[Samba] 2003 KDC and Samba

John H Terpstra jht at samba.org
Thu Jul 29 17:57:53 GMT 2004


On Thursday 29 July 2004 08:08, Tran Charles A Civ OC-ALC/ITMA wrote:
> We have several RHEL 3.0 Update 2 servers running Samba.
> These have been working flawlessly for several months..
>
> Recently, the base upgraded all the Windows 2000 servers
> to Windows 2003..

Only MIT Kerberos 1.3.1 or later will work with Windows 2003 Server ADS.

- John T.

> NOTE: we don't have admin rights to the Domain Controllers.. (wish we
> did..)
>
> Previous to upgrading the Domain (and kdc) controllers to 2003 we had
> no issues joining a new Samba Server to the ADS..
>
> Using the same krb5.conf and kdc.conf and smb.conf file.. it
> is no longer possible to join a Samba 3.0 server to the domain..
>
> Any help or direction is appreciated..
> VR
> Charles
>
> Samba packages
> -------------
> samba-common-3.0.4-6.3E
> samba-3.0.4-6.3E
> samba-client-3.0.4-6.3E
>
> Kerberos Packages..
> -----------------
> pam_krb5-1.73-1
> krb5-libs-1.2.7-24
> krb5-workstation-1.2.7-24
> krbafs-1.1.1-11
> krbafs-utils-1.1.1-11
> krb5-server-1.2.7-24
> krbafs-devel-1.1.1-11
> krb5-devel-1.2.7-24
>
>
> Things tried.. (per the samba docs, this is the first step..)
>
> kinit USERNAME at REALM
> error..
> kinit(v5): KRB5 error code 52 while getting initial credentials
>
> net ads join "/IT/Computers/Servers-2" -U adminOFthisOU
> error..
> kerberos_kinit_password ADMINOFTHISOU at USAF.AFMC.DS.AF.MIL failed: KRB5
> error code 52
>
> Not much on google about this error..
>
> krb5.conf
> **************
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = USAF.AFMC.DS.AF.MIL
> #  default_tgs_enctypes = rc4-hmac
> #  default_tkt_enctypes = rc4-hmac
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>
> [realms]
>  USAF.AFMC.DS.AF.MIL = {
>   kdc = xxx.xxx.xxx.241:88
>   admin_server = xxx.xxx.xxx.241:749
>   default_domain = usaf.af.mil
>  }
>
> [domain_realm]
>  .usaf.af.mil = USAF.AFMC.DS.AF.MIL
>  usaf.af.mil = USAF.AFMC.DS.AF.MIL
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> *****************************
> kdc.conf
> *********
> [kdcdefaults]
>  acl_file = /var/kerberos/krb5kdc/kadm5.acl
>  dict_file = /usr/share/dict/words
>  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>  v4_mode = nopreauth
>
> [realms]
>  USAF.AFMC.DS.AF.MIL = {
>   master_key_type = des-cbc-crc
>   supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm
> des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal
> des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3
> des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4
> des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm
> des-cbc-md5:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal
> des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
>  }
> *********
> smb.conf
> *****
> [global]
>         workgroup = USAF-2K
>         realm = USAF.AFMC.DS.AF.MIL
>         server string =
>         security = ADS
>         obey pam restrictions = Yes
>         password server = xxx.xxx.xxx.241
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>         log file = /var/log/samba/%m.log
>         max log size = 0
>         announce version = 5.0
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         preferred master = No
>         local master = No
>         domain master = No
>         wins server = 10.50.1.52
>         ldap ssl = no
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         template shell = /bin/bash
> #       winbind separator = +
> #       valid users = @oracle
>         printing = cups
>
> [testshare]
>         comment = System Share
>         path = /home2/share
>         force group = share
>         writeable = yes
>         case sensitive = Yes
>         hide dot files = No

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
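The reply above gives a single actionable check: the MIT Kerberos release on the RHEL box must be 1.3.1 or later before a Windows 2003 ADS join can work. The script below is an added example (not part of this thread, and not Samba or MIT code) that applies that check to the exact package list Charles posted, and decodes the numeric error in his kinit output using the KRB-ERROR code table from RFC 4120 (that table is not in the thread; the mapping of 52 to KRB_ERR_RESPONSE_TOO_BIG is taken from the RFC). The package strings and the kinit line are copied from the mail; MIN_KRB5, the function names and the regular expressions are this example's own.

```python
"""Check posted RPM versions against the minimum MIT Kerberos release named in the
reply (1.3.1) and decode a 'KRB5 error code N' message from kinit.
Added example; package strings and the kinit line are copied from the mail."""
import re
from typing import Dict, Optional, Tuple

# Minimum MIT Kerberos release stated in John's reply.
MIN_KRB5: Tuple[int, ...] = (1, 3, 1)

# Package listing exactly as posted by Charles.
POSTED_PACKAGES = """
pam_krb5-1.73-1
krb5-libs-1.2.7-24
krb5-workstation-1.2.7-24
krbafs-1.1.1-11
krbafs-utils-1.1.1-11
krb5-server-1.2.7-24
krbafs-devel-1.1.1-11
krb5-devel-1.2.7-24
"""

# kinit output exactly as posted.
POSTED_KINIT_LINE = "kinit(v5): KRB5 error code 52 while getting initial credentials"

# Subset of the KRB-ERROR error-code table from RFC 4120 section 7.5.9
# (this table is knowledge from the RFC, not from the mailing-list thread).
RFC4120_ERRORS: Dict[int, str] = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
    52: "KRB_ERR_RESPONSE_TOO_BIG",
    68: "KDC_ERR_WRONG_REALM",
}

# name-version-release: the name may itself contain '-', so it is matched greedily
# and the last two '-'-separated fields are taken as version and release.
RPM_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")
KINIT_ERR_RE = re.compile(r"KRB5 error code (?P<code>\d+)")


def parse_rpm(nvr: str) -> Optional[Tuple[str, Tuple[int, ...], str]]:
    """Split 'krb5-libs-1.2.7-24' into ('krb5-libs', (1, 2, 7), '24')."""
    m = RPM_RE.match(nvr.strip())
    if not m:
        return None
    try:
        version = tuple(int(part) for part in m.group("version").split("."))
    except ValueError:  # non-numeric version component, e.g. '1.3.1rc1'
        return None
    return m.group("name"), version, m.group("release")


def version_ok(version: Tuple[int, ...], minimum: Tuple[int, ...] = MIN_KRB5) -> bool:
    """True when version >= minimum; shorter tuples are zero-padded so 1.3 == 1.3.0."""
    width = max(len(version), len(minimum))
    padded_v = tuple(version) + (0,) * (width - len(version))
    padded_m = tuple(minimum) + (0,) * (width - len(minimum))
    return padded_v >= padded_m


def check_packages(listing: str) -> Dict[str, bool]:
    """Map each MIT krb5 package in the listing to whether it meets MIN_KRB5.
    pam_krb5 and krbafs are separate projects and are deliberately ignored."""
    results: Dict[str, bool] = {}
    for line in listing.splitlines():
        parsed = parse_rpm(line)
        if parsed is None:
            continue
        name, version, _release = parsed
        if name.startswith("krb5-"):
            results[name] = version_ok(version)
    return results


def explain_kinit_error(line: str) -> Optional[Tuple[int, str]]:
    """Extract the numeric code from a kinit error line and name it per RFC 4120."""
    m = KINIT_ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return code, RFC4120_ERRORS.get(code, "unknown (see RFC 4120 section 7.5.9)")


if __name__ == "__main__":
    for pkg, ok in sorted(check_packages(POSTED_PACKAGES).items()):
        print(f"{pkg:20s} {'OK' if ok else 'below ' + '.'.join(map(str, MIN_KRB5))}")
    print(explain_kinit_error(POSTED_KINIT_LINE))
```

Run as-is it reports every krb5-* package from the mail as below 1.3.1, which is the condition the reply identifies, and names error 52 as KRB_ERR_RESPONSE_TOO_BIG; feed it the output of `rpm -q krb5-libs krb5-workstation` from another host to repeat the check there.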
