[Samba] Samba 3.020 and Win2K with Kerberos 5
Donald Saltarelli
djs at uci.edu
Fri Nov 1 23:35:01 GMT 2002
Igor-
I have tried this type of setup and it does not work.
If the user logs in to the "REALMNAME (Kerberos Realm)" on the Windows
2000 workstation, the kerberos tickets he has are slightly different
from the ones he gets when he logs into the Windows 2000 domain. These
tickets aren't authenticated by the Samba server and the user gets
prompted for a password (which would then be compared against the one in
the Windows 2000 domain and unless it matches the one in your UNIX
kerberos, it'll fail). Apparently this isn't a popular architecture yet
and so it's not being worked on currently.
I haven't had time to get more information to the developers that would
help in solving the problem.
Donald
On Thu, 2002-10-17 at 02:00, Igor Korzinek wrote:
> Hi,
> I've posted this one also to comp.protocols.smb, but the list seems to be
> more hacky :-)
>
> I have M$ Win2K PDC with Kerberos authentication system.
>
> PDC
> Win2K--------------SAMBA-3.020-------------LINUX
> Kerberos5
>
> It was said somewhere (in the Samba 3.0 pre-alpha guide to Kerberos
> authentication) that this should work.
> I'm using RedHat 7.2 with latest patches (obtained via net from redhat
> site).
> Kerberos is 1.2.2-14
> klist shows after kinit:
> -------------------------------
> [root@pan log]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ADMINISTRATOR@ZG.CORP.FGMICROTEC.COM
>
> Valid starting     Expires            Service principal
> 10/16/02 17:58:48  10/17/02 03:58:48  krbtgt/ZG.CORP.FGMICROTEC.COM@ZG.CORP.FGMICROTEC.COM
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> --------------------------------
> So I assume that the kerberos client is running fine. I've tried with a wrong
> passwd, and it complains, so this should be fine.
>
> I did change execution path so that the Samba 3.0.20 is started and log
> files said that everything is fine.
>
> When I did net ads join, then I've got Segmentation fault....
> Any hint? (oh, yes, gcc is 2.96)
>
> If someone has succeeded with such a connection, please let me know.
>
> Yes, there is an additional info...
> instead of net ads join,
> one should use
>
> net ads join -Uadministrator
>
> because the default is the logged-in user, which is almost never administrator on
> UNIXes, but can be root or some local user... (I've discovered that with
> kdbg and a 1 hour session :-)).
>
> And when I execute:
>
> [root@pan root]# net ads status -Uadministrator
>
> I've got the following:
>
> administrator password:
> accountExpires: 9223372036854775807
> badPasswordTime: 0
> badPwdCount: 0
> codePage: 0
> cn: pan
> countryCode: 0
> dNSHostName: pan
> instanceType: 4
> isCriticalSystemObject: FALSE
> lastLogoff: 0
> lastLogon: 0
> logonCount: 0
> -------------- Security Descriptor (revision: 1, type: 0x8c14)
> owner SID: S-1-5-21-353111985-644491385-32730383-512
> group SID: S-1-5-21-353111985-644491385-32730383-513
> ------- (system) ACL (revision: 2, size: 28, number of ACEs: 1)
> ------- ACE (type: 0x02, flags: 0xd2, size: 0x14, mask: 0xd016b)
> access SID: S-1-1-0
> access type: SYSTEM AUDIT
> Permissions:
> [Create All Child Objects]
> [Delete All Child Objects]
> [All validate writes]
> [Write All Properties]
> [Delete Subtree]
> [Change Password]
> [Reset Password]
> [Delete]
> [Modify Permissions]
> [Modify Owner]
> ------- (user) ACL (revision: 4, size: 1284, number of ACEs: 30)
> ------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
> access SID: S-1-5-21-353111985-644491385-32730383-512
> access type: ALLOWED
> Permissions: [Full Control]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
> access SID: S-1-5-32-548
> access type: ALLOWED
> Permissions: [Full Control]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0xf01ff)
> access SID: S-1-5-18
> access type: ALLOWED
> Permissions: [Full Control]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0x301d4)
> access SID: S-1-5-21-353111985-644491385-32730383-512
> access type: ALLOWED
> Permissions:
> [List Contents]
> [Read All Properties]
> [Delete Subtree]
> [List Object]
> [Change Password]
> [Reset Password]
> [Delete]
> [Read Permissions]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x20, object flags:
> 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-512
> access type: ALLOWED OBJECT
> Permissions:
> [Write All Properties]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x20094)
> access SID: S-1-5-11
> access type: ALLOWED
> Permissions:
> [List Contents]
> [Read All Properties]
> [List Object]
> [Read Permissions]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x100, object flags:
> 0x1)
> access SID: S-1-1-0
> access type: ALLOWED OBJECT
> Permissions:
> [Change Password]
> [Reset Password]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x3)
> access SID: S-1-5-10
> access type: ALLOWED
> Permissions:
> [Create All Child Objects]
> [Delete All Child Objects]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x2c, mask: 0x3, object flags:
> 0x1)
> access SID: S-1-5-32-550
> access type: ALLOWED OBJECT
> Permissions:
> [Create All Child Objects]
> [Delete All Child Objects]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x30, object flags:
> 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-517
> access type: ALLOWED OBJECT
> Permissions:
> [Read All Properties]
> [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags:
> 0x1)
> access SID: S-1-5-10
> access type: ALLOWED OBJECT
> Permissions:
> [All validate writes]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x30, object flags:
> 0x1)
> access SID: S-1-5-10
> access type: ALLOWED OBJECT
> Permissions:
> [Read All Properties]
> [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags:
> 0x1)
> access SID: S-1-5-10
> access type: ALLOWED OBJECT
> Permissions:
> [All validate writes]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x8, object flags:
> 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-512
> access type: ALLOWED OBJECT
> Permissions:
> [All validate writes]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x8, object flags:
> 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-512
>
> .... etc etc etc...
>
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
> [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags:
> 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
> [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags:
> 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
> [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags:
> 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
> [Write All Properties]
> ------- ACE (type: 0x00, flags: 0x12, size: 0x24, mask: 0x4)
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED
> Permissions:
> [List Contents]
> ------- ACE (type: 0x05, flags: 0x1a, size: 0x38, mask: 0x20094, object
> flags: 0x2)
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
> [List Contents]
> [Read All Properties]
> [List Object]
> [Read Permissions]
> ------- ACE (type: 0x05, flags: 0x1a, size: 0x38, mask: 0x20094, object
> flags: 0x2)
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
> [List Contents]
> [Read All Properties]
> [List Object]
> [Read Permissions]
> -------------- End Of Security Descriptor
> distinguishedName: CN=pan,CN=Computers,DC=zg,DC=corp,DC=fgmicrotec,DC=com
> objectCategory:
> CN=Computer,CN=Schema,CN=Configuration,DC=zg,DC=corp,DC=fgmicrotec,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> objectGUID: BCB686FB03DF4448A060FEB4F2AF844C
> objectSid: S-1-5-21-353111985-644491385-32730383-1175
> operatingSystem: Samba
> operatingSystemVersion: 3.0alpha20
> primaryGroupID: 515
> pwdLastSet: 126792633499442796
> name: pan
> sAMAccountName: pan$
> sAMAccountType: 805306369
> servicePrincipalName: HOST/pan
> userAccountControl: 2691072
> userPrincipalName: HOST/pan@ZG.CORP.FGMICROTEC.COM
> uSNChanged: 518176
> uSNCreated: 518173
> whenChanged: 20021016173549.0Z
> whenCreated: 20021016173549.0Z
>
> So it looks like I have joined the domain and zeus, which is both the Kerberos
> server and the Win2K PDC for the domain.
>
> Am I correct?
> What is wrong?
> Is it the smb.conf file?
>
>
> Thank you for your time. And send me an address if you want a postcard :-)
>
> Igor
>
>
> ---smb.conf---------------------------------------
> [global]
> path = /home2/ftp/pub/
> dns proxy = no
> encrypt passwords = yes
> ads server = zeus
> realm = ZG.CORP.FGMICROTEC.COM
> workgroup = UNIX
> server string = Linux File/Application Server
> socket options = TCP_NODELAY
> log file = /var/log/samba/log.%m
> netbios name = PAN
> load printers = yes
> max log size = 50
> preferred master = no
> hosts allow = 192.168.0. 10.1.2. 127.
>
> [PublicExportedPath]
> writable = yes
> comment = Home Directories
>
> [printers]
> comment = All Printers
> path = /usr/spool/samba
> browseable = no
> # Set public = yes to allow user 'guest account' to print
> guest ok = no
> writable = no
> printable = yes
>
> # This one is useful for people to share files
> [Export]
> path = /export
> writable = yes
> browseable = yes
> comment = Temporary file space
> public = yes
> ----------------------------------------------------------
> --krb5.conf------------------------------------
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = ZG.CORP.FGMICROTEC.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> ZG.CORP.FGMICROTEC.COM = {
> kdc = zeus
> }
>
> [pam]
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> --------------------------------------
>
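The thread ends with the question of whether the smb.conf is at fault, and in Samba 3 a Kerberos (ADS) member server needs `security = ads` together with a `realm` that matches the krb5.conf `default_realm` before `net ads join` can work. The script below is an added example written for this archive page; it is not code from the Samba project or from either poster. It pulls the `[global]` section of an smb.conf and the `[libdefaults]` section of a krb5.conf through a small awk-based ini reader and reports the mismatches a practitioner would want to catch before touching the network. The sample files it writes are constructed for illustration, modelled on the realm in the thread: `workgroup = ZG` and the second realm `CORP.FGMICROTEC.COM` are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the Samba list thread): pre-join consistency check
# for a Samba 3 "security = ads" member server's smb.conf and krb5.conf.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
# Handles "key = value" lines, '#' and ';' comment lines, case-insensitive names.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = (tolower($0) ~ ("^[ \t]*\\[" tolower(sec) "\\][ \t]*$")); next }
        !in_sec || /^[ \t]*[#;]/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# ads_config_problems SMB_CONF KRB5_CONF: print one line per problem found.
# Always returns 0 so it can be used under "set -e"; count the lines instead.
ads_config_problems() {
    smb="$1"; krb5="$2"
    security=$(ini_get "$smb" global security)
    realm=$(ini_get "$smb" global realm)
    default_realm=$(ini_get "$krb5" libdefaults default_realm)

    # Samba 3 only uses Kerberos for domain membership in security = ads mode.
    if [ "$(printf '%s' "$security" | tr 'A-Z' 'a-z')" != "ads" ]; then
        printf 'smb.conf: "security = ads" is required for Kerberos domain membership (found: "%s")\n' "${security:-unset}"
    fi
    # Kerberos realm names are case-sensitive and conventionally upper-case.
    if [ -z "$realm" ]; then
        printf 'smb.conf: "realm" is not set\n'
    elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        printf 'smb.conf: realm "%s" is not upper-case\n' "$realm"
    fi
    # The Samba realm and the libkrb5 default realm must be the same string.
    if [ -z "$default_realm" ]; then
        printf 'krb5.conf: [libdefaults] default_realm is not set\n'
    elif [ -n "$realm" ] && [ "$realm" != "$default_realm" ]; then
        printf 'smb.conf realm "%s" does not match krb5.conf default_realm "%s"\n' "$realm" "$default_realm"
    fi
    # dns_lookup_kdc = false (as in the thread) means the KDC must be listed in [realms].
    if [ -n "$default_realm" ] && ! grep -q "^[[:space:]]*$default_realm[[:space:]]*=[[:space:]]*{" "$krb5"; then
        printf 'krb5.conf: no [realms] entry for "%s"\n' "$default_realm"
    fi
    return 0
}

# make_samples: write constructed smb.conf / krb5.conf variants into a temp
# directory and print its path. Illustrative only; not the poster's files.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/smb-incomplete.conf" <<'EOF'
[global]
   workgroup = UNIX
   realm = ZG.CORP.FGMICROTEC.COM
   encrypt passwords = yes
   ads server = zeus
EOF
    cat > "$dir/smb-member.conf" <<'EOF'
[global]
   # placeholder NetBIOS name of the AD domain (assumed, not from the thread)
   workgroup = ZG
   security = ADS
   realm = ZG.CORP.FGMICROTEC.COM
   encrypt passwords = yes
   ads server = zeus
EOF
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = ZG.CORP.FGMICROTEC.COM
 dns_lookup_kdc = false

[realms]
 ZG.CORP.FGMICROTEC.COM = {
  kdc = zeus
 }
EOF
    # constructed mismatch: a parent realm that differs from the smb.conf realm
    cat > "$dir/krb5-mismatch.conf" <<'EOF'
[libdefaults]
 default_realm = CORP.FGMICROTEC.COM

[realms]
 CORP.FGMICROTEC.COM = {
  kdc = zeus
 }
EOF
    printf '%s\n' "$dir"
}

# Stand-alone usage: sh check-ads.sh /etc/samba/smb.conf /etc/krb5.conf
if [ "$#" -eq 2 ]; then
    ads_config_problems "$1" "$2"
fi
```

The ini reader is deliberately flat: it is enough for `[global]` and `[libdefaults]`, while the nested `REALM = { ... }` block in `[realms]` is only probed with grep for the realm header. Run against the two constructed pairs, the incomplete smb.conf with the mismatched krb5.conf yields two findings (missing `security = ads`, realm mismatch) and the member configuration yields none.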