[gpfsug-discuss] Spectrum Scale CES , SAMBA, LDAP kerberos authentication issue

hopii at interia.pl hopii at interia.pl
Fri May 18 19:53:57 BST 2018


Hi there,

I'm just learning, trying to configure Spectrum Scale: SMB File Authentication using LDAP (IPA) with Kerberos, and have been struggling with it for a couple of days, without success.

Users on the Spectrum cluster and the client machine are authenticated properly, so LDAP should be fine.
NFS mount with Kerberos works with no issues as well.

But I ran out of ideas how to configure SMB using LDAP with kerberos.

I could have messed up the NetBIOS names, as I am not sure which one to use: from the cluster node or from the protocol node, exactly which one.
But the error message seems to point to the keytab file, which is present on both the server and client nodes.

I ran into a similar post, dated a few days ago, so I'm not the only one.
https://www.mail-archive.com/gpfsug-discuss@spectrumscale.org/msg03919.html


Below is my configuration and error message, and I'd appreciate any hints or help.

Thank you,
d.



Error message from /var/adm/ras/log.smbd

[2018/05/18 13:51:58.853681,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2018/05/18 13:51:58.859984,  0] ../source3/librpc/crypto/gse.c:586(gse_init_server)
  smb_gss_krb5_import_cred failed with [Unspecified GSS failure.  Minor code may provide more information: Keytab MEMORY:cifs_srv_keytab is nonexistent or empty]
[2018/05/18 13:51:58.860151,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR



Cluster nodes
spectrum1.example.com	RedHat 7.4
spectrum2.example.com	RedHat 7.4
spectrum3.example.com	RedHat 7.4

Protocol nodes:
labs1.example.com
lasb2.example.com
labs3.example.com


ssipa.example.com	Centos 7.5
 


Spectrum Scale server:

[root at spectrum1 security]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/labs1.example.com at example.com
   1 host/labs1.example.com at example.com
   1 host/labs2.example.com at example.com
   1 host/labs2.example.com at example.com
   1 host/labs3.example.com at example.com
   1 host/labs3.example.com at example.com
   1 nfs/labs1.example.com at example.com
   1 nfs/labs1.example.com at example.com
   1 nfs/labs2.example.com at example.com
   1 nfs/labs2.example.com at example.com
   1 nfs/labs3.example.com at example.com
   1 nfs/labs3.example.com at example.com
   1 cifs/labs1.example.com at example.com
   1 cifs/labs1.example.com at example.com
   1 cifs/labs2.example.com at example.com
   1 cifs/labs2.example.com at example.com
   1 cifs/labs3.example.com at example.com
   1 cifs/labs3.example.com at example.com




[root at spectrum1 security]# net conf list
[global]
	disable netbios = yes
	disable spoolss = yes
	printcap cache time = 0
	fileid:algorithm = fsname
	fileid:fstype allow = gpfs
	syncops:onmeta = no
	preferred master = no
	client NTLMv2 auth = yes
	kernel oplocks = no
	level2 oplocks = yes
	debug hires timestamp = yes
	max log size = 100000
	host msdfs = yes
	notify:inotify = yes
	wide links = no
	log writeable files on exit = yes
	ctdb locktime warn threshold = 5000
	auth methods = guest sam winbind
	smbd:backgroundqueue = False
	read only = no
	use sendfile = no
	strict locking = auto
	posix locking = no
	large readwrite = yes
	aio read size = 1
	aio write size = 1
	force unknown acl user = yes
	store dos attributes = yes
	map readonly = yes
	map archive = yes
	map system = yes
	map hidden = yes
	ea support = yes
	groupdb:backend = tdb
	winbind:online check timeout = 30
	winbind max domain connections = 5
	winbind max clients = 10000
	dmapi support = no
	unix extensions = no
	socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPCNT=4 TCP_KEEPIDLE=240 TCP_KEEPINTVL=15
	strict allocate = yes
	tdbsam:map builtin = no
	aio_pthread:aio open = yes
	dfree cache time = 100
	change notify = yes
	max open files = 20000
	time_audit:timeout = 5000
	gencache:stabilize_count = 10000
	server min protocol = SMB2_02
	server max protocol = SMB3_02
	vfs objects = shadow_copy2 syncops gpfs fileid time_audit
	smbd profiling level = on
	log level = 1
	logging = syslog at 0 file
	smbd exit on ip drop = yes
	durable handles = no
	ctdb:smbxsrv_open_global.tdb = false
	mangled names = illegal
	include system krb5 conf = no
	smbd:async search ask sharemode = yes
	gpfs:sharemodes = yes
	gpfs:leases = yes
	gpfs:dfreequota = yes
	gpfs:prealloc = yes
	gpfs:hsm = yes
	gpfs:winattr = yes
	gpfs:merge_writeappend = no
	fruit:metadata = stream
	fruit:nfs_aces = no
	fruit:veto_appledouble = no
	readdir_attr:aapl_max_access = false
	shadow:snapdir = .snapshots
	shadow:fixinodes = yes
	shadow:snapdirseverywhere = yes
	shadow:sort = desc
	nfs4:mode = simple
	nfs4:chown = yes
	nfs4:acedup = merge
	add share command = /usr/lpp/mmfs/bin/mmcesmmccrexport
	change share command = /usr/lpp/mmfs/bin/mmcesmmcchexport
	delete share command = /usr/lpp/mmfs/bin/mmcesmmcdelexport
	server string = IBM NAS
	client use spnego = yes
	kerberos method = system keytab
	ldap admin dn = cn=Directory Manager
	ldap ssl = start tls
	ldap suffix = dc=example,dc=com
	netbios name = spectrum1
	passdb backend = ldapsam:"ldap://ssipa.example.com"
	realm = example.com
	security = ADS
	dedicated keytab file = /etc/krb5.keytab
	password server = ssipa.example.com
	idmap:cache = no
	idmap config * : read only = no
	idmap config * : backend = autorid
	idmap config * : range = 10000000-299999999
	idmap config * : rangesize = 1000000
	workgroup = labs1
	ntlm auth = yes

