Bug 1549969
Summary: 'Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR' while accessing share.
Product: Red Hat Enterprise Linux 7
Component: samba
Version: 7.5
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Reporter: Sudhir Menon <sumenon>
Assignee: Alexander Bokovoy <abokovoy>
QA Contact: qe-baseos-daemons
CC: asn, gdeschner, jarrpa
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-02-28 10:49:47 UTC
Type: Bug

Description
Sudhir Menon
2018-02-28 08:03:33 UTC
Created attachment 1401670: Logs from Samba Server
Created attachment 1401684: ENV Setup Details

According to comment 3, the configuration is incorrect. You shouldn't give a keytab with wrong keys. Logs in comment 2 confirm it:

[2018/02/28 13:27:34.624795, 5, pid=21548, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2018/02/28 13:27:34.625086, 10, pid=21548, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:1326(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2018/02/28 13:27:34.625229, 1, pid=21548, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse_krb5.c:513(fill_mem_keytab_from_dedicated_keytab)
  ../source3/librpc/crypto/gse_krb5.c:513: krb5_kt_start_seq_get failed (No such file or directory)
[2018/02/28 13:27:34.625295, 1, pid=21548, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse_krb5.c:593(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:593: Error! Unable to set mem keytab - 2

smbd was unable to find a proper principal from the keytab. Also, this ipa-fserver host is not enrolled into IPA domain. This is an invalid test as something should be done to set up basic kerberos configuration, namely default realm used by the krb5 library.

ab, Thank you for explaining the issue where the setup was wrong. After rectifying the same was able to access the samba share.

1. Tried to get keytab on ipa-server itself was incorrect. So joined ipa-fserver to IPA realm using ipa-client-install, since only setting up smb.conf with realm = IPA.TEST doesn't let samba server locate kerberos server.
2. Also there was no need to replace the /etc/krb5.keytab on ipa-fserver, just copied keytab generated in /root/samba.keytab to /etc/samba which only included entries for ipa-fserver in this case.
2. So ran the below commands on ipa-fserver after running ipa-client-install and the share was accessible using ipauser as well as trusted AD user.

[root@ipa-fserver ~]# ipa service-add cifs/ipa-fserver.ipa.test
--------------------------------------------------
Added service "cifs/ipa-fserver.ipa.test"
--------------------------------------------------
  Principal name: cifs/ipa-fserver.ipa.test
  Principal alias: cifs/ipa-fserver.ipa.test
  Managed by: ipa-fserver.ipa.test

[root@ipa-fserver ~]# ipa-getkeytab -s ipa-server1.ipa.test -p cifs/ipa-fserver.ipa.test -k /root/samba.keytab
Keytab successfully retrieved and stored in: /root/samba.keytab

[root@ipa-fserver ~]# ktutil
ktutil: read_kt /root/samba.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 cifs/ipa-server1.ipa.test
   2    1 cifs/ipa-server1.ipa.test
   3    1 cifs/ipa-fserver.ipa.test
   4    1 cifs/ipa-fserver.ipa.test
   5    1 cifs/ipa-fserver.ipa.test
   6    1 cifs/ipa-fserver.ipa.test
   7    1 cifs/ipa-fserver.ipa.test
   8    1 cifs/ipa-fserver.ipa.test
ktutil: q

[root@ipa-fserver ~]# cp -frv /root/samba.keytab /etc/samba/
‘/root/samba.keytab’ -> ‘/etc/samba/samba.keytab’
[root@ipa-fserver ~]# cd /etc/samba/
[root@ipa-fserver samba]# ls -l
total 28
-rw-r--r--. 1 root root    20 Dec 20 22:30 lmhosts
-rwx------. 1 root root   682 Feb 28 16:09 samba.keytab
-rw-r--r--. 1 root root   369 Feb 28 12:55 smb.conf
-rw-r--r--. 1 root root 11327 Dec 20 22:30 smb.conf.example
-rw-r--r--. 1 root root   706 Feb 27 14:34 smb.conf.org
[root@ipa-fserver samba]# chmod 0700 samba.keytab
[root@ipa-fserver samba]# ls -l
total 28
-rw-r--r--. 1 root root    20 Dec 20 22:30 lmhosts
-rwx------. 1 root root   682 Feb 28 16:09 samba.keytab

===Accessing share as trusted ad user from ipa-fclient===

[root@ipa-fclient ~]# klist -l
Principal name                 Cache name
--------------                 ----------
cuser1                         KEYRING:persistent:0:0
[root@ipa-fclient ~]# smbclient -k //ipa-fserver.ipa.test/share1
Try "help" to get a list of possible commands.
smb: \> md cifsuser1
smb: \> ls
  .                                   D        0  Wed Feb 28 16:10:25 2018
  ..                                  D        0  Tue Feb 27 14:35:59 2018
  cifsuser1                           D        0  Wed Feb 28 16:10:25 2018

		36805060 blocks of size 1024. 34189912 blocks available
smb: \>
[root@ipa-fclient ~]#

===Accessing share as trusted ad user from ipa-fclient===

[root@ipa-fclient ~]# kdestroy -A
[root@ipa-fclient ~]# echo ipauser1 | kinit ipauser1
Password for ipauser1:
[root@ipa-fclient ~]# klist -l
Principal name                 Cache name
--------------                 ----------
ipauser1                       KEYRING:persistent:0:0
[root@ipa-fclient ~]# smbclient -k //ipa-fserver.ipa.test/share1
Try "help" to get a list of possible commands.
smb: \> md ipauser1
smb: \> ls
  .                                   D        0  Wed Feb 28 16:11:00 2018
  ..                                  D        0  Tue Feb 27 14:35:59 2018
  cifsuser1                           D        0  Wed Feb 28 16:10:25 2018
  ipauser1                            D        0  Wed Feb 28 16:11:00 2018

		36805060 blocks of size 1024. 34188924 blocks available

[root@ipa-fserver ~]# cd /mnt/samba/share1/
[root@ipa-fserver share1]# pwd
/mnt/samba/share1
[root@ipa-fserver share1]# ls -l
total 0
drwxr-xr-x. 2 cuser1 cuser1 6 Feb 28 16:10 cifsuser1
drwxr-xr-x. 2 ipauser1 ipauser1 6 Feb 28 16:11 ipauser1
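
Added example, not part of the bug report or of Samba: a pre-flight check that reads a dedicated keytab directly (MIT keytab file format 0x0502) and reports whether the cifs principal for this file server is present and which other principals the file also carries. The function names are hypothetical, and the sample keytab is constructed in memory with all-zero keys, using the host names and the IPA.TEST realm that appear above.

```python
import struct

def _counted(buf, off):
    """Read a uint16-length-prefixed byte string; return (bytes, next_offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_principals(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                       # negative length marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        p, parts = off + 2, []
        for _ in range(ncomp + 1):          # realm first, then the name components
            s, p = _counted(data, p)
            parts.append(s.decode())
        p += 8                              # skip name type (4) and timestamp (4)
        kvno = data[p]                      # 8-bit key version number
        (etype,) = struct.unpack_from(">H", data, p + 1)
        _key, p = _counted(data, p + 3)     # key bytes are read past, never returned
        if end - p >= 4:                    # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
        off = end
    return out

def check_keytab(data, service, host, realm):
    """Return (present, others): is service/host@realm in the keytab, and what else is."""
    want = f"{service}/{host}@{realm}"
    names = sorted({p for p, _, _ in keytab_principals(data)})
    return want in names, [n for n in names if n != want]

def _entry(principal, realm, kvno, etype):
    # Constructed sample entry: name type 1, timestamp 0, 32 zero bytes as the key.
    parts = [realm] + principal.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, 32) + bytes(32) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(_entry(f"cifs/{h}.ipa.test", "IPA.TEST", 1, 18)
                                for h in ("ipa-server1", "ipa-fserver"))
```

On a real host the bytes would come from reading /etc/samba/samba.keytab as root; `check_keytab(SAMPLE, "cifs", "ipa-fserver.ipa.test", "IPA.TEST")` returns whether the expected principal is present plus the list of any others.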