[CentOS] Windows 2008R2 AD, kerberos, NFSv4
janice.psyop
janice.psyop at gmail.com
Wed Apr 25 17:07:07 UTC 2012
Hi James,
(Sorry, I was on digest mode, but have switched it off...) Here are the
respective smb.conf and krb5.conf files.
[root at bk001 ~]# smbd -V
Version 3.5.10-0.107.el5
[root at bk001 ~]# cat /etc/samba/smb.conf
# smb.conf for bk001 (Samba 3.5.10): AD domain member, host keys from the
# system keytab, RID-based idmap for MYCOMPANY, one guest-accessible share.
[global]
workgroup = MYCOMPANY
realm = MYCOMPANY.TV
server string = bk001 v %v
log file = /var/log/samba/log.smbd
# Domain member: authentication is delegated to AD (Kerberos, NTLMv2 fallback).
security = ADS
client NTLMv2 auth = yes
encrypt passwords = yes
# DC lookup is pinned to two fixed addresses rather than '*' (auto-locate),
# so a DC move or re-addressing requires editing this file.
#password server = *
password server = 10.100.1.11 10.100.1.10
allow trusted domains = No
passdb backend = tdbsam
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
# Printing subsystem disabled entirely.
load printers = no
show add printer wizard = no
disable spoolss = yes
kernel oplocks = no
printing = sysv
printcap name = /dev/null
unix extensions = no
# Never take part in browser elections.
preferred master = No
local master = No
# Service keys come from /etc/krb5.keytab (default_keytab_name in krb5.conf);
# 'kerberos method' supersedes the older 'use kerberos keytab' still used on
# the 3.3.8 host in this thread.
#use kerberos keytab = yes
kerberos method = system keytab
# Integrity-protect winbind's LDAP traffic to the DCs (sign only, no sealing).
client ldap sasl wrapping = sign
# Fallback idmap (tdb) for anything outside MYCOMPANY allocates from 200001;
# the MYCOMPANY domain itself maps deterministically by RID into 2000-200000,
# so the two ranges do not overlap and MYCOMPANY ids match the other host.
idmap backend = tdb
idmap uid = 200001-999999
idmap gid = 200001-999999
idmap config MYCOMPANY: backend = rid
# NOTE(review): 'base_range' is not an option I recognise for the rid backend
# (its documented option is 'base_rid'); check with testparm whether this
# line is honoured or silently ignored.
idmap config MYCOMPANY: base_range = 2000
idmap config MYCOMPANY: range = 2000-200000
# Usernames appear without the MYCOMPANY+ prefix.
winbind use default domain = Yes
winbind nss info = template
winbind separator = +
# Full enumeration makes 'getent passwd/group' list the domain but can be
# slow against a large AD; it is not needed for individual lookups.
winbind enum users = Yes
winbind enum groups = Yes
# Extra idmap verbosity (level 3) for the mapping problem being debugged.
log level = winbind:1 idmap:3
syslog = 1
max log size = 50
# SMB over TCP/445 only; the NetBIOS session port (139) is not served.
smb ports = 445
mangled names = No
client use spnego = yes
# NOTE(review): this lets the client use the principal name the server
# supplies during SPNEGO instead of the one derived locally -- presumably
# needed for the DC setup here; confirm it is still required.
client use spnego principal = yes
[dist]
