[Samba] Windows 2000 and krb5 tickets...SOLVED

Fernando Ruza fernandor at sescam.jccm.es
Thu Dec 18 11:32:19 GMT 2003


Hi Tim,

I'm still stuck with the krb5_tickets+AD problem. It worked for me once and I
still don't know what I did. I thought it was the Administrator password
change, however I've done a clean installation on another server (RH8
again, with krb5 1.3.1 and samba_3.0.1rc2) and I have the same problem
again.

Could you give me your "klist -e" output for your KDC server ticket? I'd
like to compare it with mine. I still have the encryption set to
ARCFOUR-HMAC-MD5 for my KDC server and I cannot change it to DES-CBC-MD5,
although I have the following lines in my /etc/krb5.conf file:

default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
# Commented out the following line.
# permitted_enctypes = des-cbc-md5 des-cbc-crc

How can I change it to DES-CBC-MD5?
The ticket for my KDC server is:

12/18/03 11:15:22  12/18/03 21:03:19  hserofi1$@HGUV.LOCAL
renew until 12/19/03 10:14:31, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Thanks and regards,

Fernando.


On Fri, 2003-12-12 at 21:56, Tim Jordan wrote:
> Browsing is working from my W2K and XP clients to the samba server
> using kerberos.
> Samba Server is joined to Active Directory as a Domain Member server.
>
> I commented out the following line of my krb5.conf:
>
>     #permitted_enctypes = des-cbc-crc des-cbc-md5
>
> Make sure these lines are correct:
>      default_tgs_enctypes = des-cbc-crc des-cbc-md5
>      default_tkt_enctypes = des-cbc-crc des-cbc-md5
>
> *Make sure to stop and restart smbd, nmbd, and winbindd.  These
> changes did nothing for me until I restarted at least winbindd.
>
>
> I set this up with Mandrake 9.2 using samba3.0.1-0.pre3.2mdk.i586
> rpm's from:
>         http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/
>
>
> I'm working on a final write up of my configuration if anyone is
> interested in creating an Active Directory member server running Samba
> 3.
>
> Thanks to Jeff Jordan with the State of Alaska, Dept. of Labor for
> lending his Windows expertise!
>
> Tim
>
>
>
>
> On Fri, 2003-12-12 at 08:07, Tom Dickson wrote:
> >
> > You can try running the
> >
> > strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> >
> > command and looking at what you get. 1-3-1 or something is MIT.
> >
> > Also, I'm wondering if the fact that you can connect by IP and not by
> > name indicates that the 2000 server is looking up the name in, say, DNS
> > only and ignoring WINS. Perhaps my WINS server is misconfigured.
> >
> > Well, I have to run Netbench tests, so I just dropped back to NT4 style
> > auth, which works fine for me.
> >
> > - -Tom
> >
> > Tim Jordan wrote:
> >
> > | Perhaps we can work together.  Jerry mentioned in previous posts about
> > | the encryption options in the krb5.conf.
> > | The Official Samba How To states: " On a Windows 2000 client, try /net
> > | use * \\server\share/.  You should be logged in with Kerberos without
> > | needing to know a password.  If this fails then run /klist tickets./
> > | Did you get a ticket for the server?  Does it have an encryption type of
> > | DES-CBC-MD5?"
> > |
> > | "Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
> > | encoding."
> > |
> > | I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
> > | Jerry suggested:
> > |
> > | /etc/krb5.conf:
> > |
> > |>[root at ANC-MDK-SMB3 samba3]# cat /etc/krb5.conf
> > |>[logging]
> > |> default = FILE:/var/log/kerberos/krb5libs.log
> > |> kdc = FILE:/var/log/kerberos/krb5kdc.log
> > |> admin_server = FILE:/var/log/kerberos/kadmind.log
> > |>
> > |>[libdefaults]
> > |> ticket_lifetime = 24000
> > |> default_realm = LABOR.AK
> > |> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> > |> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > |> permitted_enctypes = des-cbc-md5 des-cbc-crc
> > |> dns_lookup_realm = false
> > |> dns_lookup_kdc = false
> > |> kdc_req_checksum_type = 2
> > |> checksum_type = 2
> > |> ccache_type = 1
> > |> forwardable = true
> > |> proxiable = true
> > |>
> > |>[realms]
> > |> LABOR.AK = {
> > |>  kdc = MY-KDC.LABOR.AK:88
> > |>  admin_server = MY-KDC.LABOR.AK:749
> > |>  default_domain = LABOR.AK
> > |> }
> > |>
> > |>[domain_realm]
> > |> .LABOR.AK = LABOR.AK
> > |>
> > |>[kdc]
> > |> profile = /etc/kerberos/krb5kdc/kdc.conf
> > |>
> > |>[pam]
> > |> debug = false
> > |> ticket_lifetime = 36000
> > |> renew_lifetime = 36000
> > |> forwardable = true
> > |> krb4_convert = false
> > |>
> > |> [login]
> > |> krb4_convert = false
> > |> krb4_get_tickets = false
> > |>
> > | It did change the encryption ticket I'm getting when /kinit/ as my username.
> > |
> > |>Valid starting     Expires            Service principal
> > |>12/11/03 16:00:49  12/12/03 02:01:00  krbtgt/LABOR.AK at LABOR.AK
> > |>        renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
> > |>
> > |>
> > |>Kerberos 4 ticket cache: /tmp/tkt0
> > |>
> > | Notice I'm getting "DES cbc mode with RSA-MD5".
> > |
> > | This did not solve the underlying problem of being able to view the samba shares from a w2k or xp client.
> > |
> > | How would I be able to tell if I'm using MIT or Heimdal kerberos?
> > |
> > | I did get this working on a Gentoo system, so I know it works.
> > |
> > | Who knows encryption on the list that can advise....anyone?
> > |
> > | Tim
> > |
> > | On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:
> > |
> > |>/Same problem. I have been with it for weeks. I can connect using IP
> > |>address from the Win2k clients however with the netbios name I get the
> > |>error.
> > |>
> > |>Someone has told me today that this was solved in the new release
> > |>samba-3.0.1rc2-1 , however I've already tested it and I still have the
> > |>same problem.
> > |>
> > |>Please any more clues.
> > |>
> > |>Thanks,
> > |>
> > |>Fernando.
> > |>
> > |>
> > |>On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
> > |>> I'm getting same error about encryption ...
> > |>>
> > |>> I have taken Tom's lead and have provided the output below.  Is there a
> > |>> certain version of krb5 that we should be running?
> > |>>
> > |>>
> > |>> [root at ANC-MDK-SMB3 tim]# smbd3 --version
> > |>> Version 3.0.1pre3
> > |>>
> > |>> [root at ANC-MDK-SMB3 tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> > |>> KRB5_BRAND: krb5-1-3-final 1.3 20030708
> > |>>
> > |>> I'm running Mandrake 9.2
> > |>>
> > |>> Thank You Samba Team!
> > |>> Tim
> > |>>
> > |>> On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
> > |>>
> > |>> >
> > |>> > OK. I've done some more research, and here's what I get.
> > |>> >
> > |>> > smbd --version
> > |>> > Version 3.0.0
> > |>> >
> > |>> > strings libkrb5.so.3.2 | grep BRAND
> > |>> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
> > |>> >
> > |>> > Everything seems to work, but trying to access the Samba server results in:
> > |>> >
> > |>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
> > |>> > ~  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
> > |>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
> > |>> > ~  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> > |>> > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > |>> > ~  Failed to verify incoming ticket!
> > |>> > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
> > |>> > ~  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> > |>> >
> > |>> > This is the same error you get if you're running the wrong KRB5 libs,
> > |>> > but I've the right ones. The windows 2000 machine is 5.00.2195
> > |>> >
> > |>> > Windows 2000 clients connect to the ADS server fine, and will connect to
> > |>> > the Samba server if you enter Username/Password. The 2000 server cannot
> > |>> > connect to the Samba machine at all, even with the right username/pass.
> > |>> >
> > |>> > Is there a magic registry setting I'm missing? I've changed the
> > |>> > Administrator password at least once.
> > |>> >
> > |>> > - -Tom
> > |>/
> > |>

--
Fernando Ruza (fernandor at sescam.jccm.es)
Tfl: 949 209 215
     661 123 845
Linux user: #273644 (http://counter.li.org)
Debian Sid (Kernel 2.4.20 & ext3)
-------------------------------------------------------------------
Please do NOT use proprietary file formats for exchanging documents, such
as DOC and XLS; use HTML, RTF, TXT, CSV or any other format that does not
require a specific vendor's program. Thank you.
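As an added diagnostic example (not code from the thread or the Samba project), the Python below reads the enctype lists from a krb5.conf [libdefaults] section, pulls the (skey, tkt) types out of wrapped `klist -e` output, and reports whether the ticket's type is one the client asked for; a ticket that still shows ArcFour after the client config changed, as above, is decided by the KDC from the service principal's keys rather than by the client, which is the check worth making before editing krb5.conf again. The krb5.conf text, klist text, realm and host name are constructed placeholders.

```python
import re
# Enctype ids (RFC 3961/4757): smbd logs the number ("enc type [23]"),
# klist -e prints the long name and krb5.conf uses the short name.
ENCTYPES = {1: ("des-cbc-crc", "DES cbc mode with CRC-32"),
            3: ("des-cbc-md5", "DES cbc mode with RSA-MD5"),
            23: ("arcfour-hmac-md5", "ArcFour with HMAC/md5")}
SHORT_TO_ID = {s: n for n, (s, _) in ENCTYPES.items()}
LONG_TO_ID = {l: n for n, (_, l) in ENCTYPES.items()}

# Constructed samples modelled on the thread; realm and host are placeholders.
KRB5_CONF = """[libdefaults]
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 # permitted_enctypes = des-cbc-md5 des-cbc-crc
"""
KLIST_OUT = """12/18/03 11:15:22  12/18/03 21:03:19  host1$@EXAMPLE.LOCAL
        renew until 12/19/03 10:14:31, Etype (skey, tkt): ArcFour with HMAC/md5,
ArcFour with HMAC/md5
"""

def libdefaults_enctypes(conf_text, key):
    """Enctype ids listed for `key` in [libdefaults]; '#' lines are ignored."""
    in_section = False
    for s in (raw.strip() for raw in conf_text.splitlines()):
        if not s or s.startswith("#"):
            continue
        if s.startswith("["):
            in_section = (s == "[libdefaults]")
        elif in_section and "=" in s:
            k, v = (p.strip() for p in s.split("=", 1))
            if k == key:
                return [SHORT_TO_ID.get(e, e) for e in v.split()]
    return []

def klist_enctypes(klist_text):
    """(skey, tkt) id pairs from klist -e output; lines are joined first because mail clients wrap them."""
    flat = " ".join(l.strip() for l in klist_text.splitlines())
    pairs = []
    for m in re.finditer(r"Etype \(skey, tkt\):\s*", flat):
        rest, ids = flat[m.end():], []
        for _ in range(2):  # first the session key, then the ticket
            name = next((l for l in LONG_TO_ID if rest.startswith(l)), None)
            if name is None:
                break
            ids.append(LONG_TO_ID[name])
            rest = rest[len(name):].lstrip(", ")
        pairs.append(tuple(ids))
    return pairs

def diagnose(conf_text, klist_text):
    """Per ticket: (tkt enctype short name, is it in default_tgs_enctypes?)."""
    wanted = set(libdefaults_enctypes(conf_text, "default_tgs_enctypes"))
    return [(ENCTYPES[tkt][0], tkt in wanted) for _s, tkt in klist_enctypes(klist_text)]
```

A False result means the KDC issued the ticket under a key type the client never requested, so the next place to look is the service account's keys on the domain controller, not the client's enctype lists.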



