[cifs-protocol] RE: [Pfif] Other types of Kerberos messages on SamLogon Generic

Hongwei Sun hongweis at microsoft.com
Wed Sep 10 22:00:52 GMT 2008


  We still have problem with the test. The following is we did during our test.  Please give us some advice.

  Here's the output:

    [root at fed8 source]# bin/smbtorture -k yes --realm=test.net //W2K3SRV.test.net/public RPC-PAC -UTESTDOM/administrator%P at ssw0rd
    Using seed 1221036728
    Running PAC
    Domain join failed - Connection to SAMR pipe of DC W2K3SRV.test.net failed:
    Connection to DC W2K3SRV.test.net failed: NT_STATUS_INVALID_PARAMETER
    Setup failed: torture/rpc/rpc.c:144: Failed to join as BDC
    PAC took 0.194445 secs

 This is my krb5.conf file:
    [root at fed8 source]# cat /etc/krb5.conf
            default_realm = TEST.NET
            dns_lookup_realm = true
            dns_lookup_kdc = true
            ticket_lifetime = 24h
            forwardable = yes

            TEST.NET = {
                    kdc = W2K3SRV.test.net:88
                    admin_server = W2K3SRV.test.net:749
                    default_domain = test.net

            .test.net = TEST.NET
            test.net = TEST.NET

Note: A netstat -an does not show any processes listening on port 749 on the W2K3SRV machine.

Also, as a reference, here are the steps I followed on the Linux side:
    1. Pulled down the current Samba source tree using rsync
    2. ./configure
    3. make
    4. make install
    5. setup/provision --realm=test.net --domain=TESTDOM --adminpass=P at ssw0rd --server-role=dc
    6. Copied /usr/local/samba/private/krb5.conf to /etc/
    7. Edited /etc/krb5.conf to look as shown above.
          Changed following entries:
    8. Run smbtorture

Linux is configured to use W2K3SRV as its DNS server.

Thanks !


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, September 09, 2008 8:37 PM
To: Hongwei Sun
Cc: Stefan (metze) Metzmacher; pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: [Pfif] Other types of Kerberos messages on SamLogon Generic

On Tue, 2008-09-09 at 07:46 -0700, Hongwei Sun wrote:
> Metze,
>  After we set time correctly, we got the following output.   The error
> doesn't look like related to verify PAC message.   Maybe we didn't go
> further enough.  Any suggestion?
> Thanks!
> Hongwei
> --- After setting time ----
> [root at fed8 source]# bin/smbtorture //VM-W2K8.test.net/public RPC-PAC
> -UTESTDOM/administrator%P at ssw0rd

Add -k yes --realm=test.net

> TEST verify FAILED! - torture/rpc/remote_pac.c:101: status was

It failed to connect using kerberos (which was strictly required for this test) because it did not find the KDC (or some other pre-requisite).

Also ensure your krb5.conf points the kerberos libs to your KDC with:
 default_realm = S4.NAOMI.ABARTLET.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

More information about the cifs-protocol mailing list