NorrPL

Reputation: 79

Samba, Apache WebDAV and delegation

I've been struggling with this setup for over a month and I'm almost out of ideas. Maybe I'll start by describing the infrastructure.

The Infrastructure

So the basic idea is to connect to Apache WebDAV with SSO through the built-in Windows, Linux and Mac clients. Everything worked fine in this scenario:

3. Active Directory ←-----------→ 2. Apache  ←-------------→ 1. Client
  1. Client: Ubuntu desktop - realmd, adcli, sssd* packages have been installed
  2. Apache 2.4 v. 2.4.62 on Fedora Linux 40 with installed GSSAPI module
  3. Active Directory - Samba v. 4.21.0 on Rocky Linux 9

I have Samba installed with the default build, so the default Kerberos server is Heimdal Kerberos.

But in my case, the final environment will look like this:

                         | ←-------------→ 2. Apache (webdav1) ←----------> 1. Client 1
                         |
                         |      
3. Active Directory ←---→| ←-------------→ 2. Apache (webdav2) ←----------→ 1. Client 2
                         |
                         |
                         | ←-------------→ 2. Apache (webdav3) ←----------→ 1. Client 3

Each of these Apache servers will have a different URL. I'm not very familiar with Kerberos, but it turns out that each Apache server needs to have its own Service Principal Name (SPN): HTTP/webdav1, HTTP/webdav2, HTTP/webdav3. After adding the SPNs to a domain user account I need to export a keytab file and distribute it to all Apache servers. And here is the problem: I will not have access to the domain controller; all I will have is an SPN and a user with delegation enabled. So in theory it should look like this:

                                                   | ←-----→ 2. Apache (webdav1) ←---→ 1. Client 1
                                                   |
                                                   |        
4. Active Directory ←----→ 3. Apache (auth) ←----→ | ←-----→ 2. Apache (webdav2) ←---→ 1. Client 2
                                                   |
                                                   |
                                                   | ←-----→ 2. Apache (webdav3) ←---→ 1. Client 3

So on 3. Apache (auth) I will be able to install MIT Kerberos and enable the GssapiUseS4U2Proxy option in the httpd *.conf file. But I don't know how to configure everything:

  1. How do I configure 3. Apache (auth)? I read in the GSSAPI_mod documentation (GssapiUseS4U2Proxy section) that I need two keytab files: one for the "connection" between 4. Active Directory and 3. Apache (auth), and a second keytab for the clients, i.e. the "connections" between 3. Apache (auth) and 2. Apache (webdavx).
  2. Should I create a principal on 3. Apache (auth), a principal with delegation enabled for the 2. Apache (webdavx) services?
  3. How do I configure 2. Apache (webdavx)? How do I set up krb5.conf; should I point to the domain or to 3. Apache (auth) in krb5.conf?

What I did:

Approach one:

I installed Samba with the default setup, so Samba was installed with Heimdal Kerberos. I was able to connect 1. Client to the domain, but I wasn't able to set up delegation. There is a command samba-tool delegation; I was able to add the for-any-protocol flag (does it mean "Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an account"?). When I tried to add the add-principal flag (does it mean "Add a principal to msDS-AllowedToActOnBehalfOfOtherIdentity that may delegate to an account"?) I got the error "Principal not found". Now I don't know which flag I should use; this is the result of the samba-tool --help command:

Usage: samba-tool delegation <subcommand>

Delegation management.


Options:
  -h, --help            show this help message and exit
  --color=always|never|auto
                        use colour if available (default: auto)


Available subcommands:
  add-principal     - Add a principal to msDS-AllowedToActOnBehalfOfOtherIdentity that may delegate to an account.
  add-service       - Add a service principal to msDS-AllowedToDelegateTo so that an account may delegate to it.
  del-principal     - Delete a principal from msDS-AllowedToActOnBehalfOfOtherIdentity that may no longer delegate to an account.
  del-service       - Delete a service principal from msDS-AllowedToDelegateTo so that an account may no longer delegate to it.
  for-any-protocol  - Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an account.
  for-any-service   - Set/unset UF_TRUSTED_FOR_DELEGATION for an account.
  show              - Show the delegation setting of an account.

for samba-tool delegation add-principal:

Usage: samba-tool delegation add-principal <accountname> <principal> [options]

Add a principal to msDS-AllowedToActOnBehalfOfOtherIdentity that may delegate
to an account.


Options:
  -h, --help            show this help message and exit
  -H URL, --URL=URL     LDB URL for database or target server
  --color=always|never|auto
                        use colour if available (default: auto)

  Credentials Options:
    --simple-bind-dn=DN
                        DN to use for a simple bind
    --password=PASSWORD
                        Password
    -U USERNAME, --username=USERNAME
                        Username
    -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
    -N, --no-pass       Don't ask for a password
    --ipaddress=IPADDRESS
                        IP address of server
    -P, --machine-pass  Use stored machine account password
    --use-kerberos=desired|required|off
                        Use Kerberos authentication
    --use-krb5-ccache=KRB5CCNAME
                        Kerberos Credentials cache
    -A AUTHFILE, --authentication-file=AUTHFILE
                        Authentication file
    -k KERBEROS, --kerberos=KERBEROS
                        DEPRECATED: Migrate to --use-kerberos

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Version Options:
    -V, --version       Display version numer

Maybe I should just use for-any-protocol?

Approach two:

I installed Samba with MIT Kerberos, so during configuration I added these flags: --with-system-mitkrb5 --with-experimental-mit-ad-dc. Here I can't join the client to the domain; this is the result:

sudo realm join -v mydomain.internal
[sudo] password for user jimmy: 
 * Resolving: _ldap._tcp.mydomain.internal
 * Performing LDAP DSE lookup on: 172.16.0.1
 * Successfully discovered: mydomain.internal
Password for Administrator: 
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain mydomain.internal --domain-realm MYDOMAIN.INTERNAL --domain-controller 172.16.0.1 --login-type user --login-user Administrator --stdin-password
 * Using domain name: mydomain.internal
 * Calculated computer account name from fqdn: UBUNTU
 * Using domain realm: mydomain.internal
 * Sending NetLogon ping to domain controller: 172.16.0.1
 * Received NetLogon info from: dc1.mydomain.internal
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-SkorFJ/krb5.d/adcli-krb5-conf-pTrVz4
 ! Couldn't authenticate as: [email protected]: Preauthentication failed
adcli: couldn't connect to mydomain.internal domain: Couldn't authenticate as: [email protected]: Preauthentication failed
 ! Failed to join the domain
realm: Failed to join the domain

On Kerberos side:

Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info): INFO: 

Current debug levels:
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   all: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   tdb: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   printdrivers: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   lanman: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   smb: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   rpc_parse: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   rpc_srv: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   rpc_cli: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   passdb: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   sam: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   auth: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   winbind: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   vfs: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   idmap: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   quota: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   acls: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   locking: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   msdfs: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   dmapi: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   registry: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   scavenger: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   dns: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   ldb: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   tevent: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   auth_audit: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   auth_json_audit: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   kerberos: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   drs_repl: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   smb2: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   smb2_credits: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_audit: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_json_audit: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_password_audit: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_password_json_audit: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_transaction_audit: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_transaction_json_audit: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_group_audit: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_group_json_audit: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info):   ldapsrv: 5
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info): Processing section "[sysvol]"
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info): Processing section "[netlogon]"
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info): Processing section "[users]"
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info): pm_process() returned Yes
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info): schema_fsmo_init: we are master[yes] updates allowed[no]
Oct 04 14:04:09 dc1.mydomain.internal krb5kdc[117927](info): Loaded
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](Error): preauth pkinit failed to initialize: PKINIT initialization failed: No pkinit_identity supplied for realm MYDOMAIN.INTERNAL
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](Error): preauth spake failed to initialize: No SPAKE preauth groups configured
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info): setting up network...
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info): setsockopt(16,IPV6_V6ONLY,1) worked
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info): setsockopt(18,IPV6_V6ONLY,1) worked
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info): set up 4 sockets
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info): lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info): Processing section "[global]"
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info): INFO: Current debug levels:
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   all: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   tdb: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   printdrivers: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   lanman: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   smb: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   rpc_parse: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   rpc_srv: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   rpc_cli: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   passdb: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   sam: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   auth: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   winbind: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   vfs: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   idmap: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   quota: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   acls: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   locking: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   msdfs: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   dmapi: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   registry: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   scavenger: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   dns: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   ldb: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   tevent: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   auth_audit: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   auth_json_audit: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   kerberos: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   drs_repl: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   smb2: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   smb2_credits: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_audit: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_json_audit: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_password_audit: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_password_json_audit: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_transaction_audit: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_transaction_json_audit: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_group_audit: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   dsdb_group_json_audit: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info):   ldapsrv: 5
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info): Processing section "[sysvol]"
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info): Processing section "[netlogon]"
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info): Processing section "[users]"
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info): pm_process() returned Yes
Oct 04 14:04:10 dc1.mydomain.internal krb5kdc[117927](info): commencing operation
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): authsam_account_ok: Checking SMB password for user [email protected]
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): logon_hours_ok: No hours restrictions for user [email protected]
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.16.0.10: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): authsam_account_ok: Checking SMB password for user [email protected]
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): logon_hours_ok: No hours restrictions for user [email protected]
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): kdb_samba_db_issue_pac: Generate PAC for AS-REQ [[email protected], flags=0x000040]
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.16.0.10: ISSUE: authtime 1728043476, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for krbtgt/[email protected]
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): sync interval is 14
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): authsam_calculate_lastlogon_sync_interval: randomised sync interval is 13 (-1)
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): lastLogonTimestamp is 133724574086692640
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): old timestamp is 133724574086692640, threshold 133713938765734640, diff 10635320958000
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): lastLogonTimestamp is 133724574086692640
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): old timestamp is 133724574086692640, threshold 133713938765784260, diff 10635320908380
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): DSDB Change [Modify] at [Fri, 04 Oct 2024 14:04:36.580718 CEST] status [Success] remote host [Unknown] SID [S-1-5-18] DN [CN=Administrator,CN=Users,DC=mydomain,DC=internal] attributes [replace: lastLogon [133725170765784260] replace: logonCount [15]]
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): {"timestamp": "2024-10-04T14:04:36.581026+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": null, "performedAsSystem": false, "userSid": "S-1-5-18", "dn": "CN=Administrator,CN=Users,DC=mydomain,DC=internal", "transactionId": "9b53f5e9-9433-41cd-abab-6743322323b3", "sessionId": "10ba4009-13ed-4d29-969b-95b1da6a58f8", "attributes": {"lastLogon": {"actions": [{"action": "replace", "values": [{"value": "133725170765784260"}]}]}, "logonCount": {"actions": [{"action": "replace", "values": [{"value": "15"}]}]}}}}
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): descriptor_prepare_commit: changes: num_registrations=0
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): descriptor_prepare_commit: changes: num_registered=0
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): descriptor_prepare_commit: changes: num_toplevel=0
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): descriptor_prepare_commit: changes: num_processed=0
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): descriptor_prepare_commit: objects: num_processed=0
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): descriptor_prepare_commit: objects: num_skipped=0
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): kdb_samba_db_issue_pac: Update PAC for TGS-REQ [[email protected], [email protected], flags=00000000]
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): dsdb_search_dn: flags=0x00000010 <SID=S-1-18-1> -> Base-DN '<SID=S-1-18-1>' not found (No such object)
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): dsdb_search_dn: flags=0x00000010 <SID=S-1-5-21-0-0-0-497> -> Base-DN '<SID=S-1-5-21-0-0-0-497>' not found (No such object)
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.16.0.10: ISSUE: authtime 1728043476, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for [email protected]
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): closing down fd 19
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): kdb_samba_db_issue_pac: Update PAC for TGS-REQ [[email protected], server=kadmin/[email protected], flags=00000000]
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): dsdb_search_dn: flags=0x00000010 <SID=S-1-18-1> -> Base-DN '<SID=S-1-18-1>' not found (No such object)
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): dsdb_search_dn: flags=0x00000010 <SID=S-1-5-21-0-0-0-497> -> Base-DN '<SID=S-1-5-21-0-0-0-497>' not found (No such object)
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.16.0.10: ISSUE: authtime 1728043476, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for kadmin/[email protected]
Oct 04 14:04:36 dc1.mydomain.internal krb5kdc[117927](info): closing down fd 19

The log entries about joining the domain begin with the line authsam_account_ok: Checking SMB password for user [email protected]. When I run date on the Client and on the AD server, the time is the same.

kdc.conf:

[kdcdefaults]
        kdc_ports = 88
        kdc_tcp_ports = 88
        kadmind_port = 464
        restrict_anonymous_to_tgt = true

[realms]
        MYDOMAIN.INTERNAL = {
                master_key_type = aes256-cts
                default_principal_flags = +preauth
        }

        mydomain.internal = {
                master_key_type = aes256-cts
                default_principal_flags = +preauth
        }

        MYDOMAIN = {
                master_key_type = aes256-cts
                default_principal_flags = +preauth
        }

[dbmodules]
        db_module_dir = /usr/local/samba/lib/krb5/plugins/kdb

        MYDOMAIN.INTERNAL = {
                db_library = samba
        }

        mydomain.internal = {
                db_library = samba
        }

        MYDOMAIN = {
                db_library = samba
        }

[logging]
        kdc = FILE:/usr/local/samba/var/mit_kdc.log
        admin_server = FILE:/usr/local/samba/var/mit_kadmin.log

Domain server krb5.conf:

[libdefaults]
        default_realm = MYDOMAIN.INTERNAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
        permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac

[realms]
MYDOMAIN.INTERNAL = {
        default_domain = mydomain.internal
        kdc = dc1.mydomain.internal
        admin_server = dc1.mydomain.internal
}

[domain_realm]
        dc1 = MYDOMAIN.INTERNAL
        .mydomain.internal = MYDOMAIN.INTERNAL
        mydomain.internal = MYDOMAIN.INTERNAL

I've watched a few videos on how Kerberos works, all about the Kerberos Ticket Granting Ticket, Ticket Granting Service, Service Principal Name and so on. But delegation is still quite mysterious to me.

Can anyone help me and explain how all this works? Which approach should I use?

Upvotes: 0

Views: 105
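A defender-side check for the delegation settings that the samba-tool delegation help output in the question describes, as an added example that is not part of the original post: it maps the userAccountControl bits and the msDS-AllowedToDelegateTo attribute to a delegation type, reconstructs the samba-tool calls that produce that state, and flags unconstrained or over-broad delegation. The account names, SPNs and the 0x200 (normal account) bit in the sample records are assumed values.

```python
"""Added example: audit Kerberos delegation settings on Samba/AD accounts.
Maps the userAccountControl bits and the LDAP attribute that samba-tool delegation
manipulates (see its help text above) to a delegation type, and flags risky or
over-broad settings. Sample records are constructed, not read from a real directory."""
from dataclasses import dataclass, field

# userAccountControl bits (MS-ADTS), named as in samba-tool's help output
UF_TRUSTED_FOR_DELEGATION = 0x00080000                  # for-any-service: unconstrained
UF_NOT_DELEGATED = 0x00100000                           # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000  # for-any-protocol: S4U2Self + S4U2Proxy

@dataclass
class Account:
    sam: str
    uac: int
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo (add-service)

def classify(acct):
    """Return the delegation type an account currently has."""
    if acct.uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"  # any client TGT it receives can be reused against any service
    if acct.allowed_to_delegate_to:
        if acct.uac & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:
            return "constrained-any-protocol"  # can also obtain tickets for users who never sent one (S4U2Self)
        return "constrained-kerberos-only"  # S4U2Proxy only; needs the client's forwardable service ticket
    return "none"

def samba_tool_commands(acct):
    """Reconstruct the samba-tool delegation calls that produce this account's state."""
    cmds = []
    if acct.uac & UF_TRUSTED_FOR_DELEGATION:
        cmds.append(f"samba-tool delegation for-any-service {acct.sam} on")
    if acct.uac & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:
        cmds.append(f"samba-tool delegation for-any-protocol {acct.sam} on")
    cmds += [f"samba-tool delegation add-service {acct.sam} {spn}" for spn in acct.allowed_to_delegate_to]
    return cmds

def audit(accounts, proxy_sam, expected_targets):
    """Only the auth proxy should delegate, and only to the expected back-end SPNs."""
    findings = []
    for a in accounts:
        kind = classify(a)
        if kind == "unconstrained":
            findings.append(f"{a.sam}: unconstrained delegation (for-any-service); use constrained delegation")
        if a.sam != proxy_sam and kind != "none":
            findings.append(f"{a.sam}: delegation enabled on an account that should not delegate")
        if a.sam == proxy_sam:
            extra = sorted(set(a.allowed_to_delegate_to) - set(expected_targets))
            missing = sorted(set(expected_targets) - set(a.allowed_to_delegate_to))
            if extra:
                findings.append(f"{a.sam}: delegates to unexpected services {extra}")
            if missing:
                findings.append(f"{a.sam}: missing delegation targets {missing}")
        if a.sam.lower() == "administrator" and not a.uac & UF_NOT_DELEGATED:
            findings.append(f"{a.sam}: privileged account not marked 'sensitive, cannot be delegated'")
    return findings

# Constructed sample directory matching the question's topology; webdav3 is deliberately misconfigured
SAMPLE = [
    Account("apache-auth", 0x200 | UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION,
            ["HTTP/webdav1.mydomain.internal", "HTTP/webdav2.mydomain.internal"]),
    Account("webdav3", 0x200 | UF_TRUSTED_FOR_DELEGATION),
    Account("Administrator", 0x200),
]
EXPECTED = [f"HTTP/webdav{i}.mydomain.internal" for i in (1, 2, 3)]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "apache-auth", EXPECTED)))
```

On a real domain the Account records would be filled from an LDAP search for userAccountControl and msDS-AllowedToDelegateTo, and `samba-tool delegation show <account>` prints the same state for a single account.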

Answers (0)