Samba 3.0 won't work with smbclient using Kerberos.
Andrew Bartlett
abartlet at pcug.org.au
Mon May 20 14:17:02 GMT 2002
P Ranjit Kumar wrote:
>
> Thanks for the reply, Andrew.
>
> I could get Samba to work with Kerberos (win2k KDC).
>
> I think there is a problem with the way Samba implemented Kerberos key
> storage. Other Kerberos applications running on the same machine can't use
> the same key that samba uses because the host principal (samba gets it from
> Win2K KDC) is stored in secrets.tdb instead of krb5.keytab file.
Exactly.
> If I create another account for the same host in Win2K KDC to be able to use
> with other Kerberos applications, then Samba won't work because Win2k
> generates encrypted messages using the new key (different from the one
> stored in secrets.tdb).
Correct.
> I am currently trying to find a compromise, if you have already worked on it
> or have ideas let me know. I can spend time on it.
As per my message below: Write a patch that automatically exports the
principal to the keytab on change.
> Thanks,
> Ranjit
>
> -----Original Message-----
> From: abartlet at pcug.org.au [mailto:abartlet at pcug.org.au]
> Sent: Friday, May 17, 2002 2:30 AM
> To: P Ranjit Kumar
> Cc: samba-technical at lists.samba.org
> Subject: Re: Samba 3.0 won't work with smbclient using Kerberos.
>
> P Ranjit Kumar wrote:
> >
> > Hi
> >
> > I am trying to get smbclient to work with Samba 3.0 server. Samba 3.0
> > server joined a Win2k Native domain successfully.
>
> > Interestingly, I made an account on the KDC for the unix machine (using
> > ktpass) and specified enc type DES-CBC-MD5, which is used by smbclient.
> > Also I checked that the encryption type is MD5 for the TGT.
>
> You must join the domain with 'net join'. Set 'security=ads' in your
> smb.conf.
>
> Because samba must also use legacy RPC protocols for NT4 connections,
> and because of differences in case sensitivity in the MIT/MS
> implementations, Samba does not use a predefined keytab, but stores the
> plaintext password, creating the 'keys' in memory.
>
> As such there isn't an /etc/krb5.keytab on a normal samba ADS member.
> We need an option 'krb5 keytab write = ' (defaulting to
> /etc/krb5.keytab) to allow unix servers compatibility here, but I haven't
> got a chance to write it yet. (Patches are more than welcome).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team abartlet at samba.org
> Student Network Administrator, Hawker College abartlet at hawkerc.net
> http://samba.org http://build.samba.org http://hawkerc.net
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
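As an added example (not code from the Samba project or from this thread), a small Python parser for the krb5.keytab file format, so an administrator can list which principals, key versions (kvno) and encryption types other Kerberos applications on the host will actually read and compare that against the machine password Samba keeps in secrets.tdb. The sample keytab bytes and the host name unixbox.example.com are constructed for the example.

```python
import struct
# Kerberos enctype numbers (RFC 3961 / RFC 4757); 3 is the DES-CBC-MD5 type the thread mentions.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _octets(buf, off):
    # counted_octet_string: big-endian uint16 length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse version 0x0502 keytab bytes into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                # <0: deleted slot of that length; 0: end of file
            off += -size or len(data)
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _octets(data, off)
            comps.append(comp.decode())
        _name_type, _stamp, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        key, off = _octets(data, off + 11)
        # optional trailing 32-bit kvno overrides the 8-bit field when present and non-zero
        vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno32 or vno8,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "key": key})
        off = end
    return entries

def build_entry(principal, kvno, enctype, key):
    """Serialise one entry; used here only to construct the sample keytab below."""
    name, realm = principal.rsplit("@", 1)
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)   # name_type 1 = NT-PRINCIPAL, timestamp 0
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: DES-CBC-MD5 host key at kvno 2 plus an RC4 key at kvno 3, as after a re-join
HOST = "host/unixbox.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry(HOST, 2, 3, bytes(range(8)))
                 + build_entry(HOST, 3, 23, b"\x11" * 16))
```

Running `parse_keytab` over the bytes of a real /etc/krb5.keytab shows whether the host principal's kvno and enctype there still match what the KDC issued for the account Samba joined with.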