[Samba] Windows 2000 and krb5 tickets...SOLVED
Tim Jordan
timothy_jordan at labor.state.ak.us
Tue Dec 16 11:19:32 GMT 2003
> > Should I have got one ticket for each Win2k or XP client connected ?? Is
> > this correct ??
My Samba server does not cache tickets for each Windows workstation that connects.
Tim
On Mon, 2003-12-15 at 11:10, Fernando Ruza wrote:
> Well, I think I have already solved my problem.
>
> I've changed the Administrator password (as it says in the samba howto
> page 84, 7.4.6. Notes) and now it works great :-D
>
> However, I have a doubt. After mapping from win2k client using:
>
> net use * \\MySambaServer\share
>
> The share is mapped properly but in my samba server I don't have a
> ticket for this win2k client:
>
> [root at HSERINT1 samba]# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ADMINISTRADOR at HGUV.LOCAL
>
> Valid starting Expires Service principal
> 12/15/03 10:57:13 12/15/03 20:57:14 krbtgt/HGUV.LOCAL at HGUV.LOCAL
> renew until 12/16/03 10:57:13, Etype (skey, tkt): DES cbc mode with
> CRC-32, DES cbc mode with CRC-32
> 12/15/03 10:57:49 12/15/03 20:57:14 hserofi1$@HGUV.LOCAL
> renew until 12/16/03 10:57:13, Etype (skey, tkt): ArcFour with
> HMAC/md5, ArcFour with HMAC/md5
> 12/15/03 10:57:49 12/15/03 20:57:14 kadmin/changepw at HGUV.LOCAL
> renew until 12/16/03 10:57:13, Etype (skey, tkt): DES cbc mode with
> CRC-32, DES cbc mode with CRC-32
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
>
> Should I have got one ticket for each Win2k or XP client connected ?? Is
> this correct ??
>
> Thanks in advanced,
>
> Fernando.
>
>
> On Mon, 2003-12-15 at 10:57, Fernando Ruza wrote:
> > Hi,
> >
> > I did what you advise. I still have the same problem. Can see the shares
> > from Win2k and XP but cannot browse the share that need authentication
> > (valid users). I can map them with IP address but not with netbios name.
> > I don't get any ticket from win2k and XP clients.
> >
> > All of the following works right: net ads leave, net ads join, wbinfo
> > -u, wbinfo -g, getent passwd, getent group, smbclient
> > //win2k_server/share -k
> >
> > Could you see something wrong in my conf files?? Any more things to try
> > ??
> >
> > My krb5.conf file is the following:
> >
> > ======================= krb5.conf ==========================
> >
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > ticket_lifetime = 24000
> > default_realm = HGUV.LOCAL
> > default_etypes = des-cbc-crc des-cbc-md5
> > default_etypes_des = des-cbc-crc des-cbc-md5
> > default_tgs_enctypes = des-cbc-crc des-cbc-md5
> > default_tkt_enctypes = des-cbc-crc des-cbc-md5
> > # permitted_enctypes = des-cbc-md5 des-cbc-crc
> > kdc_req_checksum_type = 2
> > clockskew = 600
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> > forwardable = true
> > proxiable = true
> > checksum_type = 2
> > ccache_type = 1
> >
> > [realms]
> > HGUV.LOCAL = {
> > kdc = 10.36.192.24:88
> > admin_server = 10.36.192.24:749
> > default_domain = hguv.local
> > }
> >
> > [domain_realm]
> > .hguv.local = HGUV.LOCAL
> > hguv.local = HGUV.LOCAL
> >
> > [kdc]
> > profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > [appdefaults]
> > pam = {
> > debug = false
> > ticket_lifetime = 36000
> > renew_lifetime = 36000
> > forwardable = true
> > krb4_convert = false
> > }
> >
> > [login]
> > krb4_convert = false
> > krb4_get_tickets = false
> >
> > ================================================================
> >
> > The tickets I get are:
> >
> > [root at HSERINT1 etc]# klist -e
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: ADMINISTRADOR at HGUV.LOCAL
> >
> > Valid starting Expires Service principal
> > 12/15/03 09:34:53 12/15/03 19:34:54 krbtgt/HGUV.LOCAL at HGUV.LOCAL
> > renew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with
> > CRC-32, DES cbc mode with CRC-32
> > 12/15/03 09:35:09 12/15/03 19:34:54 hserofi1$@HGUV.LOCAL
> > renew until 12/16/03 09:34:53, Etype (skey, tkt): ArcFour with
> > HMAC/md5, ArcFour with HMAC/md5
> > 12/15/03 09:35:09 12/15/03 19:34:54 kadmin/changepw at HGUV.LOCAL
> > renew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with
> > CRC-32, DES cbc mode with CRC-32
> >
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> >
> > =================================================================
> >
> > I don't get a ticket for Win2k and XP clients.
