HP CIFS Server and Kerberos
Version 1.05, November 2008

Revision history:
    Version 1.02, August 2005: Added Microsoft Kerberos realm name identification in Chapter 4. Added clockskew in Common Problems section, Chapter 8.
    Version 1.03, November 2005: Added Kerbtray tool in Chapter 8.
    Version 1.05, November 2008: Added Klist tool in Chapter 8. Added HA Chapter 9. Updated component versions throughout document. Updated support matrix in Chapter 6.

VSSN Advanced Technology Center E0300
Printed in: U.S.A.
Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Warranty.
Contents
    Legal Notices ... 2
    Chapter 1 Introduction ... 5
    Chapter 2 Kerberos, CIFS, and Samba Overview ... 6
    2.1 Kerberos Primer ...
Chapter 1 Introduction
HP CIFS Server 3.0 incorporates the open-source Samba 3.0 enhancements that include Kerberos authentication and the related encryption types. These enhancements were introduced in HP CIFS Server version A.02.01, which was officially released on December 15th, 2004.
Chapter 2 Kerberos, CIFS, and Samba Overview
The Kerberos protocol is specified by IETF RFC 1510. Kerberos was adopted by Microsoft for Windows 2000, and is the default authentication protocol for Windows 2000, 2003, and 2008 domains (including the Windows 2000, XP, and Vista clients that inhabit those domains). Microsoft has modified the Kerberos protocol for better synergy with the Windows domain concept, and thus describes its implementation as “Based upon an industry standard.”
Roles in the diagram:
    Windows Client: Authenticatee
    HP CIFS Server: Resource
The protocol exchanges never carry an actual password over the wire, so a password cannot be captured from the network and decrypted to gain access to a resource. Instead, encrypted keys are passed over the wire, and the three principals (KDC, Client, Server) each use pre-arranged secrets to decrypt those keys and allow access. The secrets themselves are never transferred.
Chapter 3 Solution Components
Here is a review of the various components that are necessary to configure HP CIFS Server for Kerberos authentication.
    HP CIFS Server: Version A.02.01 and later (based upon Samba 3.0.7 and later)
    HP-UX 11i v1, HP-UX 11i v2, or HP-UX 11i v3
    HP-UX Kerberos Client
        o http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA
        o https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=KRB5CLIENT
        HP-UX 11iv1 Version 1.3.5.
Chapter 4 Solution Configuration(s)
Configuring Kerberos for HP CIFS Server requires synchronizing system configuration files for interoperability between the solution components, as well as between the Windows domain and the HP-UX server.

4.1 HP CIFS Server
The two primary configuration files are smb.conf and krb5.conf.

/etc/opt/samba/smb.conf
    [global]
        workgroup = HPATC2003
        realm = HPATC2003.HP.COM
        netbios name = atcux5
        server string = Samba Server
        interfaces = 15.43.214.
A simple precaution is to check with the Windows domain administrator to verify the Kerberos realm name.

4.2 Microsoft Active Directory Domain
No special configuration is needed for Kerberos (the KDC service must be started).
HP CIFS Server domain prerequisites:
    NetBIOS enabled
    Both native and mixed
    Pre-Windows 2000 compatible

4.3 Joining the Windows Domain
The first step when joining the HP CIFS Server to the domain is to run kinit from the HP-UX command line. Krb5.
Note: For new Windows 2000 or 2003 domains, the Administrator password must be changed after the initial domain controller installation because the default password encryption is not compatible with Kerberos. If the password has not been changed after the initial domain installation, the HP CIFS Server configuration cannot be added to the domain. The kinit will fail with the message:
    KDC has no support for encryption type while getting initial credentials
The next step is to join the server to the domain.
The HP CIFS Server is now a member of the Windows 2003 domain, in this case HPATC2003. The diagram above illustrates that the local Kerberos secret key is stored in the Samba file secrets.tdb, and not krb5.keytab. This will be explained in a later chapter.
The “net ads join” has added 5 new Kerberos Principals to the Active Directory for the HP CIFS Server. The “net ads status” command displays the new Principals:
# net ads status -U administrator | grep Princ
administrator's password:
userPrincipalName: HOST/atcux5@HPATC2003.HP.COM
servicePrincipalName: CIFS/atcux5.hpatc2003.hp.com
servicePrincipalName: CIFS/atcux5
servicePrincipalName: HOST/atcux5.hpatc2003.hp.com
servicePrincipalName: HOST/atcux5
4.
Here is the netlogon sequence as the user gets authenticated from the client into the domain. The krb5-as-req is the user authentication and request. The krb5-as-rep reply from the KDC sends credentials to the client, including a client session key and a TGT that allows the client to access the KDC. The client then uses the session key and the TGT for krbtgt to request a service ticket – krb5-tgs-req. This particular request is not for the CIFS server, because we have not mapped the share yet.
At the completion of the client netlogon sequence, the client is ready to request domain services, which for this session will be an HP CIFS Server share. Many of the examples of the Kerberos exchanges in this paper will start from this point.
“Maximum Lifetime” for the “User Ticket” (set on the KDC) expires. This allows the client to request services from the domain without re-authenticating. In this example we have ignored the Kerberos encryption types, but these encryption types will be the focus of the majority of the subsequent data and discussion. After the user has been successfully authenticated into the domain, it now maps a share to a CIFS server: \\atcux5\buffy.
Here is the HP CIFS Server log entry for the associated user logon failure for HPATCCLI2$. So the client requests another TGS ticket for the user name buffy, and then presents this ticket to the HP CIFS Server. Buffy is a valid user on the CIFS Server, so the request is granted and the session setup continues. See the trace below.
[2005/01/12 10:30:05, 5] lib/username.c:Get_Pwnam_internals(256)
  Get_Pwnam_internals didn't find user [HPATCCLI2$]!
[2005/01/12 10:30:05, 1] smbd/sesssetup.
After the client goes back to the KDC to get a service ticket for the user name, it presents the valid ticket to the HP CIFS Server, and the user is authorized. The user logon (authorization) to the HP CIFS Server in the Active Directory domain is complete.
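The netlogon sequence and share mapping described above can be made concrete with a small model of the three principals. The following is an added example, not code from the HP paper or from Samba: the cipher is a toy (SHA-256 keystream plus an HMAC tag), not a real Kerberos enctype, and the passwords are made up; the names buffy, atcux5 and HPATC2003.HP.COM are the paper's. It shows that the user's password only ever becomes a key locally, that the KDC seals the service ticket under the service's own long-term key, and why the CIFS server has to try each enctype it holds a key for before one decrypts the ticket.

```python
"""Toy model of the AS, TGS and AP exchanges with one long-term key per enctype.
Added example; toy cipher (SHA-256 keystream + HMAC tag), not a Kerberos enctype."""
import hashlib
import hmac
import json
import os

ENCTYPE_NAME = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def string_to_key(password, salt, etype):
    """Toy string-to-key (real enctypes each define their own). The salt is the
    principal name, as in the 'salt HOST/atcux5@...' lines of the Samba log."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{etype}|{salt}".encode(), 2000)

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, etype, msg):
    """Encrypt-then-MAC a dict; the blob records which enctype sealed it."""
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, bytes([etype]) + nonce + ct, "sha256").digest()
    return {"etype": etype, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(key, etype, blob):
    if blob["etype"] != etype:                       # same wording as the Samba log
        raise ValueError("Bad encryption type")
    tag = hmac.new(key, bytes([etype]) + blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):    # right enctype, wrong key
        raise ValueError("Decrypt integrity check failed")
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return json.loads(bytes(a ^ b for a, b in zip(blob["ct"], ks)))

class KDC:
    """Holds every principal's long-term key in every enctype the realm supports,
    plus the enctype it issues tickets in for each service."""
    def __init__(self, realm, passwords, etypes, ticket_etype):
        self.realm, self.ticket_etype = realm, ticket_etype
        self.keys = {p: {e: string_to_key(pw, f"{p}@{realm}", e) for e in etypes}
                     for p, pw in passwords.items()}

    def as_exchange(self, user, client_etypes):
        """krb5-as-req / krb5-as-rep: a TGT plus a session key only the user can unseal."""
        etype = next(e for e in client_etypes if e in self.keys[user])
        sk1, te = os.urandom(32).hex(), self.ticket_etype["krbtgt"]
        tgt = seal(self.keys["krbtgt"][te], te, {"user": user, "sk": sk1})
        return tgt, seal(self.keys[user][etype], etype, {"sk": sk1})

    def tgs_exchange(self, tgt, authenticator, service):
        """krb5-tgs-req / krb5-tgs-rep: service ticket sealed under the service's key."""
        body = unseal(self.keys["krbtgt"][tgt["etype"]], tgt["etype"], tgt)
        sk1 = bytes.fromhex(body["sk"])
        if unseal(sk1, tgt["etype"], authenticator)["user"] != body["user"]:
            raise PermissionError("authenticator does not match TGT")
        sk2, te = os.urandom(32).hex(), self.ticket_etype[service]
        ticket = seal(self.keys[service][te], te, {"user": body["user"], "sk": sk2})
        return ticket, seal(sk1, tgt["etype"], {"sk": sk2})

def client_logon(kdc, user, password, etypes):
    """The password is turned into a key locally; it never crosses the wire."""
    tgt, enc_part = kdc.as_exchange(user, etypes)
    ukey = string_to_key(password, f"{user}@{kdc.realm}", enc_part["etype"])
    return tgt, bytes.fromhex(unseal(ukey, enc_part["etype"], enc_part)["sk"])

def client_get_ticket(kdc, user, tgt, sk1, service):
    ticket, enc_part = kdc.tgs_exchange(tgt, seal(sk1, tgt["etype"], {"user": user}), service)
    return ticket, bytes.fromhex(unseal(sk1, tgt["etype"], enc_part)["sk"])

def server_verify_ticket(keytab, ticket, authenticator):
    """Like ads_secrets_verify_ticket: try each keytab entry in turn, logging every
    failure the way Samba does, until one enctype decrypts the ticket."""
    log = []
    for etype, key in keytab:
        try:
            body = unseal(key, etype, ticket)
        except ValueError as err:
            log.append(f"enc type [{etype}] failed to decrypt with error {err}")
            continue
        user = unseal(bytes.fromhex(body["sk"]), etype, authenticator)["user"]
        log.append(f"enc type [{etype}] ({ENCTYPE_NAME[etype]}) decrypted ticket for {user}")
        return user, log
    return None, log

def run_demo(server_etypes=(18, 17, 23, 3, 1), service_etype=3):
    """Constructed realm: names from the paper, passwords invented for the example."""
    realm, svc = "HPATC2003.HP.COM", "cifs/atcux5"
    kdc = KDC(realm, {"buffy": "buffy-pw", "krbtgt": "kdc-secret", svc: "atcux5-machine-pw"},
              etypes=(1, 3, 17, 18, 23), ticket_etype={"krbtgt": 23, svc: service_etype})
    tgt, sk1 = client_logon(kdc, "buffy", "buffy-pw", [23, 3, 1])
    ticket, sk2 = client_get_ticket(kdc, "buffy", tgt, sk1, svc)
    # The CIFS server holds only its own secret (secrets.tdb / keytab), in these enctypes.
    keytab = [(e, string_to_key("atcux5-machine-pw", f"{svc}@{realm}", e)) for e in server_etypes]
    return server_verify_ticket(keytab, ticket, seal(sk2, ticket["etype"], {"user": "buffy"}))
```

Running run_demo() with the defaults produces three "Bad encryption type" failures (18, 17, 23) before enctype 3 decrypts the ticket, which is the shape of the Samba log shown later in this paper; calling it with server_etypes=(23,) shows the failure mode where the server holds no key of the ticket's enctype and the user is never authorized.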
[2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2004/12/22 14:39:22, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2004/12/22 14:39:22, 10] libads/kerberos_verify.
Chapter 5 HP-UX Application Co-Existence
The typical HP-UX server is a multi-user and multi-application system. If Kerberos is the preferred authentication protocol for a customer, then it will probably be preferred for Windows domain users as well as for HP-UX users and applications. However, Samba and HP CIFS Server, by default, create a CIFS-specific Kerberos configuration that can only be used by CIFS/Samba users.
system. The following steps show how to generate a valid keytab file, configure CIFS/Samba to access the keytab file, and configure Kerberos for HP-UX INET Services access.
1. Edit the /etc/krb5.conf file to add the WRFILE attribute to the default_keytab_name parameter.
   * HP-UX Kerberos version 1.3.5 or later is REQUIRED for WRFILE.
/etc/krb5.conf for HP CIFS Server keytab creation:
    # Kerberos configuration
    [libdefaults]
        default_realm = HPATC2003.HP.
  krb5_rd_req(ATCUX5$@HPATC2003.HP.COM) failed: Wrong principal in request
[2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
  krb5_rd_req(host/atcux5@HPATC2003.HP.COM) failed: Wrong principal in request
[2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
  krb5_rd_req(host/ATCUX5@HPATC2003.HP.COM) failed: Wrong principal in request
[2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
  krb5_rd_req(host/atcux5@HPATC2003.HP.
        default = FILE:/var/log/krb5lib.log
If the /etc/keytab.krb5 file needs to be regenerated (by a “net ads keytab create”), then the /etc/krb5.conf file must be edited to include the WRFILE attribute on the default_keytab_name parameter. After the krb5.keytab is created, the krb5.conf file should be re-edited to remove WRFILE for INET Services interoperation.

5.2 krb5.keytab Configuration Script
# swlist -l product | grep -i krb
  KRB-Support     B.11.11
  KRB5-Client     B.11.11
  KRBS-Support    B.11.11.13
  PHSS_31163      1.
        netbios name = atcux5
        server string = Samba Server
        interfaces = 15.43.214.58
        bind interfaces only = Yes
        security = ADS
        password server = HPATCWIN2K5.HPATC2000.HP.COM
        use kerberos keytab = yes
# more /etc/krb5.conf
    [libdefaults]
        default_realm = HPATC2000.HP.COM
        default_tkt_enctypes = DES-CBC-CRC
        default_tgs_enctypes = DES-CBC-CRC
        ccache_type = 2
        default_keytab_name = "WRFILE:/etc/krb5.keytab"
# net ads keytab create -U administrator
administrator's password:
# more /etc/krb5.
format. When CIFS/Samba creates a keytab file, it adds keys for every likely combination of service principals and encryption formats. There are 7 encryption formats. Keytab entries are created for case-specific HOST/host and CIFS/cifs service principals, as well as SYSTEM/system service principals. For this test system, there were 6 service principals in the Computer object of the Active Directory. This results in a keytab file that has 182 service principals. Do not be alarmed when examining a krb5.
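The krb5.conf edits in this chapter (WRFILE on default_keytab_name before “net ads keytab create”, FILE again afterwards for INET Services) and the enctype lines in [libdefaults] are easy to get wrong by hand. The following helper is an added example, not an HP or Samba tool. The sample krb5.conf is constructed in the layout shown in sections 4.1 and 5.2 (the [realms] block and KDC host name are made up); the per-version enctype support sets are taken from the kinit results reported later in Chapter 7, where HP-UX Kerberos 1.0 accepts DES-CBC-CRC and DES-CBC-MD5 but rejects RC4-HMAC and 1.3.5 accepts all three, and the 1.3.5 requirement for WRFILE is the one stated in step 1 above.

```python
"""Toggle WRFILE:/FILE: on default_keytab_name and check configured enctypes against
the installed HP-UX Kerberos client version. Added example, not an HP/Samba tool."""
import re

# Enctypes each HP-UX Kerberos client version accepts for kinit, per the Chapter 7 traces.
SUPPORTED_ENCTYPES = {
    "1.0": {"des-cbc-crc", "des-cbc-md5"},
    "1.3.5": {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"},
}

# Constructed krb5.conf in the layout of sections 4.1 / 5.2 ([realms] block is made up).
SAMPLE_KRB5_CONF = """\
# Kerberos configuration
[libdefaults]
    default_realm = HPATC2000.HP.COM
    default_tkt_enctypes = DES-CBC-CRC
    default_tgs_enctypes = DES-CBC-CRC
    ccache_type = 2
    default_keytab_name = "FILE:/etc/krb5.keytab"

[realms]
    HPATC2000.HP.COM = {
        kdc = hpatcwin2k5.hpatc2000.hp.com:88
    }
"""

# Matches the whole default_keytab_name line, keeping indentation and quoting intact.
_KEYTAB_RE = re.compile(
    r'^([ \t]*default_keytab_name[ \t]*=[ \t]*"?)(WRFILE|FILE):([^"\s]+)("?[ \t]*)$', re.M)

def keytab_setting(conf):
    """('WRFILE'|'FILE', path) from default_keytab_name, or None if absent."""
    m = _KEYTAB_RE.search(conf)
    return (m.group(2), m.group(3)) if m else None

def set_keytab_writable(conf, writable, krb_version=None):
    """Return conf with default_keytab_name prefixed WRFILE: (for 'net ads keytab create')
    or FILE: (for INET Services afterwards). WRFILE needs HP-UX Kerberos 1.3.5 or later."""
    if writable and krb_version == "1.0":
        raise ValueError("WRFILE requires HP-UX Kerberos 1.3.5 or later")
    prefix = "WRFILE:" if writable else "FILE:"
    new, n = _KEYTAB_RE.subn(lambda m: f"{m.group(1)}{prefix}{m.group(3)}{m.group(4)}", conf)
    if n == 0:
        raise ValueError("default_keytab_name not found in [libdefaults]")
    return new

def configured_enctypes(conf):
    """Lower-cased enctype names from default_tkt_enctypes and default_tgs_enctypes."""
    found = {}
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        m = re.search(rf"^[ \t]*{key}[ \t]*=[ \t]*(.+?)[ \t]*$", conf, re.M)
        found[key] = m.group(1).lower().split() if m else []
    return found

def unsupported_enctypes(conf, krb_version):
    """Configured enctypes the client library cannot use; any entry here is what makes
    kinit report 'No supported encryption types (config file error?)'."""
    ok = SUPPORTED_ENCTYPES[krb_version]
    names = {e for lst in configured_enctypes(conf).values() for e in lst}
    return sorted(names - ok)
```

The intended sequence is set_keytab_writable(conf, True, "1.3.5") before running “net ads keytab create”, then set_keytab_writable(conf, False) once /etc/krb5.keytab exists; unsupported_enctypes(conf, "1.0") on a file that names RC4-HMAC returns ["rc4-hmac"], matching the kinit failure documented for the 1.0 client.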
Chapter 6 Support Matrices
Here is a matrix that summarizes the Kerberos components and how they interact for HP CIFS Server. The encryption types are defined in HP-UX /etc/krb5.conf.
[Matrix columns: Windows 2000 Adv Server (no hotfixes); Windows 2003 Adv Server (no hotfixes); Windows 2003R2 Adv Server (no hotfixes). Rows: HP-UX Kerberos 1.
Chapter 7 Traces and Logs
This section provides Wireshark network traces and Samba log entries of the important Kerberos operations for HP CIFS Server. These are provided as a guide to what should be the expected behavior for the various component combinations, and as data to support the expected behavior. The following matrices show exactly what operations are traced and in what order they are listed in this section.
    W2000 KDC, KRB5 1.0, MD5
    W2000 KDC, KRB5 1.0, CRC
    W2000 KDC, KRB5 1.0, RC4
    W2000 KDC, KRB5 1.3.
7.1 Windows 2000 KDC – HP-UX Kerberos 1.0, MD5 Session
KINIT – DES-CBC-MD5
Command: kinit administrator
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for krbtgt/HPATC2000.HP.COM is encrypted with MD5. This is what we expect.
Windows 2000 domain JOIN
Command: net ads join -U administrator%password
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket is DES-CBC-CRC. This is somewhat unusual – note that the other MD5 scenarios do not use CRC.
Command line output:
# net ads join -U administrator%samba
[2005/02/01 15:10:19, 3] libads/ldap.c:ads_workgroup_name(2524)
  Found alternate name 'HPATC2000' for realm 'HPATC2000.HP.
  verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
[2005/02/01 15:10:19, 10] libads/kerberos.c:verify_service_password(466)
  verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
[2005/02/01 15:10:19, 10] libads/kerberos.c:verify_service_password(466)
  verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
[2005/02/01 15:10:20, 10] libads/kerberos.
The client user buffy maps her home drive on the HP CIFS Server (samba) share. In this case, the service ticket that is requested from the Windows 2000 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share. The user buffy is authenticated to the Windows 2003 domain using RC4-HMAC encryption – which is unusual for W2000 and not expected.
    HP CIFS Server A.02.01 (Samba 3.0.7 with 3.0.8 backports)
    HP-UX Kerberos Client version 1.0
    Windows XP SP1 client
    Windows 2000 Advanced Server Enterprise Edition KDC and Active Directory domain
HP-UX command line operations using the Windows administrator user are authenticated using MD5 encryption. The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.
7.2 Windows 2000 KDC – HP-UX Kerberos 1.0, CRC Session
KINIT – DES-CBC-CRC
Command: kinit administrator
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for krbtgt/HPATC2003.HP.COM is encrypted with DES-CBC-CRC.
Windows 2003 domain JOIN
Command: net ads join -U administrator%password
The ATCUX5$ principal is authenticated with DES-CBC-CRC encryption. The ticket for “host atcux5” is also DES-CBC-CRC.
Command line output:
# net ads join -U administrator -d 10
[2005/02/02 13:57:42, 3] libads/ldap.c:ads_workgroup_name(2524)
  Found alternate name 'HPATC2000' for realm 'HPATC2000.HP.COM'
Using short domain name -- HPATC2000
[2005/02/02 13:57:42, 10] libads/kerberos.
  verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
[2005/02/02 13:57:43, 10] libads/kerberos.c:verify_service_password(466)
  verify_service_password: decrypted message with enctype 1 salt HOST/atcux5@HPATC2000.HP.COM!
[2005/02/02 13:57:43, 10] libads/kerberos.c:verify_service_password(466)
  verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
[2005/02/02 13:57:43, 10] libads/kerberos.
Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share: Command: Map Network Drive window, \\atcux5\buffy. The client user buffy maps her home drive on the HP CIFS Server (samba) share. In this case, the service ticket that is requested from the Windows 2000 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share.
Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba). Command: none. The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 1497) is encrypted with DES-CBC-MD5. MD5 is the encryption type that Samba uses, and cannot be affected by the HP-UX krb5.conf enctype configuration.
HP-UX command line operations using the Windows administrator user are authenticated using CRC encryption. The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.
7.3 Windows 2000 KDC – HP-UX Kerberos 1.0, RC4 Session
KINIT – RC4-HMAC
Command: kinit administrator
# kinit administrator
kinit: No supported encryption types (config file error?) while getting initial credentials
The HP-UX Kerberos libraries version 1.0 – the default Kerberos libraries on HP-UX 11i v1 and 11i v2 – do not support the RC4-HMAC encryption type. Therefore, no additional data can be collected.
7.4 Windows 2000 KDC – HP-UX Kerberos 1.3.5, MD5 Session
KINIT – DES-CBC-MD5
Command: kinit administrator
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for krbtgt/HPATC2000.HP.COM is encrypted with MD5.
Windows 2000 domain JOIN
Command: net ads join -U administrator%password
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for hpatcwin2k5$ is MD5.
Command line output:
[2005/01/24 12:55:06, 5] libads/kerberos.c:get_service_ticket(368)
  get_service_ticket: krb5_get_credentials for atcux5$@HPATC2000.HP.COM enctype 1 failed: No credentials found with supported encryption types
[2005/01/24 12:55:06, 3] libads/kerberos.
The encryption type for the ATCUX5 service ticket logon is MD5 (0x3).

Kerberos encryption type numbers:
    reserved                        0
    des-cbc-crc                     1
    des-cbc-md4                     2
    des-cbc-md5                     3
    [reserved]                      4
    des3-cbc-md5                    5
    [reserved]                      6
    des3-cbc-sha1                   7
    dsaWithSHA1-CmsOID              9
    md5WithRSAEncryption-CmsOID    10
    sha1WithRSAEncryption-CmsOID   11
    rc2CBC-EnvOID                  12
    rsaEncryption-EnvOID           13
    rsaES-OAEP-ENV-OID             14
    des-ede3-cbc-Env-OID           15
    des3-cbc-sha1-kd               16
    aes128-cts-hmac-sha1-96        17
    aes256-cts-hmac-sha1-96        18
    rc4-hmac                       23
    rc4-hmac-exp                   24
    subkey-keymaterial             65
[RFC-ietf-krb-wg-crypto-07.
The client user buffy maps her home drive on the HP CIFS Server (samba) share. In this case, the service ticket that is requested from the Windows 2000 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share. The user buffy is authenticated to the Windows 2000 domain using RC4-HMAC encryption. This is the expected behavior.
Notice that the HP CIFS Server tried to decrypt the ticket using a number of different encryption types before successfully using DES-CBC-MD5 [3]. Values are in decimal. Windows event log values are in hex.
MD5 Summary:
    HP-UX 11i
    HP CIFS Server A.02.01 (Samba 3.0.7 with 3.0.8 backports)
    HP-UX Kerberos Client version 1.3.
7.5 Windows 2000 KDC – HP-UX Kerberos 1.3.5, CRC Session
KINIT – DES-CBC-CRC
Command: kinit administrator
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for krbtgt/HPATC2000.HP.COM is encrypted with CRC.
W2000 Domain JOIN
Command: net ads join -U administrator%password -d 10
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for hpatcwin2k5$ is MD5!
Command line output:
[2005/01/31 15:49:01, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(553)
  verify_service_password: get_service_ticket failed: No credentials found with supported encryption types
[2005/01/31 15:49:01, 10] libads/kerberos.
Notice that the successful decrypt log entry is embedded with a multitude of failure entries. It is hard to find in the log, so use diligence when analyzing the output. The encryption type for the ATCUX5 service ticket logon is CRC (0x1).
The client user buffy maps her home drive on the HP CIFS Server (samba) share. In this case, the service ticket that is requested from the Windows 2000 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share. The user buffy is authenticated to the Windows 2000 domain using RC4-HMAC encryption. This is especially confusing, because our krb5.
Notice that the HP CIFS Server tried to decrypt the ticket using a number of different encryption types before successfully using DES-CBC-MD5 [3]. Values are in decimal. Windows event log values are in hex.
CRC Summary:
    HP-UX 11i
    HP CIFS Server A.02.01 (Samba 3.0.7 with 3.0.8 backports)
    HP-UX Kerberos Client version 1.3.
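Because the one successful decrypt is buried among many failure entries, and because Samba logs enctypes in decimal while the Windows event log shows them in hex, it helps to let a script find the result. The following is an added example, not part of the HP paper or of Samba: it scans debug-level Samba output for the ads_secrets_verify_ticket failures and the verify_service_password success line, counts how many failures precede the success, and names the enctype using the number table reproduced in section 7.4. The log lines in SAMPLE_LOG are constructed in the two-line format the paper's traces show, with the timestamp and salt taken from the join output above.

```python
"""Summarize the enctype attempts in Samba Kerberos debug output.
Added example; the sample log is constructed in the paper's log format."""
import re

# Enctype numbers from the table in section 7.4 (only the ones seen in this paper).
ENCTYPE_TABLE = {0: "reserved", 1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 5: "des3-cbc-md5", 7: "des3-cbc-sha1", 16: "des3-cbc-sha1-kd",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac", 24: "rc4-hmac-exp", 65: "subkey-keymaterial"}

# Constructed sample: three failed attempts, then the success line, as a level-10 log shows them.
SAMPLE_LOG = """\
[2005/01/31 15:49:01, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2005/01/31 15:49:01, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2005/01/31 15:49:01, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(199)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2005/01/31 15:49:01, 10] libads/kerberos.c:verify_service_password(466)
  verify_service_password: decrypted message with enctype 3 salt HOST/atcux5@HPATC2000.HP.COM!
"""

_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+?)\s*$")
_OK = re.compile(r"decrypted message with enctype (\d+) salt (\S+?)!?\s*$")

def enctype_name(n):
    return ENCTYPE_TABLE.get(n, f"unknown({n})")

def windows_etype(hex_text):
    """Windows event log values are hex ('0x3'); Samba logs decimal. Returns (decimal, name)."""
    n = int(hex_text, 16)
    return n, enctype_name(n)

def summarize(log_text):
    """Return the failed (etype, reason) attempts, the winning enctype (decimal, name,
    Windows hex form, salt) and how many failures had to be read past to find it."""
    failed, success, failures_before = [], None, 0
    for line in log_text.splitlines():
        m = _FAIL.search(line)
        if m:
            failed.append((int(m.group(1)), m.group(2)))
            if success is None:
                failures_before += 1
            continue
        m = _OK.search(line)
        if m and success is None:
            n = int(m.group(1))
            success = {"etype": n, "name": enctype_name(n),
                       "windows_hex": hex(n), "salt": m.group(2)}
    return {"failed": failed, "success": success,
            "failures_before_success": failures_before if success else None}

def report(log_text):
    """One-line human summary, e.g. for a grep-style check after a join or logon."""
    r = summarize(log_text)
    if r["success"] is None:
        return f"no successful decrypt found; {len(r['failed'])} failed attempt(s)"
    s = r["success"]
    return (f"decrypted with enctype {s['etype']} ({s['name']}, Windows shows {s['windows_hex']}) "
            f"after {r['failures_before_success']} failed attempt(s)")
```

Running report(SAMPLE_LOG) gives "decrypted with enctype 3 (des-cbc-md5, Windows shows 0x3) after 3 failed attempt(s)"; feeding it a real log.smbd at debug level 10 (as the grep crypt commands in this chapter do) gives the same shape of answer without reading the failures by hand.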
7.6 Windows 2000 KDC – HP-UX Kerberos 1.3.5, RC4 Session
KINIT – RC4-HMAC
Command: kinit administrator
The administrator user that is supplied on the HP-UX command line is authenticated with RC4-HMAC encryption. The ticket for krbtgt/HPATC2003.HP.COM is encrypted with RC4-HMAC. This is nice: an expected result for the configuration.
Windows 2003 domain JOIN
Command: net ads join -U administrator%password
The administrator user that is supplied on the HP-UX command line is authenticated with RC4-HMAC encryption due to the krb5.conf configuration. The ticket for hpatcwin2k5$ is DES-CBC-MD5. This is somewhat expected, given that we know Samba requires service tickets in MD5, and Windows likes to encrypt its own services in RC4.
Joined 'ATCUX5' to realm 'HPATC2000.HP.COM'
[2005/02/01 13:35:47, 2] utils/net.c:main(792)
  return code = 0
#
Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share:
Command: Map Network Drive window, \\atcux5\buffy.
The client user buffy maps her home drive on the HP CIFS Server (samba) share. In this case, the service ticket that is requested from the Windows 2000 KDC is encrypted in DES-CBC-MD5.
Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba). Command: none. The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 1944) is encrypted with DES-CBC-MD5. The HP CIFS Server log entry is (grep crypt log.
    HP CIFS Server A.02.01 (Samba 3.0.7 with 3.0.8 backports)
    HP-UX Kerberos Client version 1.3.5
    Windows XP SP1 client
    Windows 2000 Advanced Server Enterprise Edition KDC and Active Directory domain
HP-UX command line operations using the Windows administrator user are authenticated using RC4 encryption. The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.
7.7 Windows 2003 KDC – HP-UX Kerberos 1.0, MD5 Session
KINIT – DES-CBC-MD5
Command: kinit administrator
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for krbtgt/HPATC2003.HP.COM is encrypted with RC4-HMAC.
Windows 2003 domain JOIN
Command: net ads join -U administrator%password
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for hpatcwin2k4$ is RC4-HMAC.
Command line output:
# net ads join -U administrator%samba
Using short domain name -- HPATC2003
[2005/02/05 12:15:52, 10] libads/kerberos.c:verify_service_password(466)
  verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@HPATC2003.HP.
  name_to_fqdn: lookup for ATCUX5 -> atcux5.hpatc2003.hp.com.
[2005/02/05 12:15:53, 10] libads/kerberos.c:verify_service_password(466)
  verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@HPATC2003.HP.COM!
[2005/02/05 12:15:53, 10] libads/kerberos.c:verify_service_password(466)
  verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@HPATC2003.HP.COM!
Joined 'ATCUX5' to realm 'HPATC2003.HP.
The Windows event for the domain join is: The encryption type for the ATCUX5 service ticket logon is MD5 (0x3).
Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share: Command: Map Network Drive window, \\atcux5\buffy. The client user buffy maps her home drive on the HP CIFS Server (samba) share. In this case, the service ticket that is requested from the Windows 2003 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share.
Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba). Command: none. The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 1975) is encrypted with DES-CBC-MD5. The HP CIFS Server log entry is (grep crypt log.
*ALWAYS* shows MD5 for the HP CIFS Server share in these test cases – regardless of the HP-UX enctype configuration.
7.8 Windows 2003 KDC – HP-UX Kerberos 1.0, CRC Session
KINIT using DES-CBC-CRC:
Command: kinit administrator
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for krbtgt/HPATC2003.HP.COM is encrypted with RC4-HMAC.
Windows 2003 domain Join:
Command: net ads join -U administrator%password
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for hpatcwin2k4$ is RC4-HMAC. The “net ads join” succeeds using CRC:
Command line output:
# net ads join -U administrator%samba
[2005/02/05 12:41:08, 3] libads/ldap.c:ads_workgroup_name(2524)
  Found alternate name 'HPATC2003' for realm 'HPATC2003.HP.
003.HP.COM!
[2005/02/05 12:41:08, 10] libads/kerberos.c:verify_service_password(466)
  verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@HPATC2003.HP.COM!
[2005/02/05 12:41:09, 10] lib/util.c:name_to_fqdn(2442)
  name_to_fqdn: lookup for ATCUX5 -> atcux5.hpatc2003.hp.com.
[2005/02/05 12:41:09, 10] libads/kerberos.c:verify_service_password(466)
  verify_service_password: decrypted message with enctype 3 salt host/atcux5.hpatc2003.hp.com@HPATC2003.HP.
The Windows Event View event for the join is: The Windows Event logging appears to be in error because the encryption type shows 0x3 which is MD5, when we know that the actual type is CRC, and is expected to appear as 0x1.
Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share: Command: Map Network Drive window, \\atcux5\buffy. The client user buffy maps her home drive on the HP CIFS Server (samba) share. In this case, the service ticket that is requested from the Windows 2003 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share.
Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba). Command: none. The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 2835) is encrypted with DES-CBC-MD5. The HP CIFS Server log entry is (grep crypt log.
Windows 2003 Advanced Server Event Viewer: Client user Service Ticket Request for HP CIFS Server share: The Windows 2003 KDC logs the Service Ticket Request from the client user buffy as encryption type DES-CBC-MD5 (0x3).
CRC Summary:
    HP-UX 11i
    HP CIFS Server A.02.01 (Samba 3.0.7 with 3.0.8 backports)
    HP-UX Kerberos Client version 1.0
    Windows XP SP1 client
    Windows 2003 Advanced Server Enterprise Edition KDC and Active Directory domain
HP-UX command line operations using the Windows administrator user are authenticated using CRC encryption. The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.
7.9 Windows 2003 KDC – HP-UX Kerberos 1.0, RC4 Session
KINIT using RC4-HMAC:
Command: kinit administrator
# kinit administrator
kinit: No supported encryption types (config file error?) while getting initial credentials
The HP-UX Kerberos Client version 1.0 has no support for the RC4-HMAC encryption type at all.
RC4-HMAC Summary:
    HP-UX 11i
    HP CIFS Server A.02.01 (Samba 3.0.7 with 3.0.8 backports)
    HP-UX Kerberos Client version 1.
7.10 Windows 2003 KDC – HP-UX Kerberos 1.3.5, MD5 Session
KINIT – DES-CBC-MD5
Command: kinit administrator
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for krbtgt/HPATC2003.HP.COM is encrypted with RC4-HMAC. Notice that this is different from W2000 with 1.3.5 and MD5 – where both the Administrator and the ticket were MD5. W2003 defaults the user to RC4-HMAC.
Windows 2003 domain JOIN
Command: net ads join -U administrator%password
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-MD5 encryption. The ticket for hpatcwin2k4$ is RC4-HMAC.
Command line output:
# net ads join -U administrator%samba
[2005/02/05 10:20:23, 5] libads/kerberos.c:get_service_ticket(368)
  get_service_ticket: krb5_get_credentials for cifs/atcux5.hpatc2003.hp.com@HPATC2003.HP.
The Windows event for the domain join is: The encryption type for the ATCUX5 service ticket logon is MD5 (0x3).
Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share: Command: Map Network Drive window, \\atcux5\buffy. The client user buffy maps her home drive on the HP CIFS Server (samba) share. In this case, the service ticket that is requested from the Windows 2003 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share.
Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba). Command: none. The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 760) is encrypted with DES-CBC-MD5. The HP CIFS Server log entry is (grep crypt log.
Windows 2003 Advanced Server Event Viewer: Client user Service Ticket Request for HP CIFS Server share:
The Windows 2003 KDC logs the Service Ticket Request from the client user buffy as encryption type DES-CBC-MD5 (0x3).
MD5 Summary:
    HP-UX 11i
    HP CIFS Server A.02.01 (Samba 3.0.7 with 3.0.8 backports)
    HP-UX Kerberos Client version 1.3.
7.11 Windows 2003 KDC – HP-UX Kerberos 1.3.5, CRC Session
KINIT using DES-CBC-CRC:
Command: kinit administrator
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for krbtgt/HPATC2003.HP.COM is encrypted with RC4-HMAC.
Windows 2003 domain Join:
Command: net ads join -U administrator%password
The administrator user that is supplied on the HP-UX command line is authenticated with DES-CBC-CRC encryption. The ticket for hpatcwin2k4$ is RC4-HMAC. The “net ads join” succeeds using CRC:
Command line output:
# net ads join -U administrator%samba
Using short domain name -- HPATC2003
Joined 'ATCUX5' to realm 'HPATC2003.HP.
The Windows Event View event for the join is: The Windows Event logging appears to be in error because the encryption type shows 0x3 which is MD5, when we know that the actual type is CRC, and is expected to appear as 0x1.
Windows XP SP1 client user buffy requests service ticket for HP CIFS Server (Samba) share: Command: Map Network Drive window, \\atcux5\buffy. The client user buffy maps her home drive on the HP CIFS Server (samba) share. In this case, the service ticket that is requested from the Windows 2003 KDC is encrypted in DES-CBC-MD5. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share.
Windows XP SP1 client presents service ticket for \\atcux5\buffy to the HP CIFS Server (Samba). Command: none. The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 2597) is encrypted with DES-CBC-MD5. The HP CIFS Server log entry is (grep crypt log.
Windows 2003 Advanced Server Event Viewer: Client user Service Ticket Request for HP CIFS Server share: The Windows 2003 KDC logs the Service Ticket Request from the client user buffy as encryption type DES-CBC-MD5 (0x3).
CRC Summary:
HP-UX 11i
HP CIFS Server A.02.01 (Samba 3.0.7 with 3.0.8 backports)
HP-UX Kerberos Client version 1.3.5
Windows XP SP1 client
Windows 2003 Advanced Server Enterprise Edition KDC and Active Directory domain
HP-UX command line operations using the Windows administrator user are authenticated using CRC encryption. The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.
7.12 Windows 2003 KDC – HP-UX Kerberos 1.3.5, RC4 Session
KINIT using RC4-HMAC:
Command: kinit administrator
The administrator user that is supplied on the HP-UX command line is authenticated with RC4-HMAC encryption. The ticket for krbtgt/HPATC2003.HP.COM is encrypted with RC4-HMAC.
Windows 2003 domain join:
Command: net ads join -U administrator%password
The administrator user that is supplied on the HP-UX command line is authenticated with RC4-HMAC encryption. The ticket for hpatcwin2k4$ is RC4-HMAC.
Command line output:
# net ads join -U administrator%samba
[2005/02/05 11:50:39, 0] libads/kerberos.c:get_service_ticket(336)
get_service_ticket: kerberos_kinit_password ATCUX5$@HPATC2003.HP.COM@HPATC2003.HP.
verify_service_password: get_service_ticket failed: KDC has no support for encryption type
Joined 'ATCUX5' to realm 'HPATC2003.HP.COM'
As with the “net ads join” operation for DES-CBC-CRC, the logging data does not show a successful service ticket decryption. Also significant is that for RC4 the logging does not show the attempted enctypes. Since the join succeeds anyway, this points even more strongly to errors in the logging rather than in the join.
Windows XP SP1 client user buffy requests a service ticket for the HP CIFS Server (Samba) share:
Command: Map Network Drive window, \\atcux5\buffy.
The client user buffy maps her home drive on the HP CIFS Server (Samba) share. In this case, the service ticket that is requested from the Windows 2003 KDC is encrypted with DES-CBC-MD5, even though /etc/krb5.conf is configured with enctype=rc4-hmac. This ticket will be presented by the client to the HP CIFS Server during the SMB session setup to request access to the share.
Windows XP SP1 client presents the service ticket for \\atcux5\buffy to the HP CIFS Server (Samba).
Command: none.
The client presents the service ticket (acquired in the transaction with the KDC that is displayed on the previous page) to the HP CIFS Server (Samba). The service ticket for \\ATCUX5\BUFFY (see the Wireshark trace record 1606) is encrypted with DES-CBC-MD5. The HP CIFS Server log entry is (grep crypt log.
The Windows 2003 KDC logs the Service Ticket Request from the client user buffy as encryption type DES-CBC-MD5 (0x3).
RC4-HMAC Summary:
HP-UX 11i
HP CIFS Server A.02.01 (Samba 3.0.7 with 3.0.8 backports)
HP-UX Kerberos Client version 1.3.5
Windows XP SP1 client
Windows 2003 Advanced Server Enterprise Edition KDC and Active Directory domain
HP-UX command line operations using the Windows administrator user are authenticated using RC4 encryption. The Windows client user itself is authenticated using RC4-HMAC encryption, but the service ticket for the HP CIFS Server share is encrypted using MD5.
Chapter 8 Support Tools and Common Problems
Kerberos authentication is difficult to troubleshoot. The default data list for troubleshooting Kerberos authentication problems is:
8.1
kinit results
smb.conf
krb5.conf
uname -a
swlist -l product | grep -i krb
swlist -l product | grep -i ldap
smbd -V
Samba log level 10 for the client session
o log level = 10
o log file = /var/opt/samba/log.
8.1.2 klist (HP-UX)
klist at the HP-UX prompt displays the current ticket cache for the session. This is helpful for observing the ticket that the KDC issued in response to the kinit command. See the kinit example above for klist output. klist is also useful for verifying that a particular HP-UX user can obtain tickets from the KDC. If a user “buffy” is attempting a Windows login to the HP CIFS Server, then that user must be able to authenticate.
8.1.4 ldapsearch
The “net ads status” command will display the CIFS Server computer object in the Active Directory, assuming that the computer object is in the default location. Many customers design their own directory layout (schema), and so “net ads status” may not know where to look for the computer object. In that case, you can use the HP-UX ldapsearch tool to find it. ldapsearch is installed with the LDAP-UX Client product, which is a prerequisite for HP CIFS Server. It is located in /opt/ldapux/bin.
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@SNSLATC.HP.COM) failed: Wrong principal in request
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@SNSLATC.HP.COM) failed: Wrong principal in request
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@SNSLATC.HP.COM) failed: Wrong principal in request
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.
8.1.6 Windows Event Logger
The Windows KDC event logger can be useful simply to validate that the client is requesting tickets for the HP CIFS Server service. To enable Security event logging on a KDC, read the instructions at: http://support.microsoft.com/default.aspx?scid=kb;en-us;300549&sd=tech
The ticket encryption type will usually be 0x3 (DES-CBC-MD5), assuming that the krb5.conf file is configured for MD5.
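Sections 7.11, 7.12 and 8.1.6 all hinge on reading the hexadecimal encryption-type number in a KDC event and deciding whether it matches what /etc/krb5.conf asked for. The script below is an added example for this paper, not HP or Samba code: it decodes the RFC 3961 enctype numbers that the Windows KDC prints (0x1 DES-CBC-CRC, 0x3 DES-CBC-MD5, 0x17 RC4-HMAC) and flags any ticket whose enctype is not in the configured list. The event text is constructed and only loosely follows the field layout of a Windows 2003 KDC security event; the user, service and address values are placeholders.

```python
"""Decode Kerberos enctype numbers from Windows KDC security-event text and
compare them with the enctypes krb5.conf asks for.  Added example, not HP
or Samba code; SAMPLE_EVENTS is constructed."""
from __future__ import annotations
import re

# RFC 3961 / IANA enctype numbers.  The KDC event log prints them in hex,
# which is why 0x3 in an event is des-cbc-md5 and 0x1 would be des-cbc-crc.
ENCTYPES = {
    0x01: "des-cbc-crc",
    0x03: "des-cbc-md5",
    0x11: "aes128-cts-hmac-sha1-96",
    0x12: "aes256-cts-hmac-sha1-96",
    0x17: "arcfour-hmac-md5",
}
# krb5.conf spellings that name the same enctype.
ALIASES = {
    "rc4-hmac": "arcfour-hmac-md5", "arcfour-hmac": "arcfour-hmac-md5",
    "aes128-cts": "aes128-cts-hmac-sha1-96", "aes256-cts": "aes256-cts-hmac-sha1-96",
}


def canonical(name: str) -> str:
    """Map a krb5.conf enctype spelling to the name used in ENCTYPES."""
    name = name.lower()
    return ALIASES.get(name, name)


def describe(code: int) -> str:
    """Render an enctype number the way a reader of the event log needs it."""
    return f"0x{code:x} ({ENCTYPES.get(code, 'unknown enctype')})"


def parse_kdc_events(text: str) -> list:
    """Split blank-line separated events and pull the user, service principal
    and ticket enctype out of every event that carries a ticket enctype."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^\s*([A-Za-z][A-Za-z ]*?):[ \t]*(.*?)\s*$", block, re.M))
        if "Ticket Encryption Type" in fields:
            events.append({
                "user": fields.get("User Name", "?"),
                "service": fields.get("Service Name", "?"),
                "enctype": int(fields["Ticket Encryption Type"], 16),
            })
    return events


def compare_with_config(events: list, configured: str) -> list:
    """Mark each ticket as matching or not matching the configured enctype
    list (the value of default_tgs_enctypes or enctype in krb5.conf)."""
    wanted = {canonical(n) for n in configured.split()}
    findings = []
    for ev in events:
        name = ENCTYPES.get(ev["enctype"], "unknown enctype")
        findings.append({**ev, "name": name, "matches_config": name in wanted})
    return findings


# Constructed sample: a TGT event for the administrator and a cifs/ service
# ticket event for user buffy, as the 7.12 session would produce them.
SAMPLE_EVENTS = """\
Authentication Ticket Request:
    User Name: administrator
    Supplied Realm Name: HPATC2003.HP.COM
    Service Name: krbtgt/HPATC2003.HP.COM
    Ticket Encryption Type: 0x17
    Client Address: 192.0.2.10

Service Ticket Request:
    User Name: buffy
    User Domain: HPATC2003.HP.COM
    Service Name: cifs/atcux5
    Ticket Encryption Type: 0x3
    Client Address: 192.0.2.11
"""

if __name__ == "__main__":
    # krb5.conf asked for rc4-hmac only, as in 7.12: the TGT matches, the
    # cifs/ service ticket comes back as des-cbc-md5 and is flagged.
    for f in compare_with_config(parse_kdc_events(SAMPLE_EVENTS), "rc4-hmac"):
        flag = "ok" if f["matches_config"] else "MISMATCH"
        print(f"{f['user']:>14} -> {f['service']:<26} {describe(f['enctype']):<30} {flag}")
```

Run against the constructed events with the 7.12 configuration (rc4-hmac only), the TGT is reported as matching and the cifs/atcux5 service ticket is flagged as 0x3 (des-cbc-md5), which is exactly the observation the paper records; widening the configured list to "rc4-hmac des-cbc-md5" clears the flag.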
The only significant drawback to Wireshark usage is ensuring that it is resident on the customer system. Wireshark binaries can be downloaded from:
The HP-UX Porting and Archive Center
o http://hpux.cs.utah.edu/hppd/hpux/Gtk/Applications/wireshark-1.1.1/
Includes 11iv1, 11iv2, 11iv3
www.software.hp.com Internet Express
o https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXIEXP 1123 (11iv2)
o https://h20392.www2.hp.com/portal/swdepot/try.
The client buffy received the krbtgt (Kerberos ticket-granting-ticket service) from the KDC. You can see that the client holds a ticket for the machine name, too (remember that the client tries to open the CIFS Server share as a machine name principal first, gets rejected, and tries again as the user).
The kerbtray tool shows that the enctype is RC4 for both the ticket that we received and the key. We already know that this is the default for Windows 2003 domains (part of the “security lockdown”). Next, the CIFS Server share is mounted.
The kerbtray tool shows the new ticket of cifs/atcux5. This is the ticket for the HP CIFS Server.
As we know from our other data collection, the HP CIFS Server enctype is MD5. Here, kerbtray shows the enctype for the ticket and the key to be MD5. Kerbtray is easy to download from Microsoft and install. The Microsoft website is: http://www.microsoft.com/downloads/details.
The TICKETS option displays the currently cached tickets for the session. The PURGE option prompts the user to purge the cached tickets for the session. When duplicating client logins for a CIFS Server and observing the TGS (ticket granting service) ticket for the client, you will need to purge the TGS ticket from the client unless its lifetime has already expired. For more information about klist.exe, go to the Microsoft website: http://www.microsoft.com/downloads/details.
8.2 Common Problems HP CIFS Server A.02.01, based upon Samba 3.0 with Kerberos authentication, has been available since December 15th, 2004. Most of the common problems that are identified below have been observed in testing done by various internal HP organizations. Some have originated at customer sites. This is not an exhaustive list. Always ensure that an HP-UX kinit is successful before addressing Samba configurations.
8.2.1 Wrong Kerberos Libraries
Symptom
If the HP-UX Kerberos version does not support a particular operation (such as keytab support) or encryption type (such as RC4-HMAC), the symptom can be the bad-password pop-up. Another symptom is a failed kinit.
Problem
The Kerberos library version may be too old for the attempted operation.
8.2.2 Invalid /etc/krb5.conf File
Symptom
kinit failure. Often:
kinit(v5): No supported encryption types (config file error?) while getting initial credentials
Or “net ads join” failure (failed to join domain). Or the bad-password pop-up.
Problem
Many problems can occur in krb5.conf: bad enctypes, bad syntax, bad realms.
Resolution
The obvious tactic is to compare the existing krb5.conf with a known good file. A basic krb5.conf file is /etc/opt/samba/smb.
8.2.3 Joining a Domain
Multiple errors may occur when joining a domain.
Symptom-1
# net ads join -U eroseme
eroseme's password:
[2005/03/18 09:13:37, 0] libads/ldap.c:ads_add_machine_acct(1366)
ads_add_machine_acct: Host account for atcux5 already exists - modifying old account
[2005/03/18 09:13:37, 0] libads/ldap.
Do not do this when smb.conf is “security = ads”. Samba requires a particular value in a directory computer attribute called UserAccountControl in order to correctly implement Kerberos for Samba. The “net ads join” command inserts the correct value into this attribute. The Windows MMC inserts an incorrect value into this attribute. All further Kerberos authentication attempts will fail, resulting in the bad-password pop-up.
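Sections 8.1.4 and 8.2.3 together describe the check a support engineer ends up doing by hand: locate the CIFS Server computer object with ldapsearch, then look at its userAccountControl attribute. The script below is an added example, not HP or Samba code. It reads the LDIF that ldapsearch prints, finds the computer object by sAMAccountName, and decodes userAccountControl into its named bits so an object created through the Windows MMC can be compared flag by flag with one created by “net ads join”. The bit values are Microsoft's published userAccountControl flags; the paper does not state which exact value Samba requires, so the code compares decoded flags rather than asserting a “correct” number. The LDIF text and both userAccountControl values are constructed, and the second host name is a placeholder.

```python
"""Find a computer object in ldapsearch LDIF output and decode its
userAccountControl bits.  Added example, not HP or Samba code; the LDIF
and the attribute values below are constructed."""
from __future__ import annotations

# Microsoft's published userAccountControl bits (subset relevant here).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
}


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    repeated attributes collected into lists, leading-space continuation lines
    joined to the previous value.  Base64 ('attr:: value') is not decoded."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:
            cur[last][-1] += raw[1:]
            continue
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        cur.setdefault(attr, []).append(value.strip())
        last = attr
    return entries


def find_computer(entries: list, name: str) -> dict | None:
    """Return the computer object whose sAMAccountName is NAME$ (case-insensitive)."""
    wanted = name.rstrip("$").upper() + "$"
    for e in entries:
        if "computer" in e.get("objectClass", []) and \
                any(v.upper() == wanted for v in e.get("sAMAccountName", [])):
            return e
    return None


def decode_uac(value: int) -> list:
    """Named bits set in a userAccountControl value; bits not in UAC_FLAGS are
    reported together as one hex remainder."""
    names = [n for bit, n in UAC_FLAGS.items() if value & bit]
    leftover = value & ~sum(UAC_FLAGS)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def uac_diff(first: int, second: int) -> dict:
    """Flags present in one value but not the other, for comparing an object
    against a known-good one created by 'net ads join'."""
    fa, fb = set(decode_uac(first)), set(decode_uac(second))
    return {"only_in_first": sorted(fa - fb), "only_in_second": sorted(fb - fa)}


# Constructed ldapsearch output: the CIFS Server object in the default
# Computers container and a second object in a customer-designed OU.
SAMPLE_LDIF = """\
dn: CN=ATCUX5,CN=Computers,DC=hpatc2003,DC=hp,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
sAMAccountName: ATCUX5$
servicePrincipalName: cifs/atcux5
servicePrincipalName: HOST/atcux5
userAccountControl: 69632

dn: CN=OTHERHOST,OU=Servers,DC=hpatc2003,DC=hp,DC=com
objectClass: top
objectClass: user
objectClass: computer
sAMAccountName: OTHERHOST$
userAccountControl: 4128
"""
```

Pipe the real output of /opt/ldapux/bin/ldapsearch into parse_ldif, pull both objects out with find_computer, and feed their userAccountControl values to uac_diff: the result lists exactly which flags differ between the object the MMC created and one that “net ads join” wrote, which is far easier to reason about than two decimal numbers.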
The “kinit administrator” fails.
Problem-4
The HP-UX server clock and the Windows KDC clock are not in sync. The Kerberos protocol checks the timestamps carried in pre-authentication data and authenticators against the receiving system's clock, so if the two clocks differ by more than the permitted skew, authentication fails.
Resolution-4
Set the system clocks to be in sync. If this does not work, use the “clockskew” parameter in the krb5.conf file to allow a larger window of clock error:
[libdefaults]
default_realm = SNSLATC.HP.
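Sections 8.2.2 and 8.2.3 list the krb5.conf mistakes that produce a failed kinit, a failed join or the bad-password pop-up: bad enctypes, bad syntax, bad realms and clocks outside the permitted skew. The script below is an added example, not an HP tool, that runs those checks over a krb5.conf before anyone touches smb.conf. It understands only the krb5.conf syntax used in this paper (sections, key = value lines, and { } realm blocks) and treats a non-integer clockskew or an unrecognised enctype name as an error; the default clockskew of 300 seconds is MIT krb5's. Both sample files are constructed and the KDC host name in them is a placeholder.

```python
"""Sanity-check an HP-UX /etc/krb5.conf for the problems in 8.2.2 and 8.2.3.
Added example, not HP tooling; GOOD_CONF and BAD_CONF are constructed and
their kdc host name is a placeholder."""
from __future__ import annotations
import re

KNOWN_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac",
    "arcfour-hmac-md5", "aes128-cts", "aes256-cts",
    "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
DEFAULT_CLOCKSKEW = 300   # seconds; MIT krb5's default when clockskew is unset


def parse_krb5_conf(text: str) -> dict:
    """Return {section: {key: value}}; a 'NAME = {' block becomes a nested dict.
    Raises ValueError on the syntax errors 8.2.2 mentions."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"'{line}' appears before any [section]")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep:
            raise ValueError(f"no '=' in '{line}'")
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return conf


def check_krb5_conf(text: str) -> list:
    """Return human-readable problems; an empty list means the static checks
    passed (it does not prove the KDC will accept the settings)."""
    try:
        conf = parse_krb5_conf(text)
    except ValueError as err:
        return [f"syntax: {err}"]
    problems, lib = [], conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        problems.append("[libdefaults] has no default_realm")
    else:
        if realm != realm.upper():
            problems.append(f"default_realm '{realm}' is not upper case; realm names "
                            "are case-sensitive and an AD realm is the DNS domain in upper case")
        if realm not in conf.get("realms", {}):
            problems.append(f"[realms] has no block for {realm}")
        elif "kdc" not in conf["realms"][realm]:
            problems.append(f"[realms] {realm} block names no kdc")
    for key in ENCTYPE_KEYS:
        if key in lib:
            bad = [e for e in lib[key].split() if e.lower() not in KNOWN_ENCTYPES]
            if bad:
                problems.append(f"{key}: unknown enctype(s) {bad}; kinit reports "
                                "'No supported encryption types'")
    skew = lib.get("clockskew")
    if skew is not None and not skew.isdigit():
        problems.append(f"clockskew must be whole seconds, got '{skew}'")
    return problems


def within_clockskew(client_epoch: int, kdc_epoch: int, clockskew: int = DEFAULT_CLOCKSKEW) -> bool:
    """A request whose timestamp differs from the KDC's clock by more than
    clockskew seconds is rejected (KRB_AP_ERR_SKEW); compare the two clocks
    with this before widening clockskew instead of fixing them."""
    return abs(client_epoch - kdc_epoch) <= clockskew


# Constructed sample files.  The realm is the one in the paper's traces; the
# KDC host name is a placeholder.
GOOD_CONF = """\
[libdefaults]
    default_realm = SNSLATC.HP.COM
    default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    clockskew = 300

[realms]
    SNSLATC.HP.COM = {
        kdc = kdc-placeholder.example.com:88
    }
"""

# The same file with the mistakes 8.2.2 warns about: a misspelt enctype, a
# lower-case realm that no [realms] block matches, and a non-numeric clockskew.
BAD_CONF = """\
[libdefaults]
    default_realm = snslatc.hp.com
    default_tkt_enctypes = rc4-hmak des-cbc-md5
    clockskew = 5m

[realms]
    SNSLATC.HP.COM = {
        kdc = kdc-placeholder.example.com:88
    }
"""
```

check_krb5_conf(GOOD_CONF) returns an empty list; check_krb5_conf(BAD_CONF) returns four findings, one per mistake, and a file with a key outside any section comes back as a single syntax error, which is the “config file error?” hint in the kinit message above.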
Chapter 9 Kerberos High Availability Integration HP CIFS Server is commonly configured as a node in a highly available HP-UX ServiceGuard cluster. For deployments that are running with “security = ads”, that usually means that users are being authenticated using Kerberos to a Windows Key Distribution Center (KDC) domain controller. By default, the ServiceGuard configuration has no influence upon the Kerberos authentication mechanism.
WARNING: Whenever a “net ads join” command is executed on any CIFS server in the ServiceGuard cluster, it changes the secret key on the KDC. A new krb5.keytab must be generated on the CIFS server to match the service principal keys with the KDC. With the merged-keytab file technique, all of the krb5.keytab files in the cluster must then be replaced with new versions that are merged with the newly generated krb5.keytab file from the recently joined CIFS server. 9.
9.2 Testing the Merged Keytab Files
The following HP-UX and HP CIFS Server configuration was used for these tests:
HP-UX 11iv3
o pam_kerberos
o nsswitch ldap passwd/group
o Kerberos Client E.1.6.2
o LDAP-UX Client B.04.17
HP CIFS Server A.02.03.03
Windows 2003R2 Active Directory
Unified Login Domain Model
o SFU 3.5
o HP-UX users hosted on the AD with RFC 2307 UNIX attributes
1. Test local HP-UX logins with an AD-resident user. Test all nodes in the cluster.
2. Test CIFS Server logins with a Windows AD user. Use a Windows user from the domain to mount a share on the HP CIFS Server. To use Wireshark to verify the login, two traces must be taken: one between the client and the KDC to observe that the TGS is correctly issued; and another between the client and the HP CIFS Server to observe the client presenting the TGS to the server and that the ticket is validated and share access is allowed.
Next, the client must present the TGS to the CIFS Server: The CIFS Server accepts the TGS with the cifs/emonster.rose.hp.com service principal and the login proceeds.
This event shows that the client was issued a ticket for emonster.
3. Test with HP-UX Internet Services: ftp, telnet, rlogin, etc. ftp has the best error reporting, so the following example uses ftp to illustrate the use of the krb5.keytab file for the ftp login service principal:
ftp> open emonster
Connected to emonster.rose.hp.com.
220 emonster.rose.hp.com FTP server (Revision 4.0 Version wuftpd2.6.1 Wed Jun 18 07:11:14 GMT 2008) ready.
Error initializing security using principal 'ftp@emonster.rose.hp.
CIFS/Samba does not create an ftp principal, so it does not exist in the krb5.keytab file. When ftp searches for it, it is not found, but ftp then re-tries with the host/FQDN service principal. This is the same service principal that is used for HP-UX logins, so the re-try is successful. A Wireshark trace shows this behavior: here the ftp service principal is rejected as “PRINCIPAL UNKNOWN” because it does not exist in the keytab file. Next….
ftp re-tries with the host principal and the authentication succeeds.
9.3 Examining the Merged krb5.keytab File
CIFS/Samba builds a keytab file using 7 different encryption types for every service principal, and creates multiple entries for each service principal based upon case (see Chapter 5). This results in many keys residing in krb5.keytab. When merging krb5.keytab files from multiple systems in a ServiceGuard cluster, the file becomes even larger.
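The warning in 9.1 and the size problem in 9.3 both come from the same mechanics: every node's krb5.keytab holds one entry per service principal per enctype, a merge is the union of those entries, and a re-join bumps the key version number (kvno) so that the pre-join entries for that node become dead weight. The script below is an added example for that procedure, not HP or Samba code. It reads and writes the MIT keytab file format (version 0x0502, the format HP-UX Kerberos and Samba's “net ads join” produce), merges several keytabs with exact duplicates removed, and optionally prunes entries whose kvno is older than the newest kvno seen for the same principal and enctype. The keytabs it works on are constructed in sample_keytabs() with throw-away key bytes, three enctypes instead of the seven Samba writes, and a placeholder name for the second cluster node.

```python
"""Parse, merge and prune MIT-format krb5.keytab files (version 0x0502).
Added example, not HP or Samba code; sample_keytabs() builds constructed
keytabs with throw-away key bytes.

Entry layout (big-endian):  int32 length | uint16 ncomp | realm |
component... | uint32 name_type | uint32 timestamp | uint8 kvno |
uint16 enctype | uint16 keylen | key | [uint32 kvno32]
where every string is uint16 length followed by the bytes."""
from __future__ import annotations
import struct
from dataclasses import dataclass

KEYTAB_VERSION = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1


@dataclass(frozen=True)
class KeytabEntry:
    principal: str          # "cifs/emonster.rose.hp.com@SNSLATC.HP.COM"
    kvno: int
    enctype: int            # 1 = des-cbc-crc, 3 = des-cbc-md5, 23 = rc4-hmac
    key: bytes
    timestamp: int = 0
    name_type: int = KRB5_NT_PRINCIPAL


def _string(buf: bytes, off: int) -> tuple:
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n], off + 2 + n


def _pack(s: bytes) -> bytes:
    return struct.pack(">H", len(s)) + s


def parse_keytab(data: bytes) -> list:
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative length marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _string(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _string(data, off)
            comps.append(c.decode())
        name_type, ts, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        key, off = _string(data, off + 11)
        kvno = vno8
        if end - off >= 4:                # the 32-bit kvno, when present, wins
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key, ts, name_type))
        off = end
    return entries


def build_keytab(entries: list) -> bytes:
    out = bytearray(KEYTAB_VERSION)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack(realm.encode())
        for c in comps:
            body += _pack(c.encode())
        body += struct.pack(">IIBH", e.name_type, e.timestamp, e.kvno & 0xFF, e.enctype)
        body += _pack(e.key) + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def merge_keytabs(*keytabs: bytes) -> list:
    """Union of all entries with exact duplicates dropped; first occurrence wins."""
    seen, merged = set(), []
    for kt in keytabs:
        for e in parse_keytab(kt):
            ident = (e.principal, e.kvno, e.enctype, e.key)
            if ident not in seen:
                seen.add(ident)
                merged.append(e)
    return merged


def prune_stale(entries: list) -> list:
    """Drop keys whose kvno is below the newest kvno for the same principal
    and enctype.  After a re-join the KDC issues tickets only under the new
    kvno; skip this step while tickets issued before the re-join may still
    be presented to the server."""
    newest = {}
    for e in entries:
        k = (e.principal, e.enctype)
        newest[k] = max(newest.get(k, 0), e.kvno)
    return [e for e in entries if e.kvno == newest[(e.principal, e.enctype)]]


def sample_keytabs() -> dict:
    """Constructed keytabs: node A before and after a second 'net ads join'
    bumped its kvno, and a second node under a placeholder name."""
    def node(fqdn, realm, kvno, seed):
        ents = [KeytabEntry(f"{svc}/{fqdn}@{realm}", kvno, enctype,
                            bytes([seed, enctype]) * 8, timestamp=1200000000)
                for svc in ("cifs", "host") for enctype in (1, 3, 23)]
        return build_keytab(ents)
    return {
        "node_a_old": node("emonster.rose.hp.com", "SNSLATC.HP.COM", 2, 0xA1),
        "node_a_new": node("emonster.rose.hp.com", "SNSLATC.HP.COM", 3, 0xA2),
        "node_b": node("node2-placeholder.example.com", "SNSLATC.HP.COM", 2, 0xB1),
    }


if __name__ == "__main__":
    kt = sample_keytabs()
    merged = merge_keytabs(kt["node_a_old"], kt["node_b"], kt["node_a_new"])
    print(len(merged), "entries merged,", len(prune_stale(merged)), "after pruning")
```

Merging node A's old keytab, node B's keytab and node A's post-re-join keytab gives 18 entries; pruning removes the six kvno 2 entries for node A and leaves 12, which is what the cluster actually needs once every node has been re-joined and its stale keys retired. The writer always appends the 32-bit kvno, as current MIT klist expects, and the reader skips negative-length slots so a keytab that ktutil has deleted entries from still parses.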