[Samba] Samba 3.020 and Win2K with Kerberos 5

Igor Korzinek igor.korzinek at fgmicrotec.com
Thu Oct 17 09:01:01 GMT 2002


Hi,
I've posted this one also to comp.protocols.smb, but the list seems to be
more hacky :-)

I have an M$ Win2K PDC with a Kerberos authentication system.

PDC
Win2K--------------SAMBA-3.020-------------LINUX
Kerberos5

It was said somewhere (Samba 3.0 pre-alpha guide to Kerberos
authentication) that this should work.
I'm using RedHat 7.2 with the latest patches (obtained via the net from the
redhat site).
Kerberos is 1.2.2-14.
klist shows, after kinit:
-------------------------------
[root@pan log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADMINISTRATOR@ZG.CORP.FGMICROTEC.COM

Valid starting     Expires            Service principal
10/16/02 17:58:48  10/17/02 03:58:48  krbtgt/ZG.CORP.FGMICROTEC.COM@ZG.CORP.FGMICROTEC.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
--------------------------------
So I assume that the kerberos client is running fine. I've tried with a wrong
passwd, and it complains, so this should be fine.

I did change the execution path so that Samba 3.0.20 is started, and the log
files said that everything is fine.

When I did net ads join, I got a Segmentation fault....
Any hint? (oh, yes, gcc is 2.96)

If someone has succeeded with such a connection, please let me know.

Yes, there is some additional info...
Instead of net ads join,
I should use

net ads join -Uadministrator

because the default is the logged-in user, which is almost never administrator on
UNIXes, but can be root or some local user... (I discovered that with
kdbg and a 1-hour session :-)).

And when I execute:

[root@pan root]# net ads status -Uadministrator

I've got the following:

administrator password:
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: pan
countryCode: 0
dNSHostName: pan
instanceType: 4
isCriticalSystemObject: FALSE
lastLogoff: 0
lastLogon: 0
logonCount: 0
-------------- Security Descriptor (revision: 1, type: 0x8c14)
owner SID: S-1-5-21-353111985-644491385-32730383-512
group SID: S-1-5-21-353111985-644491385-32730383-513
------- (system) ACL (revision: 2, size: 28, number of ACEs: 1)
------- ACE (type: 0x02, flags: 0xd2, size: 0x14, mask: 0xd016b)
access SID:  S-1-1-0
access type: SYSTEM AUDIT
Permissions:
        [Create All Child Objects]
        [Delete All Child Objects]
        [All validate writes]
        [Write All Properties]
        [Delete Subtree]
        [Change Password]
        [Reset Password]
        [Delete]
        [Modify Permissions]
        [Modify Owner]
------- (user) ACL (revision: 4, size: 1284, number of ACEs: 30)
------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
access SID:  S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED
Permissions: [Full Control]
------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
access SID:  S-1-5-32-548
access type: ALLOWED
Permissions: [Full Control]
------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0xf01ff)
access SID:  S-1-5-18
access type: ALLOWED
Permissions: [Full Control]
------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0x301d4)
access SID:  S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED
Permissions:
        [List Contents]
        [Read All Properties]
        [Delete Subtree]
        [List Object]
        [Change Password]
        [Reset Password]
        [Delete]
        [Read Permissions]
------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x20, object flags: 0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED OBJECT
Permissions:
        [Write All Properties]
------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x20094)
access SID:  S-1-5-11
access type: ALLOWED
Permissions:
        [List Contents]
        [Read All Properties]
        [List Object]
        [Read Permissions]
------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x100, object flags: 0x1)
access SID:  S-1-1-0
access type: ALLOWED OBJECT
Permissions:
        [Change Password]
        [Reset Password]
------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x3)
access SID:  S-1-5-10
access type: ALLOWED
Permissions:
        [Create All Child Objects]
        [Delete All Child Objects]
------- ACE (type: 0x05, flags: 0x00, size: 0x2c, mask: 0x3, object flags: 0x1)
access SID:  S-1-5-32-550
access type: ALLOWED OBJECT
Permissions:
        [Create All Child Objects]
        [Delete All Child Objects]
------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x30, object flags: 0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-517
access type: ALLOWED OBJECT
Permissions:
        [Read All Properties]
        [Write All Properties]
------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags: 0x1)
access SID:  S-1-5-10
access type: ALLOWED OBJECT
Permissions:
        [All validate writes]
------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x30, object flags: 0x1)
access SID:  S-1-5-10
access type: ALLOWED OBJECT
Permissions:
        [Read All Properties]
        [Write All Properties]
------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags: 0x1)
access SID:  S-1-5-10
access type: ALLOWED OBJECT
Permissions:
        [All validate writes]
------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x8, object flags: 0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED OBJECT
Permissions:
        [All validate writes]
------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x8, object flags: 0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-512

.... etc etc etc...

access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
        [Write All Properties]
------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags: 0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
        [Write All Properties]
------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags: 0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
        [Write All Properties]
------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags: 0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
        [Write All Properties]
------- ACE (type: 0x00, flags: 0x12, size: 0x24, mask: 0x4)
access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED
Permissions:
        [List Contents]
------- ACE (type: 0x05, flags: 0x1a, size: 0x38, mask: 0x20094, object flags: 0x2)
access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
        [List Contents]
        [Read All Properties]
        [List Object]
        [Read Permissions]
------- ACE (type: 0x05, flags: 0x1a, size: 0x38, mask: 0x20094, object flags: 0x2)
access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
        [List Contents]
        [Read All Properties]
        [List Object]
        [Read Permissions]
-------------- End Of Security Descriptor
distinguishedName: CN=pan,CN=Computers,DC=zg,DC=corp,DC=fgmicrotec,DC=com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=zg,DC=corp,DC=fgmicrotec,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectGUID: BCB686FB03DF4448A060FEB4F2AF844C
objectSid: S-1-5-21-353111985-644491385-32730383-1175
operatingSystem: Samba
operatingSystemVersion: 3.0alpha20
primaryGroupID: 515
pwdLastSet: 126792633499442796
name: pan
sAMAccountName: pan$
sAMAccountType: 805306369
servicePrincipalName: HOST/pan
userAccountControl: 2691072
userPrincipalName: HOST/pan@ZG.CORP.FGMICROTEC.COM
uSNChanged: 518176
uSNCreated: 518173
whenChanged: 20021016173549.0Z
whenCreated: 20021016173549.0Z

So it looks like I have joined the domain and zeus, which is both the Kerberos
server and the Win2K PDC for the domain.

Am I correct?
What is wrong?
Is it the smb.conf file?


Thank you for your time. And send me an address if you want a postcard :-)

Igor


---smb.conf---------------------------------------
[global]
        path = /home2/ftp/pub/
        dns proxy = no
        encrypt passwords = yes
        ads server = zeus
        realm = ZG.CORP.FGMICROTEC.COM
        workgroup = UNIX
        server string = Linux File/Application Server
        socket options = TCP_NODELAY
        log file = /var/log/samba/log.%m
        netbios name = PAN
        load printers = yes
        max log size = 50
        preferred master = no
        hosts allow = 192.168.0. 10.1.2. 127.

[PublicExportedPath]
        writable = yes
        comment = Home Directories

[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

# This one is useful for people to share files
[Export]
        path = /export
        writable = yes
        browseable = yes
        comment = Temporary file space
        public = yes
----------------------------------------------------------
--krb5.conf------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = ZG.CORP.FGMICROTEC.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 ZG.CORP.FGMICROTEC.COM = {
  kdc = zeus
 }

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
--------------------------------------
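The `net ads status` dump above is long, and the one attribute that tells a defender what kind of machine account the join created is `userAccountControl: 2691072`. The following script is an added example, not part of the original post or of Samba: it parses the `key: value` lines of such a dump (a constructed subset of the values quoted above is embedded), decodes the `userAccountControl` bits by their MS-ADTS names, converts the `pwdLastSet` FILETIME to a date, and lists the bits a domain admin would want to review (delegation, DES-only keys, no pre-auth).

```python
import re
from datetime import datetime, timedelta, timezone

# userAccountControl bit names per MS-ADTS (subset relevant to machine accounts).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
# Bits worth a second look on a freshly joined member server.
RISKY = {"PASSWD_NOTREQD", "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH"}

# Constructed subset of the 'net ads status' output quoted in the post.
SAMPLE = """\
cn: pan
pwdLastSet: 126792633499442796
sAMAccountName: pan$
servicePrincipalName: HOST/pan
userAccountControl: 2691072
whenCreated: 20021016173549.0Z
"""

def parse_status(text):
    """Collect 'key: value' lines; repeated keys (objectClass) become lists."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+): (.*)$", line)
        if m:  # security-descriptor and blank lines do not match and are skipped
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs

def decode_uac(value):
    return {name for bit, name in UAC_FLAGS.items() if int(value) & bit}

def filetime_to_datetime(value):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value) // 10)

def review(text):
    attrs = parse_status(text)
    flags = decode_uac(attrs["userAccountControl"][0])
    return {"account": attrs["sAMAccountName"][0], "flags": flags,
            "risky": flags & RISKY, "pwd_last_set": filetime_to_datetime(attrs["pwdLastSet"][0])}

if __name__ == "__main__":
    r = review(SAMPLE)
    print(r["account"], sorted(r["flags"]), "review:", sorted(r["risky"]), r["pwd_last_set"])
```

For the value quoted in the post the decoded set is WORKSTATION_TRUST_ACCOUNT, DONT_EXPIRE_PASSWORD, TRUSTED_FOR_DELEGATION and USE_DES_KEY_ONLY, and `pwdLastSet` agrees with `whenCreated` (2002-10-16 17:35:49 UTC).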
