delegated credentials on samba4
Amin Azez
azez at ufomechanic.net
Fri Sep 21 14:27:10 GMT 2007
I'm doing some work to add some generic caching and traffic optimization
to the cifs proxy vfs I hope will be accepted as part of samba4.
I have non-delegated proxying working; this message describes some
difficulty I am experiencing in getting delegated mode to work as
described in source/ntvfs/cifs/README.
I'm developing on a Centos-5 system, samba4 built and installed OK.
I have ntp running on all the servers involved.
I follow the instructions at:
http://wiki.samba.org/index.php/Samba4/HOWTO
and successfully followed step 4 to provision samba4 in an existing
windows 2003 domain:
./setup/provision --realm=home.ufomechanic.net --domain=UFO --adminpass=XXX
I wasn't able to completely follow these instructions:
Please install the zone located in
/usr/local/samba/private/home.ufomechanic.net.zone into your DNS server.
A sample BIND configuration snippit is at
/usr/local/samba/private/named.conf
because the named.conf line
tkey-gssapi-credential "DNS/home.ufomechanic.net";
causes bind9 to give the error:
Sep 21 14:41:43 localhost named[19606]: configuring TKEY: not implemented
And so I went without using the local nameserver, but had resolv.conf
pointing to the domain controller I am trying to join.
I mention this in case it is a cause or symptom of my problems; possibly
related to:
(
Server claims it's principal name is
ufomechanicw200$@WAKEFIELD.UFOMECHANIC.NET
Starting GENSEC submechanism gssapi_krb5
kinit for Administrator at UFO failed (Cannot contact any KDC for requested
realm: unable to reach any KDC in realm UFO)
Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for
requested realm
Cannot reach a KDC we require to contact
cifs at ufomechanicw200.wakefield.ufomechanic.net
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
signing_good: signing negotiated but not required and peer
isn't sending correct signatures. Turning off.
Shutdown SMB signing
)
anyway, I then do:
# net join UFO BDC -U Administrator
and successfully added the samba4 machine to the domain as a domain
controller, with this warning:
We still need to perform a DsAddEntry() so that we can create the
CN=NTDS Settings container.
Under the windows 2003 AD administration tools, I set the cifs proxy to be
trusted for delegation.
I then added to smb.conf according to the vfs proxy instructions:
[myshare]
ntvfs handler = cifs
cifs:server = ufomechanicw200.home.ufomechanic.net
cifs:share = reports
# cifs:user = Administrator
# cifs:password = password
# cifs:domain = UFO
then
smbclient '\\cifsproxy\myshare' -U Administrator
where I provide the remote administrator password does not work.
If I un-comment the # lines then it works when I provide the local
administrator password.
Notes:
When I start smbd, I note this error:
Name registration conflict from 192.168.0.7 for UFO<1b> with ip
223.1.1.128 - rcode 6
Error registering UFO<1b> with 192.168.0.139 on interface 192.168.0.255
- NT_STATUS_CONFLICTING_ADDRESSES
192.168.0.7 is the windows 2003 domain controller for which I want to
make the samba4 machine also an active directory server (bdc in old
terms?) and trusted for delegation.
192.168.0.139 is the samba4 server.
I guess the provision command I ran must have made a distinct domain
instead of replicating from the existing domain of the same name,
despite my trying to join the existing name as a bdc, and despite seeing
hopeful messages like:
dreplsrv_periodic_schedule(15) scheduled for: Fri Sep 21 14:23:58 2007 BST
and
netlogon request to CIFSPROXY<00> from 192.168.0.7:138
unknown netlogon op 10 from 192.168.0.7:138
netlogon: struct nbt_netlogon_packet
command : NETLOGON_ANNOUNCE_UAS (10)
req : union nbt_netlogon_request(case 10)
uas: struct nbt_netlogon_announce_uas
serial_lo : 0x00000100 (256)
timestamp : Mon Jul 10 16:35:08 2006 BST
pulse : 0x00001c20 (7200)
random : 0x00000001 (1)
pdc_name : 'UFOMECHANICW200'
domain : 'UFO'
_pad : DATA_BLOB length=0
unicode_pdc_name : 'UFOMECHANICW200'
unicode_domain : 'UFO'
db_count : 0x00000003 (3)
dbchange: ARRAY(3)
dbchange: struct nbt_db_change
db_index : SAM_DATABASE_DOMAIN (0)
serial : 0x00000000ffffffff
(4294967295)
timestamp : Mon Jul 10 16:35:08 2006 BST
dbchange: struct nbt_db_change
db_index : SAM_DATABASE_BUILTIN (1)
serial : 0x00000000ffffffff
(4294967295)
timestamp : Tue Jul 4 05:38:44 2006 BST
dbchange: struct nbt_db_change
db_index : SAM_DATABASE_PRIVS (2)
serial : 0x00000000ffffffff
(4294967295)
timestamp : Tue Jul 4 05:38:40 2006 BST
sid_size : 0x00000018 (24)
_pad2 : DATA_BLOB length=2
sid :
S-1-5-21-3215233304-1248193272-1322505913
nt_version : 0x00000001 (1)
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
I tried joining the domain as a bdc WITHOUT running the
./setup/provision script.
I don't get the address conflict but I do get this
Searching for dsServiceName in rootDSE failed: (null)
Failed to find our own NTDS Settings DN in the ldb!
Failed to find our own NTDS Settings objectGUID in the ldb!
task_server_terminate: [dreplsrv: Failed to connect to local samdb:
WERR_DS_SERVICE_UNAVAILABLE
]
standard_terminate: reason[dreplsrv: Failed to connect to local samdb:
WERR_DS_SERVICE_UNAVAILABLE
(which seems reasonable).
So.....
is samba4 supposed to function as a delegated domain controller yet?
Please help me see my mistake.
Sam
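As an added illustration (not part of the original post or of Samba itself), the following script parses the [myshare] smb.conf snippet above and reports, for each cifs proxy share, whether it relies on delegated credentials or on a static cifs:user/cifs:password pair stored in the config; the second [static] section is a constructed example of the latter.

```python
"""Classify the cifs proxy shares in an smb.conf snippet by credential mode."""
import re

# Constructed sample: the [myshare] section from the post, plus a second
# hypothetical share that stores a static password in the config.
SAMPLE_SMB_CONF = """\
[myshare]
ntvfs handler = cifs
cifs:server = ufomechanicw200.home.ufomechanic.net
cifs:share = reports
# cifs:user = Administrator
# cifs:password = password
# cifs:domain = UFO

[static]
ntvfs handler = cifs
cifs:server = ufomechanicw200.home.ufomechanic.net
cifs:share = reports
cifs:user = Administrator
cifs:password = password
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; '#' and ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections

def classify_cifs_shares(text):
    """For each 'ntvfs handler = cifs' share, report 'delegated' when no
    static cifs:user/cifs:password is configured, else 'static-credentials'."""
    result = {}
    for name, params in parse_smb_conf(text).items():
        if params.get("ntvfs handler") != "cifs":
            continue
        has_static = "cifs:user" in params or "cifs:password" in params
        result[name] = "static-credentials" if has_static else "delegated"
    return result

if __name__ == "__main__":
    for share, mode in classify_cifs_shares(SAMPLE_SMB_CONF).items():
        print(f"{share}: {mode}")
```

A share reported as static-credentials keeps a reusable password in a file readable by the server, whereas delegated mode forwards the connecting user's own credentials.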