[Samba] Samba 3: is LDAP required?

Derek T. Yarnell derek at cs.umd.edu
Wed Oct 22 19:38:03 GMT 2003


On Tue, Oct 21, 2003 at 09:43:03PM +0000, John H Terpstra wrote:
> > Alright, does samba support joining a Samba Win2k3 domain in native 2003
> > mode? I have asked this before and not gotten a straight answer. The
> > HOWTO does not cover this specific topic, I get "Decrypt Integrity
> > Failed" errors for the kerberos tickets from said domain. I see
> > something about heimdal less than version 0.6 not working with Win2k3
> > (no mention of native 2k3 or native or whatever).
> 
> It will work if Samba-3 has been compiled with MIT Kerberos 1.3.x, not
> 1.2.x. Alternately, Samba-3 compiled with Heimdal 0.6.1 or later should
> work fine with Win2003 Native ADS.

Alright, background: Windows 2003 running in Native 2003 Mode (the
highest one). Samba 3.0.1pre1, two versions compiled, one with MIT krb5
1.3.1 and one with the latest snapshot of Heimdal 0.6-20031022.

OK, I don't think that you are correct. With Heimdal (0.6 release
20031022, there is no 0.6.1 that I can find) I get this:

[2003/10/22 15:22:45, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No such file or directory)
[2003/10/22 15:22:46, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password derek at PC.CS.UMD.EDU failed: Unknown error -1765328332

The error is KRB5KRB_ERR_RESPONSE_TOO_BIG.

[derek at ramjet heimdal-0.6-20031022]# grep -r "1765328332" *
include/krb5_err.h:     KRB5KRB_ERR_RESPONSE_TOO_BIG = -1765328332,
lib/krb5/krb5_err.h:    KRB5KRB_ERR_RESPONSE_TOO_BIG = -1765328332,

This is when running `net ads join -U derek` and typing in my Windows
administrator password.

I can get further with MIT krb5-1.3.1: I can do a net ads join and
successfully join the domain. But then I get the decrypt integrity failed
error when a client tries to connect.

The log for heimdal is attached, I will send the one for mit krb5 after.

-- 
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek at cs.umd.edu
-------------- next part --------------
[2003/10/22 15:31:49, 5] lib/debug.c:debug_dump_status(359)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
[2003/10/22 15:31:49, 3] param/loadparm.c:lp_load(3914)
  lp_load: refreshing parameters
[2003/10/22 15:31:49, 3] param/loadparm.c:init_globals(1301)
  Initialising global parameters
[2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(87)
  Attempting to register new charset UCS-2LE
[2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(95)
  Registered charset UCS-2LE
[2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(87)
  Attempting to register new charset UTF8
[2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(95)
  Registered charset UTF8
[2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(87)
  Attempting to register new charset ASCII
[2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(95)
  Registered charset ASCII
[2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(87)
  Attempting to register new charset 646
[2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(95)
  Registered charset 646
[2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(87)
  Attempting to register new charset UCS2-HEX
[2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(95)
  Registered charset UCS2-HEX
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/usr/local/samba-3.0.1pre1/lib/smb.conf"
[2003/10/22 15:31:49, 3] param/loadparm.c:do_section(3417)
  Processing section "[global]"
  doing parameter workgroup = UMD-CSD-NT
  doing parameter server string = printer
  doing parameter security = ads
  doing parameter realm = PC.CS.UMD.EDU
  doing parameter use spnego = yes
  doing parameter load printers = yes
  doing parameter printing = cups
  doing parameter printcap name = cups
  doing parameter log file = /var/log/samba/log.%m
  doing parameter max log size = 500
  doing parameter log level = 10
  doing parameter socket options = TCP_NODELAY
  doing parameter local master = no
  doing parameter wins server = 128.8.130.59
  doing parameter dns proxy = no
[2003/10/22 15:31:49, 4] param/loadparm.c:lp_load(3946)
  pm_process() returned Yes
[2003/10/22 15:31:49, 7] param/loadparm.c:lp_servicenumber(4056)
  lp_servicenumber: couldn't find homes
[2003/10/22 15:31:49, 10] param/loadparm.c:set_server_role(3864)
  set_server_role: role = ROLE_DOMAIN_MEMBER
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'ISO-8859-1' for LOCALE
[2003/10/22 15:31:49, 5] lib/util.c:init_names(270)
  Netbios name list:-
  my_netbios_names[0]="ATLANTIS"
[2003/10/22 15:31:49, 2] lib/interface.c:add_interface(79)
  added interface ip=128.8.126.5 bcast=128.8.126.127 nmask=255.255.255.128
[2003/10/22 15:31:49, 2] lib/interface.c:add_interface(79)
  added interface ip=128.8.127.43 bcast=128.8.127.255 nmask=255.255.255.0
[2003/10/22 15:31:49, 2] lib/interface.c:add_interface(79)
  added interface ip=128.8.128.33 bcast=128.8.129.255 nmask=255.255.254.0
[2003/10/22 15:31:49, 2] lib/interface.c:add_interface(79)
  added interface ip=172.16.0.8 bcast=172.16.255.255 nmask=255.255.0.0
[2003/10/22 15:31:49, 2] lib/interface.c:add_interface(79)
  added interface ip=128.8.130.14 bcast=128.8.131.255 nmask=255.255.254.0
[2003/10/22 15:31:49, 2] lib/interface.c:add_interface(79)
  added interface ip=128.8.126.155 bcast=128.8.126.159 nmask=255.255.255.240
[2003/10/22 15:31:49, 2] lib/interface.c:add_interface(79)
  added interface ip=172.18.0.3 bcast=172.18.255.255 nmask=255.255.0.0
[2003/10/22 15:31:49, 2] lib/interface.c:add_interface(79)
  added interface ip=172.17.0.3 bcast=172.17.255.255 nmask=255.255.0.0
[2003/10/22 15:31:49, 2] lib/interface.c:add_interface(79)
  added interface ip=128.8.126.138 bcast=128.8.126.143 nmask=255.255.255.240
[2003/10/22 15:31:49, 2] lib/interface.c:add_interface(79)
  added interface ip=172.19.0.4 bcast=172.19.255.255 nmask=255.255.0.0
[2003/10/22 15:31:51, 6] libads/ldap.c:ads_find_dc(147)
  ads_find_dc: looking for realm 'PC.CS.UMD.EDU'
[2003/10/22 15:31:51, 8] libsmb/namequery.c:get_sorted_dc_list(1215)
  get_sorted_dc_list: attempting lookup using [hosts]
[2003/10/22 15:31:51, 10] libsmb/namequery.c:internal_resolve_name(989)
  internal_resolve_name: looking up PC.CS.UMD.EDU#1c
[2003/10/22 15:31:51, 5] lib/gencache.c:gencache_init(59)
  Opening cache file at /usr/local/samba-3.0.1pre1/var/locks/gencache.tdb
[2003/10/22 15:31:51, 10] lib/gencache.c:gencache_get(264)
  Returning valid cache entry: key = NBT/PC.CS.UMD.EDU#1C, value = 128.8.130.146:389,128.8.130.159:389, timeout = Wed Oct 22 15:33:30 2003
  
[2003/10/22 15:31:51, 5] libsmb/namecache.c:namecache_fetch(201)
  name PC.CS.UMD.EDU#1C found.
[2003/10/22 15:31:51, 8] libsmb/namequery.c:get_dc_list(1274)
  Adding 2 DC's from auto lookup
[2003/10/22 15:31:51, 10] libsmb/namequery.c:remove_duplicate_addrs2(312)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2003/10/22 15:31:51, 4] libsmb/namequery.c:get_dc_list(1350)
  get_dc_list: returning 2 ip addresses in an unordered list
[2003/10/22 15:31:51, 4] libsmb/namequery.c:get_dc_list(1351)
  get_dc_list: 128.8.130.146:389 128.8.130.159:389 
[2003/10/22 15:31:51, 5] libads/ldap.c:ads_try_connect(56)
  ads_try_connect: trying ldap server '128.8.130.146' port 389
[2003/10/22 15:31:52, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 128.8.130.146
[2003/10/22 15:31:52, 3] libads/ldap.c:ads_server_info(1887)
  got ldap server name krycek at PC.CS.UMD.EDU, using bind path: dc=PC,dc=CS,dc=UMD,dc=EDU
[2003/10/22 15:31:52, 4] libads/ldap.c:ads_server_info(1893)
  time offset is 1 seconds
[2003/10/22 15:31:52, 4] libads/sasl.c:ads_sasl_bind(416)
  Found SASL mechanism GSS-SPNEGO
[2003/10/22 15:31:52, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 48018 1 2 2
[2003/10/22 15:31:52, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 113554 1 2 2
[2003/10/22 15:31:52, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 113554 1 2 2 3
[2003/10/22 15:31:52, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 3 6 1 4 1 311 2 2 10
[2003/10/22 15:31:52, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
  got principal=krycek$@PC.CS.UMD.EDU
[2003/10/22 15:31:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No such file or directory)
[2003/10/22 15:31:52, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password derek at PC.CS.UMD.EDU failed: Unknown error -1765328332
[2003/10/22 15:31:52, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Operations error
[2003/10/22 15:31:52, 2] utils/net.c:main(758)
  return code = -1
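
The post resolves the "Unknown error" number by grepping the Heimdal headers. As an added example (not part of the original post and not Samba code), the same decoding can be done arithmetically while triaging a Samba debug log: the krb5 com_err table starts at -1765328384, and the offset from that base is the RFC 4120 error number. The names `decode_krb5`, `triage` and `SAMPLE` are made up here, the table lists only three codes, and the sample lines are copied from the log above.

```python
import re

# Base of the krb5 com_err table (ERROR_TABLE_BASE_krb5 in MIT krb5); the
# grep output in the post shows Heimdal using the same numbering.
KRB5_BASE = -1765328384

# Three RFC 4120 protocol error numbers (offset from the base); not a full table.
RFC4120 = {
    31: ("KRB_AP_ERR_BAD_INTEGRITY", "integrity check on decrypted field failed"),
    37: ("KRB_AP_ERR_SKEW", "clock skew too great"),
    52: ("KRB_ERR_RESPONSE_TOO_BIG", "response too big for UDP, retry with TCP"),
}

# Samba debug header: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[([\d/]+ [\d:]+), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
ERRNO = re.compile(r"Unknown error (-\d+)")

def decode_krb5(code):
    """Map a com_err integer to (RFC 4120 number, name, text), or None."""
    offset = code - KRB5_BASE
    if not 0 <= offset < 128:      # outside the protocol-error range
        return None
    return (offset,) + RFC4120.get(offset, ("(not in this table)", ""))

def triage(log_text, max_level=1):
    """Return (time, level, function, message, decoded) for severe messages."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            level = int(m.group(2))
            current = (m.group(1), level, m.group(4)) if level <= max_level else None
        elif current and line.startswith("  ") and line.strip():
            e = ERRNO.search(line)
            decoded = decode_krb5(int(e.group(1))) if e else None
            findings.append(current + (line.strip(), decoded))
    return findings

# Sample input: three entries copied from the attached log.
SAMPLE = """\
[2003/10/22 15:31:52, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
  got principal=krycek$@PC.CS.UMD.EDU
[2003/10/22 15:31:52, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password derek at PC.CS.UMD.EDU failed: Unknown error -1765328332
[2003/10/22 15:31:52, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Operations error
"""
if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```
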
