
Thread: Problem with kerberos in openSUSE joined to samba domain


    Default Problem with kerberos in openSUSE joined to samba domain

    I am having this problem with Kerberos on openSUSE Leap 42.3 joined to a Samba 4.7 domain controller. The join itself succeeded — the machine account exists on the DC and I can `chgrp` files to the "domain users" group — but `klist` and `kinit` fail for the domain account as shown below.

    Code:
    administrator@linux-xg8g:~> klist                
    klist: Credentials cache permissions incorrect
    administrator@linux-xg8g:~> kinit
    Password for administrator@SIENIC.SITE: 
    kinit: Internal credentials cache error while storing credentials while getting initial credentials
    administrator@linux-xg8g:~> wbinfo -u                    
    dns-smb4server01
    administrator
    krbtgt
    guest
    administrator@linux-xg8g:~> wbinfo -g
    allowed rodc password replication group
    enterprise read-only domain controllers
    denied rodc password replication group
    read-only domain controllers
    group policy creator owners
    ras and ias servers
    domain controllers
    enterprise admins
    domain computers
    cert publishers
    dnsupdateproxy
    domain admins
    domain guests
    schema admins
    domain users
    dnsadmins
    administrator@linux-xg8g:~> getent passwd "administrator"    
    administrator:*:10000:10002::/home/SIENIC/administrator:/bin/bash                                              
    administrator@linux-xg8g:~> getent group
    root:x:0:                                                                                                      
    bin:x:1:daemon                                                                                                 
    daemon:x:2:
    sys:x:3:
    tty:x:5:
    disk:x:6:
    lp:x:7:
    www:x:8:
    kmem:x:9:
    wheel:x:10:
    mail:x:12:postfix
    news:x:13:
    uucp:x:14:
    shadow:x:15:vnc
    dialout:x:16:
    audio:x:17:pulse
    floppy:x:19:
    cdrom:x:20:
    console:x:21:
    utmp:x:22:
    public:x:32:
    video:x:33:
    games:x:40:
    xok:x:41:
    trusted:x:42:
    modem:x:43:
    ftp:x:49:
    lock:x:54:
    man:x:62:
    users:x:100:
    nobody:x:65533:
    nogroup:x:65534:nobody
    messagebus:x:499:
    sshd:x:498:
    tape:x:497:
    polkitd:x:496:
    nscd:x:495:
    mysql:x:494:
    avahi-autoipd:x:493:
    systemd-journal:x:492:
    systemd-bus-proxy:x:490:
    systemd-timesync:x:491:
    input:x:489:
    svn:x:488:
    pesign:x:487:
    ntp:x:486:
    tftp:x:485:tftp,dnsmasq
    at:x:25:
    vnc:x:484:
    ntadmin:x:71:
    rtkit:x:483:
    pulse:x:482:
    pulse-access:x:481:
    postfix:x:51:
    maildrop:x:59:postfix
    avahi:x:480:
    nm-openvpn:x:479:
    sddm:x:478:
    adm:x:477:
    nagios:x:476:
    nagcmd:x:475:nagios,wwwrun
    quagga:x:474:
    winbind:x:473:
    allowed rodc password replication group:x:10011:
    enterprise read-only domain controllers:x:10012:
    denied rodc password replication group:x:10004:
    read-only domain controllers:x:10013:
    group policy creator owners:x:10007:
    ras and ias servers:x:10014:
    domain controllers:x:10015:
    enterprise admins:x:10006:
    domain computers:x:10016:
    cert publishers:x:10017:
    dnsupdateproxy:x:10018:
    domain admins:x:10003:
    domain guests:x:10019:
    schema admins:x:10005:
    domain users:x:10002:
    dnsadmins:x:10020:
    administrator@linux-xg8g:~> getent passwd
    at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
    avahi:x:481:480:User for Avahi:/run/avahi-daemon:/bin/false
    avahi-autoipd:x:493:493:User for Avahi IPv4LL:/var/lib/avahi-autoipd:/bin/false
    bin:x:1:1:bin:/bin:/bin/bash
    daemon:x:2:2:Daemon:/sbin:/bin/bash
    dnsmasq:x:486:65534:dnsmasq:/var/lib/empty:/bin/false
    ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
    games:x:12:100:Games account:/var/games:/bin/bash
    lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
    mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
    man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
    messagebus:x:499:499:User for D-Bus:/run/dbus:/bin/false
    mysql:x:60:494:MySQL database admin:/var/lib/mysql:/bin/false
    news:x:9:13:News system:/etc/news:/bin/bash
    nm-openvpn:x:480:479:NetworkManager user for OpenVPN:/var/lib/openvpn:/sbin/nologin
    nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
    nscd:x:496:495:User for nscd:/run/nscd:/sbin/nologin
    ntp:x:74:486:NTP daemon:/var/lib/ntp:/bin/false
    openslp:x:494:2:openslp daemon:/var/lib/empty:/sbin/nologin
    pesign:x:488:487:PE-COFF signing daemon:/var/lib/pesign:/bin/false
    polkitd:x:497:496:User for polkitd:/var/lib/polkit:/sbin/nologin
    postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
    pulse:x:482:482:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
    root:x:0:0:root:/root:/bin/bash
    rpc:x:495:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
    rtkit:x:483:483:RealtimeKit:/proc:/bin/false
    sddm:x:479:478:SDDM daemon:/var/lib/sddm:/bin/false
    sshd:x:498:498:SSH daemon:/var/lib/sshd:/bin/false
    statd:x:484:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
    svn:x:489:488:user for Apache Subversion svnserve:/srv/svn:/sbin/nologin
    systemd-bus-proxy:x:490:490:systemd Bus Proxy:/:/sbin/nologin
