Subject: RE: Problem Kerberos authentication in Windows
Date: Thu, 24 Jan 2008 15:56:50 -0800
From: "Ron Bhanukitsiri" <ronb@onstor.com>
To: "Michael Ridley" <mridley@onstor.com>, "dl-cstech" <dl-cstech@onstor.com>

First of all, for Kerberos domain "auth checkDomainSid" is not a good
indication of whether Kerberos is working properly (although returning a
value is a good indication that the vserver joined the domain
successfully). The reason is that "auth checkDomainSid" always uses NTLMv2
to connect to the DC.  Just because the vserver is joined successfully to
the domain does not mean the vserver will continue to work with Kerberos -
the problem might simply be time sync.  Did they make sure they have NTP
configured for the filer?

Back to Kerberos, "domain status windows" is a better indication of whether
the vserver joins the domain properly, because this command uses Kerberos
to connect to AD to retrieve info.  Alternatively, you can use "domain
checkpwd windows krb5" to check the user and password.  This will use
Kerberos.

Now here are some questions:

- Check if the time between the client, the DC and the filer are all
  synchronized
- Can they access the share via the Explorer?

If they can't access the share using Explorer, please enable elog debug and
do authSetDebugLevel 4 in vserver context and send us the elog and cifsd
logs.

Ron B[ee]

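Ron's two points above (the NTLMv2-based join check says nothing about Kerberos, and the client, DC and filer clocks must all agree) lend themselves to a small skew check. The following is an added example, not code from this thread or from OnStor; the three timestamps are constructed, and the 300-second tolerance is the Kerberos default (MIT krb5 `clockskew` and the Windows "Maximum tolerance for computer clock synchronization" policy both default to 5 minutes).

```python
from datetime import datetime, timezone
from itertools import combinations

# Default Kerberos clock-skew tolerance: 5 minutes (MIT krb5 `clockskew`,
# Windows "Maximum tolerance for computer clock synchronization").
MAX_SKEW_SECONDS = 300


def parse_host_time(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries a UTC offset.
    A stamp without an offset is rejected: comparing wall-clock readings
    from hosts in different zones without their offsets produces phantom
    "skew" of whole hours, which hides a real NTP problem or invents one.
    """
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {stamp!r}")
    return dt.astimezone(timezone.utc)


def kerberos_skew_report(readings: dict, max_skew: int = MAX_SKEW_SECONDS) -> list:
    """Return the host pairs whose clocks differ by more than max_skew.
    Kerberos checks time pairwise: the KDC (DC) checks the client's request
    and the service (filer) checks the client's authenticator, so every pair
    among client, DC and filer must be within tolerance. Returns a list of
    (host_a, host_b, skew_seconds) for offending pairs, largest skew first;
    an empty list means the clocks are acceptable.
    """
    utc = {host: parse_host_time(stamp) for host, stamp in readings.items()}
    bad = []
    for a, b in combinations(sorted(utc), 2):
        skew = abs((utc[a] - utc[b]).total_seconds())
        if skew > max_skew:
            bad.append((a, b, int(skew)))
    return sorted(bad, key=lambda t: -t[2])


# Constructed readings, as if captured at the same instant on each host.
# The filer is about 7 minutes ahead of the DC and client, so its Kerberos
# exchanges would fail even though an NTLMv2 domain join still succeeds.
SAMPLE_READINGS = {
    "client": "2008-01-24T15:56:50-08:00",
    "dc":     "2008-01-24T15:57:10-08:00",
    "filer":  "2008-01-25T00:04:10+00:00",   # 16:04:10 at -08:00
}

if __name__ == "__main__":
    for a, b, skew in kerberos_skew_report(SAMPLE_READINGS):
        print(f"{a} vs {b}: {skew}s exceeds {MAX_SKEW_SECONDS}s")
```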

________________________________

From: Michael Ridley
Sent: Thursday, January 24, 2008 2:57 PM
To: dl-cstech
Subject: Problem Kerberos authentication in Windows

Hi technical experts-

I have a customer (Calpine case 6924) who is having an interesting
problem.  When they join to their domain CALPINENA via NTLM without
using Kerberos, everything works as we would expect.  When, however,
they go into the Web UI and join using domain CALPINENA and their
Kerberos server na.calpine.com they are not able to access the shares
via the Windows computer manager.  The priv mapping is set so that
CALPINENA\Domain Admins has everything checked in both cases.  I'm not
sure if the priv mapping needs to be set up differently for Kerberos?

The vsvr does enable and auth checkDomainSid returns a value, so I don't
think the problem is that it's not joining the domain or that there is
some authentication issue with the user account they are using to join
it to the domain.

The customer is running 3.2 and it's a new install.

Not sure what to check from here.  Suggestions would be appreciated.
Thanks!

-m


