FreeBSD 8.2, Samba 3.4, Active Directory and Cyrillic logins

The following setup has worked long and successfully in our company: Samba 3.x installed on FreeBSD (6.x or 7.x) authenticates users against the Active Directory domain for access to the shares. All clients are Windows XP and above. The AD domain is Windows 2003.
Everything was fine until one of the FreeBSD servers was upgraded to version 8.2. After the upgrade, users with Cyrillic logins could no longer access the shared resources of this server, while users with Latin logins authenticated normally. The wbinfo -u and wbinfo -g commands, as expected, showed all AD users and groups, including the Cyrillic ones. Another FreeBSD 7.3 server with the same Samba version, 3.4.9, and the same config worked fine with any logins.
A study of the Samba logs showed that when a user with a Cyrillic login tries to authenticate, an error occurs in the Kerberos library: the client ticket does not pass verification:

[2011/04/26 15:06:18, 3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Invalid argument
[2011/04/26 15:06:18, 3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Message size is incompatible with encryption type
[2011/04/26 15:06:18, 3] libads/kerberos_verify.c:378(ads_secrets_verify_ticket)
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Message size is incompatible with encryption type

Another thing was noticed: if you access the server not by name but by IP address (\\192.168.1.1), authentication succeeds! In the Samba logs we find that in this case the client initiates authentication using NTLM rather than Kerberos. After that it became clear that the cause of our troubles was the Kerberos library.

For a long time the Kerberos library has been part of the FreeBSD base system. On FreeBSD 8.2 this is Heimdal 1.1. In addition, there are two more Kerberos libraries in the ports: Heimdal 1.4 and MIT krb5 1.9. The idea was to rebuild Samba with Kerberos from the ports and see what happens.
At first we decided to try Heimdal, because (as they say on the Internet, anyway) it integrates well with the Kerberos library in the base system. Install the heimdal-1.4_1 port and rebuild the samba34-3.4.9_2 port. With the HEIMDAL_HOME environment variable we tell the Samba build to use the Heimdal library installed from the ports (in /usr/local/lib); otherwise the base-system library (from /usr/lib) will be used.

$ cd /usr/ports/security/heimdal
$ sudo make install clean
$ cd /usr/ports/net/samba34
$ sudo HEIMDAL_HOME=/usr/local make deinstall reinstall clean
$ sudo /usr/local/etc/rc.d/samba restart

We try to log in. The result is the same.

Now let's try the MIT library, first removing Heimdal.

$ sudo pkg_delete heimdal-1.4_1
$ cd /usr/ports/security/krb5
$ sudo make install clean
$ cd /usr/ports/net/samba34
$ sudo KRB5_HOME=/usr/local make deinstall reinstall clean

The port build unexpectedly aborts with the error:

Compiling libsmb/clikrb5.c
libsmb/clikrb5.c:1623:2: error: #error UNKNOWN_KRB5_ENCTYPE_TO_STRING_FUNCTION

Unexpectedly, because this is clearly a flaw of whoever prepared the Samba port for FreeBSD. Open the file work/samba-3.4.9/source3/include/config.h and change the line

/* #undef HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG */

to

#define HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG 1

After that we start the build again. The KRB5_HOME variable no longer needs to be defined, since it was only needed at the configure stage.

$ sudo vi work/samba-3.4.9/source3/include/config.h
$ sudo make deinstall reinstall clean
$ sudo /usr/local/etc/rc.d/samba restart

The port built and installed, but Samba does not start. In the Samba logs we see the following:

/libexec/ld-elf.so.1: /usr/local/sbin/smbd: Undefined symbol "krb5_set_default_tgs_ktypes"

The reason is that the loader looks for dynamic libraries (.so) first in /usr/lib and only then in /usr/local/lib. Since some library file names of the base-system Heimdal and of the krb5 installed from ports are the same, the base-system library is found and loaded first. We need to make the libraries from /usr/local/lib come first in the search list for the Samba daemons. This can be done with the LD_LIBRARY_PATH environment variable, which must be set before the daemons are started. The variable must contain the directories in which the loader will look for dynamic libraries first. That is, in our case: LD_LIBRARY_PATH=/usr/local/lib.
I found nothing better than to modify the /usr/local/etc/rc.d/samba startup script. This, of course, is not a good option, because if Samba is reinstalled or upgraded the changes will be lost. So, in the samba_cmd function, before the call to run_rc_command, we insert the line export LD_LIBRARY_PATH=/usr/local/lib:
samba_cmd() {
   ...
   export LD_LIBRARY_PATH=/usr/local/lib
   run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
   ...
}

Now we restart Samba and enjoy life with Cyrillic logins.



A fly in the ointment


Because two Kerberos libraries, which do not get along with each other at all, are now installed on the system, complications can arise. As far as has been noticed, the net ads command now needs to be run like this:
LD_LIBRARY_PATH=/usr/local/lib net ads …
Other net subcommands seem to work fine even without LD_LIBRARY_PATH.
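Since the loader silently picks whichever libkrb5 it finds first, it is worth checking which Kerberos library a Samba binary actually resolves before and after setting LD_LIBRARY_PATH. The function below is an added example (not from the original post): it parses the text output of ldd, which on a real host you would pipe in from ldd /usr/local/sbin/smbd; the two ldd outputs embedded in the block are constructed samples, and the library names in them are assumptions.

```shell
# Added example (not from the original post): given the text output of
# `ldd <binary>` on stdin, report which Kerberos-related libraries the binary
# resolves and whether each one comes from the expected prefix.
# Exit status 0 = all Kerberos libraries come from the prefix,
# 1 = at least one is still picked up from the base system (/usr/lib).
check_krb5_libs() {
    prefix="$1"
    status=0
    while IFS= read -r line; do
        # only "name => path (addr)" lines are interesting
        case "$line" in
            *"=>"*) ;;
            *) continue ;;
        esac
        name=$(printf '%s' "${line%%=>*}" | tr -d ' \t')
        path=$(printf '%s' "${line#*=>}" | sed 's/ *(.*$//' | tr -d ' \t')
        # library name prefixes used by Heimdal (base) and MIT krb5 (ports)
        case "$name" in
            libkrb5*|libgssapi*|libk5crypto*|libcom_err*|libasn1*|libroken*|libhx509*) ;;
            *) continue ;;
        esac
        case "$path" in
            "$prefix"/*) printf 'ok   %s -> %s\n' "$name" "$path" ;;
            *) printf 'BAD  %s -> %s (expected under %s)\n' "$name" "$path" "$prefix"
               status=1 ;;
        esac
    done
    return $status
}

# Constructed sample output, as it might look before LD_LIBRARY_PATH is set:
# libkrb5 is taken from the base-system Heimdal in /usr/lib.
LDD_BEFORE='/usr/local/sbin/smbd:
    libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x28100000)
    libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x28200000)
    libc.so.7 => /lib/libc.so.7 (0x28300000)'

# Constructed sample after LD_LIBRARY_PATH=/usr/local/lib: the ports krb5 wins.
LDD_AFTER='/usr/local/sbin/smbd:
    libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x28100000)
    libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x28200000)
    libc.so.7 => /lib/libc.so.7 (0x28300000)'

# On a real host: ldd /usr/local/sbin/smbd | check_krb5_libs /usr/local/lib
printf '%s\n' "$LDD_BEFORE" | check_krb5_libs /usr/local/lib || echo "smbd still uses base Kerberos"
```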

Installation from scratch


As a summary, I will list the basic operations and settings needed to run Samba 3.4 on FreeBSD 8.2 in an Active Directory environment. A lot has been written about installing and configuring Samba on the Internet, so I won't repeat trivial explanations.
It is assumed that all commands are executed as root. Instead of vi, use your favorite text editor.
# cd /usr/ports/security/krb5
# make install clean
# cd /usr/ports/net/samba34
# make config

Enable the option “With Active Directory support”.

# KRB5_HOME=/usr/local make configure
# vi work/samba-3.4.9/source3/include/config.h

replace the line
/* #undef HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG */
with
#define HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG 1

# make install clean
# vi /usr/local/etc/rc.d/samba

insert export LD_LIBRARY_PATH=/usr/local/lib before the call to run_rc_command:
samba_cmd() {
   ...
   export LD_LIBRARY_PATH=/usr/local/lib
   run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
   ...
}

# echo samba_enable=\"YES\" >> /etc/rc.conf
# vi /etc/nsswitch.conf

change the lines
group: compat
passwd: compat

to

group: files winbind
passwd: files winbind

# vi /usr/local/etc/smb.conf
The basic settings are as follows:
[global]
security = ads
# DNS name of the domain.
realm = DOMAIN.LOCAL
# NetBIOS name of the domain. Possibly this parameter is not required at all.
workgroup = DOMAIN
# Encoding of file names and of the settings in smb.conf. Logins and AD security group names in the share access rules must be entered in this encoding. Samba 3.5 has a known bug: Cyrillic logins work only when this parameter is set to UTF-8.
unix charset = CP1251
# Console encoding. Needed for correct display of Cyrillic names in console utilities.
display charset = KOI8-R

An example share:

[share_name]
path = /tmp
valid users = \
   +staff \
   DOMAIN\Пупкин.Вася \
   @"DOMAIN\Группа товарищей"
writable = yes

# LD_LIBRARY_PATH=/usr/local/lib net ads join -U administrator
This joins our server to the domain; administrator is a user with domain administrator rights. The domain name can be omitted, since the default is the realm from smb.conf.
Note that the Kerberos configuration file /etc/krb5.conf, about which so much is written on the Internet, is not needed at all. All necessary domain and KDC information is taken from DNS.

# /usr/local/etc/rc.d/samba start
