[Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Andrew Bartlett
abartlet at samba.org
Thu Oct 30 10:09:26 GMT 2003
On Thu, 2003-10-30 at 20:34, Jochen Schmidt wrote:
> Hi Christoph,
>
> On Wed, 29 Oct 2003 christoph.beyer at desy.de wrote:
> > I'm using the production release of 3.0.0 and can not join a W2003 domain:
> >
> > [printsrv4] /spool/samba-3.0.0/bin $ ./net -d 10 ads join -Uhumpty_dumpty
> > [2003/10/29 15:35:39, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
> > got principal=adc1$@WIN.DESY.DE
> > [2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
> > krb5_cc_get_principal failed (No credentials cache found)
> > [2003/10/29 15:35:40, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
> > Got KRB5 session key of length 16
> > [2003/10/29 15:35:40, 1] utils/net_ads.c:ads_startup(181)
> > ads_connect: Strong authentication required
>
> Maybe your Domain only allows NTLMv2. See smb.conf Manpage about "client
> ntlmv2 auth" (and maybe also about "client schannel", "client signing",
> "client use spnego")
No, it's not related to NTLMv2. The issue is that we do not support AD
servers that require signing of the LDAP connection. I'm not sure if
mkaplan has logged it in bugzilla yet, but we have seen it.
(We also know how to fix it, it's mainly a matter of implementation).
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
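
The following is an added example, not part of the message above and not Samba code: a small triage script that parses the `net -d 10` debug output quoted in the thread and separates the Kerberos step from the LDAP bind result, following the explanation given in the reply. The function names, result labels and the `SAMPLE` constant are assumptions made for illustration.

```python
import re

# Samba debug header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*(\d+)\]\s+([\w./-]+):(\w+)\((\d+)\)\s*$")

# Constructed sample: the debug output quoted in the thread, quote markers removed.
SAMPLE = """\
[2003/10/29 15:35:39, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
got principal=adc1$@WIN.DESY.DE
[2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
krb5_cc_get_principal failed (No credentials cache found)
[2003/10/29 15:35:40, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
Got KRB5 session key of length 16
[2003/10/29 15:35:40, 1] utils/net_ads.c:ads_startup(181)
ads_connect: Strong authentication required
"""

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"level": int(m.group(2)), "source": m.group(3),
                            "function": m.group(4), "message": ""})
        elif entries and line:
            entries[-1]["message"] = (entries[-1]["message"] + " " + line).strip()
    return entries

def diagnose(text):
    """Hypothetical triage: did Kerberos work, and did the LDAP bind get refused?"""
    entries = parse_entries(text)
    kerberos_ok = any("Got KRB5 session key" in e["message"] for e in entries)
    # "Strong authentication required" is LDAP result code 8 (strongAuthRequired).
    rejected = [e for e in entries
                if "Strong authentication required" in e["message"]]
    if rejected and kerberos_ok:
        cause = "ldap-signing-required"   # the case described in the reply
    elif rejected:
        cause = "ldap-bind-rejected"
    elif not kerberos_ok:
        cause = "kerberos-failed"
    else:
        cause = "none-found"
    return {"kerberos_ok": kerberos_ok, "cause": cause,
            "reported_by": [e["function"] for e in rejected]}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```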