<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:9pt" ><div dir="ltr" >The Samba config below has:</div>
<div dir="ltr" >security = ADS</div>
<div dir="ltr" >which would be the result of configuring mmuserauth with --type ad</div>
<div dir="ltr" > </div>
<div dir="ltr" ><font size="2" face="Default Monospace,Courier New,Courier,monospace" >mmuserauth service create --type ldap --data-access-method file --servers ssipa.example.com --base-dn dc=example,dc=com --user-name 'cn=Directory Manager' --netbios-name labs1 --enable-server-tls --enable-kerberos --kerberos-server ssipa.example.com --kerberos-realm example.com</font></div>
<div dir="ltr" >on the other hand would configure 'security = user'.</div>
<div dir="ltr" > </div>
<div dir="ltr" >I cannot say whether that is the only problem, but something does not seem to match here. If that does not explain the problem, I would suggest capturing the problem in an SMB trace and reporting the problem through a PMR.</div>
<div dir="ltr" > </div>
<div dir="ltr" >Regards,</div>
<div dir="ltr" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial;font-size:10.5pt" ><div dir="ltr" ><br><font size="2" face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif" ><font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif" >Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ<br>christof.schmitt@us.ibm.com || +1-520-799-2469 (T/L: 321-2469)</font></font></div></div></div>
<div dir="ltr" > </div>
<div dir="ltr" > </div>
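<div dir="ltr" >As an added example (not code from the reply above or from Spectrum Scale), the following shell script turns the consistency check described in the reply into something an administrator can run against a saved <code>net conf list</code> dump and a <code>klist -k</code> listing: it maps the mmuserauth <code>--type</code> value to the Samba <code>security</code> mode the reply states it produces (<code>ad</code> gives <code>ADS</code>, <code>ldap</code> gives <code>user</code>), reports a mismatch, and counts the <code>cifs/</code> principals in the keytab. The sample inputs are constructed from the configuration quoted below; the check that the keytab holds a <code>cifs/&lt;netbios name&gt;.&lt;realm&gt;</code> entry is an assumption added here about how the node's service principal is named, not something the reply asserts.</div>

```shell
#!/bin/sh
# Constructed sample of a `net conf list` dump (only keys relevant to the check).
SAMPLE_CONF='[global]
security = ADS
passdb backend = ldapsam:"ldap://ssipa.example.com"
kerberos method = system keytab
dedicated keytab file = /etc/krb5.keytab
realm = example.com
netbios name = spectrum1
workgroup = labs1'

# Constructed sample of `klist -k` output on the protocol node.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/labs1.example.com@example.com
   1 nfs/labs1.example.com@example.com
   1 cifs/labs1.example.com@example.com'

# conf_get <dump> <key>: print the value of <key> from a net conf list dump.
conf_get() {
    printf '%s\n' "$1" | awk -F' = ' -v k="$2" '$1 == k { print $2; exit }'
}

# expected_security <mmuserauth --type>: the Samba security mode that
# --type is stated to configure (ad -> ADS, ldap -> user).
expected_security() {
    case "$1" in
        ad)   echo ADS ;;
        ldap) echo user ;;
        *)    echo unknown ;;
    esac
}

# check_security_mode <dump> <mmuserauth --type>: return 0 when the
# configured security mode matches the --type, 1 on a mismatch.
check_security_mode() {
    actual=$(conf_get "$1" security)
    expected=$(expected_security "$2")
    if [ "$actual" = "$expected" ]; then
        echo "ok: security = $actual matches mmuserauth --type $2"
        return 0
    fi
    echo "MISMATCH: security = $actual, but --type $2 configures security = $expected"
    return 1
}

# count_principals <klist output> <service>: number of <service>/... entries.
count_principals() {
    printf '%s\n' "$1" | awk -v s="$2" '$2 ~ ("^" s "/") { n++ } END { print n+0 }'
}

# keytab_has_cifs_for <klist output> <fqdn>: 0 if cifs/<fqdn>@... is present.
keytab_has_cifs_for() {
    printf '%s\n' "$1" | grep -qF -- "cifs/$2@"
}

main() {
    # The quoted setup ran mmuserauth with --type ldap, yet the dump shows ADS.
    check_security_mode "$SAMPLE_CONF" ldap || true
    echo "cifs/ principals in keytab: $(count_principals "$SAMPLE_KEYTAB" cifs)"
    # Assumption: the node's SMB principal is cifs/<netbios name>.<realm as DNS domain>.
    node=$(conf_get "$SAMPLE_CONF" "netbios name")
    realm=$(conf_get "$SAMPLE_CONF" realm)
    if keytab_has_cifs_for "$SAMPLE_KEYTAB" "$node.$realm"; then
        echo "ok: keytab contains cifs/$node.$realm"
    else
        echo "note: keytab has no cifs/$node.$realm entry (netbios name = $node)"
    fi
}
main
```

Run it against real output by replacing the two sample strings with <code>$(net conf list)</code> and <code>$(klist -k)</code>; the mismatch line is the one the reply points at, and the keytab count shows whether the <code>cifs/</code> keys the SMB service needs were actually imported.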
<blockquote data-history-content-modified="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr; margin-right:0px" >----- Original message -----<br>From: hopii@interia.pl<br>Sent by: gpfsug-discuss-bounces@spectrumscale.org<br>To: gpfsug-discuss@spectrumscale.org<br>Cc:<br>Subject: [gpfsug-discuss] Spectrum Scale CES , SAMBA, LDAP kerberos authentication issue<br>Date: Fri, May 18, 2018 12:01 PM<br>
<div><font size="2" face="Default Monospace,Courier New,Courier,monospace" >Hi there,<br><br>I'm just learning, trying to configure Spectrum Scale: SMB File Authentication using LDAP (IPA) with Kerberos, and have been struggling with it for a couple of days, without success.<br><br>Users on the Spectrum cluster and client machine are authenticated properly, so LDAP should be fine.<br>NFS mount with Kerberos works with no issues as well.<br><br>But I ran out of ideas of how to configure SMB using LDAP with Kerberos.<br><br>I could have messed up with netbios names, as I am not sure which one to use, from cluster node, from protocol node, exactly which one.<br>But the error message seems to point to the keytab file, which is present on both server and client nodes.<br><br>I ran into a similar post, dated a few days ago, so I'm not the only one.<br><a href="https://www.mail-archive.com/gpfsug-discuss@spectrumscale.org/msg03919.html" target="_blank">https://www.mail-archive.com/gpfsug-discuss@spectrumscale.org/msg03919.html</a><br><br><br>Below is my configuration and error message, and I'd appreciate any hints or help.<br><br>Thank you,<br>d.<br><br><br><br>Error message from /var/adm/ras/log.smbd<br><br>[2018/05/18 13:51:58.853681, 3] ../auth/gensec/gensec_start.c:918(gensec_register)<br> GENSEC backend 'ntlmssp_resume_ccache' registered<br>[2018/05/18 13:51:58.859984, 0] ../source3/librpc/crypto/gse.c:586(gse_init_server)<br> smb_gss_krb5_import_cred failed with [Unspecified GSS failure. 
Minor code may provide more information: Keytab MEMORY:cifs_srv_keytab is nonexistent or empty]<br>[2018/05/18 13:51:58.860151, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)<br> Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR<br><br><br><br>Cluster nodes<br>spectrum1.example.com RedHat 7.4<br>spectrum2.example.com RedHat 7.4<br>spectrum3.example.com RedHat 7.4<br><br>Protocols nodes:<br>labs1.example.com<br>lasb2.example.com<br>labs3.example.com<br><br><br>ssipa.example.com Centos 7.5<br> <br><br><br>spectrum scale server:<br><br>[root@spectrum1 security]# klist -k<br>Keytab name: FILE:/etc/krb5.keytab<br>KVNO Principal<br>---- --------------------------------------------------------------------------<br> 1 host/labs1.example.com@example.com<br> 1 host/labs1.example.com@example.com<br> 1 host/labs2.example.com@example.com<br> 1 host/labs2.example.com@example.com<br> 1 host/labs3.example.com@example.com<br> 1 host/labs3.example.com@example.com<br> 1 nfs/labs1.example.com@example.com<br> 1 nfs/labs1.example.com@example.com<br> 1 nfs/labs2.example.com@example.com<br> 1 nfs/labs2.example.com@example.com<br> 1 nfs/labs3.example.com@example.com<br> 1 nfs/labs3.example.com@example.com<br> 1 cifs/labs1.example.com@example.com<br> 1 cifs/labs1.example.com@example.com<br> 1 cifs/labs2.example.com@example.com<br> 1 cifs/labs2.example.com@example.com<br> 1 cifs/labs3.example.com@example.com<br> 1 cifs/labs3.example.com@example.com<br><br><br><br><br>[root@spectrum1 security]# net conf list<br>[global]<br>disable netbios = yes<br>disable spoolss = yes<br>printcap cache time = 0<br>fileid:algorithm = fsname<br>fileid:fstype allow = gpfs<br>syncops:onmeta = no<br>preferred master = no<br>client NTLMv2 auth = yes<br>kernel oplocks = no<br>level2 oplocks = yes<br>debug hires timestamp = yes<br>max log size = 100000<br>host msdfs = yes<br>notify:inotify = yes<br>wide links = no<br>log writeable files on exit = yes<br>ctdb locktime warn threshold = 
5000<br>auth methods = guest sam winbind<br>smbd:backgroundqueue = False<br>read only = no<br>use sendfile = no<br>strict locking = auto<br>posix locking = no<br>large readwrite = yes<br>aio read size = 1<br>aio write size = 1<br>force unknown acl user = yes<br>store dos attributes = yes<br>map readonly = yes<br>map archive = yes<br>map system = yes<br>map hidden = yes<br>ea support = yes<br>groupdb:backend = tdb<br>winbind:online check timeout = 30<br>winbind max domain connections = 5<br>winbind max clients = 10000<br>dmapi support = no<br>unix extensions = no<br>socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPCNT=4 TCP_KEEPIDLE=240 TCP_KEEPINTVL=15<br>strict allocate = yes<br>tdbsam:map builtin = no<br>aio_pthread:aio open = yes<br>dfree cache time = 100<br>change notify = yes<br>max open files = 20000<br>time_audit:timeout = 5000<br>gencache:stabilize_count = 10000<br>server min protocol = SMB2_02<br>server max protocol = SMB3_02<br>vfs objects = shadow_copy2 syncops gpfs fileid time_audit<br>smbd profiling level = on<br>log level = 1<br>logging = syslog@0 file<br>smbd exit on ip drop = yes<br>durable handles = no<br>ctdb:smbxsrv_open_global.tdb = false<br>mangled names = illegal<br>include system krb5 conf = no<br>smbd:async search ask sharemode = yes<br>gpfs:sharemodes = yes<br>gpfs:leases = yes<br>gpfs:dfreequota = yes<br>gpfs:prealloc = yes<br>gpfs:hsm = yes<br>gpfs:winattr = yes<br>gpfs:merge_writeappend = no<br>fruit:metadata = stream<br>fruit:nfs_aces = no<br>fruit:veto_appledouble = no<br>readdir_attr:aapl_max_access = false<br>shadow:snapdir = .snapshots<br>shadow:fixinodes = yes<br>shadow:snapdirseverywhere = yes<br>shadow:sort = desc<br>nfs4:mode = simple<br>nfs4:chown = yes<br>nfs4:acedup = merge<br>add share command = /usr/lpp/mmfs/bin/mmcesmmccrexport<br>change share command = /usr/lpp/mmfs/bin/mmcesmmcchexport<br>delete share command = /usr/lpp/mmfs/bin/mmcesmmcdelexport<br>server string = IBM NAS<br>client use spnego = yes<br>kerberos method = 
system keytab<br>ldap admin dn = cn=Directory Manager<br>ldap ssl = start tls<br>ldap suffix = dc=example,dc=com<br>netbios name = spectrum1<br>passdb backend = ldapsam:"ldap://ssipa.example.com"<br>realm = example.com<br>security = ADS<br>dedicated keytab file = /etc/krb5.keytab<br>password server = ssipa.example.com<br>idmap:cache = no<br>idmap config * : read only = no<br>idmap config * : backend = autorid<br>idmap config * : range = 10000000-299999999<br>idmap config * : rangesize = 1000000<br>workgroup = labs1<br>ntlm auth = yes<br><br>[share1]<br>path = /ibm/gpfs1/labs1<br>guest ok = no<br>browseable = yes<br>comment = jas share<br>smb encrypt = disabled<br><br><br>[root@spectrum1 ~]# mmsmb export list<br>export path browseable guest ok smb encrypt <br>share1 /ibm/gpfs1/labs1 yes no disabled<br><br><br><br>userauth command:<br>mmuserauth service create --type ldap --data-access-method file --servers ssipa.example.com --base-dn dc=example,dc=com --user-name 'cn=Directory Manager' --netbios-name labs1 --enable-server-tls --enable-kerberos --kerberos-server ssipa.example.com --kerberos-realm example.com<br><br><br>root@spectrum1 ~]# mmuserauth service list<br>FILE access configuration : LDAP<br>PARAMETERS VALUES <br>-------------------------------------------------<br>ENABLE_SERVER_TLS true <br>ENABLE_KERBEROS true <br>USER_NAME cn=Directory Manager <br>SERVERS ssipa.example.com <br>NETBIOS_NAME spectrum1 <br>BASE_DN dc=example,dc=com<br>USER_DN none <br>GROUP_DN none <br>NETGROUP_DN none <br>USER_OBJECTCLASS posixAccount <br>GROUP_OBJECTCLASS posixGroup <br>USER_NAME_ATTRIB cn <br>USER_ID_ATTRIB uid <br>KERBEROS_SERVER ssipa.example.com <br>KERBEROS_REALM example.com <br><br>OBJECT access not configured<br>PARAMETERS VALUES <br>-------------------------------------------------<br><br>net ads keytab list -> does not show any keys<br><br><br>LDAP user information was updated with Samba attributes according to the documentation:<br><a 
href="https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adm_updateldapsmb.htm" target="_blank">https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adm_updateldapsmb.htm</a><br><br><br>[root@spectrum1 ~]# pdbedit -L -v<br>Can't find include file /var/mmfs/ces/smb.conf.0.0.0.0<br>Can't find include file /var/mmfs/ces/smb.conf.internal.0.0.0.0<br>No builtin backend found, trying to load plugin<br>Module 'ldapsam' loaded<br>db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x4d2a432b<br>db_open_ctdb: opened database 'secrets.tdb' with dbid 0x7132c184<br>smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SPECTRUM1))]<br>StartTLS issued: using a TLS connection<br>smbldap_open_connection: connection opened<br>ldap_connect_system: successful connection to the LDAP server<br>smbldap_search_paged: base => [dc=example,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1000]<br>smbldap_search_paged: search was successful<br>init_sam_from_ldap: Entry found for user: jas<br>---------------<br>Unix username: jas<br>NT username: jas<br>Account Flags: [U ]<br>User SID: S-1-5-21-2394233691-157776895-1049088601-1281201008<br>Forcing Primary Group to 'Domain Users' for jas<br>Primary Group SID: S-1-5-21-2394233691-157776895-1049088601-513<br>Full Name: jas jas<br>Home Directory: \\spectrum1\jas<br>HomeDir Drive: <br>Logon Script: <br>Profile Path: \\spectrum1\jas\profile<br>Domain: SPECTRUM1<br>Account desc: <br>Workstations: <br>Munged dial: <br>Logon time: 0<br>Logoff time: never<br>Kickoff time: never<br>Password last set: Thu, 17 May 2018 14:08:01 EDT<br>Password can change: Thu, 17 May 2018 14:08:01 EDT<br>Password must change: never<br>Last bad password : 0<br>Bad password count : 0<br>Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF<br><br><br><br>Client keytab file:<br>[root@test ~]# klist -k<br>Keytab 
name: FILE:/etc/krb5.keytab<br>KVNO Principal<br>---- --------------------------------------------------------------------------<br> 1 host/test.example.com@example.com<br> 1 host/test.example.com@example.com<br><br>_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org<br><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss" target="_blank">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></font><br> </div></blockquote>
<div dir="ltr" > </div></div><BR>