HP CIFS Server and Kerberos
system. The following steps will show how to generate a valid keytab file, configure CIFS/Samba to
access the keytab file, and configure Kerberos for HP-UX INET Services access.
1. Edit the /etc/krb5.conf file to add the WRFILE prefix to the default_keytab_name parameter.
* HP-UX Kerberos version 1.3.5 or later is REQUIRED for WRFILE.
/etc/krb5.conf for HP CIFS Server Keytab creation
# Kerberos configuration
[libdefaults]
default_realm = HPATC2003.HP.COM
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
default_keytab_name = "WRFILE:/etc/krb5.keytab"
[realms]
HPATC2003.HP.COM = {
kdc = HPATCWIN2K4.HPATC2003.HP.COM:88
admin_server = HPATCWIN2K4.HPATC2003.HP.COM
}
[domain_realm]
.hp.com = HPATC2003.HP.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
2. Execute “net ads keytab create -U administrator” to generate an /etc/krb5.keytab file.
* Observe the keys by executing “klist -k -e” (see the tools section for klist).
* The listing of keys will appear to be excessively long. This is due to the inclusion of
every possible combination of service principal name and key enctype.
3. Edit /etc/opt/samba/smb.conf to enable CIFS/Samba to read /etc/krb5.keytab
[global]
workgroup = HPATC2003
realm = HPATC2003.HP.COM
netbios name = atcux5
server string = Samba Server
interfaces = 15.43.214.58
bind interfaces only = Yes
security = ADS
password server = HPATCWIN2K4.HPATC2003.HP.COM
use kerberos keytab = yes
4. Start CIFS/Samba, log on to the domain with a client, and mount a CIFS/Samba share. The protocol
exchange will be the same as illustrated in Chapter 4.4. The difference is that the CIFS server will
now go to krb5.keytab for the secret key instead of secrets.tdb. The logfile (level 10) entries will also
be different:
[2005/01/19 13:32:02, 10] lib/util.c:name_to_fqdn(2442)
name_to_fqdn: lookup for ATCUX5 -> atcux5.
[2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
krb5_rd_req(atcux5$@HPATC2003.HP.COM) failed: Wrong principal in request
[2005/01/19 13:32:02, 0] libads/kerberos_verify.c:ads_keytab_verify_ticket(113)
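A consistency check over the three artifacts produced by steps 1 to 3 (krb5.conf, smb.conf and the “klist -k -e” listing), added here as an example and not part of the HP document or the CIFS Server product. The config text and the klist output are constructed samples modelled on the files above; the klist line layout is assumed to be MIT-style and may differ on HP-UX.

```python
import re

# Constructed inputs, modelled on the page's step 1 and step 3 files and on a
# hypothetical "klist -k -e" listing (MIT-style layout assumed; HP-UX output may differ).
KRB5_CONF = """[libdefaults]
default_realm = HPATC2003.HP.COM
default_keytab_name = "WRFILE:/etc/krb5.keytab"
"""
SMB_CONF = """[global]
realm = HPATC2003.HP.COM
netbios name = atcux5
use kerberos keytab = yes
"""
KLIST_OUT = """Keytab name: WRFILE:/etc/krb5.keytab
   3 host/atcux5.hpatc2003.hp.com@HPATC2003.HP.COM (DES cbc mode with RSA-MD5)
   3 host/ATCUX5@HPATC2003.HP.COM (DES cbc mode with RSA-MD5)
   3 atcux5$@HPATC2003.HP.COM (DES cbc mode with RSA-MD5)
"""

def parse_section(text, section):
    """Return the key = value pairs of one [section] of an INI-style config, keys lowercased."""
    out, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*\[(\w+)\]", line)
        if m:
            cur = m.group(1)
        elif cur == section and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            out[k.lower()] = v.strip('"')   # drop the quotes around WRFILE:...
    return out

def keytab_entries(klist_text):
    """Parse 'KVNO principal (enctype)' lines into (kvno, principal, enctype) tuples."""
    pat = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
    return [(int(m[1]), m[2], m[3]) for m in map(pat.match, klist_text.splitlines()) if m]

def check_keytab_setup(krb5, smb, klist):
    """Return a list of mismatches between krb5.conf, smb.conf and the keytab listing."""
    lib, glob = parse_section(krb5, "libdefaults"), parse_section(smb, "global")
    realm, host = lib.get("default_realm", ""), glob.get("netbios name", "")
    principals = {p.lower() for _, p, _ in keytab_entries(klist)}
    problems = []
    if not lib.get("default_keytab_name", "").startswith("WRFILE:"):
        problems.append("default_keytab_name lacks the WRFILE: prefix needed for net ads keytab create")
    if glob.get("realm", "").upper() != realm.upper():
        problems.append("smb.conf realm does not match krb5.conf default_realm")
    if glob.get("use kerberos keytab", "no").lower() != "yes":
        problems.append("smb.conf does not set 'use kerberos keytab = yes'")
    if f"{host.lower()}$@{realm.lower()}" not in principals:
        problems.append(f"keytab lacks machine account entry {host}$@{realm}")
    if not any(p.startswith(f"host/{host.lower()}") for p in principals):
        problems.append(f"keytab lacks a host/{host} service principal")
    return problems
```

An empty list means the keytab written in step 2 carries the machine account and host principals that the smb.conf realm and netbios name imply; each reported string names the file to revisit.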