[Samba] Windows 2000 and krb5 tickets...SOLVED
Fernando Ruza
fernandor at sescam.jccm.es
Mon Dec 15 09:57:40 GMT 2003
Hi,
I did what you advise. I still have the same problem. Can see the shares
from Win2k and XP but cannot browse the share that need authentication
(valid users). I can map them with IP address but not with netbios name.
I don't get any ticket from win2k and XP clients.
All of the following works right: net ads leave, net ads join, wbinfo
-u, wbinfo -g, getent passwd, getent group, smbclient
//win2k_server/share -k
Could you see something wrong in my conf files?? Any more things to try
??
My krb5.conf file is the following:
======================= krb5.conf ==========================
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = HGUV.LOCAL
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
# permitted_enctypes = des-cbc-md5 des-cbc-crc
kdc_req_checksum_type = 2
clockskew = 600
dns_lookup_realm = false
dns_lookup_kdc = true
forwardable = true
proxiable = true
checksum_type = 2
ccache_type = 1
[realms]
HGUV.LOCAL = {
kdc = 10.36.192.24:88
admin_server = 10.36.192.24:749
default_domain = hguv.local
}
[domain_realm]
.hguv.local = HGUV.LOCAL
hguv.local = HGUV.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[login]
krb4_convert = false
krb4_get_tickets = false
================================================================
The tickets I get are:
[root at HSERINT1 etc]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADMINISTRADOR at HGUV.LOCAL
Valid starting Expires Service principal
12/15/03 09:34:53 12/15/03 19:34:54 krbtgt/HGUV.LOCAL at HGUV.LOCAL
renew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with
CRC-32, DES cbc mode with CRC-32
12/15/03 09:35:09 12/15/03 19:34:54 hserofi1$@HGUV.LOCAL
renew until 12/16/03 09:34:53, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
12/15/03 09:35:09 12/15/03 19:34:54 kadmin/changepw at HGUV.LOCAL
renew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with
CRC-32, DES cbc mode with CRC-32
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
=================================================================
I don't get a ticket for Win2k and XP clients.
More interested info:
================ libs used by winbindd and smbd ================
[root at HSERINT1 sbin]# ldd winbindd
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4002c000)
libresolv.so.2 => /lib/libresolv.so.2 (0x4005a000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4006c000)
libdl.so.2 => /lib/libdl.so.2 (0x40081000)
libpopt.so.0 => /usr/lib/libpopt.so.0 (0x40084000)
libcrypto.so.2 => /lib/libcrypto.so.2 (0x4008c000)
libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x40160000)
libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x40172000)
libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x401d0000)
libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x401f0000)
libldap.so.2 => /usr/lib/libldap.so.2 (0x401f2000)
liblber.so.2 => /usr/lib/liblber.so.2 (0x4021c000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40228000)
libssl.so.2 => /lib/libssl.so.2 (0x40233000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40263000)
libpam.so.0 => /lib/libpam.so.0 (0x4026a000)
[root at HSERINT1 sbin]# ldd smbd
libldap.so.2 => /usr/lib/libldap.so.2 (0x4002c000)
liblber.so.2 => /usr/lib/liblber.so.2 (0x40057000)
libcrypto.so.2 => /lib/libcrypto.so.2 (0x40062000)
libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x40136000)
libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x40147000)
libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x401a5000)
libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x401c5000)
libresolv.so.2 => /lib/libresolv.so.2 (0x401c8000)
libcups.so.2 => /usr/lib/libcups.so.2 (0x401da000)
libssl.so.2 => /lib/libssl.so.2 (0x401f4000)
libnsl.so.1 => /lib/libnsl.so.1 (0x40224000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40239000)
libpam.so.0 => /lib/libpam.so.0 (0x40266000)
libattr.so.1 => /lib/libattr.so.1 (0x4026f000)
libacl.so.1 => /lib/libacl.so.1 (0x40273000)
libdl.so.2 => /lib/libdl.so.2 (0x4027b000)
libpopt.so.0 => /usr/lib/libpopt.so.0 (0x4027e000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40286000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40292000)
======================== kerberos version ===============
[root at HSERINT1 sbin]# strings /usr/local/lib/libkrb5.so.3.2 | grep BRAND
KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
======================== ld.so.conf =====================
/usr/local/lib
/usr/X11R6/lib
/usr/lib/mysql
/usr/lib/qt-3.0.5/lib
/usr/lib/sane
/usr/lib/qt2/lib
/usr/lib/wine
================= smb.conf ========================
[global]
workgroup = HGUV
realm = HGUV.LOCAL
server string = %h server (Samba %v)
security = ADS
password server = 10.36.192.24
log level = 2 winbind:5
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +
printing = lprng
[homes]
comment = Home Directories
path = /home/%U
valid users = %D+%U
read only = No
create mask = 0664
directory mask = 0775
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[tmp]
comment = Temporary file space
path = /tmp
force user = inform
force group = inform
read only = No
guest ok = Yes
[Intranet]
comment = DocumentRoot del servidor web de la intranet del HGUV
path = /var/www
valid users = root, HGUV+Administrador, HGUV+fruza, HGUV+bperez
force user = inform
force group = inform
read only = No
create mask = 0777
directory mask = 0777
[mysql]
comment = Base de datos mysql
path = /var/lib/mysql
force user = inform
force group = inform
read only = No
guest ok = Yes
=========================================================
Thanks in advanced for any reply,
Fernando.
