[Samba] Windows 2000 and krb5 tickets.

Tom Dickson tdickson at inostor.com
Fri Dec 12 17:07:45 GMT 2003



You can try running the

strings /usr/lib/libkrb5.so.3.2 | grep BRAND

command and looking at what you get. 1-3-1 or something is MIT.

Also, I'm wondering if the fact that you can connect by IP and not by
name indicates that the 2000 server is looking up the name in, say, DNS
only and ignoring WINS. Perhaps my WINS server is misconfigured.

Well, I have to run Netbench tests, so I just dropped back to NT4 style
auth, which works fine for me.

- -Tom

Tim Jordan wrote:

| Perhaps we can work together.  Jerry mentioned in previous posts about
| the encryption options in the krb5.conf.
| The Official Samba How To states: "On a Windows 2000 client, try net
| use * \\server\share.  You should be logged in with Kerberos without
| needing to know a password.  If this fails then run klist tickets.
| Did you get a ticket for the server?  Does it have an encryption type of
| DES-CBC-MD5?"
|
| "Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
| encoding."
|
| I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
| Jerry suggested:
|
| /etc/krb5.conf:
|
|>[root at ANC-MDK-SMB3 samba3]# cat /etc/krb5.conf
|>[logging]
|> default = FILE:/var/log/kerberos/krb5libs.log
|> kdc = FILE:/var/log/kerberos/krb5kdc.log
|> admin_server = FILE:/var/log/kerberos/kadmind.log
|>
|>[libdefaults]
|> ticket_lifetime = 24000
|> default_realm = LABOR.AK
|> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
|> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
|> permitted_enctypes = des-cbc-md5 des-cbc-crc
|> dns_lookup_realm = false
|> dns_lookup_kdc = false
|> kdc_req_checksum_type = 2
|> checksum_type = 2
|> ccache_type = 1
|> forwardable = true
|> proxiable = true
|>
|>[realms]
|> LABOR.AK = {
|>  kdc = MY-KDC.LABOR.AK:88
|>  admin_server = MY-KDC.LABOR.AK:749
|>  default_domain = LABOR.AK
|> }
|>
|>[domain_realm]
|> .LABOR.AK = LABOR.AK
|>
|>[kdc]
|> profile = /etc/kerberos/krb5kdc/kdc.conf
|>
|>[pam]
|> debug = false
|> ticket_lifetime = 36000
|> renew_lifetime = 36000
|> forwardable = true
|> krb4_convert = false
|>
|> [login]
|> krb4_convert = false
|> krb4_get_tickets = false
|>
| It did change the encryption ticket I'm getting when I kinit as my
| username.
|
|>Valid starting     Expires            Service principal
|>12/11/03 16:00:49  12/12/03 02:01:00  krbtgt/LABOR.AK at LABOR.AK
|>        renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode
|>with RSA-MD5, DES cbc mode with RSA-MD5
|>
|>
|>Kerberos 4 ticket cache: /tmp/tkt0
|>
| Notice I'm getting "DES cbc mode with RSA-MD5".
|
| This did not solve the underlying problem of being able to view the
| samba shares from a w2k or xp client.
|
| How would I be able to tell if I'm using MIT or Heimdal kerberos?
|
| I did get this working on a Gentoo system, so I know it works.
|
| Who knows encryption on the list that can advise....anyone?
|
| Tim
|
| On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:
|
|>Same problem. I have been with it for weeks. I can connect using IP
|>address from the Win2k clients however with the netbios name I get the
|>error.
|>
|>Someone has told me today that this was solved in the new release
|>samba-3.0.1rc2-1 , however I've already tested it and I still have the
|>same problem.
|>
|>Please any more clues.
|>
|>Thanks,
|>
|>Fernando.
|>
|>
|>On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
|>> I'm getting same error about encryption ...
|>>
|>> I have taken Tom's lead and have provided the output below.  Is there a
|>> certain version of krb5 that we should be running?
|>>
|>>
|>> root at ANC-MDK-SMB3 tim]# smbd3 --version
|>> Version 3.0.1pre3
|>>
|>> [root at ANC-MDK-SMB3 tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
|>> KRB5_BRAND: krb5-1-3-final 1.3 20030708
|>>
|>> I'm running Mandrake 9.2
|>>
|>> Thank You Samba Team!
|>> Tim
|>>
|>> On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
|>>
|>> >
|>> > OK. I've done some more research, and here's what I get.
|>> >
|>> > smbd --version
|>> > Version 3.0.0
|>> >
|>> > strings libkrb5.so.3.2 | grep BRAND
|>> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
|>> >
|>> > Everything seems to work, but trying to access the Samba server
|>> > results in:
|>> >
|>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
|>> > ~  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
|>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
|>> > ~  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
|>> > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
|>> > ~  Failed to verify incoming ticket!
|>> > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
|>> > ~  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
|>> > NT_STATUS_LOGON_FAILURE
|>> >
|>> > This is the same error you get if you're running the wrong KRB5 libs,
|>> > but I've the right ones. The windows 2000 machine is 5.00.2195
|>> >
|>> > Windows 2000 clients connect to the ADS server fine, and will connect to
|>> > the Samba server if you enter Username/Password. The 2000 server cannot
|>> > connect to the Samba machine at all, even with the right username/pass.
|>> >
|>> > Is there a magic registry setting I'm missing? I've changed the
|>> > Administrator password at least once.
|>> >
|>> > - -Tom
|>
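Tom's quoted smbd log names the failing enctype only by number, while Tim's krb5.conf restricts permitted_enctypes to DES types. This added Python example (not Samba code; the conf fragment and log line are copied from the thread as constructed input) decodes the number, which for [23] is ARCFOUR-HMAC-MD5, and reports whether the configured permitted_enctypes include it.

```python
# Added example for this thread, not Samba code: decode the enctype number
# in smbd's "enc type [N] failed to decrypt" line and check it against
# the permitted_enctypes in krb5.conf. Numbers follow RFC 3961 / RFC 4757.
import re

# Kerberos encryption type number -> name
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",  # RC4-HMAC, the Windows 2000 default
}

# Constructed sample input: the [libdefaults] section quoted in the thread.
KRB5_CONF = """[libdefaults]
 default_realm = LABOR.AK
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 permitted_enctypes = des-cbc-md5 des-cbc-crc
"""

# Constructed sample input: the smbd level-3 debug line quoted in the thread.
SMBD_LOG = ("ads_verify_ticket: enc type [23] failed to decrypt with error "
            "Decrypt integrity check failed")

def permitted_enctypes(conf):
    """Return the permitted_enctypes list from [libdefaults] (empty if unset)."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+)$", conf, re.MULTILINE)
    return m.group(1).split() if m else []

def failing_enctype(log_line):
    """Extract the numeric enctype from an ads_verify_ticket failure line."""
    m = re.search(r"enc type \[(\d+)\] failed to decrypt", log_line)
    return int(m.group(1)) if m else None

def diagnose(conf, log_line):
    """Name the failing enctype and report whether krb5.conf permits it."""
    etype = failing_enctype(log_line)
    if etype is None:
        return None
    name = ENCTYPES.get(etype, "unknown")
    allowed = permitted_enctypes(conf)
    return {"etype": etype, "name": name, "permitted": name in allowed,
            "allowed": allowed}

if __name__ == "__main__":
    print(diagnose(KRB5_CONF, SMBD_LOG))
```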