Samba 3.0 won't work with smbclient using Kerberos.

Andrew Bartlett abartlet at pcug.org.au
Mon May 20 14:17:02 GMT 2002


P Ranjit Kumar wrote:
> 
> Thanks for the reply, Andrew.
> 
> I could get Samba to work with Kerberos (win2k KDC).
> 
> I think there is a problem with the way Samba implemented Kerberos key
> storage. Other Kerberos applications running on the same machine can't use
> the same key that samba uses because the host principal (samba gets it from
> Win2K KDC) is stored in secrets.tdb instead of krb5.keytab file.

Exactly.

> If I create another account for the same host in Win2K KDC to be able to use
> with other Kerberos applications, then Samba won't work because Win2k
> generates encrypted messages using the new key (different  from the one
> stored in secrets.tdb).

Correct.

> I am currently trying to find a compromise, if you have already worked on it
> or have ideas let me know. I can spend time on it.

As per my message below: write a patch that automatically exports the
principal to the keytab on change.

> Thanks,
> Ranjit
> 
> -----Original Message-----
> From: abartlet at pcug.org.au [mailto:abartlet at pcug.org.au]
> Sent: Friday, May 17, 2002 2:30 AM
> To: P Ranjit Kumar
> Cc: samba-technical at lists.samba.org
> Subject: Re: Samba 3.0 won't work with smbclient using Kerberos.
> 
> P Ranjit Kumar wrote:
> >
> > Hi
> >
> > I am trying to get smbclient to work with Samba 3.0 server. Samba 3.0 server
> > joined a Win2k Native domain successfully.
> 
> > Interestingly, I made an account on the KDC for the unix machine (using
> > ktpass) and specified enc type DES-CBC-MD5, which is used by smbclient. Also
> > I checked that the encryption type is MD5 for the TGT.
> 
> You must join the domain with 'net join'.  Set 'security=ads' in your
> smb.conf.
> 
> Because samba must also use legacy RPC protocols for NT4 connections,
> and because of differences in case sensitivity in the MIT/MS
> implementations, Samba does not use a predefined keytab, but stores the
> plaintext password, creating the 'keys' in memory.
> 
> As such there isn't an /etc/krb5.keytab on a normal samba ADS member.
> We need an option 'krb5 keytab write = ' (defaulting to
> /etc/krb5.keytab) to allow unix servers compatibility here, but I haven't
> got a chance to write it yet.  (Patches are more than welcome).
> 
> Andrew Bartlett
> 
> --
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
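The mismatch discussed in this thread (the host key living in secrets.tdb rather than /etc/krb5.keytab, and a re-created machine account leaving the KDC issuing tickets under a different key version) is something an administrator can check for by reading the keytab directly. The following is an added example, not code from the mail or from the Samba project: it parses the MIT keytab file format (version 0x0502), builds a constructed sample keytab in memory so it runs offline, and reports whether the keytab holds a key for a given principal, encryption type and kvno. The principal host/unixbox.example.com@EXAMPLE.COM, the realm and the 8-byte key material are all constructed placeholders, not real keys.

```python
"""Parse an MIT-format krb5.keytab and check that it holds the principal,
encryption type and key version (kvno) the KDC is expected to issue with.
Added example, not part of Samba or of the original mail."""
import struct
from dataclasses import dataclass

# Encryption type numbers from the Kerberos registry (RFC 3961 / RFC 4757).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


@dataclass
class KeytabEntry:
    principal: str   # e.g. host/unixbox.example.com@EXAMPLE.COM
    kvno: int
    enctype: int
    key: bytes


def _counted(data, pos):
    """Read a 16-bit length-prefixed byte string (keytab 'counted octet string')."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(blob):
    """Return the entries of a version 0x0502 keytab as KeytabEntry objects."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab file format version 0x0502 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(blob, pos)
            comps.append(c.decode())
        pos += 4                     # principal name type (uint32), not needed here
        pos += 4                     # timestamp (uint32)
        kvno = blob[pos]             # 8-bit key version
        pos += 1
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + klen]
        pos += klen
        if end - pos >= 4:           # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key))
    return entries


def build_keytab(entries):
    """Serialise KeytabEntry objects in the same 0x0502 layout (used to construct the sample)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        # name type 1 (NT-PRINCIPAL), timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)   # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(blob, principal, enctype, kvno):
    """Return findings (empty list = keytab holds a usable key for what the KDC issues)."""
    findings = []
    matching = [e for e in parse_keytab(blob) if e.principal == principal]
    if not matching:
        findings.append(f"no key for {principal} in keytab (held only in secrets.tdb?)")
        return findings
    if not any(e.enctype == enctype for e in matching):
        findings.append(f"no {ENCTYPES.get(enctype, enctype)} key for {principal}")
    if not any(e.kvno == kvno for e in matching):
        have = sorted({e.kvno for e in matching})
        findings.append(f"kvno mismatch: keytab has {have}, KDC issues kvno {kvno} "
                        "(machine account re-created or password reset?)")
    return findings


# Constructed sample keytab: one host principal with two DES keys at kvno 2.
# The key bytes are placeholders, not real key material.
HOST_PRINC = "host/unixbox.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(HOST_PRINC, 2, 3, b"\x01\x02\x04\x07\x08\x0b\x0d\x0e"),  # des-cbc-md5
    KeytabEntry(HOST_PRINC, 2, 1, b"\x01\x02\x04\x07\x08\x0b\x0d\x0e"),  # des-cbc-crc
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal}  kvno={e.kvno}  {ENCTYPES.get(e.enctype, e.enctype)}")
    print(check_keytab(SAMPLE_KEYTAB, HOST_PRINC, 3, 2))   # [] : usable
    print(check_keytab(SAMPLE_KEYTAB, HOST_PRINC, 3, 3))   # kvno mismatch
```

To run it against a real file, read /etc/krb5.keytab into `blob` and pass the principal, enctype number and kvno the KDC currently reports for the machine account; an empty result means the other Kerberos applications on the host have a key that matches what the KDC encrypts with, which is exactly the state the thread says a plain Samba ADS member does not reach until the principal is exported from secrets.tdb.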