[Samba] Windows 2000 and krb5 tickets...SOLVED
M.C.Hudson
M.C.Hudson at open.ac.uk
Sat Dec 13 00:23:45 GMT 2003
Fantastic! On Monday I'll give it a try!
-----Original Message-----
From: Tim Jordan [mailto:timothy_jordan at labor.state.ak.us]
Sent: Fri 12/12/2003 20:56
To: Tom Dickson; m.c.hudson at open.ac.uk; admina at labor.ak.us
Cc: fernandor at sescam.jccm.es; jerry at samba.org; samba at samba.org
Subject: Re: [Samba] Windows 2000 and krb5 tickets...SOLVED
Browsing is working from my W2K and XP clients to the samba server using kerberos.
Samba Server is joined to Active Directory as a Domain Member server.
I commented out the following line of my krb5.conf:
#permitted_enctypes = des-cbc-crc des-cbc-md5
Make sure these lines are correct:
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
*Make sure to stop and restart smbd, nmbd, and winbindd. These changes did nothing for me until I restarted at least winbindd.
I set this up with Mandrake 9.2 using samba3.0.1-0.pre3.2mdk.i586 rpm's from:
http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/
I'm working on a final write up of my configuration if anyone is interested in creating an Active Directory member server running Samba 3.
Thanks to Jeff Jordan with the State of Alaska, Dept. of Labor for lending his Windows expertise!
Tim
On Fri, 2003-12-12 at 08:07, Tom Dickson wrote:
You can try running the
strings /usr/lib/libkrb5.so.3.2 | grep BRAND
command and looking at what you get. 1-3-1 or something is MIT.
Also, I'm wondering if the fact that you can connect by IP and not by
name indicates that the 2000 server is looking up the name in, say, DNS
only and ignoring WINS. Perhaps my WINS server is misconfigured.
Well, I have to run Netbench tests, so I just dropped back to NT4 style
auth, which works fine for me.
-Tom
Tim Jordan wrote:
| Perhaps we can work together. Jerry mentioned in previous posts about
| the encryption options if the krb5.conf.
| The Official Samba How To states: "On a Windows 2000 client, try net
| use * \\server\share. You should be logged in with Kerberos without
| needing to know a password. If this fails then run klist tickets.
| Did you get a ticket for the server? Does it have an encryption type of
| DES-CBC-MD5?"
|
| "Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
| encoding."
|
| I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
| Jerry suggested:
|
| /etc/krb5.conf:
|
|>[root at ANC-MDK-SMB3 samba3]# cat /etc/krb5.conf
|>[logging]
|> default = FILE:/var/log/kerberos/krb5libs.log
|> kdc = FILE:/var/log/kerberos/krb5kdc.log
|> admin_server = FILE:/var/log/kerberos/kadmind.log
|>
|>[libdefaults]
|> ticket_lifetime = 24000
|> default_realm = LABOR.AK
|> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
|> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
|> permitted_enctypes = des-cbc-md5 des-cbc-crc
|> dns_lookup_realm = false
|> dns_lookup_kdc = false
|> kdc_req_checksum_type = 2
|> checksum_type = 2
|> ccache_type = 1
|> forwardable = true
|> proxiable = true
|>
|>[realms]
|> LABOR.AK = {
|> kdc = MY-KDC.LABOR.AK:88
|> admin_server = MY-KDC.LABOR.AK:749
|> default_domain = LABOR.AK
|> }
|>
|>[domain_realm]
|> .LABOR.AK = LABOR.AK
|>
|>[kdc]
|> profile = /etc/kerberos/krb5kdc/kdc.conf
|>
|>[pam]
|> debug = false
|> ticket_lifetime = 36000
|> renew_lifetime = 36000
|> forwardable = true
|> krb4_convert = false
|>
|> [login]
|> krb4_convert = false
|> krb4_get_tickets = false
|>
| It did change the encryption ticket I'm getting when I kinit as my username.
|
|>Valid starting     Expires            Service principal
|>12/11/03 16:00:49  12/12/03 02:01:00  krbtgt/LABOR.AK at LABOR.AK
|>        renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
|>
|>
|>Kerberos 4 ticket cache: /tmp/tkt0
|>
| Notice I'm getting "DES cbc mode with RSA-MD5".
|
| This did not solve the underlying problem of being able to view the samba shares from a w2k or xp client.
|
| How would I be able to tell if I'm using MIT or Heimdal kerberos?
|
| I did get this working on a Gentoo system, so I know it works.
|
| Who knows encryption on the list that can advise....anyone?
|
| Tim
|
| On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:
|
|>Same problem. I have been with it for weeks. I can connect using IP
|>address from the Win2k clients however with the netbios name I get the
|>error.
|>
|>Someone has told me today that this was solved in the new release
|>samba-3.0.1rc2-1 , however I've already tested it and I still have the
|>same problem.
|>
|>Please any more clues.
|>
|>Thanks,
|>
|>Fernando.
|>
|>
|>On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
|>> I'm getting same error about encryption ...
|>>
|>> I have taken Tom's lead and have provided the output below. Is there a
|>> certain version of krb5 that we should be running?
|>>
|>>
|>> [root at ANC-MDK-SMB3 tim]# smbd3 --version
|>> Version 3.0.1pre3
|>>
|>> [root at ANC-MDK-SMB3 tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
|>> KRB5_BRAND: krb5-1-3-final 1.3 20030708
|>>
|>> I'm running Mandrake 9.2
|>>
|>> Thank You Samba Team!
|>> Tim
|>>
|>> On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
|>>
|>> >
|>> > OK. I've done some more research, and here's what I get.
|>> >
|>> > smbd --version
|>> > Version 3.0.0
|>> >
|>> > strings libkrb5.so.3.2 | grep BRAND
|>> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
|>> >
|>> > Everything seems to work, but trying to access the Samba server results in:
|>> >
|>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
|>> > ~ ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
|>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
|>> > ~ ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
|>> > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
|>> > ~ Failed to verify incoming ticket!
|>> > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
|>> > ~ error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
|>> >
|>> > This is the same error you get if you're running the wrong KRB5 libs,
|>> > but I've the right ones. The windows 2000 machine is 5.00.2195
|>> >
|>> > Windows 2000 clients connect to the ADS server fine, and will connect to
|>> > the Samba server if you enter Username/Password. The 2000 server cannot
|>> > connect to the Samba machine at all, even with the right username/pass.
|>> >
|>> > Is there a magic registry setting I'm missing? I've changed the
|>> > Administrator password at least once.
|>> >
|>> > -Tom
|>
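A small check for the failure discussed in this thread, added here as an example and not code from the thread, from Samba or from MIT krb5: it reads the active permitted_enctypes from the [libdefaults] section of a krb5.conf, pulls the etype number out of the "failed to decrypt" lines of an smbd log (etype 23 is RC4-HMAC, the type Windows 2000/XP clients present), and reports whether that krb5.conf would let the library accept it. The realm, file names and log lines are constructed samples, not values from the thread.

```shell
#!/bin/sh
# Added example: does this krb5.conf reject the etype smbd says it cannot decrypt?
# Kerberos etype number -> enctype name (RFC 3961 / RFC 4757 assignments)
etype_name() {
    case "$1" in
        1)  echo des-cbc-crc ;;
        3)  echo des-cbc-md5 ;;
        17) echo aes128-cts-hmac-sha1-96 ;;
        18) echo aes256-cts-hmac-sha1-96 ;;
        23) echo arcfour-hmac-md5 ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Print the active permitted_enctypes value from [libdefaults] of krb5.conf $1,
# or "unset" when the line is absent or commented out (library default applies).
permitted_enctypes() {
    awk '/^[ \t]*\[/ { sect = $0 }
         sect ~ /libdefaults/ && /^[ \t]*permitted_enctypes[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); print; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Return 0 if a ticket of etype $2 can be accepted under krb5.conf $1, else 1.
etype_allowed() {
    perm=$(permitted_enctypes "$1")
    [ "$perm" = "unset" ] && return 0
    case " $perm " in *" $(etype_name "$2") "*) return 0 ;; esac
    return 1
}

# Print the etype number from every "failed to decrypt" line of smbd log $1.
failed_etypes() {
    sed -n 's/.*ads_verify_ticket: enc type \[\([0-9]*\)\] failed to decrypt.*/\1/p' "$1"
}

# Constructed sample inputs (placeholder realm; DES-only config vs. the fix).
TMP=$(mktemp -d)
printf '[libdefaults]\n default_realm = EXAMPLE.TEST\n permitted_enctypes = des-cbc-md5 des-cbc-crc\n' > "$TMP/krb5-des-only.conf"
printf '[libdefaults]\n default_realm = EXAMPLE.TEST\n #permitted_enctypes = des-cbc-md5 des-cbc-crc\n' > "$TMP/krb5-fixed.conf"
printf '%s\n' '[2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)' \
  '  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed' \
  '[2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)' > "$TMP/smbd.log"

for e in $(failed_etypes "$TMP/smbd.log"); do
    etype_allowed "$TMP/krb5-des-only.conf" "$e" || echo "etype $e ($(etype_name "$e")) rejected by krb5-des-only.conf"
done
```

Run it against the real /etc/krb5.conf and the smbd log in place of the samples; no output means the listed enctypes are not what is blocking the ticket.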