Samba-3.0.7-1.3E Active Directory Issues

Doug VanLeuven roamdad at sonic.net
Wed Nov 3 14:02:32 GMT 2004
Jeremy Allison wrote:

>On Tue, Nov 02, 2004 at 02:23:30PM -0800, Doug VanLeuven wrote:
>
>>Jeremy Allison wrote:
>>
>>>On Thu, Oct 28, 2004 at 03:32:11PM -0700, Jeremy Allison wrote:
>>>
>>>>Ok - here is a "work in progress" snapshot of what I have done with 
>>>>your code. It doesn't compile (yet :-) but might give you a better
>>>>idea how I'm going about things. I'm still working on my version of
>>>>verify_service_password().
>>>>
>>>Here is the version I'm going to put into test.
>>>
>>>More comments welcome !
>>>
>>With svn 3417 and the patch submitted for bug 1717
>>http://people.redhat.com/nalin/test/samba-3.0.8pre1-fqdn.patch
>>I was able to join a subdomain and have "des only" work for shares and 
>>smbclient.
>>Major thanks! :-)
>>
>>The patch has a side effect of requiring des-cbc-md5 to be a permitted 
>>enctype.
>>If I'm configured to use rc4-hmac as the only acceptable enctype in 
>>/etc/krb5.conf
>>default_tgs_enctypes = rc4-hmac
>>default_tkt_enctypes = rc4-hmac
>>permitted_enctypes = rc4-hmac
>>
>>then with this patch, it will never authenticate.  Can't even net ads join.
>>So it has to be specified
>>default_tgs_enctypes = rc4-hmac des-cbc-md5
>>default_tkt_enctypes = rc4-hmac des-cbc-md5
>>permitted_enctypes = rc4-hmac des-cbc-md5
>>
>>I captured a level 10 of the join failure if it would be of any help.
>>
>
>I'm still looking at the samba-3.0.8pre1-fqdn.patch for 3.0.8, but
>with the current state of the kerberos code can you confirm everything
>else is working for you ? I could do with as much testing of this code
>as possible.
>
Here's my test environment - 2 separate domains

realm=NT.LDXNET.COM
windows 2003 enterprise server
all current security fixes
computer names have accounts in unix
samba server gate.ldxnet.com svn 3417
    RH9
    MIT kerberos 1.3.5
    krb5.conf
       permitted_enctypes = rc4-hmac des-cbc-md5
    joined and running using KDC enctype RSADSI RC4-HMAC

samba server lex.ldxnet.com svn 3417
    RH9
    MIT kerberos 1.3.5
    krb5.conf
       permitted_enctypes = des-cbc-md5 rc4-hmac
    joined and running using KDC Kerberos DES-CBC-MD5

realm=NT.SCWA.GOV
windows 2003 standard server
all current security fixes
computer names do not have unix accounts
samba server rs8.nt.scwa.gov svn 3345 (pre-kerberos patch)
    AIX 5.2
    MIT kerberos 1.3.4
    krb5.conf
       permitted_enctypes = des-cbc-md5 rc4-hmac
    joined and running using KDC enctype Kerberos DES-CBC-MD5

samba server proxy.scwa.gov svn 3504
    RH9
    MIT kerberos 1.3.4
    krb5.conf
       permitted_enctypes = des-cbc-md5 rc4-hmac
    joined and running using KDC Kerberos DES-CBC-MD5

samba server rs6.scwa.gov V3.0.8
    AIX 5.2
    MIT kerberos 1.3.4
    krb5.conf
       rc4-hmac des-cbc-crc des-cbc-md5
    joined and running using KDC enctype RSADSI RC4-HMAC

The server rs8 in the same domain and realm, running a pre-kerberos patch 
samba, generates occasional "Decrypt integrity check failed" when 
communicating with the KDC, but mostly worked as expected.

None of the post-kerberos patch samba servers has yet generated the 
"Decrypt integrity check failed".  Just 2 days though.

The windows workstations are configured to use the post-kerberos patch 
servers for redirected folders, "Application Data", "Desktop", "My 
Documents"
Home directory is mapped on the 2003 server AD accounts to these servers 
as well, plus 5 or 6 mapped drives to samba servers in netlogon scripts.
The only red X left is on the Home directory connection with or without 
a unix machine account defined.

In case you're wondering, on the servers that I wanted to do DES only, I 
modified libads/ldap.c
/*#ifndef ENCTYPE_ARCFOUR_HMAC*/
        acct_control |= UF_USE_DES_KEY_ONLY;
/*#endif*/
so they would update the account as DES only even though I have rc4-hmac 
available.

I've run Office XP SP3 apps Word, Excel and Visio.  Don't have an 
Access database application handy.  There was an issue with the date 
stamps using Excel on samba prior to Office SP3.

Tests on smbclient use the -k option just to be sure.
One item: my 2 pre-kerberos patch samba servers can't connect to 
post-patch \\proxy DES-only using kerberos auth.
    session setup failed: NT_STATUS_LOGON_FAILURE
One is DES-only in different dns domain and one is rc4-hmac in the same 
dns domain, but \\proxy post-patch can connect to \\rs8 and \\rs6 
pre-patch and all windows 2000 & 2003 servers using kerberos.
So I just need to get rid of the old pre-patch versions.

I've successfully used the kerberos rlogin after kinit on the DES only 
post-patch machines even when the server was in a different domain than 
the KDC.  Pleasant surprise!  I expected otherwise.

Everything related to kerberos authentication seems to be going great.

Sorry I can't be of help with the RH9 krb5-libs-1.2.7-14 issues.  I had 
problems getting the system keytab to update correctly under samba's 
control.  Tried FILE: and WRFILE:, but just no luck.  Can't revert.

I'm running out of creativity in testing the kerberos and fqdn patch.  
All the ways I want to use it seem to be working better than ever.

Regards, Doug
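A small audit of the two krb5.conf enctype configurations discussed in this message, written as an added example (it is not code from the thread or from Samba): it parses a [libdefaults] section and reports every place a single-DES enctype is allowed, which a DES-only (UF_USE_DES_KEY_ONLY) machine account needs in order to authenticate but which a hardening review should flag. The two sample configurations are constructed from the enctype lists quoted above.

```python
"""Audit the enctype lists in a krb5.conf [libdefaults] section (added example)."""
import re

# Constructed samples: the two configurations Doug compares in the thread.
RC4_ONLY = """[libdefaults]
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac
"""
RC4_AND_DES = """[libdefaults]
    default_tgs_enctypes = rc4-hmac des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-md5
"""
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# Single-DES enctypes (56-bit key) are weak; flag them wherever they appear.
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}


def parse_libdefaults(text):
    """Return {key: [enctype, ...]} for the enctype keys in [libdefaults].
    krb5.conf enctype values are whitespace- or comma-separated lists."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key in ENCTYPE_KEYS:
            found[key] = [e.lower() for e in re.split(r"[\s,]+", value) if e]
    return found


def audit_enctypes(text):
    """Return (weak_findings, accepts_des): weak_findings lists (key, enctype)
    pairs for every DES type; accepts_des is True when permitted_enctypes admits
    single DES, which a UF_USE_DES_KEY_ONLY machine account needs to authenticate."""
    lists = parse_libdefaults(text)
    weak = [(k, e) for k, es in lists.items() for e in es if e in WEAK_ENCTYPES]
    accepts_des = any(e in WEAK_ENCTYPES for e in lists.get("permitted_enctypes", []))
    return weak, accepts_des
```

Run against RC4_ONLY the audit is clean but accepts_des is False, matching the join failure described above; against RC4_AND_DES it flags des-cbc-md5 in all three keys.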
