
SLES 12 SP3 Failed to set machine kerberos encryption types: Insufficient access



x0500hl
01-Mar-2019, 17:53
When I try to join a new SLES 12 SP3 host (on System z) that is on a fairly current patch level, the 'net ads join...' command fails with “Failed to join domain: failed to set machine kerberos encryption types: Insufficient access”.

The exact same procedure was used to build several new SLES 12 SP3 hosts a few months ago and was successful. The only difference that I can find is that this host is at a patch level from October, 2018.

I found a new host that hadn't yet had the 'net ads join...' command issued, that was at the October 2018 patch level, and when the command was issued it ran successfully. That leads me to believe that something in the newer rpms has caused the issue.

The procedure I am following consists of:
- Join the host to the domain. An AD Administrator issues the command as root and supplies his password.

net ads join member -S v99xxxxx2k8-01.xxxxx.int -U u20069 --no-dns-updates createcomputer='/Member Servers/Linux and Unix Servers'
- Customize Windows Domain Membership using 'YaST -> Network Services -> Windows Domain Membership'. I then toggle on "Create Home Directory on Login" and "Single Sign-on for SSH". I leave "Offline Authentication" toggled off. When I select OK YaST installs krb5-client and samba-winbind.

I stopped the host build process for seven new hosts because the 'net ads join...' command failed on each of them.

Is the procedure I'm following correct? This same procedure was used to clone and build dozens of new SLES 12 SP3 hosts in 2018.

I opened an SR with IBM (they provide support for my client) almost a month ago but haven't gotten very far; that is why I created this post.

krb5.conf (modified for client privacy)


[libdefaults]
# This is the default_realm for the host server
default_realm = xxxDHS.INT
clockskew = 300
# To avoid KRB5KRB_ERR_RESPONSE_TOO_BIG response from KDC when first
# attempting to send messages via UDP, set the UDP preference
# limit to 1 to force TCP to be used instead for the first attempt.
udp_preference_limit = 1

# "dns_canonicalize_hostname" and "rdns" are better set to false for improved security.
# If set to true, the canonicalization mechanism performed by Kerberos client may
# allow service impersonation; the consequence is similar to conducting TLS certificate
# verification without checking host name.
# If left unspecified, the two parameters will have default value true, which is less secure.
dns_canonicalize_hostname = false
rdns = false

#
default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
AGENCY.xxx.LOCAL = {
# To get list of domain controllers use the following command in a Windows command prompt:
# "C:\Windows\System32\nltest" /dclist:agency.xxx.local | find "xxxC"
kdc = ldp-agn01.agency.xxx.local
kdc = ldp-agn02.agency.xxx.local
kdc = ldp-agn03.agency.xxx.local
kdc = ldp-agn04-000.agency.xxx.local
default_domain = agency.xxx.local
admin_server = ldp-agn01.agency.xxx.local
# Only the auth-to-local value is checked in the default_realm specified in the libdefaults.
# You must include a check against $0 which is the REALM name to be able to distinguish different
# domains in a multiple domain environment.

