Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?

by Paul Sobey-3

Good Morning,

We have a network of Solaris 10 machines authenticating and doing name
lookups via a Windows 2008 (SP2) domain using the Solaris ldap client and
self/gssapi credentials. Each machine has a machine account that is
prepared via a script with the following attributes:

userAccountControl: 4263936 (WORKSTATION_TRUST_ACCOUNT |
DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)
msDS-SupportedEncryptionTypes: 23 (KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 |
KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_DES_CBC_MD5 |
KERB_ENCTYPE_DES_CBC_CRC)

We would like to install a new Samba file server and have it play nicely
with this setup, using the system keytab, ideally taking a password from
the keytab or being able to control the password used in the joining
process.

Is there a prescribed/supported way to have Samba 'fit in' to an existing
setup like this?

We've tried running net ads join after the host keytab is created, and
note that the KVNO on the computer account increases, the
userAccountControl flag gets overwritten with DONT_REQ_PREAUTH (seems to
be needed for Solaris kinit -k), and the resulting keytab is unusable by
Solaris kinit:

before net ads join:

Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   18 host/fqdn@REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   18 host/fqdn@REALM (ArcFour with HMAC/md5)
   18 host/fqdn@REALM (DES cbc mode with RSA-MD5)
   18 host/fqdn@REALM (DES cbc mode with CRC-32)

kinit -k

Default principal: host/fqdn@REALM

Valid starting                  Expires                  Service principal
05/11/2009 11:46:16  05/11/2009 21:46:16  krbtgt/REALM@REALM
         renew until 12/11/2009 11:46:16, Etype(skey, tkt): AES-256 CTS
mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC


after net ads join (Samba added entries are KVNO 19)

   18 host/fqdn@REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   18 host/fqdn@REALM (ArcFour with HMAC/md5)
   18 host/fqdn@REALM (DES cbc mode with RSA-MD5)
   18 host/fqdn@REALM (DES cbc mode with CRC-32)
   19 host/fqdn@REALM (DES cbc mode with CRC-32)
   19 host/fqdn@REALM (DES cbc mode with RSA-MD5)
   19 host/fqdn@REALM (ArcFour with HMAC/md5)
   19 host/HOST@REALM (DES cbc mode with CRC-32)
   19 host/HOST@REALM (DES cbc mode with RSA-MD5)
   19 host/HOST@REALM (ArcFour with HMAC/md5)
   19 HOST$@REALM (DES cbc mode with CRC-32)
   19 HOST$@REALM (DES cbc mode with RSA-MD5)
   19 HOST$@REALM (ArcFour with HMAC/md5)

kinit -k

kinit(v5): Clients credentials have been revoked while getting initial
credentials

after removal of kvno 18 tickets with ktutil:

kinit(v5): Key table entry not found while getting initial credentials


Should I just give up and use pam_winbind and nss_winbind, or is there a
way to make this work? Also, is there a way to make net ads join request
or write aes256 entries to the keytab? Our krb5.conf explicitly specifies
this as a permitted enc type.

Cheers,
Paul

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
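The two attribute values and the keytab listings in the post decode mechanically, and the failure described (a join that bumps the KVNO but writes only RC4/DES keys under the new KVNO) can be checked the same way. The following is an added example, not code from the thread or from Samba/Solaris: the bit values are the documented Microsoft positions for userAccountControl and msDS-SupportedEncryptionTypes, the enctype names are the ones klist -k prints, and the sample listing is constructed from the "after net ads join" output above.

```python
"""Decode the AD machine-account attributes from the post and audit a
klist -k listing for the problem it describes (a join that bumps the KVNO
but writes only RC4/DES keys).  Added example, not code from the thread;
flag values are the documented Microsoft bit positions, and the sample
keytab listing is constructed from the one in the post."""
import re

# userAccountControl bits (subset of the documented Microsoft values).
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x001000: "WORKSTATION_TRUST_ACCOUNT",
    0x002000: "SERVER_TRUST_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}

# msDS-SupportedEncryptionTypes bits.
ENC_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

# How klist -k names each enctype, mapped to the AD bit above.
KLIST_TO_ENC = {
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": 0x10,
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": 0x08,
    "ArcFour with HMAC/md5": 0x04,
    "DES cbc mode with RSA-MD5": 0x02,
    "DES cbc mode with CRC-32": 0x01,
}


def decode_flags(value, table):
    """Return the names of the bits set in value; unknown bits are reported."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append("UNKNOWN_0x%x" % leftover)
    return names


def parse_klist(text):
    """Parse 'KVNO principal (enctype)' rows from klist -k output."""
    row = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in (row.match(line) for line in text.splitlines()) if m]


def audit_keytab(entries, principal, ad_enctypes):
    """Compare the newest KVNO's keys for principal with what AD advertises."""
    mine = [e for e in entries if e[1] == principal]
    if not mine:
        raise ValueError("no entries for %s" % principal)
    newest = max(kvno for kvno, _, _ in mine)
    present = {KLIST_TO_ENC[desc] for kvno, _, desc in mine
               if kvno == newest and desc in KLIST_TO_ENC}
    advertised = {bit for bit in ENC_FLAGS if ad_enctypes & bit}
    return {
        "kvno": newest,
        # older KVNOs are dead weight once the DC has rolled the password
        "stale_kvnos": sorted({kvno for kvno, _, _ in mine if kvno != newest}),
        "present": [ENC_FLAGS[b] for b in sorted(present)],
        # advertised in AD but absent from the keytab at the current KVNO:
        # a client that negotiates one of these cannot use this keytab
        "missing": [ENC_FLAGS[b] for b in sorted(advertised - present)],
        # single DES is weak; flag it even though the DC still offers it
        "weak_des": any(b & 0x03 for b in present),
    }


# Constructed from the post's "after net ads join" listing.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
  18 host/fqdn@REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
  18 host/fqdn@REALM (ArcFour with HMAC/md5)
  18 host/fqdn@REALM (DES cbc mode with RSA-MD5)
  18 host/fqdn@REALM (DES cbc mode with CRC-32)
  19 host/fqdn@REALM (DES cbc mode with CRC-32)
  19 host/fqdn@REALM (DES cbc mode with RSA-MD5)
  19 host/fqdn@REALM (ArcFour with HMAC/md5)
  19 HOST$@REALM (DES cbc mode with RSA-MD5)
  19 HOST$@REALM (ArcFour with HMAC/md5)
"""

if __name__ == "__main__":
    print("userAccountControl 4263936 ->", decode_flags(4263936, UAC_FLAGS))
    print("msDS-SupportedEncryptionTypes 23 ->", decode_flags(23, ENC_FLAGS))
    entries = parse_klist(SAMPLE_KLIST)
    print("after join: ", audit_keytab(entries, "host/fqdn@REALM", 23))
    print("before join:", audit_keytab([e for e in entries if e[0] == 18],
                                       "host/fqdn@REALM", 23))
```

Run against the post's numbers, the decoder confirms 4263936 is exactly WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH and 23 is DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC_MD5 | AES256 (AES128, bit 0x08, is not advertised). The audit of the after-join listing reports KVNO 19 with only RC4 and DES keys and AES256 missing, while the KVNO 18 subset has all four advertised types, which is the mismatch the post is asking about. Pipe real output into parse_klist (for example the text of `klist -k`) to run the same check on a live keytab.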

Re: Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?

by Douglas E. Engert

Paul Sobey wrote:

> Good Morning,
>
> We have a network of Solaris 10 machines authenticating and doing name
> lookups via a Windows 2008 (SP2) domain using the Solaris ldap client
> and self/gssapi credentials. Each machine has a machine account that is
> prepared via a script with the following attributes:
>
> userAccountControl: 4263936 (WORKSTATION_TRUST_ACCOUNT |
> DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH)
> msDS-SupportedEncryptionTypes: 23 (KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
> | KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_DES_CBC_MD5 |
> KERB_ENCTYPE_DES_CBC_CRC)
>
> We would like to install a new Samba file server and have it play nicely
> with this setup, using the system keytab, ideally taking a password from
> the keytab or being able to control the password used in the joining
> process.
>
> Is there a prescribed/supported way to have Samba 'fit in' to an
> existing setup like this?

This could be an issue with older Solaris systems supporting AES-128 but
not AES-256 because of policy.

http://docs.sun.com/app/docs/doc/816-4557/egric?a=view

says:
  "In releases prior to Solaris 10 8/07 release, the aes256-cts-hmac-sha1-96
   encryption type can be used with the Kerberos service if the unbundled Strong
   Cryptographic packages are installed."

See:
http://www.sun.com/software/solaris/security.jsp

>
> We've tried running net ads join after the host keytab is created, and
> note that the KVNO on the computer account increases, the
> userAccountControl flag gets overwritten with DONT_REQ_PREAUTH (seems to
> be needed for Solaris kinit -k), and the resulting keytab is unusable by
> Solaris kinit:
>
> before net ads join:
>
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   18 host/fqdn@REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>   18 host/fqdn@REALM (ArcFour with HMAC/md5)
>   18 host/fqdn@REALM (DES cbc mode with RSA-MD5)
>   18 host/fqdn@REALM (DES cbc mode with CRC-32)
>
> kinit -k
>
> Default principal: host/fqdn@REALM
>
> Valid starting                  Expires                  Service principal
> 05/11/2009 11:46:16  05/11/2009 21:46:16 krbtgt/REALM@REALM
>         renew until 12/11/2009 11:46:16, Etype(skey, tkt): AES-256 CTS
> mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>
>
> after net ads join (Samba added entries are KVNO 19)
>
>   18 host/fqdn@REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>   18 host/fqdn@REALM (ArcFour with HMAC/md5)
>   18 host/fqdn@REALM (DES cbc mode with RSA-MD5)
>   18 host/fqdn@REALM (DES cbc mode with CRC-32)
>   19 host/fqdn@REALM (DES cbc mode with CRC-32)
>   19 host/fqdn@REALM (DES cbc mode with RSA-MD5)
>   19 host/fqdn@REALM (ArcFour with HMAC/md5)
>   19 host/HOST@REALM (DES cbc mode with CRC-32)
>   19 host/HOST@REALM (DES cbc mode with RSA-MD5)
>   19 host/HOST@REALM (ArcFour with HMAC/md5)
>   19 HOST$@REALM (DES cbc mode with CRC-32)
>   19 HOST$@REALM (DES cbc mode with RSA-MD5)
>   19 HOST$@REALM (ArcFour with HMAC/md5)
>
> kinit -k
>
> kinit(v5): Clients credentials have been revoked while getting initial
> credentials
>
> after removal of kvno 18 tickets with ktutil:
>
> kinit(v5): Key table entry not found while getting initial credentials
>
>
> Should I just give up and use pam_winbind and nss_winbind, or is there a
> way to make this work? Also, is there a way to make net ads join request
> or write aes256 entries to the keytab? Our krb5.conf explicitly
> specifies this as a permitted enc type.
>
> Cheers,
> Paul
>

--

  Douglas E. Engert  <DEEngert@...>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Samba + Windows 2008 + Solaris + Native nss_ldap/gssapi - Possible?

by Paul Sobey-3

> This could be an issue with older Solaris systems supporting AES-128 but
> not AES-256 because of policy.

All our Solaris boxes seem to be ok with AES256 support - e.g.:

cryptoadm list

User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so

Kernel software providers:
         des
         aes256
         arcfour2048
         blowfish448
         sha1
         sha2
         md5
         rsa
         swrand


We set all our Solaris keytabs to this algo only and they work well.
Thanks for replying though. Problem seems to be specifically that Samba's
net ads join only requests arc4/des - is there a 'behave like a Windows
2008 member server' option? Or is all this going to come with Samba 4?

Cheers,
Paul
