[cifs-protocol] RE: [Pfif] Other types of Kerberos messages on SamLogon Generic
Hongwei Sun
hongweis at microsoft.com
Wed Sep 10 22:00:52 GMT 2008
Andrew,
We still have a problem with the test. The following is what we did during our test. Please give us some advice.
Here's the output:
[root@fed8 source]# bin/smbtorture -k yes --realm=test.net //W2K3SRV.test.net/public RPC-PAC -UTESTDOM/administrator%P@ssw0rd
Using seed 1221036728
Running PAC
Domain join failed - Connection to SAMR pipe of DC W2K3SRV.test.net failed:
Connection to DC W2K3SRV.test.net failed: NT_STATUS_INVALID_PARAMETER
Setup failed: torture/rpc/rpc.c:144: Failed to join as BDC
PAC took 0.194445 secs
This is my krb5.conf file:
[root@fed8 source]# cat /etc/krb5.conf
[libdefaults]
default_realm = TEST.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
TEST.NET = {
kdc = W2K3SRV.test.net:88
admin_server = W2K3SRV.test.net:749
default_domain = test.net
}
[domain_realm]
.test.net = TEST.NET
test.net = TEST.NET
Note: A netstat -an does not show any processes listening on port 749 on the W2K3SRV machine.
Also, as a reference, here are the steps I followed on the Linux side:
1. Pulled down the current Samba source tree using rsync
2. ./configure
3. make
4. make install
5. setup/provision --realm=test.net --domain=TESTDOM --adminpass=P@ssw0rd --server-role=dc
6. Copied /usr/local/samba/private/krb5.conf to /etc/
7. Edited /etc/krb5.conf to look as shown above.
   Changed the following entries:
     dns_lookup_realm
     dns_lookup_kdc
     kdc
     admin_server
8. Run smbtorture
Linux is configured to use W2K3SRV as its DNS server.
Thanks!
Hongwei
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, September 09, 2008 8:37 PM
To: Hongwei Sun
Cc: Stefan (metze) Metzmacher; pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: [Pfif] Other types of Kerberos messages on SamLogon Generic
On Tue, 2008-09-09 at 07:46 -0700, Hongwei Sun wrote:
> Metze,
>
> After we set the time correctly, we got the following output. The error
> doesn't look related to the verify PAC message. Maybe we didn't go
> far enough. Any suggestions?
>
> Thanks!
>
> Hongwei
>
> --- After setting time ----
>
> [root@fed8 source]# bin/smbtorture //VM-W2K8.test.net/public RPC-PAC
> -UTESTDOM/administrator%P@ssw0rd
Add -k yes --realm=test.net
> TEST verify FAILED! - torture/rpc/remote_pac.c:101: status was
> NT_STATUS_INVALID_PARAMETER, expected NT_STATUS_OK:
It failed to connect using Kerberos (which was strictly required for this test) because it did not find the KDC (or some other prerequisite).
Also ensure your krb5.conf points the Kerberos libs to your KDC with:
[libdefaults]
default_realm = S4.NAOMI.ABARTLET.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.