[CentOS] Windows 2008R2 AD, kerberos, NFSv4

Wed Apr 25 17:07:07 UTC 2012
janice.psyop <janice.psyop at gmail.com>

Hi James,

(Sorry, I was on digest mode, but have switched it off...)  Here are the
respective smb.conf and krb5.conf files.


[root at bk001 ~]# smbd -V
Version 3.5.10-0.107.el5

[root at bk001 ~]# cat /etc/samba/smb.conf

[global]
        # AD domain-member (security = ADS) configuration for bk001 in MYCOMPANY.TV.
        workgroup = MYCOMPANY
        realm = MYCOMPANY.TV
        server string = bk001 v %v
        log file = /var/log/samba/log.smbd
        security = ADS
        # Outbound client auth uses NTLMv2 only (no LM/NTLMv1 fallback).
        client NTLMv2 auth = yes
        encrypt passwords = yes
        #password server = *
        # DCs pinned by IP here; krb5.conf [realms] pins them by hostname — keep the two lists in sync.
        password server = 10.100.1.11 10.100.1.10
        allow trusted domains = No
        passdb backend = tdbsam
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
        # Printing subsystem fully disabled.
        load printers = no
        show add printer wizard = no
        disable spoolss = yes
        kernel oplocks = no
        printing = sysv
        printcap name = /dev/null
        unix extensions = no
        preferred master = No
        local master = No
        #use kerberos keytab = yes
        # 'kerberos method' supersedes the older 'use kerberos keytab' (left commented out above);
        # the machine keytab lives at /etc/krb5.keytab per krb5.conf default_keytab_name.
        kerberos method = system keytab
        # Requires SASL signing on the LDAP connection to the DC.
        client ldap sasl wrapping = sign
        idmap backend = tdb
        # Default (non-domain) allocation range; does not overlap the MYCOMPANY rid range below.
        idmap uid = 200001-999999
        idmap gid = 200001-999999
        idmap config MYCOMPANY: backend = rid
        # NOTE(review): idmap_rid documents 'base_rid'; confirm 'base_range' is recognised by this Samba version.
        idmap config MYCOMPANY: base_range = 2000
        idmap config MYCOMPANY: range = 2000-200000
        winbind use default domain = Yes
        winbind nss info = template
        winbind separator = +
        # Full user/group enumeration can be slow and noisy against a large domain.
        winbind enum users = Yes
        winbind enum groups = Yes
        # idmap at level 3 is a troubleshooting setting; lower it once the join issue is resolved.
        log level = winbind:1 idmap:3
        syslog = 1
        max log size = 50
        # Only the direct-hosted SMB port is served (no NetBIOS-over-TCP 139).
        smb ports = 445
        mangled names = No
        client use spnego = yes
        client use spnego principal = yes

[dist]
        comment = share for dist
        path = /array/dist
        veto files = /autorun.inf/Thumbs.db/.TemporaryItems/
        browseable = yes
        # 'guest ok = yes' combined with 'read only = no' allows unauthenticated writes to
        # /array/dist from any client that can reach the service — confirm this is intended,
        # or restrict with 'guest ok = no' / 'valid users'.
        read only = no
        guest ok = yes
        create mask = 0664
        security mask = 0664
        directory mask = 0775
        force directory mode = 0775
        directory security mask = 0775
        map acl inherit = Yes


 [root at bk001 ~]# cat /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYCOMPANY.TV
 # DNS-based realm/KDC discovery is off; the explicit [realms] entries below are authoritative.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 3d
 forwardable = true
 # Tighter than the 300 s library default; clients must stay within 2 minutes of the DCs.
 clockskew = 120
 default_keytab_name = FILE:/etc/krb5.keytab
 # Single-DES (des-cbc-crc) is deprecated (RFC 6649) and only negotiable because of
 # allow_weak_crypto below. Prefer aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 # (supported by Windows 2008 R2 when enabled on the computer account) and then
 # drop allow_weak_crypto.
 default_tkt_enctypes = des-cbc-crc rc4-hmac
 default_tgs_enctypes = des-cbc-crc rc4-hmac
 permitted_enctypes = des-cbc-crc rc4-hmac
 allow_weak_crypto = true
 # Forces TCP to the KDC; AD tickets carrying a PAC commonly exceed UDP size limits.
 udp_preference_limit = 1

[realms]
 MYCOMPANY.TV = {
  # KDCs listed by name here, by IP in smb.conf 'password server' — keep them consistent.
  kdc = dc02.mycompany.tv:88
  kdc = dc01.mycompany.tv:88
  admin_server = dc02.mycompany.tv:749
  master_kdc = dc02.mycompany.tv
  default_domain = mycompany.tv
 }

[domain_realm]
 .mycompany.tv = MYCOMPANY.TV
 mycompany.tv = MYCOMPANY.TV

[appdefaults]
 # Per-application settings: 36000 s (10 h) lifetimes here take precedence over the
 # 3d ticket_lifetime in [libdefaults] for pam and kinit.
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   # Legacy Kerberos 4 ticket conversion disabled.
   krb4_convert = false
 }
 kinit = {
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
 }


