[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?

Wed Apr 13 09:54:52 UTC 2011
Alain Péan <alain.pean@lpp.polytechnique.fr>

On 13/04/2011 11:35, John Hodrien wrote:
> On Tue, 12 Apr 2011, Alain Péan wrote:
>
>> On 12/04/2011 22:03, John Hodrien wrote:
>>> On Tue, 12 Apr 2011, Alain Péan wrote:
>>>
>>>> Indeed, nothing fails now. I want my users to authenticate against
>>>> Active Directory, and it works, and I would like them to be able to use
>>>> their Kerberos credentials, if they need, to access domain resources,
>>>> such as shares. But I have still to see a problem there.
>>>>
>>>> Thanks again for your help and your comments !
>>>
>>> So is it all working after taking out the ldap auth?  With it in you'll not be
>>> generating kerberos tickets if there's anything wrong with your kerberos
>>> setup.
>>>
>>> jh
>>
>> No, you are right, things do not work as I expect. When I disable
>> ldapauth, I cannot authenticate. So kerberos is not working.
>> I have kerberos error messages with samba when I try to join AD domain
>> with net ads join. But net rpc join succeeds.
>> # net ads join -U pean -d3
>> ....
>> [2011/04/12 22:19:45.797972,  3] libads/sasl.c:790(ads_sasl_spnego_bind)
>>   ads_sasl_spnego_bind: got server principal name =
>> pc-2003-test$@TEST-LPP.LOCAL
>> [2011/04/12 22:19:45.798331,  3] libsmb/clikrb5.c:698(ads_krb5_mk_req)
>>   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
>> found)
>> [2011/04/12 22:19:45.811493,  1] libsmb/clikrb5.c:710(ads_krb5_mk_req)
>>   ads_krb5_mk_req: smb_krb5_get_credentials failed for
>> pc-2003-test$@TEST-LPP.LOCAL (Cannot find ticket for requested realm)
>> ....
>>
>> Why 'no credential cache found'?
>> I would like to solve this annoying problem. Why is it no longer working
>> after upgrading to 5.6?
>
> I'm afraid you've cooked my brain with all the realms you've mentioned, so I'm
> not entirely clear what's going on.
>
> It's complaining about your kdc.
>
> Is pc-2003-test the KDC for the TEST-LPP.LOCAL realm, or is it the KDC for the
> LAB-LPP.LOCAL realm?  Is its FQDN pc-2003-test.test-lpp.local?
>
> Without worrying about the join, does 'kinit <username>' work?
>
> jh

Hi John,

There are only two realms I mentioned, LAB-LPP.LOCAL and TEST-LPP.LOCAL.
I am currently doing tests with the latter, and indeed pc-2003-test is the
AD DC, so the KDC for TEST-LPP.LOCAL. The FQDN is also
pc-2003-test.test-lpp.local.

'kinit <username>' works:
[root@centos-test etc]# kinit pean
Password for pean@TEST-LPP.LOCAL:
[root@centos-test etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pean@TEST-LPP.LOCAL

Valid starting     Expires            Service principal
04/13/11 11:41:09  04/13/11 18:21:09  krbtgt/TEST-LPP.LOCAL@TEST-LPP.LOCAL


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

But nevertheless, it is asking for a password when I issue the 'net ads
join -U pean' command...

As you understood, my KDC server is a Windows 2003 R2 Active Directory
server. I don't understand where it is looking for the credentials. I
tried to create the krb5.keytab with ktpass on the Windows server, and
replace the one on centos-test, but it does not work either. There
is something, perhaps obvious, that I am missing. I also tried with 'validate =
true' in /etc/krb5.conf, but with no success.

I also found that there is a 'krb5.conf.TEST-LPP' file in
/var/lib/samba/smb_krb5, and this one is certainly used by Samba (I
replaced the old version with samba3x, 3.5.4, and put 'kerberos method =
secrets and keytab' instead of the 'use kerberos keytab = true' that I used
previously).

I don't know if you, or anyone else, have an idea?

Alain

-- 
==========================================================
Alain Péan - LPP/CNRS
System/Network Administrator
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
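A small diagnostic for the situation in this message, added here and not part of the thread or of Samba: it parses klist output (a constructed copy of the one shown above) and checks that the cache's default realm, a TGT for that realm, and the cache path named by KRB5CCNAME all agree with the realm Samba is configured to join. The function names and the sample output are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Parses `klist` output and checks
# that the ticket cache it describes matches the realm Samba is set up for.

# Constructed sample, modelled on the klist output shown in the message.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pean@TEST-LPP.LOCAL

Valid starting     Expires            Service principal
04/13/11 11:41:09  04/13/11 18:21:09  krbtgt/TEST-LPP.LOCAL@TEST-LPP.LOCAL

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached'

# Realm of the default principal (text after '@' on the Default principal line).
klist_default_realm() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: .*@\(.*\)$/\1/p'
}

# Path of the credential cache, with the FILE: prefix stripped.
klist_cache_path() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache: FILE:\(.*\)$/\1/p'
}

# True when a TGT (krbtgt/REALM@REALM) for the given realm is listed.
klist_has_tgt() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# True when the cache's default realm equals the configured realm (the
# 'realm =' value from smb.conf) and a TGT for that realm is present.
cache_matches_realm() {
    [ "$(klist_default_realm "$2")" = "$1" ] && klist_has_tgt "$2" "$1"
}

# True when KRB5CCNAME is unset or names the same cache klist reported.
# If the joining process sees a different KRB5CCNAME, the ticket kinit
# obtained is not the one it will look in.
cache_matches_env() {
    [ -z "${KRB5CCNAME:-}" ] && return 0
    [ "${KRB5CCNAME#FILE:}" = "$(klist_cache_path "$1")" ]
}

# Stand-alone run: check the sample against the realm from the thread.
if cache_matches_realm TEST-LPP.LOCAL "$KLIST_SAMPLE" && cache_matches_env "$KLIST_SAMPLE"; then
    echo "ticket cache usable for realm TEST-LPP.LOCAL"
else
    echo "ticket cache does not match realm TEST-LPP.LOCAL" >&2
fi
```

On a real host, replace KLIST_SAMPLE with `"$(klist 2>&1)"` run as the same user and environment that will run `net ads join`, since the cache is per user and per KRB5CCNAME.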