comment = share for dist
path = /array/dist
veto files = /autorun.inf/Thumbs.db/.TemporaryItems/
browseable = yes
# NOTE(review): 'guest ok = yes' together with 'read only = no' allows
# unauthenticated (guest) sessions to write to /array/dist -- confirm that is
# intended; if only domain users should write, drop 'guest ok'.
read only = no
guest ok = yes
# New files 0664 / directories 0775; forced directory mode keeps group write.
create mask = 0664
security mask = 0664
directory mask = 0775
force directory mode = 0775
directory security mask = 0775
map acl inherit = Yes
[root at bk001 ~]# cat /etc/krb5.conf
# krb5.conf for bk001: realm MYCOMPANY.TV served by two Windows 2008 R2 DCs,
# located statically (no DNS SRV lookups).
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYCOMPANY.TV
# Realm and KDC come from the [realms]/[domain_realm] sections below, not
# from DNS; adding or renaming a DC means editing this file.
dns_lookup_realm = false
dns_lookup_kdc = false
# NOTE(review): the KDC caps the lifetime at the domain policy (10h by default
# on AD), so 3d is a request, not what is granted -- verify with klist.
ticket_lifetime = 3d
# TGTs are forwardable (credential delegation) unless an app overrides it.
forwardable = true
# Max tolerated client/KDC clock difference in seconds (library default 300).
clockskew = 120
default_keytab_name = FILE:/etc/krb5.keytab
# NOTE(review): des-cbc-crc is single DES (56-bit key), listed first and so
# preferred; it only works because allow_weak_crypto is enabled below. Windows
# 2008 R2 supports rc4-hmac and AES (aes256-cts-hmac-sha1-96,
# aes128-cts-hmac-sha1-96). Once the keytab and the computer account hold
# non-DES keys, remove des-cbc-crc from all three lists and drop
# allow_weak_crypto. The "SASL SSF: 56" in the ldapsearch output later in
# this thread is consistent with DES being what is actually negotiated.
default_tkt_enctypes = des-cbc-crc rc4-hmac
default_tgs_enctypes = des-cbc-crc rc4-hmac
permitted_enctypes = des-cbc-crc rc4-hmac
allow_weak_crypto = true
# Effectively always talk TCP to the KDC (large AD tickets fragment over UDP).
udp_preference_limit = 1
[realms]
MYCOMPANY.TV = {
# KDCs are tried in the order listed; dc02 is also admin and master KDC.
kdc = dc02.mycompany.tv:88
kdc = dc01.mycompany.tv:88
admin_server = dc02.mycompany.tv:749
master_kdc = dc02.mycompany.tv
default_domain = mycompany.tv
}
[domain_realm]
# Map the bare domain and every host under it to the realm.
.mycompany.tv = MYCOMPANY.TV
mycompany.tv = MYCOMPANY.TV
[appdefaults]
# Per-application overrides; lifetimes here are in seconds (36000 = 10h),
# shorter than the 3d requested in [libdefaults].
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
kinit = {
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
}
----
[root at nas002 ~]# smbd -V
Version 3.3.8-0.52.el5_5.2
[root at nas002 ~]# cat /etc/samba/smb.conf
# smb.conf for nas002 (Samba 3.3.8): AD domain member using the older
# single-backend idmap syntax; one read-only guest-accessible share.
[global]