> > More interested info:
> >
> > ================ libs used by winbindd and smbd ================
> > [root at HSERINT1 sbin]# ldd winbindd
> > libcrypt.so.1 => /lib/libcrypt.so.1 (0x4002c000)
> > libresolv.so.2 => /lib/libresolv.so.2 (0x4005a000)
> > libnsl.so.1 => /lib/libnsl.so.1 (0x4006c000)
> > libdl.so.2 => /lib/libdl.so.2 (0x40081000)
> > libpopt.so.0 => /usr/lib/libpopt.so.0 (0x40084000)
> > libcrypto.so.2 => /lib/libcrypto.so.2 (0x4008c000)
> > libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x40160000)
> > libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x40172000)
> > libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x401d0000)
> > libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x401f0000)
> > libldap.so.2 => /usr/lib/libldap.so.2 (0x401f2000)
> > liblber.so.2 => /usr/lib/liblber.so.2 (0x4021c000)
> > libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
> > libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40228000)
> > libssl.so.2 => /lib/libssl.so.2 (0x40233000)
> > /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> > libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40263000)
> > libpam.so.0 => /lib/libpam.so.0 (0x4026a000)
> >
> > [root at HSERINT1 sbin]# ldd smbd
> > libldap.so.2 => /usr/lib/libldap.so.2 (0x4002c000)
> > liblber.so.2 => /usr/lib/liblber.so.2 (0x40057000)
> > libcrypto.so.2 => /lib/libcrypto.so.2 (0x40062000)
> > libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x40136000)
> > libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x40147000)
> > libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x401a5000)
> > libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x401c5000)
> > libresolv.so.2 => /lib/libresolv.so.2 (0x401c8000)
> > libcups.so.2 => /usr/lib/libcups.so.2 (0x401da000)
> > libssl.so.2 => /lib/libssl.so.2 (0x401f4000)
> > libnsl.so.1 => /lib/libnsl.so.1 (0x40224000)
> > libcrypt.so.1 => /lib/libcrypt.so.1 (0x40239000)
> > libpam.so.0 => /lib/libpam.so.0 (0x40266000)
> > libattr.so.1 => /lib/libattr.so.1 (0x4026f000)
> > libacl.so.1 => /lib/libacl.so.1 (0x40273000)
> > libdl.so.2 => /lib/libdl.so.2 (0x4027b000)
> > libpopt.so.0 => /usr/lib/libpopt.so.0 (0x4027e000)
> > libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
> > libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40286000)
> > /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> > libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40292000)
> >
> > ======================== kerberos version ===============
> >
> > [root at HSERINT1 sbin]# strings /usr/local/lib/libkrb5.so.3.2 | grep BRAND
> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
> >
> > ======================== ld.so.conf =====================
> >
> > /usr/local/lib
> > /usr/X11R6/lib
> > /usr/lib/mysql
> > /usr/lib/qt-3.0.5/lib
> > /usr/lib/sane
> > /usr/lib/qt2/lib
> > /usr/lib/wine
> >
> > ================= smb.conf ========================
> > [global]
> > workgroup = HGUV
> > realm = HGUV.LOCAL
> > server string = %h server (Samba %v)
> > security = ADS
> > password server = 10.36.192.24
> > log level = 2 winbind:5
> > log file = /var/log/samba/%m.log
> > max log size = 0
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > dns proxy = No
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > template shell = /bin/bash
> > winbind separator = +
> > printing = lprng
> >
> > [homes]
> > comment = Home Directories
> > path = /home/%U
> > valid users = %D+%U
> > read only = No
> > create mask = 0664
> > directory mask = 0775
> > browseable = No
> >
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > printable = Yes
> > browseable = No
> >
> > [tmp]
> > comment = Temporary file space
> > path = /tmp
> > force user = inform
> > force group = inform
> > read only = No
> > guest ok = Yes
> >
> > [Intranet]
> > comment = DocumentRoot del servidor web de la intranet del HGUV
> > path = /var/www
> > valid users = root, HGUV+Administrador, HGUV+fruza, HGUV+bperez
> > force user = inform
> > force group = inform
> > read only = No
> > create mask = 0777
> > directory mask = 0777
> >
> > [mysql]
> > comment = Base de datos mysql
> > path = /var/lib/mysql
> > force user = inform
> > force group = inform
> > read only = No
> > guest ok = Yes
> >
> > =========================================================
> >
> > Thanks in advanced for any reply,
> >
> > Fernando.
> >
> >
> > On Fri, 2003-12-12 at 21:56, Tim Jordan wrote:
> > > Browsing is working from my W2K and XP clients to the samba server
> > > using kerberos.
> > > Samba Server is joined to Active Directory as a Domain Member server.