    systemd-timesync:x:491:491:systemd Time Synchronization:/:/sbin/nologin
    tftp:x:487:485:TFTP account:/srv/tftpboot:/bin/false
    uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
    vnc:x:485:484:user for VNC:/var/lib/empty:/sbin/nologin
    wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
    eduardo:x:1000:100:Eduardo Sotomayor:/home/eduardo:/bin/bash
    nagios:x:478:476:User for Nagios:/var/lib/nagios:/bin/false
    quagga:x:477:474:Quagga routing daemon:/run/quagga:/usr/bin/false
    dns-smb4server01:*:10001:10002::/home/SIENIC/dns-smb4server01:/bin/bash
    administrator:*:10000:10002::/home/SIENIC/administrator:/bin/bash
    krbtgt:*:10002:10002::/home/SIENIC/krbtgt:/bin/bash
    guest:*:10003:10002::/home/SIENIC/guest:/bin/bash
    administrator@linux-xg8g:~>
    Code:
    # smb.conf is the main Samba configuration file. You find a full commented
    # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
    # samba-doc package is installed.
    #
    # This host is an Active Directory *member* of the SIENIC realm
    # (security = ADS below), not a domain controller.
    [global]
        workgroup = SIENIC
        # NOTE(review): tdbsam only backs local (non-AD) accounts; on an ADS
        # member it is left over from the SUSE default and is not what
        # authenticates domain users.
        passdb backend = tdbsam
        # SUSE default CUPS printing settings.
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        # NOTE(review): a logon with an unknown username is silently mapped to
        # the guest account instead of being rejected. With the writable
        # [users] and [groups] shares below, confirm guest access is intended.
        map to guest = Bad User
        # Settings in the included file override anything set above this line;
        # anything set below it overrides the include.
        include = /etc/samba/dhcp.conf
        # NOTE(review): logon path/home/drive are NT4-style logon-server
        # settings; on an ADS member they presumably have no effect.
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        # NOTE(review): 'idmap uid'/'idmap gid' are the deprecated spellings;
        # current Samba expects 'idmap config * : backend = tdb' and
        # 'idmap config * : range = 10000-20000' (check testparm on this
        # release). The default tdb backend hands out IDs per host in
        # first-seen order — in this thread "administrator" is uid 10000 on
        # linux-xg8g but 10001 on linuxws02 — so file ownership will not line
        # up across hosts. A deterministic backend such as
        # 'idmap config SIENIC : backend = rid' (with its own range) avoids that.
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        # Use the machine account's secrets.tdb entry and the system keytab
        # for Kerberos.
        kerberos method = secrets and keytab
        # Authenticate against the SIENIC.SITE KDC (see krb5.conf).
        security = ADS
        realm = SIENIC.SITE
        # Home directory and shell for domain users without Unix attributes in
        # AD; this is what produces the /home/SIENIC/<user> entries in getent.
        template homedir = /home/%D/%U
        template shell = /bin/bash
        # Cache credentials so domain users can still log in while the DC is
        # unreachable, and let winbind renew the user's TGT.
        winbind offline logon = yes
        winbind refresh tickets = yes
        # Listen on lo and eth0 only.
        bind interfaces only = yes
        interfaces = lo eth0
        # Domain users appear with bare names ("administrator") rather than
        # SIENIC\administrator. NOTE(review): a local account with the same
        # name as a domain account then becomes ambiguous — keep the local
        # namespace (e.g. "eduardo") disjoint from domain usernames.
        winbind use default domain = yes
        # Required for 'getent passwd' / 'getent group' to list every domain
        # account, as shown in this thread. Not needed for logins and costly
        # on large domains, so many sites leave these off.
        winbind enum users = yes
        winbind enum groups = yes
    [homes]
        comment = Home Directories
        # Only the owner of the home share may connect, by bare name or
        # DOMAIN<separator>name.
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
    [profiles]
        comment = Network Profiles Service
        # Roaming profiles are stored inside the user's own home directory.
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
    [users]
        comment = All users
        # NOTE(review): exposes every directory under /home (local and domain
        # users) as one writable share; Unix permissions/ACLs are the only
        # thing separating users here.
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
    [groups]
        comment = All groups
        # Writable shared area; again relies solely on filesystem ACLs.
        path = /home/groups
        read only = No
        inherit acls = Yes
    [printers]
        comment = All Printers
        # Print jobs are spooled to /var/tmp with owner-only permissions.
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        # Only root and members of the local ntadmin group may upload drivers.
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