[share1]
	path = /ibm/gpfs1/labs1
	guest ok = no
	browseable = yes
	comment = jas share
	smb encrypt = disabled


[root at spectrum1 ~]# mmsmb export list
export   path               browseable   guest ok   smb encrypt   
share1   /ibm/gpfs1/labs1   yes          no         disabled 



userauth command:
mmuserauth service create --type ldap --data-access-method file --servers ssipa.example.com --base-dn dc=example,dc=com --user-name 'cn=Directory Manager' --netbios-name labs1 --enable-server-tls --enable-kerberos --kerberos-server ssipa.example.com --kerberos-realm example.com


[root at spectrum1 ~]# mmuserauth service list
FILE access configuration : LDAP
PARAMETERS               VALUES                   
-------------------------------------------------
ENABLE_SERVER_TLS        true                     
ENABLE_KERBEROS          true                     
USER_NAME                cn=Directory Manager     
SERVERS                  ssipa.example.com    
NETBIOS_NAME             spectrum1                
BASE_DN                  dc=example,dc=com 
USER_DN                  none                     
GROUP_DN                 none                     
NETGROUP_DN              none                     
USER_OBJECTCLASS         posixAccount             
GROUP_OBJECTCLASS        posixGroup               
USER_NAME_ATTRIB         cn                       
USER_ID_ATTRIB           uid                      
KERBEROS_SERVER          ssipa.example.com    
KERBEROS_REALM           example.com          

OBJECT access not configured
PARAMETERS               VALUES                   
-------------------------------------------------

net ads keytab list -> does not show any keys


LDAP user information was updated with Samba attributes according to the documentation:
https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adm_updateldapsmb.htm


[root at spectrum1 ~]# pdbedit -L -v
Can't find include file /var/mmfs/ces/smb.conf.0.0.0.0
Can't find include file /var/mmfs/ces/smb.conf.internal.0.0.0.0
No builtin backend found, trying to load plugin
Module 'ldapsam' loaded
db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x4d2a432b
db_open_ctdb: opened database 'secrets.tdb' with dbid 0x7132c184
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SPECTRUM1))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_paged: base => [dc=example,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1000]
smbldap_search_paged: search was successful
init_sam_from_ldap: Entry found for user: jas
---------------
Unix username:        jas
NT username:          jas
Account Flags:        [U          ]
User SID:             S-1-5-21-2394233691-157776895-1049088601-1281201008
Forcing Primary Group to 'Domain Users' for jas
Primary Group SID:    S-1-5-21-2394233691-157776895-1049088601-513
Full Name:            jas jas
Home Directory:       \\spectrum1\jas
HomeDir Drive:        
Logon Script:         
Profile Path:         \\spectrum1\jas\profile
Domain:               SPECTRUM1
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Thu, 17 May 2018 14:08:01 EDT
Password can change:  Thu, 17 May 2018 14:08:01 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF



Client keytab file:
[root at test ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/test.example.com at example.com
   1 host/test.example.com at example.com



