Communication breakdown

2003 January 22
by darkness

Sorry about last night’s entry. It was late and I was getting kind of frazzled.

I just counted and I’ve got 115 tabs open across about eight Mozilla windows. So I’m going to kind of talk about what’s been going on, as much as I can remember (I think I blacked out for a while) and then it’s going to be link city as I post every possibly useful link I can find out of all the ones I have open.

So OpenAFS is slow, and that’s all there is to it. On my Windows box, the best I could manage with a 100MB cache was 2/3 of the speed I could get from a Samba server on slower (though hardly slow) hardware. At that speed I was peaking my CPU; working with the Samba server, my CPU never got above 40% or so. Plus Wake, great application that it is, keeps crashing. (Note: that’s not sarcasm. Wake is really quite nice.) Additionally, when the OpenAFS client’s tickets expired overnight while I was sleeping, it was a bit of a fuss trying to get it back to a working state the next day. For example, at one point the OpenAFS service decided to peg the CPU until I restarted it.

All kudos to the people that made AFS and develop OpenAFS. It’s a nice system with great documentation. Very easy to install and use, and it looks very flexible and stable enough. It’s just too slow for my needs — and I suspect the needs of others — and I don’t really have the time or the desire to fix it.

So I started looking at Samba. I have this inkling that Win2K is secretly sending (or trying to send) tickets to the SMB servers I’m connecting to. It’d be nice if there was something that could use the ticket. My choices in that realm (no pun intended) seem to be Samba TNG or Samba HEAD. Neither of these sound particularly stable to me. TNG seems to not have much of anything in the way of included documentation, and the stuff that is out on the Internet is pretty sketchy and often dated. Samba HEAD is only slightly better from what I’ve seen, and it sounds quite unstable. I have these fears of writing files and having them come out corrupted on the other side.

Moreover, I’m still unsure if either of these packages will do what I want. It seems that using the Kerberos ticket that’s included in the Samba packet is often tied with Active Directory (AD) support. I’m kind of dubious whether TNG has this at all. Samba HEAD has the ability to join an AD “domain” (?) but I keep hearing people talk about using it with Windows KDC’s and nothing else. I guess I need to try it, but the lack of documentation isn’t exactly encouraging.

For the record, I also checked out NFSv4. The CITI project/group/whatever at UMich has a Linux NFSv4 implementation that appears to work in 2.4. Hummingbird makes NFS Maestro which will supposedly do NFSv4 for Windows. NFSv4 supposedly supports GSSAPI authentication, something about Kerberos, blah blah blah. Great. Problems: NFS Maestro costs money. CITI group’s patches are… numerous, it seems. I don’t really feel like patching my kernel this way, for once. I’m kind of ruling out NFSv4 altogether.

The solution that is making the most sense in my mind right now is making a PDC out of Samba or Samba TNG which gives me one central source for my NTLM passwords. Then use some sort of PAM module, like pam_smbpass to update the NTLM hashes when someone changes their password via passwd. pam_krb5 will already update their Kerberos password. I can still have Win2K authenticate from Kerberos, it just won’t be used to connect to SMB servers. This gives me synchronized, if not exactly centralized, authentication information. I can use NFSv3 or whatever is in Red Hat 2.4 kernels to give shared access to the *NIX machines. Still use LDAP to provide directory services. The only problem I can think of is that Samba might keep a user’s UID/GID in the smbpasswd file, and I don’t know how I’d keep that in sync with OpenLDAP. Maybe a patch to Samba, or maybe use Samba TNG with its DB in LDAP; if I do that, I almost suspect Samba will just attach another object class or three to the DN for the user that the OpenLDAP/nss_ldap migration tools made, and then they can share the uidNumber attribute or whatever. TNG probably also has the best PDC support.
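To make the password-sync part of that plan concrete, here is what the “password” stack of a Red Hat-style /etc/pam.d/system-auth looks like with pam_krb5 and pam_smbpass chained one after the other. This is an added example, not configuration from the post or from the Samba or pam_krb5 projects; the file name, the pam_cracklib line and the option values are assumptions, and pam_unix is left out because in the plan above Unix logins authenticate against Kerberos rather than /etc/shadow.

```text
# Added example: "password" stack for /etc/pam.d/system-auth (assumed layout).
# passwd(1) walks this stack top to bottom; the backend modules are "required",
# so a failure in either one is reported to the user rather than skipped.

# 1. Prompt for the new password and apply quality rules before any backend
#    sees it. "requisite" stops the stack right here on failure. pam_cracklib
#    leaves the accepted password in PAM_AUTHTOK for the modules below.
password   requisite   pam_cracklib.so retry=3 minlen=8

# 2. Change the Kerberos password in the KDC. use_authtok means "take the
#    password pam_cracklib already collected, do not prompt again".
password   required    pam_krb5.so use_authtok

# 3. Re-derive the NTLM hashes from that same new password and write them to
#    the smbpasswd backend, so Samba stays in step with Kerberos.
password   required    pam_smbpass.so use_authtok
```

Two things to watch with this layout. The modules run in order, so if pam_krb5 succeeds and pam_smbpass then fails (smbpasswd unwritable, Samba misconfigured), the KDC and the Samba backend have already drifted apart and the user has to run passwd again once the problem is fixed. And the NT hash that pam_smbpass writes is an unsalted password-equivalent, so the smbpasswd file needs the same permissions and backup hygiene as the KDC database itself.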

Now, let LinkFest 2003 start. Sorry if some of these aren’t links but paraphrasings of the useful information on some pages I’ve got open.

  • In case I didn’t list this elsewhere, someone made a document titled “Replacing NIS with Kerberos and LDAP HOWTO.” Looks pretty good.

  • If you get messages like ldap_sasl_interactive_bind_s: No such attribute, try using the -x switch to ldapsearch, ldapadd, or whatever OpenLDAP utility it is that you’re running. By default it seems it’s trying to do SASL authentication, and I guess this message means that the server doesn’t have it set up correctly. -x tells it to use simple authentication IIRC.

  • There is an LDAP Linux HOWTO.

  • Someone has made some Linux OpenAFS Installation Tools, but honestly they don’t look that useful. The installation is easy enough as it is.

  • How to set up AFS with Kerberos V contains some potentially useful information, especially WRT PAM.

  • IBM has a “redbook” called “WebSphere V3 Performance Tuning Guide” which has a chapter called “AFS performance tuning guide.” I found this chapter useless since none of the things it pointed to were at fault in my systems. However, someone else might find some of the scenarios they present useful.

  • The AFS workshop notes from LISA 2002 are useless, but maybe interesting to learn about the more current state of AFS. I think they make a blurb in here about performance concerns, so I think the AFS people acknowledge that it’s slow. Everyone I’ve talked to that’s used it certainly acknowledges that it’s slow.

  • There are some “meltdown scripts” that are supposed to help you debug/tune your AFS server. I couldn’t download the Perl version and I didn’t feel like doing cut/paste with the scripts on the page, so I have no idea if these work. I don’t at all think I was in meltdown, which I believe happens when you get a shit load of requests, so this probably doesn’t apply to my situation at all.

  • Some discussion of the support for Kerberos in both Samba HEAD and Samba 2.2. (I think Samba HEAD == Samba 3.0?) This mentions that the options for enabling Kerberos support in Samba 2.2 are only valid for passwords sent in the clear, i.e. unencrypted. It also says that with W2K as your KDC and Samba HEAD the person thinks you can get “Kerberos-authenticated connections to Samba servers.”

  • There are some hints on Kerberos V at linuxfromscratch.org. I wouldn’t bother with these if you’re running Red Hat; go to the Red Hat documentation.

  • Andrew Tridgell made a post about a Samba/Kerberos HOWTO. This HOWTO is now just a little mention telling you to look at the docs that come with Samba, I think, but it might be useful to give you a sense of a time line.

  • Incidentally, in CVS there is a “Samba as a ADS domain member” chapter in the “SAMBA Project Documentation.” Brief, but mentions Kerberos at least.

  • A post from Andrew Tridgell saying “In the head branch I have added proper kerberos support, where windows 2000 and XP clients send us a kerberos ticket embedded in the SMB protocol and we validate that.” This obviously sounds quite hopeful.

  • Here’s some traffic talking about how Samba has to have its own Kerberos host key. Sounds like a complication. A minor one compared to the other problems I think I’ll be facing.

  • Again, here’s Andrew Tridgell reporting a successful Kerberos authentication from a Samba server. Note that he’s using a W2K KDC here.

  • Some more hints from Andrew Tridgell on using Samba HEAD and Kerberos.

  • “Crazy ideas about Kerberos, NTLM, and PACs…” is part of a big long thread (that changed subjects at some point) that talks about all integrating Kerberos and Samba HEAD, and TNG too maybe. The previous subject was “NTLMSSP/GSSAPI and Heimdal, the new NTLMSSP interface,” from a bit I found on Usenet. Search on Google Groups.

  • The TNG LDAP HOWTO discusses keeping TNG and Unix accounts in LDAP, supposedly. In general this might be useful. Every time I read a document like this that has two out of three from the set {LDAP, Kerberos V, SMB} I get confused. So I can’t tell if this is really going to be useful in the end, if you want to keep Kerberos in that set. (Personally I’ve grown somewhat attached to Kerberos.)

  • While I’m pretty sure this is wholly useless to the tasks at hand, Oracle has apparently made their Oracle Cluster File System (OCFS) for Linux open source. I only even ran across this because it’s kind of a networked filesystem. I think.

  • At SourceForge.net I’ve got LDAPUtils and Samba TNG open. LDAPUtils bills itself as “a set of perl script to create and manage user accounts in an LDAP directory. Current functionality includes adding fields compatible with samba-tng for allowing a common authentication database for UNIX and Windows logons.” The Samba TNG page on SourceForge is supposed to be for bug/task tracking I think, but it doesn’t really appear that anyone uses it very often.

  • I think I forgot to mention that I installed Heimdal KDC last night. I think it looks a bit less polished than MIT, but it works nonetheless. I spent way too long digging through the source to find that kadmin/util.c has the list of Kerberos attributes. Pre-authentication, for example, is requires-pre-auth. Also note that you can’t specify something like “30 days” for a password age; it appears to be absolute date only. I think MIT KDC lets you specify the maximum age for a password. MIT KDC has way better built-in support for password quality checking, but Heimdal seems to have a reasonably painless interface for integrating, say, cracklib with it. Heimdal is missing some init scripts I think; I hacked up the Red Hat krb5kdc script from its krb5-server package to start Heimdal. Heimdal also stores in LDAP just fine. I will note that its schema doesn’t look like anyone else’s schema that I’ve seen (such as Samba TNG’s). Note that the Heimdal /etc/krb5.conf is almost identical to the one that I got when setting up MIT Kerberos V.

  • There’s an OpenLDAP, OpenSSL, SASL and Kerberos HOWTO which sounded promising during one of my fits of delusion last night. I figured, “TNG can auth from LDAP, LDAP can auth from Kerberos… yes!” This passed quickly. Not to say that some of the information in here isn’t still useful. There’s also some “Kerberos LDAP Mini-HOWTO” lying around this site I think; Google on it.

  • WTF is “boxed penguin”? I don’t know, but on one of their message forums here’s a post from someone advertising pam_ldap_ntlm. This looks like a cool patch that helps you do what I was talking about above in keeping the password synchronized in LDAP for both Unix and Samba, and in Kerberos. Just in case this message should disappear, the pam_ldap_ntlm module is available at http://www.rit.bme.hu/~balsa/pam_ldap_ntlm/.

  • Luke Howard mentions the proposed Kerberos key type “arcfour-hmac-md5”. I don’t really understand this, but I think this type is basically an NTLM hash, and somehow a Kerberos server that supports this can authenticate someone using an NTLM hash? I think? Maybe? It’s all very confusing to me. I haven’t seen any good uses of this method/key type/whatever it is. Some research on this might not be a bad thing. I’ll also note that, in one of the threads mentioned above, Luke Howard tells us that PADL has developed something that basically does what we want. I think it’s called XAD, and it’s not available at all (though a few small, useless-looking portions are).

  • A post from LKCL about UID to RID mapping gives us some hints, at least as to what SURS means. I suspect it’s something like “Samba UID to RID Service,” and I suspect it’s in TNG. I also suspect that “winbind” is something like ypbind, and bridges whatever is configured in nsswitch.conf (regular system name services) to TNG. That’s interesting.

  • If, while using Heimdal, you get an error something like “parent doesn’t exist,” you can try some instructions from Luke Howard to fix a problem with putting Heimdal in LDAP. Worked for me, though the first one (dc=test,dc=net) was already created. Note that ldapadd apparently doesn’t do anything until you send it a blank line, as in the example.

  • I almost forgot the actual instructions on putting Heimdal information in LDAP. Also by Luke Howard I believe.

  • There’s some thread somewhere where I think Andrew Tridgell says that Samba HEAD wouldn’t authenticate with anything but a W2K KDC. This means it wouldn’t work with, for example, my MIT KDC. I can’t find this open, but I’m pretty sure I read it, though of course the information may be dated.

That’s actually about it. I thought I had more than that.

Anyway, off to work on RT now. I had some stupid problem today where “dUmMy” kept appearing on one of the RT pages where it should be saying “Status”. I won’t even give a hint how to fix this. I ended up rebuilding Mozilla 1.2.1’s RH7 RPMs in YDL 2.3, and it worked swimmingly. If anyone wants these RPMs, mail me. Note that a new Mozilla did not fix my above problem.