    Code:
    [libdefaults]
            # Do not derive realms from DNS TXT records; [domain_realm] below
            # does the hostname-to-realm mapping instead.
            dns_lookup_realm = false
            # Also discover KDCs via DNS SRV records, in addition to the
            # explicit kdc entry under [realms].
            dns_lookup_kdc = true 
        default_realm = SIENIC.SITE
        # NOTE(review): a fixed, predictable path in shared /tmp. Whatever
        # already exists at that name wins: the "Credentials cache permissions
        # incorrect" error in this thread is a root-owned /tmp/krb5cc_10000
        # sitting at the user's ccache path. A per-user location such as
        # KEYRING:persistent:%{uid} or DIR:/run/user/%{uid}/krb5cc cannot
        # collide with another uid's cache — confirm the pam/winbind modules
        # on this release support the chosen type before switching.
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}
        # Maximum tolerated clock difference from the KDC, in seconds.
        clockskew = 300
    #    default_realm = EXAMPLE.COM 
    
    [realms]
    SIENIC.SITE = {
        # The Samba DC is both KDC and admin server for this realm.
        kdc = smb4server01.sienic.site
        default_domain = sienic.site
        admin_server = smb4server01.sienic.site
    }
    #    EXAMPLE.COM = {
    #                kdc = kerberos.example.com
    #        admin_server = kerberos.example.com
    #    }
    
    [logging]
        # The kdc/admin_server entries only matter on a host running those
        # daemons; on this member only 'default' (syslog) is relevant.
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
    [domain_realm]
        # Any host under sienic.site belongs to the SIENIC.SITE realm.
        .sienic.site = SIENIC.SITE
    [appdefaults]
    # Options applied by pam_krb5 when a user logs in.
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        # NOTE(review): a forwardable TGT lets a service the user logs into
        # (e.g. ssh with credential delegation enabled) obtain tickets in the
        # user's name. Keep it only if that delegation is actually wanted.
        forwardable = true
        proxiable = false
        # NOTE(review): Kerberos is attempted for every account with uid >= 1,
        # including local system accounts. Raising this to the local-user
        # floor (1000) or the idmap floor (10000) limits it to real users.
        minimum_uid = 1
    }


