[Samba] Problem with Samba 3 as member server in Win2K/ADS domain
Jon Rabone
jon.rabone at criticalblue.com
Mon Sep 2 05:38:01 GMT 2002
Hi,

I'm having problems getting Samba 3 working in a Win2K/ADS domain. I
don't want Samba to be a PDC - just a member server. I have two boxes,
aquarius (Windows 2000 Server DC) and gemini (Debian Linux, current
development version).

I do both a kinit, and a net ads join successfully, but if I try to
access shares on the DC, I get:

# smbclient -k -L aquarius
added interface ip=192.168.0.5 bcast=192.168.0.255 nmask=255.255.255.0
Doing spnego session setup (blob length=118)
Doing kerberos session setup
krb5_get_credentials failed for aquarius$@EDI.COMPANY.COM (No
credentials found with supported encryption types)
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED

klist on gemini shows:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: GEMINI$@EDI.COMPANY.COM
Valid starting Expires Service principal
09/01/02 18:12:14 09/02/02 04:12:14
krbtgt/EDI.COMPANY.COM at EDI.COMPANY.COM
09/01/02 18:12:14 09/02/02 04:12:14 ldap/aquarius at EDI.COMPANY.COM
Kerberos 4 ticket cache: /tmp/tkt0

I think this might be something to do with NTLMv2 - our Win2K domain is
a native-mode domain, with no down-level clients. The domain policy is
set to only allow NTLMv2 auth. Running klist on the Win2K server, I get
(amongst others):

Server: AQUARIUS$@EDI.CRITICALBLUE.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 9/2/2002 15:31:01
Renew Time: 9/9/2002 5:31:01

Server: HOST/gemini at EDI.CRITICALBLUE.COM
KerbTicket Encryption Type: Kerberos DES-CBC-MD5
End Time: 9/2/2002 3:57:26
Renew Time: 9/8/2002 17:57:26

Is the error message from "krb5_get_credentials" indicating that RSADSI
RC4-HMAC(NT) is unsupported in Samba at the moment? Is this something
that I've not configured at the Linux end, or is it a limitation of
Samba at the present?

I'm using a CVS snapshot of Samba dated 2002-08-27 (Debian packaged
version). I'm happy to experiment on the Linux server - the Windows
server is in production use so I don't want to do anything too drastic
to it.

Thanks,
Jon