric for the reply.

This then settles it down. I was wrong trying to use kerberos for what I intended to do.
I will wait for Steve to write his findings before closing the thread.

Re: CIFS client & Kerberos

eric roseme — Thu, 30 Aug 2007 11:49:21 GMT

Okay. Given that we have ruled out krb5, if you want to config your CIFS server to just share out a directory for your CIFS client, you can just use a basic CIFS Server setup. You can make it a stand-alone CIFS server, or a PDC of it's own domain. "security = user" will work fine, no need for an LDAP backend - you can just use the /var/opt/samba/private/smbpasswd file. After you do the basic config from the samba_setup script, just run /opt/samba/bin/samba_setup. When you're done, run /opt/samba/bin/syncsmbpasswd and all of your /etc/passwd users will be copied to your smbpasswd file. You can just edit out the ones that should not have CIFS access and you're ready to go.

Re: CIFS client & Kerberos

Kiran Kr — Fri, 16 Nov 2007 05:48:20 GMT

I was just looking into the Kerberos Server documentation. I guess you are using the wrong version of the document, here's the correct version:
http://docs.hp.com/en/T1417-90003/ch05s03.html