    Default Re: Problem with kerberos in openSUSE joined to samba domain

    I did as follows

    Code:
    linux-xg8g:/tmp # chown administrator krb5cc_10000
    and now

    Code:
    administrator@linux-xg8g:/tmp> ls -l
    total 284
    drwx------ 2 eduardo       users        4096 ago 25 07:41 akonadi-eduardo.7uZ4Fl
    drwxr-xr-x 2 eduardo       users        4096 ago 28 12:16 DraftSight_eduardo_autosave
    drwxr-xr-x 2 eduardo       users        4096 sep 16 07:41 DraftSight_eduardo_temp
    drwx------ 2 eduardo       users        4096 sep 29 14:28 firefox_eduardo
    drwx------ 2 eduardo       users        4096 ago 28 11:03 gpg-7E0bLa
    drwxr-xr-x 2 eduardo       users        4096 sep 21 08:50 hsperfdata_eduardo
    drwx------ 2 eduardo       users        4096 sep 15 17:33 kde-eduardo
    -rw------- 1 root          root         1520 oct  3 15:47 krb5cc_0
    -rw------- 1 administrator domain users 1520 oct  3 16:30 krb5cc_10000
    Code:
    administrator@linux-xg8g:~> klist
    Ticket cache: FILE:/tmp/krb5cc_10000
    Default principal: Administrator@SIENIC.SITE
    
    Valid starting     Expires            Service principal
    03/10/17 16:28:45  04/10/17 02:28:45  krbtgt/SIENIC.SITE@SIENIC.SITE
            renew until 10/10/17 16:28:45
    03/10/17 16:28:45  04/10/17 02:28:45  LINUX-XG8G$@SIENIC.SITE
            renew until 10/10/17 16:28:45


    Default Re: Problem with kerberos in openSUSE joined to samba domain

    Quote Originally Posted by Easgs View Post
    I did as follows

    Code:
    linux-xg8g:/tmp # chown administrator krb5cc_10000
    and now

    Code:
    administrator@linux-xg8g:/tmp> ls -l
    total 284
    drwx------ 2 eduardo       users        4096 ago 25 07:41 akonadi-eduardo.7uZ4Fl
    drwxr-xr-x 2 eduardo       users        4096 ago 28 12:16 DraftSight_eduardo_autosave
    drwxr-xr-x 2 eduardo       users        4096 sep 16 07:41 DraftSight_eduardo_temp
    drwx------ 2 eduardo       users        4096 sep 29 14:28 firefox_eduardo
    drwx------ 2 eduardo       users        4096 ago 28 11:03 gpg-7E0bLa
    drwxr-xr-x 2 eduardo       users        4096 sep 21 08:50 hsperfdata_eduardo
    drwx------ 2 eduardo       users        4096 sep 15 17:33 kde-eduardo
    -rw------- 1 root          root         1520 oct  3 15:47 krb5cc_0
    -rw------- 1 administrator domain users 1520 oct  3 16:30 krb5cc_10000
    Code:
    administrator@linux-xg8g:~> klist
    Ticket cache: FILE:/tmp/krb5cc_10000
    Default principal: Administrator@SIENIC.SITE
    
    Valid starting     Expires            Service principal
    03/10/17 16:28:45  04/10/17 02:28:45  krbtgt/SIENIC.SITE@SIENIC.SITE
            renew until 10/10/17 16:28:45
    03/10/17 16:28:45  04/10/17 02:28:45  LINUX-XG8G$@SIENIC.SITE
            renew until 10/10/17 16:28:45
    What were the permissions and ownership of /tmp/krb5cc_10000 before you changed the owner?
    And did you read something that suggests doing that?
    The only solutions I can find involve changing permissions, not ownership. If that file was created by root, chowning it to the user papers over the real question of why a root process wrote a cache at the user's ccache path; the cleaner fix is to remove the stale file as root and let kinit (or the PAM login) create a fresh one.

    It looks like you're logged in as the domain account "administrator", which I'd treat as a Domain Admin (note that `wbinfo -g` lists the domain's groups, not that account's memberships, and `getent` only shows its primary group, "domain users"). And, are you logging in locally on the Samba machine?

    TSU


    Default Re: Problem with kerberos in openSUSE joined to samba domain

    Quote Originally Posted by tsu2 View Post
    What were the permissions before you "change owner" ?
    And, did you read something that suggests doing that?
    The only solutions I can Google are to change permissions, not ownership.

