[Samba] Problem with Samba 3 as member server in Win2K/ADS domain

Jon Rabone jon.rabone at criticalblue.com
Mon Sep 2 05:38:01 GMT 2002


Hi,

I'm having problems getting Samba 3 working in a Win2K/ADS domain. I
don't want Samba to be a PDC - just a member server. I have two boxes,
aquarius (Windows 2000 Server DC) and gemini (Debian Linux, current
development version).

I do both a kinit, and a net ads join successfully, but if I try to
access shares on the DC, I get: 

# smbclient -k -L aquarius
added interface ip=192.168.0.5 bcast=192.168.0.255 nmask=255.255.255.0
Doing spnego session setup (blob length=118)
Doing kerberos session setup
krb5_get_credentials failed for aquarius$@EDI.COMPANY.COM (No credentials found with supported encryption types)
session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED

klist on gemini shows:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: GEMINI$@EDI.COMPANY.COM

Valid starting     Expires            Service principal
09/01/02 18:12:14  09/02/02 04:12:14  krbtgt/EDI.COMPANY.COM@EDI.COMPANY.COM
09/01/02 18:12:14  09/02/02 04:12:14  ldap/aquarius@EDI.COMPANY.COM

Kerberos 4 ticket cache: /tmp/tkt0

I think this might be something to do with NTLMv2 - our Win2K domain is
a native-mode domain, with no down-level clients. The domain policy is
set to only allow NTLMv2 auth. Running klist on the Win2K server, I get
(amongst others):


   Server: AQUARIUS$@EDI.CRITICALBLUE.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 9/2/2002 15:31:01
      Renew Time: 9/9/2002 5:31:01

   Server: HOST/gemini@EDI.CRITICALBLUE.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 9/2/2002 3:57:26
      Renew Time: 9/8/2002 17:57:26

Is the error message from "krb5_get_credentials" indicating that RSADSI
RC4-HMAC(NT) is unsupported in Samba at the moment? Is this something
that I've not configured at the Linux end, or is it a limitation of
Samba at the present?

I'm using a CVS snapshot of Samba dated 2002-08-27 (Debian packaged
version). I'm happy to experiment on the Linux server - the Windows
server is in production use so I don't want to do anything too drastic
to it.

Thanks,

Jon
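
The check this question turns on, comparing each ticket's encryption type with the set the client's Kerberos library accepts, as an added example that is not part of the original post. The function names are hypothetical, the sample is the two klist entries quoted above with "@" restored, and the client enctype set is an assumption to be replaced with the real one.

```python
import re

# Windows klist display names -> (Kerberos enctype name, enctype number)
WINDOWS_ETYPES = {
    "RSADSI RC4-HMAC(NT)": ("rc4-hmac", 23),
    "Kerberos DES-CBC-MD5": ("des-cbc-md5", 3),
    "Kerberos DES-CBC-CRC": ("des-cbc-crc", 1),
}

# Constructed sample: the two entries quoted in the post.
SAMPLE = """\
   Server: AQUARIUS$@EDI.CRITICALBLUE.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 9/2/2002 15:31:01
      Renew Time: 9/9/2002 5:31:01

   Server: HOST/gemini@EDI.CRITICALBLUE.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 9/2/2002 3:57:26
      Renew Time: 9/8/2002 17:57:26
"""

def parse_klist(text):
    """Return [(server, windows_etype_name)] from Windows klist output."""
    tickets, server = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Server:\s*(\S+)", line)
        if m:
            server = m.group(1)
            continue
        m = re.match(r"\s*KerbTicket Encryption Type:\s*(.+?)\s*$", line)
        if m and server:
            tickets.append((server, m.group(1)))
            server = None
    return tickets

def unsupported_tickets(text, client_etypes):
    """List tickets whose enctype is not in the client's accepted set."""
    problems = []
    for server, win_name in parse_klist(text):
        # Unknown display names are reported as-is with no number.
        name, number = WINDOWS_ETYPES.get(win_name, (win_name, None))
        if name not in client_etypes:
            problems.append((server, name, number))
    return problems

if __name__ == "__main__":
    # Assumption: a DES-only client library; substitute the real list.
    for server, name, number in unsupported_tickets(SAMPLE, {"des-cbc-md5", "des-cbc-crc"}):
        print(f"{server}: {name} (etype {number}) not usable by this client")
```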



