[Samba] Samba 3.020 and Win2K with Kerberos 5
Igor Korzinek
igor.korzinek at fgmicrotec.com
Thu Oct 17 09:01:01 GMT 2002
Hi,
I've posted this one also to comp.protocols.smb, but the list seems to be
more hacky :-)
I have M$ Win2K PDC with Kerberos authentication system.
PDC
Win2K--------------SAMBA-3.020-------------LINUX
Kerberos5
It was said somewhere (Samba 3.0 prealpha guide to Kerberos
authentication) that this should work.
I'm using RedHat 7.2 with latest patches (obtained via net from redhat
site).
Kerberos is 1.2.2-14
klist shows after kinit:
-------------------------------
[root@pan log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADMINISTRATOR@ZG.CORP.FGMICROTEC.COM
Valid starting     Expires            Service principal
10/16/02 17:58:48  10/17/02 03:58:48  krbtgt/ZG.CORP.FGMICROTEC.COM@ZG.CORP.FGMICROTEC.COM
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
--------------------------------
So I assume that the kerberos client is running fine. I've tried with a wrong
passwd, and it complains, so this should be fine.
I did change execution path so that the Samba 3.0.20 is started and log
files said that everything is fine.
When I did net ads join, then I've got Segmentation fault....
Any hint ? (oh, yes, gcc is 2.96)
If someone has succeeded with such a connection, please let me know.
Yes, there is additional info...
instead of net ads join,
I should have used
net ads join -Uadministrator
because the default is the logged-in user, which is almost never administrator on
UNIXes, but can be root or some local user... (I discovered that with
kdbg and a 1-hour session :-)).
And when I execute:
[root@pan root]# net ads status -Uadministrator
I've got the following:
administrator password:
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: pan
countryCode: 0
dNSHostName: pan
instanceType: 4
isCriticalSystemObject: FALSE
lastLogoff: 0
lastLogon: 0
logonCount: 0
-------------- Security Descriptor (revision: 1, type: 0x8c14)
owner SID: S-1-5-21-353111985-644491385-32730383-512
group SID: S-1-5-21-353111985-644491385-32730383-513
------- (system) ACL (revision: 2, size: 28, number of ACEs: 1)
------- ACE (type: 0x02, flags: 0xd2, size: 0x14, mask: 0xd016b)
access SID: S-1-1-0
access type: SYSTEM AUDIT
Permissions:
[Create All Child Objects]
[Delete All Child Objects]
[All validate writes]
[Write All Properties]
[Delete Subtree]
[Change Password]
[Reset Password]
[Delete]
[Modify Permissions]
[Modify Owner]
------- (user) ACL (revision: 4, size: 1284, number of ACEs: 30)
------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
access SID: S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED
Permissions: [Full Control]
------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
access SID: S-1-5-32-548
access type: ALLOWED
Permissions: [Full Control]
------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0xf01ff)
access SID: S-1-5-18
access type: ALLOWED
Permissions: [Full Control]
------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0x301d4)
access SID: S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED
Permissions:
[List Contents]
[Read All Properties]
[Delete Subtree]
[List Object]
[Change Password]
[Reset Password]
[Delete]
[Read Permissions]
------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x20, object flags: 0x1)
access SID: S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED OBJECT
Permissions:
[Write All Properties]
------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x20094)
access SID: S-1-5-11
access type: ALLOWED
Permissions:
[List Contents]
[Read All Properties]
[List Object]
[Read Permissions]
------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x100, object flags: 0x1)
access SID: S-1-1-0
access type: ALLOWED OBJECT
Permissions:
[Change Password]
[Reset Password]
------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x3)
access SID: S-1-5-10
access type: ALLOWED
Permissions:
[Create All Child Objects]
[Delete All Child Objects]
------- ACE (type: 0x05, flags: 0x00, size: 0x2c, mask: 0x3, object flags: 0x1)
access SID: S-1-5-32-550
access type: ALLOWED OBJECT
Permissions:
[Create All Child Objects]
[Delete All Child Objects]
------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x30, object flags: 0x1)
access SID: S-1-5-21-353111985-644491385-32730383-517
access type: ALLOWED OBJECT
Permissions:
[Read All Properties]
[Write All Properties]
------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags: 0x1)
access SID: S-1-5-10
access type: ALLOWED OBJECT
Permissions:
[All validate writes]
------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x30, object flags: 0x1)
access SID: S-1-5-10
access type: ALLOWED OBJECT
Permissions:
[Read All Properties]
[Write All Properties]
------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags: 0x1)
access SID: S-1-5-10
access type: ALLOWED OBJECT
Permissions:
[All validate writes]
------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x8, object flags: 0x1)
access SID: S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED OBJECT
Permissions:
[All validate writes]
------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x8, object flags: 0x1)
access SID: S-1-5-21-353111985-644491385-32730383-512
.... etc etc etc...
access SID: S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
[Write All Properties]
------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags: 0x1)
access SID: S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
[Write All Properties]
------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags: 0x1)
access SID: S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
[Write All Properties]
------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags: 0x1)
access SID: S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
[Write All Properties]
------- ACE (type: 0x00, flags: 0x12, size: 0x24, mask: 0x4)
access SID: S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED
Permissions:
[List Contents]
------- ACE (type: 0x05, flags: 0x1a, size: 0x38, mask: 0x20094, object flags: 0x2)
access SID: S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
[List Contents]
[Read All Properties]
[List Object]
[Read Permissions]
------- ACE (type: 0x05, flags: 0x1a, size: 0x38, mask: 0x20094, object flags: 0x2)
access SID: S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
[List Contents]
[Read All Properties]
[List Object]
[Read Permissions]
-------------- End Of Security Descriptor
distinguishedName: CN=pan,CN=Computers,DC=zg,DC=corp,DC=fgmicrotec,DC=com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=zg,DC=corp,DC=fgmicrotec,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectGUID: BCB686FB03DF4448A060FEB4F2AF844C
objectSid: S-1-5-21-353111985-644491385-32730383-1175
operatingSystem: Samba
operatingSystemVersion: 3.0alpha20
primaryGroupID: 515
pwdLastSet: 126792633499442796
name: pan
sAMAccountName: pan$
sAMAccountType: 805306369
servicePrincipalName: HOST/pan
userAccountControl: 2691072
userPrincipalName: HOST/pan@ZG.CORP.FGMICROTEC.COM
uSNChanged: 518176
uSNCreated: 518173
whenChanged: 20021016173549.0Z
whenCreated: 20021016173549.0Z
So it looks like I have joined the domain, and zeus, which is both the Kerberos
server and the Win2K PDC for the domain.
Am I correct ?
What is wrong ?
Is it smb.conf file ?
Thank you for your time. And send me an address if you want a postcard :-)
Igor
---smb.conf---------------------------------------
[global]
path = /home2/ftp/pub/
dns proxy = no
encrypt passwords = yes
ads server = zeus
realm = ZG.CORP.FGMICROTEC.COM
workgroup = UNIX
server string = Linux File/Application Server
socket options = TCP_NODELAY
log file = /var/log/samba/log.%m
netbios name = PAN
load printers = yes
max log size = 50
preferred master = no
hosts allow = 192.168.0. 10.1.2. 127.
[PublicExportedPath]
writable = yes
comment = Home Directories
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
# This one is useful for people to share files
[Export]
path = /export
writable = yes
browseable = yes
comment = Temporary file space
public = yes
----------------------------------------------------------
--krb5.conf------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = ZG.CORP.FGMICROTEC.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
ZG.CORP.FGMICROTEC.COM = {
kdc = zeus
}
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
--------------------------------------
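The numeric fields in the `net ads status` dump above answer the poster's "am I joined?" question, and also say something about how the machine account was created. As an added example (my code, not the poster's and not part of Samba), the following decodes those values as posted: `userAccountControl: 2691072` is 0x291000, i.e. WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_FOR_DELEGATION | USE_DES_KEY_ONLY, so the join produced a computer account with unconstrained Kerberos delegation and DES-only keys; `sAMAccountType: 805306369` is 0x30000001 (a machine account); `pwdLastSet` is a Windows FILETIME that decodes to the same instant as `whenCreated`; and the ACE masks 0xf01ff, 0x20094 and 0x301d4 expand to the rights lists printed under them. The sample text is constructed from the post's attribute lines; the bit names and values are the documented Active Directory ones (MS-ADTS userAccountControl and DS access-mask bits), and the risk notes attached to the flags are my own.

```python
"""Decode the computer-account attributes printed by `net ads status`.

Added example, not code from the original post or from Samba. SAMPLE is
constructed from the attribute lines in the post.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (MS-ADTS), in ascending order so output is stable.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
# Why a reviewer flags a bit (my wording, not an AD definition).
RISKY_UAC = {
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation: host can impersonate any user who authenticates to it",
    "USE_DES_KEY_ONLY": "DES-only Kerberos keys (weak cipher)",
    "DONT_REQ_PREAUTH": "no Kerberos pre-authentication (AS-REP roastable)",
    "PASSWD_NOTREQD": "empty password permitted",
}
# Active Directory ACE access-mask bits; 0xF01FF is everything, shown as Full Control.
DS_RIGHTS = {
    0x1: "Create All Child Objects", 0x2: "Delete All Child Objects",
    0x4: "List Contents", 0x8: "All Validated Writes",
    0x10: "Read All Properties", 0x20: "Write All Properties",
    0x40: "Delete Subtree", 0x80: "List Object",
    0x100: "Control Access (extended rights)", 0x10000: "Delete",
    0x20000: "Read Permissions", 0x40000: "Modify Permissions",
    0x80000: "Modify Owner",
}
FULL_CONTROL = 0xF01FF
SAM_ACCOUNT_TYPES = {0x30000000: "SAM_NORMAL_USER_ACCOUNT",
                     0x30000001: "SAM_MACHINE_ACCOUNT",
                     0x30000002: "SAM_TRUST_ACCOUNT"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # accountExpires value meaning "never"


def decode_bits(value, table):
    """Names of the bits from `table` that are set in `value`, lowest first."""
    return [name for bit, name in table.items() if value & bit]


def decode_uac(value):
    return decode_bits(value, UAC_FLAGS)


def decode_ds_mask(mask):
    if mask & FULL_CONTROL == FULL_CONTROL:
        return ["Full Control"]
    return decode_bits(mask, DS_RIGHTS)


def filetime_to_datetime(value):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC); None for 0 or never."""
    if value in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def parse_net_ads_status(text):
    """Collect `name: value` lines, skipping the security-descriptor block."""
    attrs, in_sd = {}, False
    for line in text.splitlines():
        if line.startswith("-------------- Security Descriptor"):
            in_sd = True
        elif line.startswith("-------------- End Of Security Descriptor"):
            in_sd = False
        elif not in_sd and ": " in line:
            key, value = line.split(": ", 1)
            if key in attrs:  # repeated attribute (objectClass) becomes a list
                prev = attrs[key] if isinstance(attrs[key], list) else [attrs[key]]
                attrs[key] = prev + [value]
            else:
                attrs[key] = value
    return attrs


def audit_computer_account(attrs):
    """Decoded view of the account plus warnings for risky userAccountControl bits."""
    flags = decode_uac(int(attrs["userAccountControl"]))
    return {
        "account": attrs["sAMAccountName"],
        "type": SAM_ACCOUNT_TYPES.get(int(attrs["sAMAccountType"]), "unknown"),
        "uac_flags": flags,
        "pwdLastSet": filetime_to_datetime(int(attrs["pwdLastSet"])),
        "expires": filetime_to_datetime(int(attrs["accountExpires"])),
        "spn": attrs.get("servicePrincipalName"),
        "warnings": [f"{f}: {RISKY_UAC[f]}" for f in flags if f in RISKY_UAC],
    }


# Constructed sample: attribute lines taken from the post's dump.
SAMPLE = """\
accountExpires: 9223372036854775807
cn: pan
-------------- Security Descriptor (revision: 1, type: 0x8c14)
access SID: S-1-5-32-548
-------------- End Of Security Descriptor
objectClass: top
objectClass: computer
objectSid: S-1-5-21-353111985-644491385-32730383-1175
pwdLastSet: 126792633499442796
sAMAccountName: pan$
sAMAccountType: 805306369
servicePrincipalName: HOST/pan
userAccountControl: 2691072
"""

if __name__ == "__main__":
    for key, value in audit_computer_account(parse_net_ads_status(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run against the posted values, `pwdLastSet` comes out as 2002-10-16 17:35:49 UTC, matching `whenCreated: 20021016173549.0Z`, and the two warnings are for TRUSTED_FOR_DELEGATION and USE_DES_KEY_ONLY. The first is the one worth acting on after any join: a computer object trusted for unconstrained delegation collects forwarded TGTs of every user who authenticates to it, so that bit should be cleared on the DC unless the host really is meant to delegate.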