Cifs authentication question.
08-08-2006 02:32 AM
I have a slight problem understanding how ADS security works.
I have the latest version of CIFS / Kerberos and LDAP/UX
I have installed samba correctly as far as I can see.
smb.conf / kinit / krb5.conf / net ads join etc all work correctly as far as I can see.
However, when I use syncsmbpasswd
/var/opt/samba/private/smbpasswd does indeed get populated from the Windows 2003 PDC, but all entries look similar to the following:
AFLAVELL$:10244:NOPASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX[NU ]:LCT-00000000:
I admit it has taken me a while to get this far so backtracking would be difficult. As far as I understand, running syncsmbpasswd should pull all users and passwords from the Windows domain controller. Is this correct?
None of the shares work at all at present. Any user is immediately greeted with a password prompt.
I will post all configs if needed but I am sure this is a simple step I have missed.
Cheers
Chris
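Added example, not part of the original post: a small POSIX shell/awk audit of the smbpasswd file format the entries above are in. Each line is name:uid:LM-hash:NT-hash:[flags]:LCT-hex:, and an entry whose hash field is the "NO PASSWORD" placeholder, or whose flags contain N ("no password required"), carries nothing a client password can be checked against, so counting those is the first thing to do before debugging share access. The sample file is constructed for the example; the function names are mine. (A Windows DC never hands out password hashes over LDAP, so a sync tool can only create the accounts; with security = ADS, as the accepted answer sets up, the password check itself is passed to the DC.)

```shell
#!/bin/sh
# Added example (not from the thread): list smbpasswd entries that have no
# usable NT hash. Field layout per smbpasswd(5):
#   name:uid:LM-hash:NT-hash:[flags]:LCT-hex:
# "NO PASSWORD" + X padding in a hash field means no hash was stored;
# an N in the flags field marks the account "no password required".

# Print "<name> <reason>" for every entry without a stored NT hash or with
# the N flag. Comments and blank lines are skipped.
smbpasswd_nopass() {
    awk -F: '
        /^#/ || NF == 0 { next }
        {
            name = $1; nthash = $4; flags = $5
            reason = ""
            if (nthash ~ /^NO PASSWORD/) reason = "no-nt-hash"
            if (flags ~ /N/) reason = (reason == "" ? "" : reason ",") "flag-N"
            if (reason != "") print name, reason
        }' "$1"
}

# Number of such entries; 0 means every account has a real hash.
smbpasswd_nopass_count() {
    smbpasswd_nopass "$1" | wc -l | tr -d ' '
}

# Constructed sample (not the poster's real file): one normal user, one
# entry like the one quoted in the post, one disabled account.
sample_smbpasswd() {
    cat <<'EOF'
# constructed sample smbpasswd file
alice:10001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-44D97D2A:
AFLAVELL$:10244:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
bob:10002:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[DU         ]:LCT-00000000:
EOF
}

# Stand-alone run: audit the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    sample_smbpasswd > "$f"
    smbpasswd_nopass "$f"
    rm -f "$f"
fi
```

Run it against the real file with smbpasswd_nopass /var/opt/samba/private/smbpasswd; only the AFLAVELL$-style entry is reported from the sample, the disabled bob account is not, because D is a different condition from "no hash".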
08-08-2006 02:42 AM
Re: Cifs authentication question.
My understanding is that syncsmbpasswd should do as you expect.
You seem to be having a problem with the way one of the users is configured in ADS. This looks like a Windows issue.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
08-08-2006 06:48 PM
Re: Cifs authentication question.
Has anyone else had this?
Here are the conf files in case anyone spots the obvious.
* kerberos (krb5.conf)
[libdefaults]
default_realm = HUFUK.COM
default_tkt_enctypes = DES-CBC-CRC
default_tgs_enctypes = DES-CBC-CRC
ccache_type = 2
[realms]
HUFUK.COM = {
kdc = apdc.hufuk.com:88
admin_server = apdc.hufuk.com
}
[domain realm]
.COM = HUFUK.COM
[logging]
kdc = FILE:/var/log/krb5dc.log
admin_server = FILE:/var/logkadmin.log
default = FILE:/var/log/krb5lib.log
* smb.conf
# Global parameters
[global]
workgroup = HUFUK
realm = HUFUK.COM
server string = Huferpu1 Samba Server
security = ADS
password server = apdc.hufuk.com
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
preferred master = No
domain master = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enable local accounts = Yes
winbind use default domain = Yes
valid users = cjohnson aflavell
read only = No
hosts allow = 192.0.0.0/255.255.0.0
short preserve case = No
dos filetime resolution = Yes
# ./net ads join -U cjohnson%mypass
Using short domain name -- HUFUK
Joined 'HUFERPU1' to realm 'HUFUK.COM'
#
Very short and sweet, nothing special going on.
I really could do with some suggestions, people.
Cheers
Chris
08-08-2006 07:54 PM
Re: Cifs authentication question.
Did you change the "authenticationLevel" parameter to kerberos (instead of ntlm) in the /etc/opt/cifsclient/cifsclient.cfg file?
An extra question: is your ADS the 2003 R2 version with the RFC 2307 schema implemented, or do you use the MS SFU schema extensions?
08-09-2006 07:06 PM
Re: Cifs authentication question.
Now we may be getting somewhere. I didn't even know that cifsclient.cfg existed. I didn't see a reference to that in the admin guide.
The authentication is set to ntlm. Is this correct?
Cheers
Chris
08-09-2006 07:55 PM
Re: Cifs authentication question.
I'm just checking the possibilities at this moment. I don't have a working environment either at this point. But if you want to use Kerberos authentication, then you need to change the parameter to kerberos instead of NTLM (check also your PAM config). Anyway, I'm currently following this guide:
http://docs.hp.com/en/B8724-90067/ch03.html?btnNext=next%A0%BB
I'm currently at this point:
#kinit
...
#/opt/cifsclient/bin/cifsgettkt -s af0002
cifsgettkt: acquired service ticket for server af0002
default cache: FILE:/tmp/krb5cc_809_833
ticket data:
client name: id075213
client realm: BGC.NET
server name: af0002
server realm: BGC.NET
authtime: Thu Aug 10 09:39:50 2006
starttime: Thu Aug 10 09:39:50 2006
endtime: Thu Aug 10 19:39:50 2006
ticket length: 1725 bytes
so far so good, but when:
#cifsmount //af0002/id075213$ /home/id075213 -U id075213
Remote user id075213's password:
Logging in User: Unknown error class 999
...
will keep you informed if progress is made
09-14-2006 09:25 AM
I used Winbind for this.
HERE ARE MY STEPS -
Do you have the current patches needed and the following products installed?
# swlist -l product |grep -i CIFS
CIFS-Client A.02.02 CIFS Client
CIFS-Development A.02.02.01 HP CIFS Server Source Code Files
CIFS-Server A.02.02.01 HP CIFS Server (Samba) File and Print Services
# swlist -l product |grep -i ldap
LdapUxClient B.04.00.02 LDAP-UX Client Services
NisLdapServer B.04.00.02 The NIS/LDAP Gateway (ypldapd)
# swlist -l product |grep -i pam
PAM-Kerberos B.11.11.14 PAM-Kerberos Version 1.24
PAM-NTLM A.02.02 HP NTLM Pluggable Authentication Module
PHCO_27064 1.0 libpam cumulative patch
PHCO_34214 1.0 libpam_unix cumulative patch
Make sure that you have the NTP server running. I used my AD server as the NTP server.
Add these lines to your pam.conf file for each grouping -
# ADDED BY MTG 9/8/06
login auth required /usr/lib/security/libpam_updbe.1
login auth sufficient /usr/lib/security/libpam_krb5.1 forwardable renewable=5d10h
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
# END ADD
make sure that you change the file permissions back to 444.
Make sure that these lines are in your smb.conf file -
security = ADS
realm = YourREALM.COM
encrypt passwords = Yes
allow trusted domains = No
password server = MyADServer *
domain master = no
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
server signing = auto
client use spnego = No
announce version = 3.2
name resolve order = wins host lmhosts bcast
wins server = yes
wins server = 10.1.2.34
ldap ssl = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
Make sure that /etc/services is correct with the following entries:
Services changes
# Kerberos (Project Athena/MIT) services
#
# ADD BELOW MTG 09/08/2006 FOR AD/CIFS
# PAM Kerberos services
#
kerberos 88/udp kdc # Kerberos V5 kdc
kerberos 88/tcp kdc # Kerberos V5 kdc
klogin 543/tcp # Kerberos rlogin -kfall
kshell 544/tcp cmd # Kerberos remote shell
kerberos-adm 749/tcp # Kerberos 5 admin/changepw
kerberos-adm 749/udp # Kerberos 5 admin/changepw
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 464/udp # Kerberos Password Change protocol
kerberos-cpw 464/tcp # Kerberos Password Change protocol
#
# END PAM Kerberos services
swat 901/tcp # SAMBA Web-based Admin Tool
Make these changes to the nsswitch.conf file.
# cat /etc/nsswitch.conf
#
# /etc/nsswitch.files:
#
# @(#)B.11.11_LR
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any name services.
#
# MTG Commented 2 lines below and
# ADDED 9/14/2006 for SAMBA/WINBIND/AD
#passwd: files
#group: files
passwd: files winbind
shadow: files
group: files winbind
# END MTG 9/14/2006
host: files [NOTFOUND=continue] dns
services: files
networks: files
protocols: files
rpc: files
publickey: files
netgroup: files
automount: files
aliases: files
ipnodes : dns files
Create or change the krb5.conf file on the Unix server as below:
# cat krb5.conf
# Kerberos Configuration #
# #
# This krb5.conf file is intended as an example only. #
# See krb5.conf(4) for more details. #
#
# Please verify that you have created the directory /var/log.#
# #
# Replace MYREALM.XYZ.COM with your kerberos Realm. #
# Replace adsdc.myrealm.xyz.com with your Windows ADS DC full#
# domain name. #
# MyREALM and my AD server are the same #
[libdefaults]
default_realm = MyREALM.COM
# MTG ADDED 9/11/2006
dns_lookup_realm = true
dns_lookup_kdc = true
# END ADD
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
ccache_type = 2
[realms]
MyREALM.COM = {
kdc = MY-ADserver.mydomain.com:88
admin_server = MY-ADserver.mydomain.com
}
[domain_realm]
.COM = MyDomain.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
THIS REGISTERS AND CREATES THE KRB5 KEYTAB FILE ON THE UNIX SERVER-
# ktutil
ktutil: rkt /Dump/AD-Keypass/unixMyUnixserver.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: quit
NOW USE KLIST TO SEE THAT THE KEY TAB FILE IS REGISTERED -
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/MyUnixServer.MyDomain.com@MyREALM.COM
VALIDATE THE PAM and KERBEROS FILEs WITH THE FOLLOWING COMMAND -
# pamkrbval -v --> Re-validate the PAM-KRB setup
** LOOK FOR ERRORS OR WARNINGS **
NOW JOIN THE AD ENVIRONMENT -
# /opt/samba/bin/net ads join -U Intrepid
'MyUnixServer' 's password: %AD0nxrrE1d_0
[2006/09/08 15:04:13, 0] libads/ldap.c:ads_add_machine_acct(1404)
ads_add_machine_acct: Host account for MyUnixServer already exists - modifying old account
Using short domain name -- MyDomain
Joined 'MyUnixServer' to realm 'MyDomain/MyREALM.COM'
How to Un-Join or LEAVE the AD Server -
# /opt/samba/bin/net ads leave
Removed ' MyUnixServer ' from realm 'DVWF.COM'
Stop and start the services.
I did this through SAMBA/SWAT http://{MyUnixServer}:901
stop smbd, nmbd, and wins
start smbd, nmbd, and wins
Now Sync up with AD
# /opt/samba/bin/syncsmbpasswd
Backing up your /var/opt/samba/private/smbpasswd file to /var/opt/samba/private/smbpasswd.backup
Adding MyREALM\_dv to smbpasswd file.
I hope that this will help you. I wish I found something like this when I was searching.
Regards,
Mike
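Added example, not part of Mike's post: a pre-flight script for the steps above (smb.conf, krb5.conf, nsswitch.conf and the pam.conf login auth stack), meant to be run before net ads join and syncsmbpasswd. Each check takes the path of one file and returns 0 or 1 so the script can be dropped into a login or cron job; the file paths, the function names and the sample configs it writes are my assumptions, not anything from HP's CIFS product. The sample krb5.conf deliberately uses "[domain realm]" (space instead of underscore) so that exactly one check fails and you can see what a failure looks like.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an HP-UX
# CIFS / Kerberos / winbind setup. Every check_* function reads one config
# file and returns 0 (pass) or 1 (fail); run_preflight DIR runs them all
# against DIR/smb.conf, krb5.conf, nsswitch.conf, pam.conf and returns
# the number of failures. File locations are assumptions for the example.

# Drop comments, trim leading blanks, squeeze "key = value" to "key=value"
# and lower-case everything so the greps below are case-insensitive.
normalize_kv() {
    sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" | tr '[:upper:]' '[:lower:]'
}

# smb.conf: security = ADS, a realm and a password server must be set.
check_smbconf() {
    kv=$(normalize_kv "$1")
    echo "$kv" | grep -q '^security=ads$'   || { echo "smb.conf: security must be ADS"; return 1; }
    echo "$kv" | grep -q '^realm=.'         || { echo "smb.conf: realm is not set"; return 1; }
    echo "$kv" | grep -q '^password server=.' || { echo "smb.conf: password server is not set"; return 1; }
    return 0
}

# krb5.conf: default_realm, a [domain_realm] section (underscore!) and a kdc.
check_krb5conf() {
    kv=$(normalize_kv "$1")
    echo "$kv" | grep -q '^default_realm=.'   || { echo "krb5.conf: default_realm missing"; return 1; }
    echo "$kv" | grep -q '^\[domain_realm]$'  || { echo "krb5.conf: [domain_realm] section missing (underscore, not space)"; return 1; }
    echo "$kv" | grep -q '^kdc=.'             || { echo "krb5.conf: no kdc entry under [realms]"; return 1; }
    return 0
}

# nsswitch.conf: both passwd and group must consult winbind.
check_nsswitch() {
    awk '$1 == "passwd:" && /winbind/ { p = 1 }
         $1 == "group:"  && /winbind/ { g = 1 }
         END { exit !(p && g) }' "$1" \
        || { echo "nsswitch.conf: passwd and group must list winbind"; return 1; }
}

# pam.conf: login auth needs "sufficient" libpam_krb5 and libpam_unix with
# try_first_pass (so the Unix fallback reuses the password already typed).
check_pamconf() {
    awk '$1 == "login" && $2 == "auth" && $3 == "sufficient" && $4 ~ /libpam_krb5/ { k = 1 }
         $1 == "login" && $2 == "auth" && $4 ~ /libpam_unix/ && /try_first_pass/ { u = 1 }
         END { exit !(k && u) }' "$1" \
        || { echo "pam.conf: login auth needs sufficient libpam_krb5 and libpam_unix try_first_pass"; return 1; }
}

# Run every check; the return value is the number of failed checks.
run_preflight() {
    fails=0
    check_smbconf  "$1/smb.conf"      || fails=$((fails + 1))
    check_krb5conf "$1/krb5.conf"     || fails=$((fails + 1))
    check_nsswitch "$1/nsswitch.conf" || fails=$((fails + 1))
    check_pamconf  "$1/pam.conf"      || fails=$((fails + 1))
    return $fails
}

# Constructed sample configs (not a real host's files). krb5.conf carries
# the "[domain realm]" misspelling on purpose so one check fails.
make_sample_dir() {
    mkdir -p "$1"
    printf '[global]\n  workgroup = HUFUK\n  realm = HUFUK.COM\n  security = ADS\n  password server = apdc.hufuk.com\n  encrypt passwords = Yes\n' > "$1/smb.conf"
    printf '[libdefaults]\n default_realm = HUFUK.COM\n[realms]\n HUFUK.COM = {\n  kdc = apdc.hufuk.com:88\n }\n[domain realm]\n .hufuk.com = HUFUK.COM\n' > "$1/krb5.conf"
    printf 'passwd: files winbind\ngroup:  files winbind\nhosts:  files dns\n' > "$1/nsswitch.conf"
    printf 'login auth required   /usr/lib/security/libpam_updbe.1\nlogin auth sufficient /usr/lib/security/libpam_krb5.1 forwardable\nlogin auth required   /usr/lib/security/libpam_unix.1 try_first_pass\n' > "$1/pam.conf"
}

# Stand-alone run: check the constructed sample directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_dir "$d"
    run_preflight "$d"; echo "failed checks: $?"
    rm -rf "$d"
fi
```

On a real host, point run_preflight at a directory holding copies of the four files (or call the individual checks with /etc/opt/samba/lb/smb.conf, /etc/krb5.conf, /etc/nsswitch.conf and /etc/pam.conf); it does not replace pamkrbval -v, it only catches the omissions that pamkrbval and net ads join report in less obvious ways.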
09-14-2006 06:51 PM
Re: Cifs authentication question.
Now THAT is the sort of superb, concise answer to a fairly difficult problem everyone needs.
Well done sir and I hope future threads point to this.
Very nice.
09-25-2006 04:44 AM
Re: Cifs authentication question.
# cat /etc/pam.conf
#
# PAM Configuration
#
# Account Management
#
dtaction account required /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_unix.1
login account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_unix.1
#
# Authentication Management
#
dtaction auth required /usr/lib/security/libpam_unix.1
dtlogin auth required /usr/lib/security/libpam_unix.1
ftp auth required /usr/lib/security/libpam_unix.1
# login auth required /usr/lib/security/libpam_unix.1
su auth required /usr/lib/security/libpam_unix.1
OTHER auth required /usr/lib/security/libpam_unix.1
# ADDED BY MTG 9/8/06
login auth required /usr/lib/security/libpam_updbe.1
login auth sufficient /usr/lib/security/libpam_krb5.1 forwardable renewable=5d10h
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
# END ADD
#
# Password Management
#
dtaction password required /usr/lib/security/libpam_unix.1
dtlogin password required /usr/lib/security/libpam_unix.1
login password required /usr/lib/security/libpam_unix.1
# passwd password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1
# ADDED BY MTG 9/8/06
passwd password required /usr/lib/security/libpam_updbe.1
passwd password required /usr/lib/security/libpam_ntlm.1
passwd password required /usr/lib/security/libpam_unix.1 try_first_pass
# END ADD
#
# Session Management
#
dtaction session required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_unix.1
login session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_unix.1
# ADDED BY MTG 9/8/06
login session required /usr/lib/security/libpam_updbe.1
09-25-2006 04:47 AM
Re: Cifs authentication question.
To authenticate from the windoze side you must have winbind daemon running.