[gpfsug-discuss] Spectrum Scale CES , SAMBA, LDAP kerberos authentication issue
hopii at interia.pl
Fri May 18 19:53:57 BST 2018
Hi there,
I'm just learning, trying to configure Spectrum Scale SMB file authentication using LDAP (IPA) with Kerberos, and have been struggling with it for a couple of days without success.
Users on the Spectrum cluster and the client machine are authenticated properly, so LDAP should be fine.
NFS mount with Kerberos works with no issues as well.
But I have run out of ideas on how to configure SMB using LDAP with Kerberos.
I could have messed up the NetBIOS names, as I am not sure which one to use: the one from the cluster node or the one from the protocol node, exactly which one.
But the error message seems to point to the keytab file, which is present on both the server and client nodes.
I ran into a similar post, dated a few days ago, so I'm not the only one.
https://www.mail-archive.com/gpfsug-discuss@spectrumscale.org/msg03919.html
Below are my configuration and error message, and I'd appreciate any hints or help.
Thank you,
d.
Error message from /var/adm/ras/log.smbd
[2018/05/18 13:51:58.853681, 3] ../auth/gensec/gensec_start.c:918(gensec_register)
GENSEC backend 'ntlmssp_resume_ccache' registered
[2018/05/18 13:51:58.859984, 0] ../source3/librpc/crypto/gse.c:586(gse_init_server)
smb_gss_krb5_import_cred failed with [Unspecified GSS failure. Minor code may provide more information: Keytab MEMORY:cifs_srv_keytab is nonexistent or empty]
[2018/05/18 13:51:58.860151, 1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
Cluster nodes
spectrum1.example.com RedHat 7.4
spectrum2.example.com RedHat 7.4
spectrum3.example.com RedHat 7.4
Protocol nodes:
labs1.example.com
labs2.example.com
labs3.example.com
ssipa.example.com CentOS 7.5
Spectrum Scale server:
[root@spectrum1 security]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/labs1.example.com@example.com
1 host/labs1.example.com@example.com
1 host/labs2.example.com@example.com
1 host/labs2.example.com@example.com
1 host/labs3.example.com@example.com
1 host/labs3.example.com@example.com
1 nfs/labs1.example.com@example.com
1 nfs/labs1.example.com@example.com
1 nfs/labs2.example.com@example.com
1 nfs/labs2.example.com@example.com
1 nfs/labs3.example.com@example.com
1 nfs/labs3.example.com@example.com
1 cifs/labs1.example.com@example.com
1 cifs/labs1.example.com@example.com
1 cifs/labs2.example.com@example.com
1 cifs/labs2.example.com@example.com
1 cifs/labs3.example.com@example.com
1 cifs/labs3.example.com@example.com
[root@spectrum1 security]# net conf list
[global]
disable netbios = yes
disable spoolss = yes
printcap cache time = 0
fileid:algorithm = fsname
fileid:fstype allow = gpfs
syncops:onmeta = no
preferred master = no
client NTLMv2 auth = yes
kernel oplocks = no
level2 oplocks = yes
debug hires timestamp = yes
max log size = 100000
host msdfs = yes
notify:inotify = yes
wide links = no
log writeable files on exit = yes
ctdb locktime warn threshold = 5000
auth methods = guest sam winbind
smbd:backgroundqueue = False
read only = no
use sendfile = no
strict locking = auto
posix locking = no
large readwrite = yes
aio read size = 1
aio write size = 1
force unknown acl user = yes
store dos attributes = yes
map readonly = yes
map archive = yes
map system = yes
map hidden = yes
ea support = yes
groupdb:backend = tdb
winbind:online check timeout = 30
winbind max domain connections = 5
winbind max clients = 10000
dmapi support = no
unix extensions = no
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPCNT=4 TCP_KEEPIDLE=240 TCP_KEEPINTVL=15
strict allocate = yes
tdbsam:map builtin = no
aio_pthread:aio open = yes
dfree cache time = 100
change notify = yes
max open files = 20000
time_audit:timeout = 5000
gencache:stabilize_count = 10000
server min protocol = SMB2_02
server max protocol = SMB3_02
vfs objects = shadow_copy2 syncops gpfs fileid time_audit
smbd profiling level = on
log level = 1
logging = syslog@0 file
smbd exit on ip drop = yes
durable handles = no
ctdb:smbxsrv_open_global.tdb = false
mangled names = illegal
include system krb5 conf = no
smbd:async search ask sharemode = yes
gpfs:sharemodes = yes
gpfs:leases = yes
gpfs:dfreequota = yes
gpfs:prealloc = yes
gpfs:hsm = yes
gpfs:winattr = yes
gpfs:merge_writeappend = no
fruit:metadata = stream
fruit:nfs_aces = no
fruit:veto_appledouble = no
readdir_attr:aapl_max_access = false
shadow:snapdir = .snapshots
shadow:fixinodes = yes
shadow:snapdirseverywhere = yes
shadow:sort = desc
nfs4:mode = simple
nfs4:chown = yes
nfs4:acedup = merge
add share command = /usr/lpp/mmfs/bin/mmcesmmccrexport
change share command = /usr/lpp/mmfs/bin/mmcesmmcchexport
delete share command = /usr/lpp/mmfs/bin/mmcesmmcdelexport
server string = IBM NAS
client use spnego = yes
kerberos method = system keytab
ldap admin dn = cn=Directory Manager
ldap ssl = start tls
ldap suffix = dc=example,dc=com
netbios name = spectrum1
passdb backend = ldapsam:"ldap://ssipa.example.com"
realm = example.com
security = ADS
dedicated keytab file = /etc/krb5.keytab
password server = ssipa.example.com
idmap:cache = no
idmap config * : read only = no
idmap config * : backend = autorid
idmap config * : range = 10000000-299999999
idmap config * : rangesize = 1000000
workgroup = labs1
ntlm auth = yes
[share1]
path = /ibm/gpfs1/labs1
guest ok = no
browseable = yes
comment = jas share
smb encrypt = disabled
[root@spectrum1 ~]# mmsmb export list
export path browseable guest ok smb encrypt
share1 /ibm/gpfs1/labs1 yes no disabled
userauth command:
mmuserauth service create --type ldap --data-access-method file --servers ssipa.example.com --base-dn dc=example,dc=com --user-name 'cn=Directory Manager' --netbios-name labs1 --enable-server-tls --enable-kerberos --kerberos-server ssipa.example.com --kerberos-realm example.com
[root@spectrum1 ~]# mmuserauth service list
FILE access configuration : LDAP
PARAMETERS VALUES
-------------------------------------------------
ENABLE_SERVER_TLS true
ENABLE_KERBEROS true
USER_NAME cn=Directory Manager
SERVERS ssipa.example.com
NETBIOS_NAME spectrum1
BASE_DN dc=example,dc=com
USER_DN none
GROUP_DN none
NETGROUP_DN none
USER_OBJECTCLASS posixAccount
GROUP_OBJECTCLASS posixGroup
USER_NAME_ATTRIB cn
USER_ID_ATTRIB uid
KERBEROS_SERVER ssipa.example.com
KERBEROS_REALM example.com
OBJECT access not configured
PARAMETERS VALUES
-------------------------------------------------
net ads keytab list -> does not show any keys
LDAP user information was updated with Samba attributes according to the documentation:
https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adm_updateldapsmb.htm
[root@spectrum1 ~]# pdbedit -L -v
Can't find include file /var/mmfs/ces/smb.conf.0.0.0.0
Can't find include file /var/mmfs/ces/smb.conf.internal.0.0.0.0
No builtin backend found, trying to load plugin
Module 'ldapsam' loaded
db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x4d2a432b
db_open_ctdb: opened database 'secrets.tdb' with dbid 0x7132c184
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SPECTRUM1))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_paged: base => [dc=example,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1000]
smbldap_search_paged: search was successful
init_sam_from_ldap: Entry found for user: jas
---------------
Unix username: jas
NT username: jas
Account Flags: [U ]
User SID: S-1-5-21-2394233691-157776895-1049088601-1281201008
Forcing Primary Group to 'Domain Users' for jas
Primary Group SID: S-1-5-21-2394233691-157776895-1049088601-513
Full Name: jas jas
Home Directory: \\spectrum1\jas
HomeDir Drive:
Logon Script:
Profile Path: \\spectrum1\jas\profile
Domain: SPECTRUM1
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Thu, 17 May 2018 14:08:01 EDT
Password can change: Thu, 17 May 2018 14:08:01 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Client keytab file:
[root@test ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/test.example.com@example.com
1 host/test.example.com@example.com
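As an added pre-flight check (not part of the original post or of Spectrum Scale), the shell functions below read a `klist -k` listing and report whether the cifs/FQDN@REALM and host/FQDN@REALM entries that Samba's Kerberos server side copies into its MEMORY:cifs_srv_keytab are present for a given host, and whether the only difference from the configured realm is letter case. The keytab listing is a constructed sample modelled on the post; the FQDN and realm are passed in as arguments.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output, modelled on the post's listing.
# For a live check replace it with: LISTING="$(klist -k /etc/krb5.keytab)"
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   1 host/labs1.example.com@EXAMPLE.COM
   1 nfs/labs1.example.com@EXAMPLE.COM
   1 cifs/labs1.example.com@EXAMPLE.COM'

# missing_smb_principals FQDN REALM LISTING
# Prints one line per principal that Samba needs for Kerberos SMB auth on
# host FQDN (cifs/FQDN@REALM and host/FQDN@REALM) but that is absent from
# LISTING. Prints nothing when both are present. The match is exact.
missing_smb_principals() {
    fqdn=$1; realm=$2; listing=$3
    for svc in cifs host; do
        want="$svc/$fqdn@$realm"
        if ! printf '%s\n' "$listing" |
             awk -v p="$want" '$2 == p { found = 1 } END { exit !found }'; then
            printf '%s\n' "$want"
        fi
    done
}

# realm_case_mismatches FQDN REALM LISTING
# Prints cifs/ and host/ principals for FQDN whose realm equals REALM only
# when case is ignored. Kerberos realms are case-sensitive, so a hit here
# usually means the configured "realm" is written in the wrong case.
realm_case_mismatches() {
    fqdn=$1; realm=$2; listing=$3
    printf '%s\n' "$listing" | awk -v fqdn="$fqdn" -v realm="$realm" '
        $2 ~ /^(cifs|host)\// {
            split($2, a, "@")
            if ((a[1] == "cifs/" fqdn || a[1] == "host/" fqdn) &&
                a[2] != realm && tolower(a[2]) == tolower(realm))
                print $2
        }'
}

# Example run against the constructed sample, as a protocol node would see it
# (spectrum1, where the post's klist was run, has no cifs/ or host/ entries
# of its own, so the second call reports both principals as missing).
missing_smb_principals labs1.example.com EXAMPLE.COM "$SAMPLE_KLIST"
missing_smb_principals spectrum1.example.com EXAMPLE.COM "$SAMPLE_KLIST"
realm_case_mismatches labs1.example.com example.com "$SAMPLE_KLIST"
```

Run it on each CES protocol node with that node's own `hostname -f` and the `realm` value from `net conf list`; an empty result from both functions means the keytab at least contains what the SMB Kerberos mechanism looks for.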