s3 member server to s4 kerberos trouble
Matthieu Patou
mat at samba.org
Fri Jun 11 14:02:35 MDT 2010
Hello Lukaz,
To my mind according to your log the pb is that w7 present an AES
encrypted ticket, and s3, didn't support for this version, AES.
In order for s4 to provide AES ticket, you should have raised to level
2008 your domain, because by default we do provision with a 2003
functional level.
Is it the case ?
Even win this case we should be able to sort out differences in capacity.
If I trust your log it _seems_ that your s3 pretend to support encoding
that it in fact didn't support :
Kerberos: AS-REQ ORINOCO$@STUDENT.EECS.QMUL.AC.UK from
ipv4:138.37.37.245:58349 for
krbtgt/STUDENT.EECS.QMUL.AC.UK at STUDENT.EECS.QMUL.AC.UK
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
ORINOCO$@STUDENT.EECS.QMUL.AC.UK
Kerberos: AS-REQ ORINOCO$@STUDENT.EECS.QMUL.AC.UK from
ipv4:138.37.37.245:47940 for
krbtgt/STUDENT.EECS.QMUL.AC.UK at STUDENT.EECS.QMUL.AC.UK
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- ORINOCO$@STUDENT.EECS.QMUL.AC.UK
Kerberos: Looking for ENC-TS pa-data -- ORINOCO$@STUDENT.EECS.QMUL.AC.UK
Kerberos: ENC-TS Pre-authentication succeeded --
ORINOCO$@STUDENT.EECS.QMUL.AC.UK using aes256-cts-hmac-sha1-96
Kerberos: AS-REQ authtime: 2010-06-11T09:59:30 starttime: unset endtime:
2010-06-12T09:59:33 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
arcfour-hmac-md5, des3-cbc-sha1, des-cbc-crc, des-cbc-md5, using
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Can you confirm that ORINOCO is your s3 server and that 138.37.37.245 is
its ip.
Andrew: if it is so I have the impression that something wrong: either
from s4 side because it thinks that the client support that it is not
announcing as supported, either it's s3 which announce encoding that it
fact it didn't support.
In any case even in if s3 announce wrong encoding when requesting
ticket, we should use msDS-SupportedEncryptionTypes when requested for a
ticket for a given principal (ie. cifs/server at REALM) to decide in which
encoding we return the ticket to the requester so that it can be
understood by requester and and requested principal. Looking at the code
I didn't saw much lookup to this attribute so I wonder how do we decide
which encoding the requested principal support.
Lukasz, a full trace from login and restart of s3 would be very useful
to see what's happenning.
If you can provide me the keytab of the domain it would be super (but it
means that I have somehow enough information to pretend to be you, your
dc or your server, so you'd better use a generic password for admin and
be ready to reprovision the domain).
Matthieu.
On 11/06/2010 13:17, Lukasz Zalewski wrote:
> Hi!
> The Samba 3 i have used is 3.3.8 running on centos 5.5 (i have tried
> samba 3.4.7 on Fedora 12 whiche exhibited same behaviour)
>
> I can join S3 machine to the s4 domain without any problems (well
> there is a DNS update failed). I can also mount any share from
> non-domain machines (it being XP or 7) without any issies. The
> problems start when i log in to the s4 domain - my homeDrive is
> specified as \\s3memberserver\username.
> Also whne i try to manually map the drive the authentication box pops up.
>
> Attached are s4 d10 log and memberserver client's d10 logs. Please let
> me know if you need anything else
>
>
> Regards
>
> Luk
--
Matthieu Patou
Samba Team http://samba.org
More information about the samba-technical
mailing list