> > >
> > > I commented out the following line of my krb5.conf:
> > >
> > > #permitted_enctypes = des-cbc-crc des-cbc-md5
> > >
> > > Make sure these lines are correct:
> > > default_tgs_enctypes = des-cbc-crc des-cbc-md5
> > > efault_tkt_enctypes = des-cbc-crc des-cbc-md5
> > >
> > > *Make sure to stop and restart smbd, nmbd, and winbindd. These
> > > changes did nothing for me until I restarted at least winbindd.
> > >
> > >
> > > I set this up with Mandrake 9.2 using samba3.0.1-0.pre3.2mdk.i586
> > > rpm's from:
> > > http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/
> > >
> > >
> > > I'm working on a final write up of my configuration if anyone is
> > > interested in creating an Active Directory member server running Samba
> > > 3.
> > >
> > > Thanks to Jeff Jordan with the State of Alaska, Dept. of Labor for
> > > lending his Windows expertise!
> > >
> > > Tim
> > >
> > >
> > >
> > >
> > > On Fri, 2003-12-12 at 08:07, Tom Dickson wrote:
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > You can try running the
> > > >
> > > > strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> > > >
> > > > command and looking at what you get. 1-3-1 or something is MIT.
> > > >
> > > > Also, I'm wondering if the fact that you can connect by IP and not by
> > > > name indicates that the 2000 server is looking up the name in, say, DNS
> > > > only and ignoring WINS. Perhaps my WINS server is misconfigured.
> > > >
> > > > Well, I have to run Netbench tests, so I just dropped back to NT4 style
> > > > auth, which works fine for me.
> > > >
> > > > - -Tom
> > > >
> > > > Tim Jordan wrote:
> > > >
> > > > | Perhaps we can work together. Jerry mentioned in previous posts about
> > > > | the encryption options if the krb5.conf.
> > > > | The Official Samba How To states: " On a Windows 2000 client, try /net
> > > > | use * \\server\share/. You should be logged in with Kerberos without
> > > > | needing to know a password. If this fails then run /klist tickets./
> > > > | Did you get a tecket for the server? Does it have an encryption type of
> > > > | DES-CBC-MD5?"
> > > > |
> > > > | "Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
> > > > | encoding."
> > > > |
> > > > | I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
> > > > | Jerry sugested:
> > > > |
> > > > | /etc/krb5.conf:
> > > > |
> > > > |>[root at ANC-MDK-SMB3 samba3]# cat /etc/krb5.conf
> > > > |>[logging]
> > > > |> default = FILE:/var/log/kerberos/krb5libs.log
> > > > |> kdc = FILE:/var/log/kerberos/krb5kdc.log
> > > > |> admin_server = FILE:/var/log/kerberos/kadmind.log
> > > > |>
> > > > |>[libdefaults]
> > > > |> ticket_lifetime = 24000
> > > > |> default_realm = LABOR.AK
> > > > |> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> > > > |> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > > > |> permitted_enctypes = des-cbc-md5 des-cbc-crc
> > > > |> dns_lookup_realm = false
> > > > |> dns_lookup_kdc = false
> > > > |> kdc_req_checksum_type = 2
> > > > |> checksum_type = 2
> > > > |> ccache_type = 1
> > > > |> forwardable = true
> > > > |> proxiable = true
> > > > |>
> > > > |>[realms]
> > > > |> LABOR.AK = {
> > > > |> kdc = MY-KDC.LABOR.AK:88
> > > > |> admin_server = MY-KDC.LABOR.AK:749
> > > > |> default_domain = LABOR.AK
> > > > |> }
> > > > |>
> > > > |>[domain_realm]
> > > > |> .LABOR.AK = LABOR.AK
> > > > |>
> > > > |>[kdc]
> > > > |> profile = /etc/kerberos/krb5kdc/kdc.conf
> > > > |>
> > > > |>[pam]
> > > > |> debug = false
> > > > |> ticket_lifetime = 36000
> > > > |> renew_lifetime = 36000
> > > > |> forwardable = true
> > > > |> krb4_convert = false
> > > > |>
> > > > |> [login]
> > > > |> krb4_convert = false
> > > > |> krb4_get_tickets = fals
> > > > |>
> > > > | It did change the encryption ticket I'm getting when /kinit/ as my
> > > > username.
> > > > |
> > > > |>Valid starting Expires Service principal
> > > > |>12/11/03 16:00:49 12/12/03 02:01:00 krbtgt/LABOR.AK at LABOR.AK
> > > > |> renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode
> > > > with RSA-MD5, DES cbc mode with RSA-MD5
> > > > |>
> > > > |>
> > > > |>Kerberos 4 ticket cache: /tmp/tkt0
> > > > |>
> > > > | Notice I'm getting "DES cbc mode with RSA-MD5".
> > > > |
> > > > | This did not solve the underlying problem of being able to view the
> > > > samba shares from a w2k or xp client.