####### Rule mapping principal PRINCIPAL@AGENCY.xxx.LOCAL to AGENCY\principal
####### auth_to_local = RULE:[1:$0\$1](AGENCY.xxx.LOCAL\\.*)s/A/a/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/agency.xxx.local/AGENCY/
# Rule mapping principal PRINCIPAL@xxxDHS.INT to xxxDHS\principal
auth_to_local = RULE:[1:$0\$1](xxxDHS.INT\\.*)s/A/a/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/xxxdhs.int/xxxDHS/
# For extra security we code a specific check in place of the DEFAULT check which we have removed. This way
# we know we are only allowing the REALMs through that we want to limit access to.
# Rule mapping principal PRINCIPAL@AGENCY.xxx.LOCAL to principal
auth_to_local = RULE:[1:$0\$1](AGENCY.xxx.LOCAL\\.*)s/A/a/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/agency.xxx.local\\//
# auth_to_local = DEFAULT
}
xxxDHS.INT = {
# To get list of domain controllers use the following command in a Windows command prompt:
# "C:\Windows\System32\nltest" /dclist:xxxdhs.int | find "Mainframe"
# We add to the list the name v99xxxdhs2k8-02 in case it is stood up again.
kdc = v99xxxdhs2k8-01.xxxdhs.int
kdc = v99xxxdhs2k8-02.xxxdhs.int
# We also add s99xxxdhs6.xxxdhs.int; it is on the 10.5.0.0/16 subnet, thus it is reachable if agency is the default
# domain and we code a route through the xxxDHS network for 10.5.0.0/16.
kdc = s99xxxdhs6.xxxdhs.int
default_domain = xxxdhs.int
admin_server = v99xxxdhs2k8-01.xxxdhs.int
# Only the auth-to-local value is checked in the default-realm specified in the libdefaults.
# You must include a check against $0 which is the REALM name to be able to distinguish different
# domains in a multiple domain environment.
# Rule mapping principal PRINCIPAL@AGENCY.xxx.LOCAL to AGENCY\principal
auth_to_local = RULE:[1:$0\$1](AGENCY.xxx.LOCAL\\.*)s/A/a/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/agency.xxx.local/AGENCY/
####### Rule mapping principal PRINCIPAL@xxxDHS.INT to xxxDHS\principal
####### auth_to_local = RULE:[1:$0\$1](xxxDHS.INT\\.*)s/A/a/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/xxxdhs.int/xxxDHS/
# For extra security we code a specific check in place of the DEFAULT check which we have removed. This way
# we know we are only allowing the REALMs through that we want to limit access to.
# Rule mapping principal PRINCIPAL@xxxDHS.INT to principal
auth_to_local = RULE:[1:$0\$1](xxxDHS.INT\\.*)s/A/a/g s/B/b/g s/C/c/g s/D/d/g s/E/e/g s/F/f/g s/G/g/g s/H/h/g s/I/i/g s/J/j/g s/K/k/g s/L/l/g s/M/m/g s/N/n/g s/O/o/g s/P/p/g s/Q/q/g s/R/r/g s/S/s/g s/T/t/g s/U/u/g s/V/v/g s/W/w/g s/X/x/g s/Y/y/g s/Z/z/g s/xxxdhs.int\\//
# auth_to_local = DEFAULT
}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
# default = SYSLOG:DEBUG:DAEMON

[domain_realm]
agency.xxx.local = AGENCY.xxx.LOCAL
.agency.xxx.local = AGENCY.xxx.LOCAL
xxxdhs.int = xxxDHS.INT
.xxxdhs.int = xxxDHS.INT

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
}



smb.conf (modified for client privacy)

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
workgroup = xxxDHS
passdb backend = tdbsam
security = ADS
kerberos method = secrets and keytab
realm = xxxDHS.INT
wins support = No
domain logons = No
domain master = No
allow trusted domains = Yes

# Use the following ignore domains statement for AGENCY and xxxDHS joins
# List was obtained first by issuing the following command on a server already joined to the domain
# wbinfo --trusted-domains
# The list was taken, consolidated, and sorted.
# The list can then be validated by looking at the log files in /var/log/samba
# ls -l /var/log/samba/log.wb-*
winbind:ignore domains = DCS DMHSAS EBC EDSDOMxxxXIX HCA_LAN OAG ODEQ ODOC5 OHCFS xxx xxxAGRICULTURE xxxCAREERTECH xxxDHSDMZ xxxDHSROOT xxxLADOT xxxSDE OSDH OSTNT OWRB PHIN SIB VOIP WMIS_NETWORK

# Don't use the tsm interface to send broadcasts over. This has caused problems doing a join
# where the eth1 address could be used in the kerberos config file krb5.conf
interfaces = eth0 eth2

# Allowing dns updates could cause eth1 address to be updated to dns, we don't want this to occur.
allow dns updates = disabled

# Per https://www.suse.com/support/kb/doc.php?id=7017489 the following statement may also help
# to prevent eth1 ip address from being updated to dns. This is not true; a join needs to be
# done with the net command with --no-dns-updates specified.
bind interfaces only = yes

