Operating System - HP-UX

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Paul Molony
Advisor

CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Hi, I am having difficulties getting this to work. I would welcome critical feedback from anyone successfully using CIFS client B8724AA (A.01.09.03) with Kerberos client KRB5CLIENT (C.1.3.5.01) to talk to ADS2003 (see attachment).

Thanks/Paul
harry d brown jr
Honored Contributor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

what are the issues or errors you are receiving?

live free or die
harry d brown jr
Live Free or Die
Paul Molony
Advisor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Hi Harry, as per the attachment, I've managed to successfully issue a 'kinit' to the ADS. The next step, issuing a 'cifslogin', gives me an error "Server not found in Kerberos database [krb5_get_cred_from_kdc()]"

Thank
Steven E. Protter
Exalted Contributor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

You are current on your Kerberos client?

I have not tried this, but the available documentation says that it should be possible.

This could however be a windows issue. Windows 2003 Server requires a patch to deal with Kerberos clients that are not version 5. Hence my earlier question.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
harry d brown jr
Honored Contributor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Sorry, I missed the other steps in the text file.

Have you tried to use the fully qualified host name of PcHostname? PcHostname.DOMAINNAME.com

live free or die
harry d brown jr
Live Free or Die
Paul Molony
Advisor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Harry, thanks for your reply. Yes, I have tried the fully qualified name.

Regards/Paul
Paul Molony
Advisor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Hi Steven, thanks for your reply. I will now investigate the Windows2003 Kerberos5 patch, and report progress.

Regards/Paul
Paul Molony
Advisor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Steven, reading your mail more closely, I am already using Kerberos5, so patching Win2003 is not appropriate here.

Thanks/Paul
jack gao_1
New Member

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Try update to the latest krb5 client on HP-UX first.
Eric Raeburn
Trusted Contributor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Paul,

The problem you are seeing is not related to the HP CIFS or Kerberos Clients. The error message "Server not found in Kerberos database" comes from the Windows KDC; it signifies that it cannot find the server which you are trying to mount.

Here are my suggestions:

1. First, perform the setup procedure specified in the CIFS Client Admin Guide (available at docs.hp.com). This ensures that your Kerberos infrastructure is working, _before_ introducing the CIFS Client into the equation. You will first do 'kinit', to ensure that the user-password pair is valid (you've already done this successfully, but the next step depends on it, and you want to get a fresh TGT). Then do 'cifsgettkt -s server', to ensure that the KDC will issue the user a service ticket for the server. This will most likely fail, based on the error you have documented.

2. If you can't get past 'cifsgettkt', the problem is with the domain setup. Check the ADS configuration on the KDC to ensure the server is a member. When we tested this in the lab, we found, under some undetermined circumstances, the Domain Controller had to also be configured as a DNS server, and the server we were trying to mount of course then had to be in the DC's DNS table.

2a. If 'cifsgettkt' succeeded, then there might actually be a problem on the HP-UX system, in which case you should post your results or place a support call. I noticed you have two KDCs configured in your /etc/krb5.conf. Please ensure you are using the right KDC for the server you are trying to mount

3. For additional data, you might try mapping the share from a PC client, and see if the PC user is authenticated with Kerberos. However, it seems Windows clients have a preference for NTLMSSP over Kerberos. If the PC belongs to the domain it might use Kerberos. You will have to get a network trace to know ('ethereal' is the tool of choice--visit ethereal.com or see the 'ethereal' tutorial under CIFS Related Documentation at docs.hp.com).

Please post your results.
-Eric Raeburn
HP CIFS Client Lab
Paul Molony
Advisor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Jack, thanks for your reply, I'm on the latest kerberos client.

Regards/Paul
Paul Molony
Advisor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Eric, thanks for your detailed and informed reply. I have been busy following up your suggestions.

1. I have performed the setup procedure specified in the client admin guide. This time, following discussions with others who know more about ADS2003 than I do, I have setup a share on a Win2003 server, rather than my PC. Again, 'kinit' works perfectly. Wonderfully, this time, 'cifsgettkt' works fine against the Win2003 server and I now get a service ticket.

2. I now attempt a 'cifslogin' and get the error 'Logging in User: UNIX: Error 999'. I will continue to dig. Any suggestions are very welcome :-)

Thanks/Paul
Eric Raeburn
Trusted Contributor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Paul,

Your new error is a generic Unix system-call error which will be difficult to diagnose in the context of this forum. I suggest the following, but if this doesn't solve it, consider opening a support call (I'll still work with you here if we're making progress).

You must be root to do these:
1. Ensure that this directory exists: /var/opt/cifsclient/krb5_tmp .
2. Ensure that the permissions on this dir are 1777 (globally writeable, with the "sticky" bit set), should appear as drwxrwxrwt in 'ls -l' (note trailing 't').
3. Ensure the ownership of the dir is root:root .
4. In the config file, set "rmTmpKerbCredFiles = yes;"
5. Do 'kdestroy'.
6. Do 'cifsclient kdestroy -a'.
7. Do 'cifsclient restart' and try again to mount the server.
8. Do 'cifsclient klist -a' to ensure the appropriate Kerberos tickets were issued.

Please post your results.

-------
Thanks,
Eric Raeburn
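The checks in steps 1 to 4 above (with step 4 as corrected in the follow-up post, i.e. "rmTmpKerbCredFiles = no;") can be scripted so they are repeatable before opening a support call. The script below is an added example for this thread, not code from HP or from Eric Raeburn. It assumes the directory /var/opt/cifsclient/krb5_tmp named in the post; the default config-file path /etc/opt/cifsclient/cifsclient.cfg is an assumption and can be overridden through the CIFS_CFG environment variable. It uses only ls, sed and awk so that it also runs on HP-UX, which has no stat(1).

```shell
#!/bin/sh
# cifs_preflight.sh (added example; not part of the HP CIFS Client product)
# Verifies the Kerberos credential-cache directory of the HP CIFS Client
# (steps 1-3 of the post above) and the rmTmpKerbCredFiles setting (step 4,
# corrected to "no"). Run as root for meaningful results:
#   sh cifs_preflight.sh --run

KRB_TMP_DIR="${KRB_TMP_DIR:-/var/opt/cifsclient/krb5_tmp}"
# Assumed location of the CIFS Client configuration file (not stated in the thread).
CIFS_CFG="${CIFS_CFG:-/etc/opt/cifsclient/cifsclient.cfg}"

# check_krb_tmp_dir DIR [OWNER GROUP]
# Returns 0 when DIR exists, has mode 1777 (shown by ls as drwxrwxrwt) and is
# owned by OWNER:GROUP (default root:root). Anything else is reported and
# returns 1. Parsing 'ls -ld' keeps this portable to HP-UX.
check_krb_tmp_dir() {
    dir=$1; want_owner=${2:-root}; want_group=${3:-root}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist (step 1)"
        return 1
    fi
    # Fields: mode links owner group size ... name
    set -- $(ls -ld "$dir")
    mode=${1%[.+@]}      # strip ACL/xattr markers some ls versions append
    owner=$3; group=$4
    if [ "$mode" != "drwxrwxrwt" ]; then
        echo "BAD MODE: $dir is $mode, expected drwxrwxrwt (chmod 1777, step 2)"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "BAD OWNER: $dir is $owner:$group, expected $want_owner:$want_group (step 3)"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: $dir is $mode $owner:$group"
    return $rc
}

# check_rm_tmp_setting CFGFILE
# Returns 0 when the last uncommented "rmTmpKerbCredFiles = ...;" line says
# "no"; 1 when it says something else or is absent; 2 when the file is unreadable.
check_rm_tmp_setting() {
    cfg=$1
    [ -r "$cfg" ] || { echo "MISSING: cannot read $cfg"; return 2; }
    val=$(sed -n 's/^[[:space:]]*rmTmpKerbCredFiles[[:space:]]*=[[:space:]]*\([A-Za-z]*\)[[:space:]]*;.*/\1/p' "$cfg" | tail -n 1)
    case "$val" in
        no|No|NO) echo "OK: rmTmpKerbCredFiles = no"; return 0 ;;
        '')       echo "MISSING: rmTmpKerbCredFiles is not set in $cfg"; return 1 ;;
        *)        echo "BAD: rmTmpKerbCredFiles = $val (expected no)"; return 1 ;;
    esac
}

# Entry point: only runs when invoked with --run, so the functions can also be
# sourced into another script. Exit status is nonzero if any check failed.
if [ "${1:-}" = "--run" ]; then
    status=0
    check_krb_tmp_dir "$KRB_TMP_DIR" || status=1
    check_rm_tmp_setting "$CIFS_CFG" || status=1
    exit $status
fi
```

Once both checks print OK, continue with steps 5 to 8 (kdestroy, 'cifsclient kdestroy -a', 'cifsclient restart', then 'cifsclient klist -a' after the mount) to confirm that the expected tickets were actually issued.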
Eric Raeburn
Trusted Contributor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Paul,

As you no doubt realized, step 4 should have been set "rmTmpKerbCredFiles = no;"

-ER
Paul Molony
Advisor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Eric, thanks for your help. I'm happy to pursue the forum as long as you feel you can help. I have attached the results of your suggestions.

Thanks/Paul
Eric Raeburn
Trusted Contributor
Solution

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Paul,

Looks like we almost have it. A few comments:

There is a subtle problem with the way in which you are mounting the CIFS server. In particular, specifying the server's fully qualified DNS name (hostname.dns.domain), as you have done, prevents the CIFS login from working, because the server's name in ADS is only its NetBIOS (Windows) name, that is, just the hostname, without the DNS domain (in your case, the server's NetBIOS name is exactly "serv3017").

There are two ways you can get around this.

First, if the CIFS Client is in the same DNS domain as the server (that is, if DNS can resolve the server's IP address from only the server's hostname), you can simply do the same 'mount' command, but with only the server's hostname (without the DNS domain appended; in your case: 'mount -F cifs serv3017:/ . . .').

However, if the client and server are in different DNS domains, you should mount the server thus:

cifsmount //server/share /mntpt -U cifs_user_name -I server_ipaddr

In this case, 'cifsmount' prompts you for a password, uses that to acquire a TGT and ST, and logs you in, transparently. So if this succeeds, you will have access to the mounted CIFS server.

Finally, assuming that the first mount option works ('mount -F cifs ...'), the 'su' stuff you are doing, though harmless, is unnecessary (as you may have deduced from my discussion of 'cifsmount'). You can simply do 'kinit cifs_user_name', where, in your case, cifs_user_name is "i835". Then, when you 'cd' to the mounted directory, you will be logged in automatically: the CIFS Client will fetch you an ST and send that to the server, so you don't need to explicitly do 'cifslogin'.

After this succeeds, do 'cifslist'. It will show your remote name as "i835" and local name as "root". Hence, you can do this without 'su'. Of course, you may have another reason for doing 'su'.

Now you may be wondering what 'cifslogin' is for. In the CIFS Client, 'kinit' is the key element for autologin with Kerberos. If you don't do 'kinit', you need to login manually. That's what 'cifslogin' does.

One more point. 'cifsgettkt' is only a diagnostic tool, used to ensure the KDC will issue the user an ST for the server. So, after your environment is set up, you do not need 'cifsgettkt' for your daily logging-in procedures.

Good luck! Please post your results.
-Eric Raeburn
Paul Molony
Advisor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Hi Eric, you have brilliantly solved the problem, and I am one happy bunny. Both solutions work;

Details as follows;

> kdestroy
> cifsclient kdestroy -a
> cifsclient restart
> cifsmount //server/share /mntpt -U cifs_user_name -I server_ipaddr
> cd /mntpt

I also then tried your first suggestion;

> kdestroy
> cifsclient kdestroy -a
> cifsclient restart
> mount -F cifs servName:/share /mntpt
(having added servName to /etc/hosts)
> kinit cifs_user_name
> cd /mntpt

As the HP CIFS Client Admin Guide (B8724-90044.pdf) indicates, cifsmount is deprecated, so I'm happy to use the second option above.

Thank you very very much for your help.

Paul

p.s. autofs, here I come :-)
Eric Raeburn
Trusted Contributor

Re: CIFS client on hpux 11.11 authenticating to ADS2003 using kerberos

Paul,

Excellent results! Thanks for your patience in getting the problem resolved. Please continue to post if you have any problem or questions with respect to the product.

-Eric