> > > > |
> > > > | How would I be able to tell if I'm using MIT or Hemidal kerberos?
> > > > |
> > > > | I did get this working on a Gentoo system, so I know it works.
> > > > |
> > > > | Who knows encryption on the list that can advise....anyone?
> > > > |
> > > > | Tim
> > > > |
> > > > | On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:
> > > > |
> > > > |>/Same problem. I have been with it for weeks. I can connect using IP
> > > > |>address from the Win2k clients however with the netbios name I get the
> > > > |>error.
> > > > |>
> > > > |>Someone has told me today that this was solved in the new release
> > > > |>samba-3.0.1rc2-1 , however I've already tested it and I still have the
> > > > |>same problem.
> > > > |>
> > > > |>Please any more clues.
> > > > |>
> > > > |>Thanks,
> > > > |>
> > > > |>Fernando.
> > > > |>
> > > > |>
> > > > |>On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
> > > > |>> I'm getting same error about encryption ...
> > > > |>>
> > > > |>> I have taken Tom's lead and have provided the output below. Is there a
> > > > |>> certain version of krb5 that we should be running?
> > > > |>>
> > > > |>>
> > > > |>> root at ANC-MDK-SMB3 tim]# smbd3 --version
> > > > |>> Version 3.0.1pre3
> > > > |>>
> > > > |>> [root at ANC-MDK-SMB3 tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> > > > |>> KRB5_BRAND: krb5-1-3-final 1.3 20030708
> > > > |>>
> > > > |>> I'm running Mandrake 9.2
> > > > |>>
> > > > |>> Thank You Samba Team!
> > > > |>> Tim
> > > > |>>
> > > > |>> On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
> > > > |>>
> > > > |>> > -----BEGIN PGP SIGNED MESSAGE-----
> > > > |>> > Hash: SHA1
> > > > |>> >
> > > > |>> > OK. I've done some more research, and here's what I get.
> > > > |>> >
> > > > |>> > smbd --version
> > > > |>> > Version 3.0.0
> > > > |>> >
> > > > |>> > strings libkrb5.so.3.2 | grep BRAND
> > > > |>> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
> > > > |>> >
> > > > |>> > Everything seems to work, but trying to access the Samba server
> > > > results in:
> > > > |>> >
> > > > |>> > [2003/12/11 14:54:19, 3]
> > > > libads/kerberos_verify.c:ads_verify_ticket(308)
> > > > |>> > ~ ads_verify_ticket: enc type [23] failed to decrypt with error
> > > > Decrypt
> > > > |>> > integrity check failed
> > > > |>> > [2003/12/11 14:54:19, 3]
> > > > libads/kerberos_verify.c:ads_verify_ticket(316)
> > > > |>> > ~ ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption
> > > > type)
> > > > |>> > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > > > |>> > ~ Failed to verify incoming ticket!
> > > > |>> > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
> > > > |>> > ~ error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
> > > > |>> > NT_STATUS_LOGON_FAILURE
> > > > |>> >
> > > > |>> > This is the same error you get if you're running the wrong KRB5 libs,
> > > > |>> > but I've the right ones. The windows 2000 machine is 5.00.2195
> > > > |>> >
> > > > |>> > Windows 2000 clients connect to the ADS server fine, and will
> > > > connect to
> > > > |>> > the Samba server if you enter Username/Password. The 2000 server
> > > > cannot
> > > > |>> > connect to the Samba machine at all, even with the right
> > > > username/pass.
> > > > |>> >
> > > > |>> > Is there a magic registry setting I'm missing? I've changed the
> > > > |>> > Administrator password at least once.
> > > > |>> >
> > > > |>> > - -Tom
> > > > |>> > -----BEGIN PGP SIGNATURE-----
> > > > |>> > Version: GnuPG v1.2.2-nr2 (Windows 2000)
> > > > |>> > Comment: Using GnuPG with Mozilla - //_http://enigmail.mozdev.org_
> > > > |>> >
> > > > |>> > iD8DBQE/2PbO2dxAfYNwANIRAmuuAKCI9NMssxwHqQlyF7njkP+sZBt3PQCfWApO
> > > > |>> > F9F+8BTOPIyoybZBYIlCouU=
> > > > |>> > =94FA
> > > > |>> > -----END PGP SIGNATURE-----
> > > > |>/
> > > > |>
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: GnuPG v1.2.2-nr2 (Windows 2000)
> > > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > > >
> > > > iD8DBQE/2fXg2dxAfYNwANIRAlFEAJ9uSUkNH5u/O2PBb8eY8PExrsq2rACdE6r/
> > > > xbPZjNjGNK2FYhHQZnqmgYs=
> > > > =2f/q
> > > > -----END PGP SIGNATURE-----
More information about the samba
mailing list