# Cut down on needless broadcasting.
name resolve order = host

# If there is a problem with domain controllers retrieved via DNS then the following statement
# can be used to control preference. This is particularly useful where there is a failure on
# one of the AGENCY Domain Controllers either to reach it or for it to reach the xxxDHS
# Domain Controllers participating in the join. When making a change to the "password server" statement
# in order to implement it you must stop samba ("systemctl stop service"), delete all trivial
# databases ("rm /var/lib/samba/*.tdb"), and then start samba back up ("systemctl start smb"). Also stop
# and start winbind for safety. This is necessary because samba will cache the last good DC
# it accessed and will use it first in its preference list ahead of what is specified in the
# "password server" statement. To clear its mind you must do the prior mentioned delete.
########For AGENCY domain:
########password server = LDP-AGN01.agency.xxx.local, *
########For xxxDHS domain:
########password server = v99xxxdhs2k8-01.xxxdhs.int, *
#
password server = v99xxxdhs2k8-01.xxxdhs.int, *

############################################################
# Disable smb printing
############################################################
load printers = no
show add printer wizard = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

############################################################
# Logging
############################################################
max log size = 0
log file = /var/log/samba/log.%m
# Some big logs with debug level 8 if left on for days.
debug level = 1

############################################################
# User Configuration
############################################################
template shell = /bin/bash
map to guest = Bad User
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
template homedir = /home/%D/%U
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
# Synchronize unix password to domain password:
unix password sync = yes
# Program used to synchronize unix password; note this must be specified because for SLES the passwd program
# does not reside in the default location for this parameter.
passwd program = /usr/bin/passwd

############################################################
# Id Mapping
############################################################
# For Domain xxxDHS:
# For trust to AGENCY to work DNS must point to v99xxxdhs2k8-01.xxxdhs.int
# Thus the recommended DNS setting for Samba servers is: 10.5.10.22 followed by 10.8.0.52
idmap config AGENCY : backend = rid
idmap config AGENCY : range = 090000000-090999999
idmap config xxxDHS : backend = rid
idmap config xxxDHS : range = 830000000-830999999
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
# Do not use base rid of 1000 because built-in sids range from 500 to 999
# for example "domain users" is 513 which we require.
# idmap config xxxDHS : base_rid = 1000

############################################################
# Server Level Access controls
############################################################
#
# !! Important !!
# Be sure to update /etc/security/pam_winbind.conf with group names maintained here
# if you want the particular users to also be able to login to the host.
# To update /etc/security/pam_winbind.conf run the script: winbindconfedit
valid users = @"xxxDHS\XXXX.zlinux.Sysprog.zLinux.admin", \
#wfr: @"xxxDHS\XXXX.zlinux.Database.dba.oracle", \
#wfrdhsPROD: "xxxDHS\prxy410", \
#wfrdhsTEST: "xxxDHS\prxy415", \
#wfrdhsDEV: "xxxDHS\prxy420", \
#wfrkidsPROD: "xxxDHS\pxy246", \
#wfrkidsTEST: "xxxDHS\pxy247", \
#wfrkidsDEV: "xxxDHS\pxy248", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.afs", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.aps", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.elders", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.finpay", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ocaccm", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ocss", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ppmdash", \
#wfrdhsPROD: @"xxxDHS\WF.PROD.zlinux.prog.dhs.userrpts", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.afs", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.aps", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.elders", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.finpay", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ocaccm", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ocss", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ppmdash", \
#wfrdhsTEST: @"xxxDHS\WF.PROD.zlinux.prog.dhs.userrpts", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.afs", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.aps", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.elders", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.finpay", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ocaccm", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ocss", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.ppmdash", \
#wfrdhsDEV: @"xxxDHS\WF.PROD.zlinux.prog.dhs.userrpts", \
@"xxxDHS\WF.PROD.zlinux.admin.dhs", \
@"xxxDHS\WF.PROD.zlinux.prog.dhs", \
@"AGENCY\Mainframe Systems Group - zLinux Admins"

# Following users get "root" authority so they can manage ACLs for shares where
# we want ACLs. The users can read/write all files regardless of permissions.
admin users = \
@"xxxDHS\XXXX.zlinux.Sysprog.zLinux.admin", \
@"AGENCY\Mainframe Systems Group - zLinux Admins"

