The following setup has been working in our company for a long time: Samba 3.x on FreeBSD (6.x or 7.x), authenticating users against the Active Directory domain for access to the shares. All clients are Windows XP and later; the AD domain runs on Windows 2003.
Everything was fine until one of the FreeBSD servers was upgraded to 8.2. After the upgrade, users with Cyrillic logins could no longer access that server's shares, while users with Latin-alphabet logins authenticated normally. wbinfo -u and wbinfo -g listed all AD users and groups, Cyrillic ones included, as expected. Another FreeBSD 7.3 server with the same Samba version (3.4.9) and the same config kept working with any login.
The Samba logs showed that on every authentication attempt with a Cyrillic login the Kerberos library failed to verify the client's ticket:
[2011/04/26 15:06:18, 3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Invalid argument
[2011/04/26 15:06:18, 3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Message size is incompatible with encryption type
[2011/04/26 15:06:18, 3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Message size is incompatible with encryption type
Another observation: if the server is accessed by IP address (\\192.168.1.1) rather than by name, authentication succeeds. The Samba logs show that in that case the client authenticates with NTLM instead of Kerberos (a Windows client of that era only requests a Kerberos ticket for a host name it can turn into a service principal name; for a bare IP address it falls back to NTLM). So it became clear that the source of the trouble was the Kerberos library.
The Kerberos library has long been part of the FreeBSD base system; in FreeBSD 8.2 it is Heimdal 1.1. Two more are available in ports: Heimdal 1.4 and MIT krb5 1.9. The idea was to rebuild Samba against a Kerberos from ports and see what happens.
Heimdal was tried first, since it is said to coexist well with the base Kerberos library (at least that is what people write on the Internet). Install the heimdal-1.4_1 port and rebuild the samba34-3.4.9_2 port:
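The log lines above are the whole diagnosis in miniature: the server tries every key it derives from the machine account password and none of them decrypts the client's ticket. The following is an added example, not code from the original post, that pulls those failures out of a Samba log and names the enctypes; the enctype numbers are the standard Kerberos assignments (1 des-cbc-crc, 3 des-cbc-md5, 23 rc4-hmac, 17/18 AES) and the sample log is constructed from the post's own lines with the two-space indent Samba puts on continuation lines.

```shell
#!/bin/sh
# Added example, not from the original post: extracts the failed ticket
# decryptions from a Samba log so the "every enctype failed" pattern is
# visible at a glance. Enctype numbers are the standard Kerberos
# assignments. The sample log below is constructed input.

set -u

enctype_name() {
    case $1 in
        1)  echo des-cbc-crc ;;
        3)  echo des-cbc-md5 ;;
        16) echo des3-cbc-sha1 ;;
        17) echo aes128-cts-hmac-sha1-96 ;;
        18) echo aes256-cts-hmac-sha1-96 ;;
        23) echo rc4-hmac ;;
        *)  echo "enctype-$1" ;;
    esac
}

# stdin: Samba log (debug level 3 or higher). stdout: one line per
# ads_secrets_verify_ticket decrypt failure: "<enctype> <name> <error text>".
ticket_verify_failures() {
    sed -n 's/^[[:space:]]*ads_secrets_verify_ticket: enc type \[\([0-9][0-9]*\)] failed to decrypt with error \(.*\)$/\1|\2/p' |
    while IFS='|' read -r et err; do
        echo "$et $(enctype_name "$et") $err"
    done
}

# Number of distinct enctypes that failed for the ticket. In the log above it
# is three (rc4-hmac and both DES types), i.e. every key Samba derives from the
# machine account password, which points at the library rather than at one
# bad key.
failed_enctype_count() {
    ticket_verify_failures | awk '!seen[$1]++ { n++ } END { print n + 0 }'
}

# Constructed sample: the post's log lines, indented as Samba writes them.
sample_log() {
    cat <<'EOF'
[2011/04/26 15:06:18, 3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Invalid argument
[2011/04/26 15:06:18, 3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Message size is incompatible with encryption type
[2011/04/26 15:06:18, 3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Message size is incompatible with encryption type
EOF
}

# Usage on a live system: ticket_verify_failures < log.smbd
```

Run it against the real log.smbd of the affected server; a result where every enctype Samba tried is listed, for every Cyrillic login and never for a Latin one, is the signature the post goes on to chase.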
$ cd /usr/ports/security/heimdal
$ sudo make install clean
$ cd /usr/ports/net/samba34
$ sudo HEIMDAL_HOME=/usr/local make deinstall reinstall clean
$ sudo /usr/local/etc/rc.d/samba restart
The HEIMDAL_HOME environment variable tells the Samba build to use the Heimdal library installed from ports (in /usr/local/lib); otherwise the base library (from /usr/lib) is used. We try to log in. The result is the same.
Now try the MIT library, after removing Heimdal:
$ sudo pkg_delete heimdal-1.4_1
$ cd /usr/ports/security/krb5
$ sudo make install clean
$ cd /usr/ports/net/samba34
$ sudo KRB5_HOME=/usr/local make deinstall reinstall clean
The port build unexpectedly fails with an error:
Compiling libsmb/clikrb5.c
libsmb/clikrb5.c:1623:2: error: #error UNKNOWN_KRB5_ENCTYPE_TO_STRING_FUNCTION
Unexpected, because this is clearly a flaw in how the Samba port was prepared for FreeBSD: the configure stage did not notice that MIT's krb5_enctype_to_string() takes a size_t buffer length (which is exactly what this macro records; Heimdal's variant takes a krb5_context and returns an allocated string), so the build is left with no usable variant of the function. Open work/samba-3.4.9/source3/include/config.h and change the line
/* #undef HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG */
to
#define HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG 1
then run the build again. KRB5_HOME no longer needs to be set, since it was only needed at the configure stage.
$ sudo vi work/samba-3.4.9/source3/include/config.h
$ sudo make deinstall reinstall clean
$ sudo /usr/local/etc/rc.d/samba restart
The port builds and installs, but Samba does not start. The Samba logs show:
/libexec/ld-elf.so.1: /usr/local/sbin/smbd: Undefined symbol "krb5_set_default_tgs_ktypes"
The reason is that the dynamic loader searches for shared libraries (.so) in /usr/lib first and only then in /usr/local/lib. Because some file names of the base Heimdal libraries coincide with those installed from the krb5 port, the base library is found and loaded first. We need the Samba daemons to search /usr/local/lib before anything else. That can be done with the LD_LIBRARY_PATH environment variable, which must be set before the daemons are started: it lists the directories the loader searches first. In our case: LD_LIBRARY_PATH=/usr/local/lib.
I found nothing better than to edit the /usr/local/etc/rc.d/samba startup script. This is not a good option at all, since the change is lost whenever Samba is reinstalled or upgraded. In the samba_cmd function, before the call to run_rc_command, insert the line:
samba_cmd() {
...
export LD_LIBRARY_PATH=/usr/local/lib
run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
...
}
Now we restart Samba and enjoy life with Cyrillic logins.
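Before trusting the rc.d edit, it is worth seeing which Kerberos libraries the daemon actually resolves, with and without LD_LIBRARY_PATH. The following is an added example, not code from the original post: it parses ldd(1) output ("name => path (addr)") and flags the mixed state where Kerberos libraries come from more than one directory, which is what produced the undefined-symbol failure above. The two sample listings are constructed, and the library file names in them are invented rather than real FreeBSD 8.2 or MIT krb5 1.9 sonames.

```shell
#!/bin/sh
# Added example, not from the original post: a check for the library mix-up
# that produced the "Undefined symbol krb5_set_default_tgs_ktypes" failure.
# It parses ldd(1) output and reports which directory each Kerberos library
# resolves to, so the daemon's view can be compared with and without the
# LD_LIBRARY_PATH the rc script exports. The sample listings are constructed;
# their library file names are invented.

set -u

# Library name prefixes used by Heimdal and MIT (assumption: this list is
# enough to catch both; extend it if your ldd output shows others).
KRB5_LIB_RE='^lib(krb5|gssapi|asn1|roken|hx509|k5crypto|com_err|heimntlm|wind|heimbase)'

# stdin: ldd-style lines. stdout: "<libname> <directory>" for each Kerberos
# library that resolved to a path ("not found" entries are skipped).
krb5_lib_dirs() {
    awk -v re="$KRB5_LIB_RE" '
        $2 == "=>" && $1 ~ re && $3 ~ "^/" {
            dir = $3
            sub("/[^/]*$", "", dir)
            print $1, dir
        }'
}

# stdin: ldd-style lines. Exit 0 if every Kerberos library comes from one
# directory, 1 if none were found or they are split across trees
# (for example /usr/lib and /usr/local/lib), which is the state to avoid.
check_krb5_consistent() {
    krb5_lib_dirs | awk '
        { count[$2]++; n++ }
        END {
            if (n == 0) { print "no Kerberos libraries linked"; exit 1 }
            dirs = 0
            for (d in count) { dirs++; print "  " count[d] " Kerberos lib(s) from " d }
            if (dirs > 1) { print "MIXED: Kerberos libraries from " dirs " directories"; exit 1 }
            exit 0
        }'
}

# Run the check against a real binary twice: default search order, then with
# the LD_LIBRARY_PATH that the rc script exports for the daemons.
check_binary() {
    bin=$1
    echo "$bin (default search path):"
    ldd "$bin" | check_krb5_consistent
    echo "$bin (LD_LIBRARY_PATH=/usr/local/lib):"
    LD_LIBRARY_PATH=/usr/local/lib ldd "$bin" | check_krb5_consistent
}

# Constructed sample: the broken state, libkrb5 taken from the base tree while
# libgssapi_krb5 comes from ports, and one library not found at all.
sample_mixed() {
    printf '%s\n' \
        '/usr/local/sbin/smbd:' \
        '	libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x800a00000)' \
        '	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x800b00000)' \
        '	libcom_err.so.3 => not found' \
        '	libc.so.7 => /lib/libc.so.7 (0x800c00000)'
}

# Constructed sample: the state after LD_LIBRARY_PATH=/usr/local/lib.
sample_fixed() {
    printf '%s\n' \
        '/usr/local/sbin/smbd:' \
        '	libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x800a00000)' \
        '	libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x800b00000)' \
        '	libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x800d00000)' \
        '	libc.so.7 => /lib/libc.so.7 (0x800c00000)'
}

# Usage on a live system: check_binary /usr/local/sbin/smbd
```

Run check_binary on smbd, nmbd and winbindd after every Samba or krb5 port rebuild; the first listing shows the default loader order and the second what the daemons will see once the rc script exports the variable.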
A fly in the ointment
Since the system now has two Kerberos libraries that do not get along with each other, complications can arise. One that was noticed: the net ads command now has to be run as
LD_LIBRARY_PATH=/usr/local/lib net ads …
Other net subcommands seem to work fine without LD_LIBRARY_PATH.
Installation from scratch
As a summary, here are the basic operations and settings needed to run Samba 3.4 on FreeBSD 8.2 in an Active Directory environment. A lot has been written about installing and configuring Samba, so I will skip the trivial parts.
All commands are assumed to run as root. Use your favourite text editor instead of vi.
# cd /usr/ports/security/krb5
# make install clean
# cd /usr/ports/net/samba34
# make config
Set the option "With Active Directory support".
# KRB5_HOME=/usr/local make configure
# vi work/samba-3.4.9/source3/include/config.h
Change
/* #undef HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG */
to
#define HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG 1
# make install clean
# vi /usr/local/etc/rc.d/samba
Insert export LD_LIBRARY_PATH=/usr/local/lib before the call to run_rc_command:
samba_cmd() {
...
export LD_LIBRARY_PATH=/usr/local/lib
run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
...
}
# echo samba_enable=\"YES\" >> /etc/rc.conf
# vi /etc/nsswitch.conf
Change the lines
group: compat
passwd: compat
to
group: files winbind
passwd: files winbind
# vi /usr/local/etc/smb.conf
The basic settings are:
[global]
security = ads
# DNS name of the domain.
realm = DOMAIN.LOCAL
# NetBIOS name of the domain.
workgroup = DOMAIN
# Charset of smb.conf and of the Unix side of Samba (user and file names); Samba 3.5 defaults to UTF-8.
unix charset = CP1251
# Charset for Samba's console and log output.
display charset = KOI8-R
Sample share:
[share_name]
path = /tmp
valid users = \
+staff \
DOMAIN\. \
@"DOMAIN\ "
writable = yes
# LD_LIBRARY_PATH=/usr/local/lib net ads join -U administrator
This joins the server to the domain; administrator is a user with domain administrator rights. The domain name can be omitted, since the realm value from smb.conf is used by default.
Note that the Kerberos configuration file /etc/krb5.conf, which so many guides on the Internet describe, is not needed at all: everything about the domain and the KDC is taken from DNS (so the server must resolve names through the AD DNS servers, which publish the SRV records for the realm's KDCs).
# /usr/local/etc/rc.d/samba start
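The two hand edits in this procedure (config.h and the rc script) are the parts that get lost on every port rebuild, so they are worth scripting. The following is an added example, not code from the original post: the procedure above as a shell script, with those edits done by idempotent functions that can be re-run after each rebuild. It assumes the paths and version of the post (samba34 port, work/samba-3.4.9, MIT krb5 from ports in /usr/local); the functions take the file to edit as a parameter so they can be exercised on copies, and no "sed -i" is used so the edits behave the same with BSD and GNU sed.

```shell
#!/bin/sh
# Added example, not from the original post: the installation procedure as a
# script, with the config.h and rc.d edits done idempotently. Assumes the
# post's paths and versions (samba34 port, work/samba-3.4.9, krb5 in
# /usr/local). Nothing runs until install_samba_ads is called explicitly.

set -u

CONFIG_H_UNDEF='/* #undef HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG */'
CONFIG_H_DEFINE='#define HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG 1'
LDPATH_EXPORT='export LD_LIBRARY_PATH=/usr/local/lib'

# Rewrite a file through a temp copy, keeping the original's mode and owner.
# $1 = file, remaining args = awk -v options and the awk program.
rewrite_with_awk() {
    f=$1; shift
    tmp=$(mktemp) || return 1
    awk "$@" "$f" > "$tmp" && cat "$tmp" > "$f"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Turn the #undef comment into the #define. Returns 0 once the define is in
# place, 1 if the file has neither line (configure not run yet, or a Samba
# version whose config.h does not need the fix).
enable_size_t_enctype() {
    f=$1
    grep -qxF "$CONFIG_H_DEFINE" "$f" && return 0
    grep -qxF "$CONFIG_H_UNDEF" "$f" || return 1
    rewrite_with_awk "$f" -v old="$CONFIG_H_UNDEF" -v new="$CONFIG_H_DEFINE" \
        '$0 == old { print new; next } { print }' || return 1
    grep -qxF "$CONFIG_H_DEFINE" "$f"
}

# Insert the LD_LIBRARY_PATH export just before the first run_rc_command call
# inside samba_cmd(), keeping the script's indentation. Returns 0 once the
# export is present, 1 if no such call was found.
add_ld_library_path() {
    f=$1
    grep -qF "$LDPATH_EXPORT" "$f" && return 0
    rewrite_with_awk "$f" -v ins="$LDPATH_EXPORT" '
        /^samba_cmd[ \t]*\(\)/ { in_fn = 1 }
        in_fn && !done && /run_rc_command/ {
            match($0, /^[ \t]*/)
            print substr($0, 1, RLENGTH) ins
            done = 1
        }
        { print }' || return 1
    grep -qF "$LDPATH_EXPORT" "$f"
}

# "net ads" must see the MIT libraries too (the fly-in-the-ointment note).
net_ads() {
    LD_LIBRARY_PATH=/usr/local/lib net ads "$@"
}

# The whole procedure from the post, in order.
install_samba_ads() {
    (cd /usr/ports/security/krb5 && make install clean) || return 1
    cd /usr/ports/net/samba34 || return 1
    make config || return 1                  # tick "With Active Directory support"
    KRB5_HOME=/usr/local make configure || return 1
    enable_size_t_enctype work/samba-3.4.9/source3/include/config.h || return 1
    make install clean || return 1
    add_ld_library_path /usr/local/etc/rc.d/samba || return 1
    grep -q '^samba_enable=' /etc/rc.conf || echo 'samba_enable="YES"' >> /etc/rc.conf
    # Then edit nsswitch.conf and smb.conf as above, join with
    # net_ads join -U administrator, and start with /usr/local/etc/rc.d/samba start.
}
```

After a later Samba port upgrade, running add_ld_library_path /usr/local/etc/rc.d/samba again is enough to restore the export; the function does nothing if the line is already there.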