[Samba] Re: Kerberos Error

Martin Zielinski mz at seh.de
Wed Dec 8 14:37:51 GMT 2004


Hello!

I'm currently trying to understand some problem reports from customers using 
samba with ADS. Googling brought a lot of suggestions but no real solutions. 
So I'd like to ask some general questions about that:

1. Has anyone a working ticket authentication with MIT kerberos?
I mean: really working. Not the NTLMSSP fallback when you enter an IP address 
instead of a hostname. I haven't noticed this for months since I always used 
the IP address :-(

2. If so, what does the trick? Where to look at in the libraries.

3. What do we (samba users) need to know about the ticket received by kinit? 
Do we ever need to renew it? Or is the ticket obsolete after joining the 
domain? 
I had LOGON errors even with heimdal 0.6.3 until I deleted the /tmp/krxxxx 
file. No idea, why.

4. Does a W2k client ever do ticket authentication? I can't get my W2k client 
to do this.

Thanks a lot,

Martin


On Wednesday 08 December 2004 14:29, Gerald (Jerry) Carter wrote:
> Norman Zhang wrote:
> |> I'm using samba-*-3.0.6-4.3.100mdk and libkrb51-1.3-6.3.100mdk on
> |> LM10.0. A similar summary to what I'm seeing could be found here.
> |>
> |> http://lists.samba.org/archive/samba/2004-July/090210.html
> |
> | Solve the problem by changing
> |
> | [libdefaults]
> |  ticket_lifetime = 24000
> |  default_realm = HQ.ARKONNETWORKS.COM
> | ; default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> | ; default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> | ; permitted_enctypes = des3-hmac-sha1 des-cbc-crc
> |
> | default_etypes = des-cbc-crc des-crc-md5
> | default_etypes_des = des-cbc-crc des-crc-md5
>
> unless you are pretty comfortable with krb5 enc types
> and have a specific reason to use the des keys, I would
> recommend not setting those 2 lines at all on MIT
> krb 1.3.x releases.
>
> cheers, jerry
> - ---------------------------------------------------------------------
> Alleviating the pain of Windows(tm)      ------- http://www.samba.org
> GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
> "If we're adding to the noise, turn off this song"--Switchfoot (2003)

-- 
Martin Zielinski                       mz at seh.de
Software Development
SEH Computertechnik GmbH     www.seh.de
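
An added example, not part of the thread and not code from Samba or MIT Kerberos: a small Python check that reads a krb5.conf fragment like the one quoted above and lists the enctype settings that are active in [libdefaults], so explicit pins of the kind Jerry advises against are easy to spot. The two enctype name lists are short and assumed for illustration; a name outside them is only reported as unrecognised by this script.

```python
import re

# Setting names taken from the quoted krb5.conf fragment.
ENCTYPE_KEYS = {
    "default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes",
    "default_etypes", "default_etypes_des",
}
# Single-DES enctype names (short list for this example, not exhaustive).
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
# Other names this example recognises (also not exhaustive).
OTHER_KNOWN = {"des3-hmac-sha1", "des3-cbc-sha1", "arcfour-hmac", "rc4-hmac",
               "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

# Constructed sample: the fragment from the quoted message, quote marks removed.
SAMPLE = """\
[libdefaults]
 ticket_lifetime = 24000
 default_realm = HQ.ARKONNETWORKS.COM
; default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
; default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
; permitted_enctypes = des3-hmac-sha1 des-cbc-crc

 default_etypes = des-cbc-crc des-crc-md5
 default_etypes_des = des-cbc-crc des-crc-md5
"""

def audit_enctypes(text):
    """Return (key, single_des, unrecognised) per active enctype setting in [libdefaults]."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or krb5.conf comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                # section header such as [libdefaults]
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if section != "libdefaults" or not sep or key not in ENCTYPE_KEYS:
            continue
        names = [n for n in re.split(r"[\s,]+", value.strip()) if n]
        des = [n for n in names if n in SINGLE_DES]
        unknown = [n for n in names if n not in SINGLE_DES | OTHER_KNOWN]
        findings.append((key, des, unknown))
    return findings

if __name__ == "__main__":
    for key, des, unknown in audit_enctypes(SAMPLE):
        print(f"{key}: single-DES={des} unrecognised={unknown}")
```

An empty result means the file leaves enctype selection to the library defaults.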

