
Configuring kerberos for CIFS

SOLVED
Oscar Garcia
Regular Advisor

Configuring kerberos for CIFS

Hi Guys,

I am having some problems trying to join the domain from an 11.23 server. The master KDC is a Windows 2003 server that also acts as NTP server.
I have managed to configure it in SLES 10 but with HPUX, I am really lost.
This is the error I am getting:

# /opt/samba/bin/net ads join -U administrator
administrator's password:
/usr/lib/dld.sl: Unresolved symbol: krb5_cc_close (code) from /opt/samba/bin/net
Abort(coredump)

and this is what I have installed:

# swlist -l fileset |grep erberos
# KRB5-Client B.11.23 Kerberos V5 Client Version 1.0
KRB5-Client.KRB5-64SLIB B.11.23 Kerberos Client 64 bit shared libraries (PA-RISC)
KRB5-Client.KRB5-PRG B.11.23 Kerberos Client header files and sample programs
KRB5-Client.KRB5-RUN B.11.23 Kerberos Client commands (PA-RISC)
KRB5-Client.KRB5-SHLIB B.11.23 Kerberos Client 32 bit shared libraries (PA-RISC)
# PAM-Kerberos C.01.23 PAM-Kerberos Version 1.23
PAM-Kerberos.PAM-KRB-64SLIB C.01.23 PAM-Kerberos 64 bit Shared Library
PAM-Kerberos.PAM-KRB-DEMO C.01.23 PAM-Kerberos Demonstration
PAM-Kerberos.PAM-KRB-MAN C.01.23 PAM-Kerberos Man Page
PAM-Kerberos.PAM-KRB-RUN C.01.23 PAM-Kerberos Runtime
PAM-Kerberos.PAM-KRB-SHLIB C.01.23 PAM-Kerberos 32 bit Shared Library

Thanks in advance for any suggestion.
12 REPLIES
John Guster
Trusted Contributor

Re: Configuring kerberos for CIFS

What is the goal for you to join the domain? Do you try to configure CIFS server on HP-UX using authentication through ADS?
Oscar Garcia
Regular Advisor

Re: Configuring kerberos for CIFS

Hi John,

I am trying to map some shares from a SLES 10 box using CIFS. So I am trying to set up a CIFS client in HP-UX.
I understand I need kerberos client to establish some security.
John Guster
Trusted Contributor

Re: Configuring kerberos for CIFS

Normally between UNIX/Linux and UNIX/Linux, one will use NFS mount or NFS automount to share file systems; between UNIX/Linux and non-UNIX/Linux systems, one will use SAMBA/CIFS. You can use NFS mount to share your file systems between HP-UX and your SLES.
Horia Chirculescu
Honored Contributor

Re: Configuring kerberos for CIFS

>I am trying to map some shares from a SLES 10 box using CIFS. So I am trying to set up a CIFS client in HP-UX.

Then share your directories from SLES10 by running an nfsd server.

Then mount on your HP-UX server the exported volume with mount.

Horia.
Best regards from Romania,
Horia.
Oscar Garcia
Regular Advisor

Re: Configuring kerberos for CIFS

Thanks Guys for your replies.

So in short, it is not possible to share files between SLES & HPUX using CIFS?

I have used NFS in the past, but I thought CIFS was the way forward...
eric roseme
Respected Contributor

Re: Configuring kerberos for CIFS

Hi Oscar,

Yes you can use CIFS. But if your HP-UX server is the CIFS Client, then the SLES server will have to be a CIFS (Samba) server. If that is the case, then the HP-UX server does not need to be joined to the domain. You can use the CIFS Client cifslogin command to authenticate. You asked about this stuff back in 2007 (http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1155754). So on HP-UX you will need the latest CIFS Client (A.02.02.02) and the latest Kerberos client (1.6.2.06). And your SLES server will need to share the target directories out with Samba. On the CIFS Client you will do a cifsmount to mount the remote share, and a cifslogin to authenticate a user (with Kerberos). Or you can use NFS.

Eric Roseme
Oscar Garcia
Regular Advisor

Re: Configuring kerberos for CIFS

Thanks again Eric,

I have finally managed to install the latest software, not without having some delay as HP website was down for a couple of days.
As you pointed out I have tried to implement kerberos with different versions of HPUX and SLES but I have to abandon it to sort out other things at work.

Well I am stuck again, and this is the point now:
I mount the share with
#cifsmount //lindev10/home/oscar /home/oscar -U oscar
and after typing the password comes back with
oscar's password on lindev10:
SRV: Invalid netname

When I cd to the directory I cannot see any of the files of the share. But if I do a mount command it shows in the last line:

/home/oscar on lindev10:/home:/ soft,noac,novj,retrans=3,timeo=50,acregmin=0,acregmax=0,acdirmin=0,acdirmax=0,proto=udp,NFSv3,dev=4000021 on Fri Apr 9 15:49:56 2010

What am I doing wrong?
eric roseme
Respected Contributor
Solution

Re: Configuring kerberos for CIFS

Hi Oscar,

So you are going to use CIFS Client on HP-UX to mount a CIFS share on a remote server that is either a native Windows server or a Samba server exporting a directory for CIFS/SMB protocol.

Here is the best way to do this:

cifsmount //targetserver.org.com/targetdirectory /hpuxmountpoint -U administrator

The cifsmount establishes the target server and directory and the local mountpoint. You will need a user on the target server with admin rights to mount the share. But so far no one has local access to the share - each user has to authenticate to the remote share.

cifslogin //targetserver.org.com/targetdirectory /hpuxmountpoint -U username

username is a user on the target server (Windows or Samba) who has read or write or both access to the share.
Oscar Garcia
Regular Advisor

Re: Configuring kerberos for CIFS

Hi Eric,

Thanks for your help, it is sort of working. The only problem is that I am only able to mount the whole share rather than a subdirectory from the share, which is a bit of a pain.

So I ran this command as root:

cifsmount //targetserver.org.com/share /hpuxmountpoint

and when logged as a user:
cifslogin //targetserver.org.com/share /hpuxmountpoint -U username

Do you know any way of mounting only the desired directory rather than the whole share?

Cheers,
eric roseme
Respected Contributor

Re: Configuring kerberos for CIFS

Hi Oscar,

The CIFS Client can only mount the mountpoint that is exported by the CIFS/SMB server (Windows or Samba). So if /home/oscar is exported, then the client can mount it. If /home/oscar/data is exported, then the client can mount it. If /home/oscar is exported and you want to mount /home/oscar/data, the CIFS client does not know that it exists because it is not exported, so you have to mount the share and cd to /data.

Eric
Oscar Garcia
Regular Advisor

Re: Configuring kerberos for CIFS

Yes Eric, that seems to be the case.
Anyway, now that I have mounted the shares, I want to be able to use the same user names and passwords as a Win server (my KDC). Is that possible with PAM? I've been reading about it, but it is just adding more confusion.
Basically I want to eliminate the manual cifslogin for the users or make it thru the login or something like that. Can you recommend me something?
eric roseme
Respected Contributor

Re: Configuring kerberos for CIFS

Yes - it is possible. But it will take some work.

First, you need to set up your local HP-UX logins to authenticate using krb5 to your Windows KDC. For the CIFS Client, the KDC needs to be W2003R2 or earlier. To find out how to set up that environment, it's in the whitepaper at:

http://docs.hp.com/en/16322/CIFSUnifiedLoginV2.pdf

Second, your CIFS Client has to be configured to use krb5 for logins. That's in the CIFS Client Admin Guide:

http://docs.hp.com/en/B8724-90079/B8724-90079.pdf

Third, you need to follow the guidelines in the CIFS Client Release Notes on page 11:

http://docs.hp.com/en/B8724-90105/B8724-90105.pdf

To test this without doing the script, login to HP-UX as a normal user (buffy) and make sure that you have a krb5 ticket (klist). Your CIFS Client mountpoint should already be mounted by Administrator or someone. Now go to /tmp and look for the krb5 temp credentials file for buffy - it will be named krb5cc_###_####. Copy that file to krb5_buffy's_UID (do an "id buffy"). Then chown and chgrp the file to buffy. Now on the buffy HP-UX local user logon try to cd to the CIFS Client mountpoint. Remember that the W2003R2 (or whatever) share that the CIFS Client is mounting must have access set up for buffy. You can check that out in the whitepaper listed above.

Once you know that you can access the share by kludging the krb5 credentials file, you can implement the script that is shown in the release notes.

Eric
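
The manual credentials-file test described in the last reply, written out as an added shell example (not part of the thread and not the script from the HP release notes). The function name stage_ccache is hypothetical, and the target file name krb5cc_<UID> is an assumption to confirm against the release notes; the UID and GID arguments are the values printed by "id buffy".

```shell
#!/bin/sh
# Added example: copy a user's Kerberos credentials file to a per-UID name
# for the manual test, refusing unsafe files in a shared directory like /tmp.
# Assumption: the target name is krb5cc_<UID>; override DST_PREFIX if the
# CIFS Client release notes specify a different name.
DST_PREFIX=${DST_PREFIX:-krb5cc_}

# Usage: stage_ccache UID GID [DIR]   (UID/GID as shown by "id buffy")
stage_ccache() {
    uid=$1 gid=$2 dir=${3:-/tmp}
    newest=
    for f in "$dir"/krb5cc_*_*; do
        # Accept only regular files owned by the user; find does not follow
        # symlinks here, so a link planted under this name is skipped.
        [ -n "$(find "$f" -prune -type f -user "$uid" 2>/dev/null)" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest=$f; fi
    done
    [ -n "$newest" ] || { echo "no credentials file for uid $uid in $dir" >&2; return 2; }

    dst=$dir/$DST_PREFIX$uid
    # A symlink at the target would redirect the copy to another file.
    [ ! -L "$dst" ] || { echo "$dst is a symlink, refusing" >&2; return 3; }
    rm -f "$dst"
    # umask 077 creates the copy unreadable to others; noclobber (set -C)
    # makes the shell fail instead of writing into a file that reappeared.
    ( umask 077; set -C; cat "$newest" > "$dst" ) || return 4
    # The "chown and chgrp the file to buffy" step, plus an explicit mode.
    chown "$uid:$gid" "$dst" && chmod 600 "$dst" || return 5
    printf '%s\n' "$dst"
}
```

Run it as root on the HP-UX host after the user has obtained a ticket (klist), then try to cd to the CIFS Client mountpoint as that user.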