On Fri, 2003-12-12 at 21:56, Tim Jordan wrote:
> Browsing is working from my W2K and XP clients to the samba server
> using kerberos.
> Samba Server is joined to Active Directory as a Domain Member server.
>
> I commented out the following line of my krb5.conf:
>
> #permitted_enctypes = des-cbc-crc des-cbc-md5
>
> Make sure these lines are correct:
> default_tgs_enctypes = des-cbc-crc des-cbc-md5
> efault_tkt_enctypes = des-cbc-crc des-cbc-md5
>
> *Make sure to stop and restart smbd, nmbd, and winbindd. These
> changes did nothing for me until I restarted at least winbindd.
>
>
> I set this up with Mandrake 9.2 using samba3.0.1-0.pre3.2mdk.i586
> rpm's from:
> http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/
>
>
> I'm working on a final write up of my configuration if anyone is
> interested in creating an Active Directory member server running Samba
> 3.
>
> Thanks to Jeff Jordan with the State of Alaska, Dept. of Labor for
> lending his Windows expertise!
>
> Tim
>
>
>
>
> On Fri, 2003-12-12 at 08:07, Tom Dickson wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > You can try running the
> >
> > strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> >
> > command and looking at what you get. 1-3-1 or something is MIT.
> >
> > Also, I'm wondering if the fact that you can connect by IP and not by
> > name indicates that the 2000 server is looking up the name in, say, DNS
> > only and ignoring WINS. Perhaps my WINS server is misconfigured.
> >
> > Well, I have to run Netbench tests, so I just dropped back to NT4 style
> > auth, which works fine for me.
> >
> > - -Tom
> >
> > Tim Jordan wrote:
> >
> > | Perhaps we can work together. Jerry mentioned in previous posts about
> > | the encryption options if the krb5.conf.
> > | The Official Samba How To states: " On a Windows 2000 client, try /net
> > | use * \\server\share/. You should be logged in with Kerberos without
> > | needing to know a password. If this fails then run /klist tickets./
> > | Did you get a tecket for the server? Does it have an encryption type of
> > | DES-CBC-MD5?"
> > |
> > | "Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
> > | encoding."
> > |
> > | I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
> > | Jerry sugested:
> > |
> > | /etc/krb5.conf:
> > |
> > |>[root at ANC-MDK-SMB3 samba3]# cat /etc/krb5.conf
> > |>[logging]
> > |> default = FILE:/var/log/kerberos/krb5libs.log
> > |> kdc = FILE:/var/log/kerberos/krb5kdc.log
> > |> admin_server = FILE:/var/log/kerberos/kadmind.log
> > |>
> > |>[libdefaults]
> > |> ticket_lifetime = 24000
> > |> default_realm = LABOR.AK
> > |> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> > |> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > |> permitted_enctypes = des-cbc-md5 des-cbc-crc
> > |> dns_lookup_realm = false
> > |> dns_lookup_kdc = false
> > |> kdc_req_checksum_type = 2
> > |> checksum_type = 2
> > |> ccache_type = 1
> > |> forwardable = true
> > |> proxiable = true
> > |>
> > |>[realms]
> > |> LABOR.AK = {
> > |> kdc = MY-KDC.LABOR.AK:88
> > |> admin_server = MY-KDC.LABOR.AK:749
> > |> default_domain = LABOR.AK
> > |> }
> > |>
> > |>[domain_realm]
> > |> .LABOR.AK = LABOR.AK
> > |>
> > |>[kdc]
> > |> profile = /etc/kerberos/krb5kdc/kdc.conf
> > |>
> > |>[pam]
> > |> debug = false
> > |> ticket_lifetime = 36000
> > |> renew_lifetime = 36000
> > |> forwardable = true
> > |> krb4_convert = false
> > |>
> > |> [login]
> > |> krb4_convert = false
> > |> krb4_get_tickets = fals
> > |>
> > | It did change the encryption ticket I'm getting when /kinit/ as my
> > username.