workgroup = MYCOMPANY
realm = MYCOMPANY.TV
server string = nas002 v %v
# Unlike bk001, no 'password server' is pinned here; DCs are found via the
# realm plus this resolve order.
name resolve order = host bcast wins lmhosts
# Domain member: authentication is delegated to AD (Kerberos, NTLMv2 fallback).
security = ADS
client NTLMv2 auth = yes
encrypt passwords = yes
allow trusted domains = No
passdb backend = tdbsam
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
# Printing subsystem disabled entirely.
load printers = no
show add printer wizard = no
disable spoolss = yes
kernel oplocks = no
printing = sysv
printcap name = /dev/null
unix extensions = no
# Never take part in browser elections.
preferred master = No
local master = No
# 3.3-era spelling of what bk001 expresses as 'kerberos method = system keytab':
# service keys come from /etc/krb5.keytab.
use kerberos keytab = yes
# Single rid backend for the whole range: MYCOMPANY SIDs map deterministically
# into 2000-200000, the same range bk001 uses for this domain, so uids/gids
# agree across the two hosts (which NFSv4 id mapping depends on).
idmap backend = rid
idmap uid = 2000-200000
idmap gid = 2000-200000
# Usernames appear without the MYCOMPANY+ prefix.
winbind use default domain = Yes
winbind separator = +
# Full enumeration can be slow against a large AD; not needed for lookups.
winbind enum users = Yes
winbind enum groups = Yes
# Winbind renews the Kerberos tickets it obtained for users; bk001 does not
# set this -- presumably relevant to the NFSv4/krb5 testing, worth aligning.
winbind refresh tickets = yes
log file = /var/log/samba/log.smbd
max log size = 50
log level = winbind:1 idmap:1
syslog = 1
# SMB over TCP/445 only; the NetBIOS session port (139) is not served.
smb ports = 445
mangled names = No
client use spnego = yes
[nfs4test]
comment = Work Area
path = /array/nfs4test
veto files = /autorun.inf/Thumbs.db/.TemporaryItems/
browseable = yes
# Guest sessions get read-only access to /array/nfs4test (no write path here,
# unlike the [dist] share on bk001).
read only = yes
guest ok = yes
# New files 0664 / directories 0775; forced directory mode keeps group write.
create mask = 0664
security mask = 0664
directory mask = 0775
force directory mode = 0775
directory security mask = 0775
map acl inherit = Yes
[root at nas002 ~]# cat /etc/krb5.conf
# krb5.conf for nas002: identical to the bk001 file in this thread -- realm
# MYCOMPANY.TV served by two Windows 2008 R2 DCs, located statically.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYCOMPANY.TV
# Realm and KDC come from the [realms]/[domain_realm] sections below, not
# from DNS; adding or renaming a DC means editing this file.
dns_lookup_realm = false
dns_lookup_kdc = false
# NOTE(review): the KDC caps the lifetime at the domain policy (10h by default
# on AD), so 3d is a request, not what is granted -- verify with klist.
ticket_lifetime = 3d
# TGTs are forwardable (credential delegation) unless an app overrides it.
forwardable = true
# Max tolerated client/KDC clock difference in seconds (library default 300).
clockskew = 120
default_keytab_name = FILE:/etc/krb5.keytab
# NOTE(review): des-cbc-crc is single DES (56-bit key), listed first and so
# preferred; it only works because allow_weak_crypto is enabled below. Windows
# 2008 R2 supports rc4-hmac and AES (aes256-cts-hmac-sha1-96,
# aes128-cts-hmac-sha1-96). Once the keytab and the computer account hold
# non-DES keys, remove des-cbc-crc from all three lists and drop
# allow_weak_crypto.
default_tkt_enctypes = des-cbc-crc rc4-hmac
default_tgs_enctypes = des-cbc-crc rc4-hmac
permitted_enctypes = des-cbc-crc rc4-hmac
allow_weak_crypto = true
# Effectively always talk TCP to the KDC (large AD tickets fragment over UDP).
udp_preference_limit = 1
[realms]
MYCOMPANY.TV = {
# KDCs are tried in the order listed; dc02 is also admin and master KDC.
kdc = dc02.mycompany.tv:88
kdc = dc01.mycompany.tv:88
admin_server = dc02.mycompany.tv:749
master_kdc = dc02.mycompany.tv
default_domain = mycompany.tv
}
[domain_realm]
# Map the bare domain and every host under it to the realm.
.mycompany.tv = MYCOMPANY.TV
mycompany.tv = MYCOMPANY.TV
[appdefaults]
# Per-application overrides; lifetimes here are in seconds (36000 = 10h),
# shorter than the 3d requested in [libdefaults].
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
kinit = {
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
}
When I ran the 'net ads join -U <username>' command (without the createupn option),
the W2008 R2 DC only created the SPNs; no UPN attribute was created.
[root at bk001 ~]# ldapsearch -LLL '(samaccountname=bk001$)' | grep Name
SASL/GSSAPI authentication started
SASL username: administrator at MYCOMPANY.TV
SASL SSF: 56
SASL installing layers
distinguishedName: CN=bk001,CN=Computers,DC=MYCOMPANY,DC=TV
sAMAccountName: bk001$
dNSHostName: bk001.mycompany.tv
servicePrincipalName: HOST/bk001.mycompany.tv
servicePrincipalName: HOST/BK001
thanks again,
Janice
> Please provide your smb.conf and krb5.conf files as well. BTW: the
createupn is not required on Win2K8R2 as this credential is passed now
(according to MS)
[snip]