 ----

[root at nas002 ~]# smbd -V
Version 3.3.8-0.52.el5_5.2

[root at nas002 ~]# cat /etc/samba/smb.conf

[global]
        # AD domain-member (security = ADS) configuration for nas002 (Samba 3.3.x) in MYCOMPANY.TV.
        workgroup = MYCOMPANY
        realm = MYCOMPANY.TV
        server string = nas002 v %v
        name resolve order = host bcast wins lmhosts
        security = ADS
        # Outbound client auth uses NTLMv2 only (no LM/NTLMv1 fallback).
        client NTLMv2 auth = yes
        encrypt passwords = yes
        allow trusted domains = No
        passdb backend = tdbsam
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
        # Printing subsystem fully disabled.
        load printers = no
        show add printer wizard = no
        disable spoolss = yes
        kernel oplocks = no
        printing = sysv
        printcap name = /dev/null
        unix extensions = no
        preferred master = No
        local master = No
        # Pre-3.4 spelling; newer Samba expresses this as 'kerberos method = system keytab'.
        use kerberos keytab = yes
        # Global rid backend without a per-domain 'idmap config' block (older idmap syntax);
        # the whole 2000-200000 range is derived from RIDs.
        idmap backend = rid
        idmap uid = 2000-200000
        idmap gid = 2000-200000
        winbind use default domain = Yes
        winbind separator = +
        # Full user/group enumeration can be slow and noisy against a large domain.
        winbind enum users = Yes
        winbind enum groups = Yes
        # winbind renews the Kerberos tickets of logged-in domain users.
         winbind refresh tickets = yes
        log file = /var/log/samba/log.smbd
        max log size = 50
        log level = winbind:1 idmap:1
        syslog = 1
        # Only the direct-hosted SMB port is served (no NetBIOS-over-TCP 139).
        smb ports = 445
        mangled names = No
        # NOTE(review): unlike bk001's smb.conf, no 'client ldap sasl wrapping = sign' here,
        # so LDAP signing to the DC is not required on this host.
        client use spnego = yes


[nfs4test]
        comment = Work Area
        path = /array/nfs4test
        veto files = /autorun.inf/Thumbs.db/.TemporaryItems/
        browseable = yes
        # 'guest ok = yes' with 'read only = yes' exposes /array/nfs4test for unauthenticated
        # read access — confirm this is intended for a test area.
        read only = yes
        guest ok = yes
        create mask = 0664
        security mask = 0664
        directory mask = 0775
        force directory mode = 0775
        directory security mask = 0775
        map acl inherit = Yes



[root at nas002 ~]# cat /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYCOMPANY.TV
 # DNS-based realm/KDC discovery is off; the explicit [realms] entries below are authoritative.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 3d
 forwardable = true
 # Tighter than the 300 s library default; clients must stay within 2 minutes of the DCs.
 clockskew = 120
 default_keytab_name = FILE:/etc/krb5.keytab
 # Single-DES (des-cbc-crc) is deprecated (RFC 6649) and only negotiable because of
 # allow_weak_crypto below. Prefer aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 # (supported by Windows 2008 R2 when enabled on the computer account) and then
 # drop allow_weak_crypto. Same settings as on bk001.
 default_tkt_enctypes = des-cbc-crc rc4-hmac
 default_tgs_enctypes = des-cbc-crc rc4-hmac
 permitted_enctypes = des-cbc-crc rc4-hmac
 allow_weak_crypto = true
 # Forces TCP to the KDC; AD tickets carrying a PAC commonly exceed UDP size limits.
 udp_preference_limit = 1

[realms]
 MYCOMPANY.TV = {
  kdc = dc02.mycompany.tv:88
  kdc = dc01.mycompany.tv:88
  admin_server = dc02.mycompany.tv:749
  master_kdc = dc02.mycompany.tv
  default_domain = mycompany.tv
 }

[domain_realm]
 .mycompany.tv = MYCOMPANY.TV
 mycompany.tv = MYCOMPANY.TV

[appdefaults]
 # Per-application settings: 36000 s (10 h) lifetimes here take precedence over the
 # 3d ticket_lifetime in [libdefaults] for pam and kinit.
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   # Legacy Kerberos 4 ticket conversion disabled.
   krb4_convert = false
 }
 kinit = {
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
 }



When I ran the 'net ads join -U <username>' command (without the createupn option),
the Windows 2008 R2 DC created only the SPNs; no UPN attribute was created.

[root at bk001 ~]# ldapsearch -LLL '(samaccountname=bk001$)' | grep Name
SASL/GSSAPI authentication started
SASL username: administrator at MYCOMPANY.TV
SASL SSF: 56
SASL installing layers
distinguishedName: CN=bk001,CN=Computers,DC=MYCOMPANY,DC=TV
sAMAccountName: bk001$
dNSHostName: bk001.mycompany.tv
servicePrincipalName: HOST/bk001.mycompany.tv
servicePrincipalName: HOST/BK001


thanks again,
Janice



> Please provide your smb.conf and krb5.conf files as well. BTW: the
createupn is not required on Win2K8R2 as this credential is passed now
(according to MS)

[snip]