Samba 3.0 won't work with smbclient using Kerberos.

P Ranjit Kumar ranjit at cup.hp.com
Mon May 20 11:33:01 GMT 2002


Thanks for the reply, Andrew.

I could get Samba to work with Kerberos (win2k KDC).

I think there is a problem with the way Samba implemented Kerberos key
storage. Other Kerberos applications running on the same machine can't use
the same key that samba uses because the host principal (samba gets it from
Win2K KDC) is stored in secrets.tdb instead of krb5.keytab file.

If I create another account for the same host in Win2K KDC to be able to use
with other Kerberos applications, then Samba won't work because Win2k
generates encrypted messages using the new key (different from the one
stored in secrets.tdb).


I am currently trying to find a compromise, if you have already worked on it
or have ideas let me know. I can spend time on it.

Thanks,
Ranjit




-----Original Message-----
From: abartlet at pcug.org.au [mailto:abartlet at pcug.org.au]
Sent: Friday, May 17, 2002 2:30 AM
To: P Ranjit Kumar
Cc: samba-technical at lists.samba.org
Subject: Re: Samba 3.0 won't work with smbclient using Kerberos.


P Ranjit Kumar wrote:
>
> Hi
>
> I am trying to get smbclient to work with Samba 3.0 server. Samba 3.0 server
> joined a Win2k Native domain successfully.

> Interestingly, I made an account on the KDC for the unix machine (using
> ktpass) and specified enc type DES-CBC-MD5, which is used by smbclient. Also
> I checked that the encryption type is MD5 for the TGT.

You must join the domain with 'net join'.  Set 'security=ads' in your
smb.conf.

Because samba must also use legacy RPC protocols for NT4 connections,
and because of differences in case sensitivity in the MIT/MS
implementations, Samba does not use a predefined keytab, but stores the
plaintext password, creating the 'keys' in memory.

As such there isn't an /etc/krb5.keytab on a normal samba ADS member.
We need an option 'krb5 keytab write = ' (defaulting to
/etc/krb5.keytab) to allow unix servers compatibility here, but I haven't
got a chance to write it yet.  (Patches are more than welcome).

Andrew Bartlett

--
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
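The thread turns on where the host principal's key lives: Samba keeps the machine password in secrets.tdb and derives keys in memory, while other Kerberos services on the same box expect /etc/krb5.keytab, which is what the proposed 'krb5 keytab write' option would populate. The following is an added example, not Samba code and not the patch Andrew asked for: it serialises and parses the MIT keytab file format (version 0x0502, big-endian, one length-prefixed entry per key) so you can see exactly what such an option would have to emit for a host/fqdn@REALM principal with a DES-CBC-MD5 key. The principal, realm, kvno and the 8-byte key are constructed sample values, not real credentials.

```python
import struct
import time

KEYTAB_VERSION = 0x0502        # MIT keytab file format, "version 5.2"
KRB5_NT_PRINCIPAL = 1          # name type for ordinary principals
ENCTYPE_DES_CBC_MD5 = 3        # RFC 3961 number for des-cbc-md5, as in the thread

# Constructed sample entry: a machine account as Win2K would issue it.
SAMPLE_KEY = bytes.fromhex("0123456789abcdef")   # constructed, NOT a real key
SAMPLE_ENTRY = {
    "realm": "EXAMPLE.COM",                       # assumed realm
    "components": ["host", "unixbox.example.com"],  # assumed host principal
    "kvno": 2,
    "enctype": ENCTYPE_DES_CBC_MD5,
    "key": SAMPLE_KEY,
    "timestamp": 1021894381,                      # fixed so output is reproducible
}


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    """Inverse of _counted; returns (bytes, new_position)."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_entry(realm, components, kvno, enctype, key, timestamp) -> bytes:
    """One keytab_entry: int32 size, then the entry body."""
    body = struct.pack(">H", len(components))
    body += _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    # name_type, timestamp, 8-bit kvno (kept for old readers)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)   # keyblock
    body += struct.pack(">I", kvno)                      # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """Whole file: uint16 version followed by the entries."""
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(build_entry(**e) for e in entries)


def parse_keytab(data: bytes):
    """Parse a keytab back into dicts; this is what klist -k walks."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:           # trailer present: it overrides the 8-bit kvno
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": ts,
            "kvno": kvno, "enctype": enctype, "key": key,
        })
    return entries


def roundtrip(entry=SAMPLE_ENTRY):
    """Serialise one entry and parse it back; returns (bytes, parsed list)."""
    blob = build_keytab([entry])
    return blob, parse_keytab(blob)


if __name__ == "__main__":
    blob, parsed = roundtrip()
    for e in parsed:
        print("%d %s (enctype %d) %s" % (e["kvno"], e["principal"], e["enctype"],
                                         time.strftime("%Y-%m-%d", time.gmtime(e["timestamp"]))))
```

The kvno is the detail that matters for the failure Ranjit describes: a second account or a password reset on the KDC bumps the key version, so a keytab entry (or secrets.tdb password) left at the old kvno can no longer decrypt tickets the KDC now issues. A parser like this, or `klist -k`, shows which kvno the file actually holds.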