Re: Samba/CIFS 3.01

enrico.nic
Regular Advisor

Samba/CIFS 3.01

Hi,

I encountered a (hopefully small) problem.
I downloaded Samba/CIFS A.03.01 on HP-UX 11.23. The CIFS server is a member of a Windows AD.

In the older A.02.04.02 version, I created a "krb5.keytab" file as described in the manual, and in the smb.conf configuration file I used the "use kerberos keytab = yes" option.
All was working nicely: users were authenticated through the Windows AD, and accessing their shares in the correct manner.
In the new release unfortunately the "use kerberos keytab" option doesn't exist anymore.
In this situation, Samba tries to return to the "old", "local" passwords, and none of the AD (non-local) users can access the shares anymore.

How can I solve the problem?

At present, I have restored the older release of Samba/CIFS.

Thank you

Enrico
Shibin_2
Honored Contributor

Re: Samba/CIFS 3.01

Have you updated this patch? This is a required patch for CIFS version 3.0i and above.

PHSS_33389 KRB5-Client version 1.0 cumulative patch.

Here are the steps taken from the documentation. Have you followed these steps?

Configuring krb5.keytab

Here are the required components to configure HP CIFS Server with HP-UX Internet Services co-existence:
• HP-UX Kerberos Client version 1.3.5 or newer
• /etc/krb5.conf file
• /etc/opt/samba/smb.conf file
• /etc/krb5.keytab file
• net ads keytab create command
The first task is to configure HP CIFS Server for Kerberos authentication and join it to a Windows domain. This configuration will disable HP-UX Internet Services access to the HP-UX system temporarily until all the configuration steps are completed. Use the following steps to generate a valid keytab file and to configure an HP CIFS Server to access the keytab file:

1. Add the default_keytab_name parameter with the WRFILE attribute in the /etc/krb5.conf file. HP-UX Kerberos Client version 1.3.5 is required for WRFILE.
An example of /etc/krb5.conf for HP CIFS Server keytab creation is as follows:
# Kerberos configuration
[libdefaults]
default_realm = MYREALM.HP.COM
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
default_keytab_name = "WRFILE:/etc/krb5.keytab"
[realms]
MYREALM.HP.COM = {
kdc = HPWIN2K4.MYREALM.HP.COM:88
admin_server = HPWIN2K4.MYREALM.HP.COM
}
[domain_realm]
.hp.com = MYREALM.HP.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

2. Run the net ads keytab create -U administrator command to generate an /etc/krb5.keytab file.

3. To configure the HP CIFS Server to read /etc/krb5.keytab, set the use kerberos keytab parameter in /etc/opt/samba/smb.conf to yes.
An example of /etc/opt/samba/smb.conf is as follows:
[global]
workgroup = MYREALM
realm = MYREALM.HP.COM
netbios name = atcux5
server string = Samba Server
interfaces = 15.43.214.58
bind interfaces only = Yes
security = ADS
password server = HPATCWIN2K4.MYREALM.HP.COM
use kerberos keytab = yes

4. Validate your configuration by starting the HP CIFS Server, logging on to the domain with clients, and mounting an HP CIFS share.
Now the HP CIFS Server can authorize the Windows client to access the server share, using Kerberos in the Windows domain and the keytab file on the HP CIFS Server. However, an HP-UX Internet Services user cannot gain system access using Kerberos with the system in this state.
Regards
Shibin
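A configuration check for the four steps quoted above, added here as an example; it is not part of this thread, of HP's documentation, or of the CIFS product. It assumes the three file paths are passed as arguments, and the function names check_keytab_cfg and ini_get are its own. It verifies that default_keytab_name carries the WRFILE: prefix, that the realm in smb.conf matches default_realm in krb5.conf, that security is ADS, and that the generated keytab exists and is readable by root only.

```sh
#!/bin/sh
# Added example (not HP's tooling): sanity-check the keytab configuration from
# the documented steps before starting the HP CIFS Server.
# Usage: check_keytab_cfg /etc/krb5.conf /etc/opt/samba/smb.conf /etc/krb5.keytab
# Returns 0 when every check passes; otherwise prints each failure and returns 1.

# ini_get FILE SECTION KEY -> prints the value (surrounding quotes stripped), empty if absent
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                               # comment lines
        /^[ \t]*\[/ { in_sect = ($0 ~ ("^[ \t]*\\[" sect "\\]")); next }
        in_sect && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

check_keytab_cfg() {
    krb5conf=$1; smbconf=$2; keytab=$3; rc=0
    # step 1: the keytab name must be writable (WRFILE:) so "net ads keytab create" can fill it
    ktname=$(ini_get "$krb5conf" libdefaults default_keytab_name)
    case "$ktname" in
        WRFILE:*) ;;
        *) echo "FAIL: default_keytab_name needs the WRFILE: prefix (got '$ktname')"; rc=1 ;;
    esac
    # step 3: smb.conf must point at the same realm and use ADS security
    realm=$(ini_get "$krb5conf" libdefaults default_realm)
    smbrealm=$(ini_get "$smbconf" global realm)
    [ -n "$realm" ] && [ "$realm" = "$smbrealm" ] ||
        { echo "FAIL: smb.conf realm '$smbrealm' != krb5.conf default_realm '$realm'"; rc=1; }
    sec=$(ini_get "$smbconf" global security | tr 'a-z' 'A-Z')
    [ "$sec" = "ADS" ] || { echo "FAIL: security must be ADS (got '$sec')"; rc=1; }
    # step 2: the keytab holds the host's long-term keys, so it must exist and be mode 600
    if [ -f "$keytab" ]; then
        perm=$(ls -l "$keytab" | cut -c2-10)
        [ "$perm" = "rw-------" ] || { echo "FAIL: $keytab mode is $perm, expected rw-------"; rc=1; }
    else
        echo "FAIL: $keytab missing; run 'net ads keytab create -U administrator'"; rc=1
    fi
    return $rc
}
```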
enrico.nic
Regular Advisor

Re: Samba/CIFS 3.01

Thank you for the reply.

I don't have this specific patch, but another one (PHSS_41167) that supersedes it.

The documentation reported refers to the A.02.04.x version, which is the one I am currently running.
With this version, kerberos validation works perfectly, before and after the creation of the krb5.keytab file.

The problem is that with the later release (03.01) there isn't such documentation (yet?). The installation guide simply reports that "use kerberos keytab" isn't a valid option in samba's configuration file anymore.