# When updating invalid users also update invalid users on homes share.
invalid users = root bin daemon adm sync shutdown \
halt mail news uucp operator \
sysadmin sysoper oracle
usershare allow guests = No

############################################################
# Winbind settings
############################################################
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind refresh tickets = no
winbind offline logon = no

############################################################
# General Share Definitions
############################################################
browseable = Yes
read only = No
vfs objects = acl_xattr

# This parameter is forced to 0770 if using vfs objects = acl_xattr above.
directory mask = 0770

# This parameter is forced to 0770 if using vfs objects = acl_xattr above.
create mask = 0770

# Must use force group to prevent "Domain Users" from being granted rwx on any file
# created in the share. "nobody" prevents access being granted to a group apart from
# ACL definitions.
# There is a warning on one of the web pages talking about using mmc snapin to
# manage access that forcing group to nobody could cause a lock out of that function.
force group = nobody

# Allows set ACL mask to "rwx".
# This parameter is forced to Yes if using vfs objects = acl_xattr above.
inherit acls = Yes

# Allow owners with write permission to alter permissions.
# This parameter is forced to Yes if using vfs objects = acl_xattr above.
dos filemode = yes

inherit owner = No
map acl inherit = Yes
acl map full control = True
map hidden = no
map system = no
map archive = no
map readonly = no
store dos attributes = yes

############################################################
# Share Definitions
############################################################

[homes]
comment = Home Directories
#
# The below line will ensure that only the user can connect to his own home directory,
# but if you implement the below line then mapped users will not be able
# to access their home directories. As a result we do not implement the below line.
# Once a user maps his own home directory he will be able to map any home directory
# allowed by UNIX security. Of course the global valid users limits access as a whole.
# valid users = %S, %D%w%S

# Same list as the global list except we add some additional accounts that are sensitive accounts
invalid users = root bin daemon adm sync shutdown \
halt mail news uucp operator \
sysadmin sysoper oracle \
sysdrrestore syssched
#
# Use native unix security without ACLs to control access to home directory data.
# We want security to be performed in a unix like manner in this share rather than a
# samba manner.
vfs objects =
directory mask = 0700
create mask = 0600
inherit acls = No
dos filemode = No
inherit owner = Yes
map acl inherit = No
acl map full control = False

## Share disabled by YaST
# [profiles]
# comment = Network Profiles Service
# path = %H
# read only = No
# store dos attributes = Yes
# create mask = 0600
# directory mask = 0700

#[users]
# comment = All users
# path = /home
# Hide directories starting with "sys"
# veto files = /sys*/

[apps]
comment = ibi apps
#wfrdhs: comment = ibi apps
#wfroig: comment = ibi wfs apps
#wfrkids: comment = ibi apps
path = /opt/ibi/apps
#wfrdhs: path = /opt/ibi/apps
#wfroig: path = /opt/ibi/oig-wfs/ibi/apps
#wfrkids: path = /opt/ibi/apps
#wfroig:
#wfroig:[dmapps]
#wfroig: comment = ibi dm apps
#wfroig: path = /opt/ibi/oig-wfs/ibi/apps

[install]
comment = ibi install
path = /opt/ibi/@install
valid users = @"xxxDHS\XXXX.zlinux.Sysprog.zLinux.admin", \
@"xxxDHS\WF.PROD.zlinux.admin.dhs"
force user = ibi
force group = ibi

#wfrkids:# Child Password Application Share
#wfrkids:[sde]
#wfrkids: comment = Child Passport
#wfrkids: path = /opt/ibi/apps/sde


## Share disabled by YaST
# [groups]
# comment = All groups
# path = /home/groups
# read only = No
# inherit acls = Yes

## Share disabled by YaST
# [printers]
# comment = All Printers
# path = /var/tmp
# printable = Yes
# create mask = 0600
# browseable = No

## Share disabled by YaST
# [print$]
# comment = Printer Drivers
# path = /var/lib/samba/drivers
# write list = @ntadmin root
# force group = ntadmin
# create mask = 0664
# directory mask = 0775

## Share disabled by YaST
# [netlogon]



Harley

Automatic Reply
06-Mar-2019, 06:30
x0500hl,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run, and if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- Open a service request: https://www.suse.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com