Пытаюсь настроить связку самбы+кербероса, но наткнулся на проблемы с убунтой. Итак, имеется:
1. Домен на базе freeipa
2. samba-сервер (федора) введён в фрииповский домен. Доменные пользователи авторизуются, локально smbclient -k -L отрабатывает нормально.
smb.conf
[global]
netbios name = SGW
security = ads
workgroup = OFFICE
realm = OFFICE.IxxxxxE.UA
# Service keytab kept apart from the host keytab (/etc/krb5.keytab).
# It must contain the key for the principal clients ask for, which the
# debug log below shows as cifs/sgw.office.ixxxxxe.ua@OFFICE.IxxxxxE.UA.
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
# 2 = refuse anonymous (null-session) connections altogether.
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
[homes]
browsable = no
writable = yes
[shared]
# No "valid users" / "write list" here, so who may read or write this share
# is decided solely by the POSIX permissions/ACLs on /home/shared —
# NOTE(review): confirm that is the intended access model.
path = /home/shared
writable = yes
browsable=yes
krb5.conf
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = OFFICE.IxxxxxE.UA
dns_lookup_realm = true
dns_lookup_kdc = true
# rdns = false: do not derive service principal names from reverse DNS
# (a PTR answer is not trustworthy input for choosing which principal to ask for).
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
# Kernel-keyring credential cache; KEYRING is an MIT Kerberos ccache type.
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
OFFICE.IxxxxxE.UA = {
# Trust anchor for PKINIT: only the IPA CA is accepted for that path.
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.office.ixxxxxe.ua = OFFICE.IxxxxxE.UA
office.ixxxxxe.ua = OFFICE.IxxxxxE.UA
3. Имеем клиент Ubuntu 15.10 (на 14.04 та же фигня)
smb.conf
[global]
netbios name = SMBT
security = ads
workgroup = OFFICE
realm = OFFICE.IxxxxxE.UA
# NOTE(review): this points at the host keytab, which is normally readable
# only by root. The -d9 log below shows smbclient running without write
# access to /var/cache/samba, i.e. as an unprivileged user, so the user's
# own ticket cache (not this keytab) is presumably what -k relies on — confirm.
dedicated keytab file = FILE:/etc/krb5.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
# 2 = refuse anonymous (null-session) connections altogether.
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
krb5.conf
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = OFFICE.IxxxxxE.UA
dns_lookup_realm = true
dns_lookup_kdc = true
# rdns = false: do not derive service principal names from reverse DNS
# (a PTR answer is not trustworthy input for choosing which principal to ask for).
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
# NOTE(review): on this host smbclient -k fails inside krb5_init_context with
# "Invalid argument" before any KDC traffic (see the -d9 log below), i.e. while
# the library is still parsing this file. KEYRING is an MIT-only ccache type;
# if this smbclient build is linked against a Kerberos library that does not
# implement it (e.g. Heimdal), this line is the first thing to check — confirm
# by temporarily pointing default_ccache_name at a FILE: cache on the client.
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
OFFICE.IxxxxxE.UA = {
# Trust anchor for PKINIT: only the IPA CA is accepted for that path.
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.office.ixxxxxe.ua = OFFICE.IxxxxxE.UA
office.ixxxxxe.ua = OFFICE.IxxxxxE.UA
При попытке подключиться с клиента к серверу получаем:
@smbt:~$ smbclient -k -L sgw.office.ixxxxxe.ua
krb5_init_context failed (Недопустимый аргумент)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Недопустимый аргумент
session setup failed: NT_STATUS_UNSUCCESSFUL
smbt:~$ smbclient -k -L sgw.office.ixxxxxe.ua -d9
INFO: Current debug levels:
all: 9
tdb: 9
printdrivers: 9
lanman: 9
smb: 9
rpc_parse: 9
rpc_srv: 9
rpc_cli: 9
passdb: 9
sam: 9
auth: 9
winbind: 9
vfs: 9
idmap: 9
quota: 9
acls: 9
locking: 9
msdfs: 9
dmapi: 9
registry: 9
scavenger: 9
dns: 9
ldb: 9
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 9
tdb: 9
printdrivers: 9
lanman: 9
smb: 9
rpc_parse: 9
rpc_srv: 9
rpc_cli: 9
passdb: 9
sam: 9
auth: 9
winbind: 9
vfs: 9
idmap: 9
quota: 9
acls: 9
locking: 9
msdfs: 9
dmapi: 9
registry: 9
scavenger: 9
dns: 9
ldb: 9
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter netbios name = SMBT
doing parameter security = ads
doing parameter workgroup = OFFICE
doing parameter realm = OFFICE.IxxxxxE.UA
doing parameter dedicated keytab file = FILE:/etc/krb5.keytab
doing parameter kerberos method = dedicated keytab
doing parameter log file = /var/log/samba/log.%m
doing parameter client use spnego = yes
doing parameter client ntlmv2 auth = yes
doing parameter encrypt passwords = yes
doing parameter restrict anonymous = 2
doing parameter domain master = no
doing parameter local master = no
doing parameter preferred master = no
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=10.0.0.56 bcast=10.0.0.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SMBT"
Client started (version 4.1.17-Ubuntu).
Opening cache file at /var/cache/samba/gencache.tdb
tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Отказано в доступе
gencache_init: Opening cache file /var/cache/samba/gencache.tdb read-only.
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for OFFICE.IxxxxxE.UA
no entry for sgw.office.ixxxxxe.ua#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name sgw.office.ixxxxxe.ua<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name sgw.office.ixxxxxe.ua<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was Нет такого файла или каталога
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name sgw.office.ixxxxxe.ua<0x20>
namecache_store: storing 1 address for sgw.office.ixxxxxe.ua#20: 10.0.0.49
Connecting to 10.0.0.49 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
kerberos_get_principal_from_service_hostname: cannot get realm from, desthost sgw.office.ixxxxxe.ua or default ccache. Using default smb.conf realm OFFICE.IxxxxxE.UA
cli_session_setup_spnego: guessed server principal=cifs/sgw.office.ixxxxxe.ua@OFFICE.IxxxxxE.UA
Doing kerberos session setup
krb5_init_context failed (Недопустимый аргумент)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Недопустимый аргумент
SPNEGO login failed: Undetermined error
session setup failed: NT_STATUS_UNSUCCESSFUL