> > |
> > |>Valid starting Expires Service principal
> > |>12/11/03 16:00:49 12/12/03 02:01:00 krbtgt/LABOR.AK at LABOR.AK
> > |> renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode
> > with RSA-MD5, DES cbc mode with RSA-MD5
> > |>
> > |>
> > |>Kerberos 4 ticket cache: /tmp/tkt0
> > |>
> > | Notice I'm getting "DES cbc mode with RSA-MD5".
> > |
> > | This did not solve the underlying problem of being able to view the
> > samba shares from a w2k or xp client.
> > |
> > | How would I be able to tell if I'm using MIT or Hemidal kerberos?
> > |
> > | I did get this working on a Gentoo system, so I know it works.
> > |
> > | Who knows encryption on the list that can advise....anyone?
> > |
> > | Tim
> > |
> > | On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:
> > |
> > |>/Same problem. I have been with it for weeks. I can connect using IP
> > |>address from the Win2k clients however with the netbios name I get the
> > |>error.
> > |>
> > |>Someone has told me today that this was solved in the new release
> > |>samba-3.0.1rc2-1 , however I've already tested it and I still have the
> > |>same problem.
> > |>
> > |>Please any more clues.
> > |>
> > |>Thanks,
> > |>
> > |>Fernando.
> > |>
> > |>
> > |>On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
> > |>> I'm getting same error about encryption ...
> > |>>
> > |>> I have taken Tom's lead and have provided the output below. Is there a
> > |>> certain version of krb5 that we should be running?
> > |>>
> > |>>
> > |>> root at ANC-MDK-SMB3 tim]# smbd3 --version
> > |>> Version 3.0.1pre3
> > |>>
> > |>> [root at ANC-MDK-SMB3 tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> > |>> KRB5_BRAND: krb5-1-3-final 1.3 20030708
> > |>>
> > |>> I'm running Mandrake 9.2
> > |>>
> > |>> Thank You Samba Team!
> > |>> Tim
> > |>>
> > |>> On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
> > |>>
> > |>> > -----BEGIN PGP SIGNED MESSAGE-----
> > |>> > Hash: SHA1
> > |>> >
> > |>> > OK. I've done some more research, and here's what I get.
> > |>> >
> > |>> > smbd --version
> > |>> > Version 3.0.0
> > |>> >
> > |>> > strings libkrb5.so.3.2 | grep BRAND
> > |>> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
> > |>> >
> > |>> > Everything seems to work, but trying to access the Samba server
> > results in:
> > |>> >
> > |>> > [2003/12/11 14:54:19, 3]
> > libads/kerberos_verify.c:ads_verify_ticket(308)
> > |>> > ~ ads_verify_ticket: enc type [23] failed to decrypt with error
> > Decrypt
> > |>> > integrity check failed
> > |>> > [2003/12/11 14:54:19, 3]
> > libads/kerberos_verify.c:ads_verify_ticket(316)
> > |>> > ~ ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption
> > type)
> > |>> > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > |>> > ~ Failed to verify incoming ticket!
> > |>> > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
> > |>> > ~ error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
> > |>> > NT_STATUS_LOGON_FAILURE
> > |>> >
> > |>> > This is the same error you get if you're running the wrong KRB5 libs,
> > |>> > but I've the right ones. The windows 2000 machine is 5.00.2195
> > |>> >
> > |>> > Windows 2000 clients connect to the ADS server fine, and will
> > connect to
> > |>> > the Samba server if you enter Username/Password. The 2000 server
> > cannot
> > |>> > connect to the Samba machine at all, even with the right
> > username/pass.
> > |>> >
> > |>> > Is there a magic registry setting I'm missing? I've changed the
> > |>> > Administrator password at least once.
> > |>> >
> > |>> > - -Tom
> > |>> > -----BEGIN PGP SIGNATURE-----
> > |>> > Version: GnuPG v1.2.2-nr2 (Windows 2000)
> > |>> > Comment: Using GnuPG with Mozilla - //_http://enigmail.mozdev.org_
> > |>> >
> > |>> > iD8DBQE/2PbO2dxAfYNwANIRAmuuAKCI9NMssxwHqQlyF7njkP+sZBt3PQCfWApO
> > |>> > F9F+8BTOPIyoybZBYIlCouU=
> > |>> > =94FA
> > |>> > -----END PGP SIGNATURE-----
> > |>/
> > |>
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.2-nr2 (Windows 2000)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQE/2fXg2dxAfYNwANIRAlFEAJ9uSUkNH5u/O2PBb8eY8PExrsq2rACdE6r/
> > xbPZjNjGNK2FYhHQZnqmgYs=
> > =2f/q
> > -----END PGP SIGNATURE-----
More information about the samba
mailing list