[Samba] Samba on Linux + Windows Server 2003 R2 / ADS: Clients can connect using IP but no hostname

Bogdan Taru bogdan.taru at to.com
Mon Jan 7 16:59:11 GMT 2008



  Hello everyone,

  I'm trying to make Samba authenticate clients against an Active  
Directory Server running on W2k3 R2. Samba is running on a Debian Linux:

virtual-101:~# dpkg -l | egrep -i '(samba|kerb)'
ii  krb5-config                       1.17               Configuration files for Kerberos Version 5
ii  krb5-user                         1.6.dfsg.3~beta1-2 Basic programs to authenticate using MIT Kerberos
ii  libkadm55                         1.6.dfsg.3~beta1-2 MIT Kerberos administration runtime libraries
ii  libkrb53                          1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries
ii  samba                             3.0.28-1           a LanManager-like file and printer server for Unix
ii  samba-common                      3.0.28-1           Samba common files used by both the server and the client

  This is the Samba and Kerberos configuration:

virtual-101:~# egrep -v '^(#|;|$)' /etc/samba/smb.conf
[global]
    workgroup = INTERNAL
    realm = INTERNAL.TESTLABOR.XX.COM
    preferred master = no
    server string = Samba Public Server
    include = /etc/samba/dhcp.conf
    dns proxy = no
    log file = /var/log/samba/log.%m
    log level = 5
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = ADS
    encrypt passwords = yes
    passdb backend = tdbsam
    obey pam restrictions = yes
    invalid users = root
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
    printcap name = cups
    printing = cups
    socket options = TCP_NODELAY
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum groups = yes
    winbind enum users = yes
    winbind separator = +
[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    public = no
    writable = no
    create mode = 0700
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no
[ftp]
    comment = Public FTP Resource
    writable = no
    locking = no
    path = /home/ftp
    public = yes
    guest ok = no


virtual-101:~# egrep -v '^$' /etc/krb5.conf
[libdefaults]
	default_realm = INTERNAL.TESTLABOR.XX.COM
	default_tgs_enctypes = des-cbc-crc des-cbc-md5
	default_tkt_enctypes = des-cbc-crc des-cbc-md5
	permitted_enctypes = des-cbc-crc des-cbc-md5
[realms]
	INTERNAL.TESTLABOR.XX.COM = {
		kdc = virtual-100.internal.testlabor.xx.com
		#admin_server = virtual-100.internal.testlabor.xx.com
	}
[domain_realms]
	.kerberos.server = INTERNAL.TESTLABOR.XX.COM


  From the Samba Server, I was able to get a Kerberos ticket from the AD:
virtual-101:~# kinit  Administrator at INTERNAL.TESTLABOR.XX.COM
Password for Administrator at INTERNAL.TESTLABOR.XX.COM:
virtual-101:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at INTERNAL.TESTLABOR.XX.COM

Valid starting     Expires            Service principal
01/07/08 17:06:58  01/08/08 03:07:00  krbtgt/INTERNAL.TESTLABOR.XX.COM at INTERNAL.TESTLABOR.XX.COM
	renew until 01/08/08 17:06:58, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

  From the Samba Server I am able to mount a local resource, either by  
using the Kerberos ticket or by authentication with a Domain User:
virtual-101:~# smbclient -k //virtual-101/ftp
OS=[Unix] Server=[Samba 3.0.28]
smb: \>
virtual-101:~# smbclient  -U INTERNAL+test1 //virtual-101/ftp
Password:
Domain=[INTERNAL] OS=[Unix] Server=[Samba 3.0.28]
smb: \>

  The problem is that from a Windows 2k workstation (also part of the  
Domain), the mapping of the Samba resource is possible only when using  
the IP address of the Samba server ("net use y: \\10.10.0.101\ftp /USER:INTERNAL\test1")  
but not when using the Hostname of the Samba server  
("net use y: \\virtual-101\ftp /USER:INTERNAL\test1"). When  
using the Hostname of the Samba server, this is what Samba is logging:

..................
[2008/01/07 17:46:37, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/01/07 17:46:37, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
   Doing spnego session setup
[2008/01/07 17:46:37, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2008/01/07 17:46:37, 5] smbd/sesssetup.c:parse_spnego_mechanisms(667)
   parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2008/01/07 17:46:37, 5] smbd/sesssetup.c:parse_spnego_mechanisms(667)
   parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2008/01/07 17:46:37, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
   reply_spnego_negotiate: Got secblob of size 1236
[2008/01/07 17:46:37, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Encryption type not permitted
[2008/01/07 17:46:37, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
   ads_verify_ticket: krb5_rd_req with auth failed (Encryption type not permitted)
[2008/01/07 17:46:37, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/01/07 17:46:37, 3] smbd/error.c:error_packet_set(106)
   error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/01/07 17:46:37, 5] lib/util.c:show_msg(484)
[2008/01/07 17:46:37, 5] lib/util.c:show_msg(494)
..................
[2008/01/07 17:46:42, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
   Doing spnego session setup
[2008/01/07 17:46:42, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2008/01/07 17:46:42, 5] smbd/sesssetup.c:parse_spnego_mechanisms(667)
   parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2008/01/07 17:46:42, 5] smbd/sesssetup.c:parse_spnego_mechanisms(667)
   parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2008/01/07 17:46:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
   reply_spnego_negotiate: Got secblob of size 1206
[2008/01/07 17:46:42, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Encryption type not permitted
[2008/01/07 17:46:42, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
   ads_verify_ticket: krb5_rd_req with auth failed (Encryption type not permitted)
[2008/01/07 17:46:42, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/01/07 17:46:42, 3] smbd/error.c:error_packet_set(106)
   error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/01/07 17:46:42, 5] lib/util.c:show_msg(484)
[2008/01/07 17:46:42, 5] lib/util.c:show_msg(494)
..................


  What could be the problem? I have tried more Kerberos settings  
(playing with default_tgs_enctypes/default_tkt_enctypes in /etc/krb5.conf,  
trying to comment them, etc.), but nothing seems to work --  
and the error messages in Samba are the same.

  Any ideas would be appreciated!

  Thank you,
  Bogdan
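An added diagnostic helper, not part of the post above and not Samba's or MIT Kerberos's own code: it reads the "enc type [N] failed to decrypt" lines that smbd logs at level 3 (format taken from the post), maps N to its krb5.conf enctype name (23 is RC4-HMAC, written `arcfour-hmac-md5` in MIT krb5.conf, per RFC 4757), and checks that name against the `permitted_enctypes` list in the `[libdefaults]` section of a krb5.conf fragment. The sample log lines and both krb5.conf variants below are constructed to mirror the post; the "RC4 allowed" variant is an assumed alternative, not something the poster tried. Run the file directly to see the report for each variant.

```python
import re

# Constructed sample input modelled on the smbd log in the post above
# (not captured from a live system).
SAMPLE_LOG = """\
[2008/01/07 17:46:37, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Encryption type not permitted
[2008/01/07 17:46:37, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
   ads_verify_ticket: krb5_rd_req with auth failed (Encryption type not permitted)
[2008/01/07 17:46:37, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
"""

# Constructed [libdefaults] fragment matching the poster's DES-only krb5.conf.
DES_ONLY_KRB5_CONF = """\
[libdefaults]
\tdefault_realm = INTERNAL.TESTLABOR.XX.COM
\tdefault_tgs_enctypes = des-cbc-crc des-cbc-md5
\tdefault_tkt_enctypes = des-cbc-crc des-cbc-md5
\tpermitted_enctypes = des-cbc-crc des-cbc-md5
"""

# Assumed "after" variant: the same lists with RC4-HMAC added in front.
RC4_ALLOWED_KRB5_CONF = DES_ONLY_KRB5_CONF.replace(
    "des-cbc-crc des-cbc-md5", "arcfour-hmac-md5 des-cbc-crc des-cbc-md5")

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757) and the names
# MIT krb5.conf uses for them.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

# Aliases MIT accepts in krb5.conf, folded to the canonical name above.
ALIASES = {
    "rc4-hmac": "arcfour-hmac-md5",
    "arcfour-hmac": "arcfour-hmac-md5",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "des3-hmac-sha1": "des3-cbc-sha1",
}

ENC_FAIL_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt")


def failed_enctypes(log_text):
    """Distinct enctype numbers smbd reported it could not decrypt, ascending."""
    return sorted({int(m.group(1)) for m in ENC_FAIL_RE.finditer(log_text)})


def canonical(name):
    """Fold a krb5.conf enctype spelling to its canonical MIT name."""
    name = name.lower()
    return ALIASES.get(name, name)


def libdefaults_enctypes(krb5_conf_text):
    """Return {key: set(canonical names)} for every *_enctypes key in [libdefaults]."""
    section = None
    result = {}
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.endswith("_enctypes"):
            result[key] = {canonical(n) for n in value.split()}
    return result


def diagnose(log_text, krb5_conf_text):
    """For each enctype smbd failed on, return (number, name, permitted?).

    permitted? is None when krb5.conf sets no permitted_enctypes at all,
    in which case the library default list applies and this check cannot
    decide from the file alone."""
    permitted = libdefaults_enctypes(krb5_conf_text).get("permitted_enctypes")
    findings = []
    for et in failed_enctypes(log_text):
        name = ENCTYPE_NAMES.get(et, "unknown-enctype-%d" % et)
        allowed = None if permitted is None else (name in permitted)
        findings.append((et, name, allowed))
    return findings


if __name__ == "__main__":
    variants = (("DES-only", DES_ONLY_KRB5_CONF), ("RC4 allowed", RC4_ALLOWED_KRB5_CONF))
    for label, conf in variants:
        for et, name, allowed in diagnose(SAMPLE_LOG, conf):
            state = {True: "permitted", False: "NOT permitted",
                     None: "undecided (no permitted_enctypes set)"}[allowed]
            print("%s: ticket enctype %d (%s) is %s by krb5.conf" % (label, et, name, state))
```

The check only covers the krb5.conf side: a service ticket that is permitted by the library can still fail to decrypt if the key Samba holds for its machine account does not match the KDC's, so treat a "permitted" result as ruling out one cause, not as proof the ticket will verify.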