    It looks like you're logged in as an account "administrator" which appears to be a member of all Domain admin accounts, so I guess it can be considered a Domain Admin? And, are you logging in locally on the SAMBA machine?

    TSU
    Before the change the file was owned by root:root. "administrator" is the domain account, and this machine is a Samba domain member (not the DC). I created another machine and it did not have the issue.


    Default Re: Problem with kerberos in openSUSE joined to samba domain

    This is on a fresh install; it worked without any modification. Compare the ownership of krb5cc_10001 below (administrator:root, mode 0600) — and note that the same "administrator" account is uid 10001 on this machine but 10000 on the first one, so the idmap allocation differs per host.


    Code:
    administrator@linuxws02:/tmp> ls -l  
    total 32
    -rw------- 1 administrator root         2733 oct  5 11:03 krb5cc_10001
    -rw-r----- 1 administrator domain users    0 oct  5 11:04 qipc_sharedmemory_soliddiskinfomem4e3bb5257a37ac07f01e3f0633da722a63794719
    -rw-r----- 1 administrator domain users    0 oct  5 11:04 qipc_systemsem_soliddiskinfomem4e3bb5257a37ac07f01e3f0633da722a63794719
    -rw-r----- 1 administrator domain users    0 oct  5 11:04 qipc_systemsem_soliddiskinfosemd436dc0e64ac271ed1ad1276c02534422ffe8815
    drwx------ 2 root          root         4096 oct  3 23:19 runtime-root
    srwx------ 1 sddm          sddm            0 oct  5 10:25 sddm-:0-RxwitR
    srwxr-xr-x 1 root          root            0 oct  5 10:25 sddm-auth312beaef-0196-4b32-b901-3e8078b80364
    srwxr-xr-x 1 root          root            0 oct  3 20:49 sddm-auth5b12c8ed-1246-41ac-b521-601bb5955337
    srwxr-xr-x 1 root          root            0 oct  3 19:49 sddm-authb9eb3803-c001-408d-9760-1871024543d9
    srwxr-xr-x 1 root          root            0 oct  4 06:14 sddm-authc86319b4-5819-4489-803a-7168bfdbb57d
    srwxr-xr-x 1 root          root            0 oct  3 22:55 sddm-authd1a5160f-1341-4a9f-9f4d-c6bd60db049d
    drwx------ 3 root          root         4096 oct  5 10:25 systemd-private-c79fa941b032496998a9ea3f114eeff5-ntpd.service-aFlbBJ
    drwx------ 3 root          root         4096 oct  5 11:04 systemd-private-c79fa941b032496998a9ea3f114eeff5-rtkit-daemon.service-l0om9L
    drwx------ 2 root          root         4096 oct  3 19:49 vmware-root
    -rw------- 1 root          root           54 oct  3 23:19 xauth-0-_0
    -rw------- 1 eduardo01     users          55 oct  3 20:49 xauth-1000-_0
    -rw------- 1 administrator domain users   54 oct  5 11:04 xauth-10001-_0
    administrator@linuxws02:/tmp> klist
    Ticket cache: FILE:/tmp/krb5cc_10001
    Default principal: Administrator@SIENIC.SITE
    
    Valid starting     Expires            Service principal
    05/10/17 11:03:50  05/10/17 21:03:50  krbtgt/SIENIC.SITE@SIENIC.SITE
            renew until 12/10/17 11:03:50
    05/10/17 11:03:51  05/10/17 21:03:50  LINUXWS02$@SIENIC.SITE
            renew until 12/10/17 11:03:50
    administrator@linuxws02:/tmp> kinit
    Password for Administrator@SIENIC.SITE: 
    Warning: Your password will expire in 34 days on mié 08 nov 2017 16:55:53 CST
    administrator@linuxws02:/tmp>


    Default Re: Problem with kerberos in openSUSE joined to samba domain

    You might try removing the machine from the Domain, remove the Machine account and then re-joining the Domain.

    Also,
    I personally tend to have better luck pre-creating the machine account on a DC before joining, instead of letting the join create it automatically.

    TSU
