HP CIFS Server and Kerberos
8.1.4 ldapsearch
The “net ads status” command will display the CIFS Server computer object in the Active Directory,
assuming that the computer object is in the default location. Many customers design their own
directory layout (schema), and so “net ads status” may not know where to look for the computer
object. In that case, you can use the HP-UX ldapsearch tool to find it.
ldapsearch is installed with the LDAP-UX Client product, which is a prerequisite for HP CIFS Server. It is
located in /opt/ldapux/bin. Here is an example of an ldapsearch command that uses the default ADS
schema and searches for the atcux4 computer object:
ldapsearch -h hpatcwin2k1.hpatcdom.hp.com -D "cn=administrator,cn=users,dc=hpatcdom,dc=hp,dc=com" -w samba -b dc=hpatcdom,dc=hp,dc=com "cn=atcux4"
Look for the same data as “net ads status” provided: the userAccountControl (discussed later in the
“Joining the Domain” topic) and the servicePrincipalName.
8.1.5 Samba Logging
Samba logging is enabled by the smb.conf “log level =” or “debug level =” parameter (they do the
same thing). To view the Kerberos log events, the log level must be set to 10. It is best to configure
logging to generate a new file for every client connection by setting “log file =
/var/opt/samba/log.%m”.
8.1.5.1 Default Kerberos Config Logging
For the default Kerberos configuration that uses secrets.tdb for the secret key store, a user logon log
file displays a sequence of failed ticket verifications using a non-matching encryption type. It’s easiest
to grep the logfile for “crypt.”
# grep crypt goodsecretslog
ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [23] decrypted message !
If a “decrypted message” line is not present, then it is likely that the client password dialog box has
popped up requesting a username/password.
8.1.5.2 Kerberos Keytab Config Logging
For a Kerberos keytab file configuration that uses krb5.keytab for the secret key(s) store, a user logon
log file also displays a sequence of failed ticket verifications for non-matching enctypes, but these
originate with the keytab verify code. It is easiest to just grep the logfile for “principal.”
# grep principal goodkeytablog
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@SNSLATC.HP.COM) failed: Wrong principal in request
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@SNSLATC.HP.COM) failed: Wrong principal in request
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@SNSLATC.HP.COM) failed: Wrong principal in request
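As an added triage helper (not part of the HP documentation), the following Python function reads a log.%m file written at log level 10 and reports what 8.1.5.1 and 8.1.5.2 say to look for: the enctypes tried against secrets.tdb, whether a “decrypted message” line appeared, and how many keytab lookups failed per principal. The sample log text is constructed to match the two grep listings above; the verdict strings are this example's own naming.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log fragments (not real captures) in the shape the two
# grep listings above show: one secrets.tdb logon and one keytab logon.
SECRETS_LOG = """\
ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [23] decrypted message !
"""
KEYTAB_LOG = """\
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@SNSLATC.HP.COM) failed: Wrong principal in request
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/emonster.rose.hp.com@SNSLATC.HP.COM) failed: Wrong principal in request
"""

SECRETS_RE = re.compile(
    r"ads_secrets_verify_ticket: enc type \[(\d+)\] (failed to decrypt|decrypted message)")
KEYTAB_RE = re.compile(
    r"ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab\(([^)]+)\) failed: (.+)")


def summarize_ticket_verification(log_text: str) -> dict:
    """Reduce one log.%m file to the facts the manual says to look for."""
    tried: List[int] = []                 # enctypes attempted against secrets.tdb
    decrypted_with: Optional[int] = None  # enctype that finally decrypted the ticket
    keytab_failures: Dict[str, int] = {}  # principal -> number of failed keytab lookups
    for line in log_text.splitlines():
        m = SECRETS_RE.search(line)
        if m:
            enctype = int(m.group(1))
            tried.append(enctype)
            if m.group(2) == "decrypted message":
                decrypted_with = enctype
            continue
        m = KEYTAB_RE.search(line)
        if m:
            principal = m.group(1)
            keytab_failures[principal] = keytab_failures.get(principal, 0) + 1
    if decrypted_with is not None:
        verdict = "decrypted"              # secrets.tdb key matched one enctype
    elif tried:
        verdict = "not-decrypted"          # expect the client password prompt
    elif keytab_failures:
        verdict = "keytab-attempts"        # failed lookups are normal; check further
    else:
        verdict = "no-verification-lines"  # log level below 10, or no logon yet
    return {"enctypes_tried": tried, "decrypted_with": decrypted_with,
            "keytab_failures": keytab_failures, "verdict": verdict}
```

Run it over a real file with `summarize_ticket_verification(open(path).read())`; a "not-decrypted" result on a secrets.tdb host is the case the section ties to the unexpected password dialog.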