[Samba] Windows 2000 and krb5 tickets...SOLVED

Fernando Ruza fernandor at sescam.jccm.es
Mon Dec 15 09:57:40 GMT 2003


Hi,

I did what you advised. I still have the same problem. I can see the shares
from Win2k and XP but cannot browse the shares that need authentication
(valid users). I can map them with the IP address but not with the NetBIOS name.
I don't get any ticket from Win2k and XP clients.

All of the following works right: net ads leave, net ads join, wbinfo
-u, wbinfo -g, getent passwd, getent group, smbclient
//win2k_server/share -k

Can you see anything wrong in my conf files? Anything more to try?

My krb5.conf file is the following:

======================= krb5.conf ==========================

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = HGUV.LOCAL
 default_etypes = des-cbc-crc des-cbc-md5
 default_etypes_des = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
# permitted_enctypes = des-cbc-md5 des-cbc-crc
 kdc_req_checksum_type = 2
 clockskew = 600
 dns_lookup_realm = false
 dns_lookup_kdc = true
 forwardable = true
 proxiable = true
 checksum_type = 2
 ccache_type = 1

[realms]
 HGUV.LOCAL = {
  kdc = 10.36.192.24:88
  admin_server = 10.36.192.24:749
  default_domain = hguv.local
 }

[domain_realm]
 .hguv.local = HGUV.LOCAL
 hguv.local = HGUV.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[login]
 krb4_convert = false
 krb4_get_tickets = false

================================================================

The tickets I get are:

[root at HSERINT1 etc]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADMINISTRADOR at HGUV.LOCAL

Valid starting     Expires            Service principal
12/15/03 09:34:53  12/15/03 19:34:54  krbtgt/HGUV.LOCAL at HGUV.LOCAL
	renew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
12/15/03 09:35:09  12/15/03 19:34:54  hserofi1$@HGUV.LOCAL
	renew until 12/16/03 09:34:53, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
12/15/03 09:35:09  12/15/03 19:34:54  kadmin/changepw at HGUV.LOCAL
	renew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

=================================================================

I don't get a ticket for Win2k and XP clients.
More interesting info:

================ libs used by winbindd and smbd ================
[root at HSERINT1 sbin]# ldd winbindd
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x4002c000)
	libresolv.so.2 => /lib/libresolv.so.2 (0x4005a000)
	libnsl.so.1 => /lib/libnsl.so.1 (0x4006c000)
	libdl.so.2 => /lib/libdl.so.2 (0x40081000)
	libpopt.so.0 => /usr/lib/libpopt.so.0 (0x40084000)
	libcrypto.so.2 => /lib/libcrypto.so.2 (0x4008c000)
	libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x40160000)
	libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x40172000)
	libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x401d0000)
	libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x401f0000)
	libldap.so.2 => /usr/lib/libldap.so.2 (0x401f2000)
	liblber.so.2 => /usr/lib/liblber.so.2 (0x4021c000)
	libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
	libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40228000)
	libssl.so.2 => /lib/libssl.so.2 (0x40233000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
	libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40263000)
	libpam.so.0 => /lib/libpam.so.0 (0x4026a000)

[root at HSERINT1 sbin]# ldd smbd
	libldap.so.2 => /usr/lib/libldap.so.2 (0x4002c000)
	liblber.so.2 => /usr/lib/liblber.so.2 (0x40057000)
	libcrypto.so.2 => /lib/libcrypto.so.2 (0x40062000)
	libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x40136000)
	libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x40147000)
	libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x401a5000)
	libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x401c5000)
	libresolv.so.2 => /lib/libresolv.so.2 (0x401c8000)
	libcups.so.2 => /usr/lib/libcups.so.2 (0x401da000)
	libssl.so.2 => /lib/libssl.so.2 (0x401f4000)
	libnsl.so.1 => /lib/libnsl.so.1 (0x40224000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x40239000)
	libpam.so.0 => /lib/libpam.so.0 (0x40266000)
	libattr.so.1 => /lib/libattr.so.1 (0x4026f000)
	libacl.so.1 => /lib/libacl.so.1 (0x40273000)
	libdl.so.2 => /lib/libdl.so.2 (0x4027b000)
	libpopt.so.0 => /usr/lib/libpopt.so.0 (0x4027e000)
	libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
	libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40286000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
	libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40292000)

======================== kerberos version ===============

[root at HSERINT1 sbin]# strings /usr/local/lib/libkrb5.so.3.2 | grep BRAND
KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730

======================== ld.so.conf =====================

/usr/local/lib
/usr/X11R6/lib
/usr/lib/mysql
/usr/lib/qt-3.0.5/lib
/usr/lib/sane
/usr/lib/qt2/lib
/usr/lib/wine

================= smb.conf ========================
[global]
	workgroup = HGUV
	realm = HGUV.LOCAL
	server string = %h server (Samba %v)
	security = ADS
	password server = 10.36.192.24
	log level = 2 winbind:5
	log file = /var/log/samba/%m.log
	max log size = 0
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	dns proxy = No
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template shell = /bin/bash
	winbind separator = +
	printing = lprng

[homes]
	comment = Home Directories
	path = /home/%U
	valid users = %D+%U
	read only = No
	create mask = 0664
	directory mask = 0775
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

[tmp]
	comment = Temporary file space
	path = /tmp
	force user = inform
	force group = inform
	read only = No
	guest ok = Yes

[Intranet]
	comment = DocumentRoot del servidor web de la intranet del HGUV
	path = /var/www
	valid users = root, HGUV+Administrador, HGUV+fruza, HGUV+bperez
	force user = inform
	force group = inform
	read only = No
	create mask = 0777
	directory mask = 0777

[mysql]
	comment = Base de datos mysql
	path = /var/lib/mysql
	force user = inform
	force group = inform
	read only = No
	guest ok = Yes

=========================================================

Thanks in advance for any reply,

Fernando.


On Fri, 2003-12-12 at 21:56, Tim Jordan wrote:
> Browsing is working from my W2K and XP clients to the samba server
> using kerberos.
> Samba Server is joined to Active Directory as a Domain Member server.
>
> I commented out the following line of my krb5.conf:
>
>     #permitted_enctypes = des-cbc-crc des-cbc-md5
>
> Make sure these lines are correct:
>      default_tgs_enctypes = des-cbc-crc des-cbc-md5
>      default_tkt_enctypes = des-cbc-crc des-cbc-md5
>
> *Make sure to stop and restart smbd, nmbd, and winbindd.  These
> changes did nothing for me until I restarted at least winbindd.
>
>
> I set this up with Mandrake 9.2 using samba3.0.1-0.pre3.2mdk.i586
> rpm's from:
>         http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/
>
>
> I'm working on a final write up of my configuration if anyone is
> interested in creating an Active Directory member server running Samba
> 3.
>
> Thanks to Jeff Jordan with the State of Alaska, Dept. of Labor for
> lending his Windows expertise!
>
> Tim
>
>
>
>
> On Fri, 2003-12-12 at 08:07, Tom Dickson wrote:
> >
> > You can try running the
> >
> > strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> >
> > command and looking at what you get. 1-3-1 or something is MIT.
> >
> > Also, I'm wondering if the fact that you can connect by IP and not by
> > name indicates that the 2000 server is looking up the name in, say, DNS
> > only and ignoring WINS. Perhaps my WINS server is misconfigured.
> >
> > Well, I have to run Netbench tests, so I just dropped back to NT4 style
> > auth, which works fine for me.
> >
> > - -Tom
> >
> > Tim Jordan wrote:
> >
> > | Perhaps we can work together.  Jerry mentioned in previous posts about
> > | the encryption options if the krb5.conf.
> > | The Official Samba How To states: " On a Windows 2000 client, try /net
> > | use * \\server\share/.  You should be logged in with Kerberos without
> > | needing to know a password.  If this fails then run /klist tickets./
> > | Did you get a ticket for the server?  Does it have an encryption type of
> > | DES-CBC-MD5?"
> > |
> > | "Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
> > | encoding."
> > |
> > | I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
> > | Jerry suggested:
> > |
> > | /etc/krb5.conf:
> > |
> > |>[root at ANC-MDK-SMB3 samba3]# cat /etc/krb5.conf
> > |>[logging]
> > |> default = FILE:/var/log/kerberos/krb5libs.log
> > |> kdc = FILE:/var/log/kerberos/krb5kdc.log
> > |> admin_server = FILE:/var/log/kerberos/kadmind.log
> > |>
> > |>[libdefaults]
> > |> ticket_lifetime = 24000
> > |> default_realm = LABOR.AK
> > |> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> > |> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > |> permitted_enctypes = des-cbc-md5 des-cbc-crc
> > |> dns_lookup_realm = false
> > |> dns_lookup_kdc = false
> > |> kdc_req_checksum_type = 2
> > |> checksum_type = 2
> > |> ccache_type = 1
> > |> forwardable = true
> > |> proxiable = true
> > |>
> > |>[realms]
> > |> LABOR.AK = {
> > |>  kdc = MY-KDC.LABOR.AK:88
> > |>  admin_server = MY-KDC.LABOR.AK:749
> > |>  default_domain = LABOR.AK
> > |> }
> > |>
> > |>[domain_realm]
> > |> .LABOR.AK = LABOR.AK
> > |>
> > |>[kdc]
> > |> profile = /etc/kerberos/krb5kdc/kdc.conf
> > |>
> > |>[pam]
> > |> debug = false
> > |> ticket_lifetime = 36000
> > |> renew_lifetime = 36000
> > |> forwardable = true
> > |> krb4_convert = false
> > |>
> > |> [login]
> > |> krb4_convert = false
> > |> krb4_get_tickets = fals
> > |>
> > | It did change the encryption ticket I'm getting when /kinit/ as my username.
> > |
> > |>Valid starting     Expires            Service principal
> > |>12/11/03 16:00:49  12/12/03 02:01:00  krbtgt/LABOR.AK at LABOR.AK
> > |>        renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
> > |>
> > |>
> > |>Kerberos 4 ticket cache: /tmp/tkt0
> > |>
> > | Notice I'm getting "DES cbc mode with RSA-MD5".
> > |
> > | This did not solve the underlying problem of being able to view the samba shares from a w2k or xp client.
> > |
> > | How would I be able to tell if I'm using MIT or Heimdal kerberos?
> > |
> > | I did get this working on a Gentoo system, so I know it works.
> > |
> > | Who knows encryption on the list that can advise....anyone?
> > |
> > | Tim
> > |
> > | On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:
> > |
> > |>/Same problem. I have been with it for weeks. I can connect using IP
> > |>address from the Win2k clients however with the netbios name I get the
> > |>error.
> > |>
> > |>Someone has told me today that this was solved in the new release
> > |>samba-3.0.1rc2-1 , however I've already tested it and I still have the
> > |>same problem.
> > |>
> > |>Please any more clues.
> > |>
> > |>Thanks,
> > |>
> > |>Fernando.
> > |>
> > |>
> > |>On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
> > |>> I'm getting same error about encryption ...
> > |>>
> > |>> I have taken Tom's lead and have provided the output below.  Is there a
> > |>> certain version of krb5 that we should be running?
> > |>>
> > |>>
> > |>> root at ANC-MDK-SMB3 tim]# smbd3 --version
> > |>> Version 3.0.1pre3
> > |>>
> > |>> [root at ANC-MDK-SMB3 tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> > |>> KRB5_BRAND: krb5-1-3-final 1.3 20030708
> > |>>
> > |>> I'm running Mandrake 9.2
> > |>>
> > |>> Thank You Samba Team!
> > |>> Tim
> > |>>
> > |>> On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
> > |>>
> > |>> >
> > |>> > OK. I've done some more research, and here's what I get.
> > |>> >
> > |>> > smbd --version
> > |>> > Version 3.0.0
> > |>> >
> > |>> > strings libkrb5.so.3.2 | grep BRAND
> > |>> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
> > |>> >
> > |>> > Everything seems to work, but trying to access the Samba server results in:
> > |>> >
> > |>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
> > |>> > ~  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
> > |>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
> > |>> > ~  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> > |>> > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > |>> > ~  Failed to verify incoming ticket!
> > |>> > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
> > |>> > ~  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> > |>> >
> > |>> > This is the same error you get if you're running the wrong KRB5 libs,
> > |>> > but I've the right ones. The windows 2000 machine is 5.00.2195
> > |>> >
> > |>> > Windows 2000 clients connect to the ADS server fine, and will connect to
> > |>> > the Samba server if you enter Username/Password. The 2000 server cannot
> > |>> > connect to the Samba machine at all, even with the right username/pass.
> > |>> >
> > |>> > Is there a magic registry setting I'm missing? I've changed the
> > |>> > Administrator password at least once.
> > |>> >
> > |>> > - -Tom
> > |>/
> > |>
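A small diagnostic added here (not from the thread, and not Samba or MIT code): it parses the enctype lists in the [libdefaults] section of a krb5.conf and the ticket enctypes reported by klist -e, and lists tickets whose enctype the configuration does not allow, the DES-versus-RC4 mismatch the thread is chasing (in the klist output above the hserofi1$ machine ticket is ArcFour while the config lists only DES types). The klist-name mapping and the sample config and cache are assumptions modelled on the output quoted in the thread.

```python
import re

# MIT krb5 1.3 "klist -e" enctype names -> krb5.conf spelling and RFC 3961/4757 number
# (23 is the "enc type [23]" in the smbd log quoted in the thread).
KLIST_NAME_TO_ENCTYPE = {"DES cbc mode with CRC-32": ("des-cbc-crc", 1),
                         "DES cbc mode with RSA-MD5": ("des-cbc-md5", 3),
                         "ArcFour with HMAC/md5": ("arcfour-hmac-md5", 23)}

def libdefaults_value(krb5_conf, key):
    """Whitespace-split value of `key` in [libdefaults]; '#' comment lines are skipped."""
    in_section = False
    for line in (l.strip() for l in krb5_conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[libdefaults]"
        elif in_section and line.split("=", 1)[0].strip() == key:
            return line.split("=", 1)[1].split()
    return []

def ticket_enctypes(klist_output):
    """(service principal, ticket enctype name) pairs from "klist -e" output."""
    principal, pairs = None, []
    for line in klist_output.splitlines():
        m = re.match(r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\S+ \S+\s+(\S+)", line)
        if m:
            principal = m.group(1)
        elif principal and "Etype (skey, tkt):" in line:
            _skey, tkt = line.split("Etype (skey, tkt):", 1)[1].split(", ")
            pairs.append((principal, tkt.strip()))
    return pairs

def enctype_mismatches(krb5_conf, klist_output):
    """Tickets whose enctype is outside default_tgs_enctypes (and permitted_enctypes, if set)."""
    allowed = set(libdefaults_value(krb5_conf, "default_tgs_enctypes"))
    if permitted := set(libdefaults_value(krb5_conf, "permitted_enctypes")):
        allowed &= permitted
    found = [(p, *KLIST_NAME_TO_ENCTYPE.get(n, (n, None))) for p, n in ticket_enctypes(klist_output)]
    return [(p, name, num) for p, name, num in found if name not in allowed]

# Constructed sample modelled on the thread: DES-only krb5.conf, and a klist -e cache
# where the Win2k machine ticket is RC4 (mail line-wrapping undone).
KRB5_CONF = """[libdefaults]
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
# permitted_enctypes = des-cbc-md5 des-cbc-crc
"""
KLIST = """12/15/03 09:34:53  12/15/03 19:34:54  krbtgt/HGUV.LOCAL@HGUV.LOCAL
\trenew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
12/15/03 09:35:09  12/15/03 19:34:54  hserofi1$@HGUV.LOCAL
\trenew until 12/16/03 09:34:53, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""
```

Running `enctype_mismatches(KRB5_CONF, KLIST)` on the sample flags only the hserofi1$ ticket; adding arcfour-hmac-md5 to default_tgs_enctypes clears it.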


