[Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)

Christoph Beyer chbeyer at mail.desy.de
Thu Oct 30 13:18:58 GMT 2003


Hi Andrew et al,

Thank you for the tip. Is there any way to get around this? My Windows
admins don't know how to disable this feature. Is it possible to set it on
a 'per host basis' on the Windows side? If yes, where?

Are there plans to realize the feature in an upcoming release in the near
future?

Thanks again for any advice!
	~christoph


-- 
/*   Christoph Beyer     |   Office: Building 2b / 23     *\
 *   DESY                |    Phone: 040-8998-2317        *
 *   - IT -              |      Fax: 040-8998-4060        *
\*   22603 Hamburg       |     http://www.desy.de         */


On 30 Oct 2003, Andrew Bartlett wrote:

> On Thu, 2003-10-30 at 20:34, Jochen Schmidt wrote:
> > Hi Christoph,
> >
> > On Wed, 29 Oct 2003 christoph.beyer at desy.de wrote:
> > > I'm using the production release of 3.0.0 and can not join a W2003 domain:
> > >
> > > [printsrv4] /spool/samba-3.0.0/bin $ ./net -d 10 ads join -Uhumpty_dumpty
> > > [2003/10/29 15:35:39, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
> > >   got principal=adc1$@WIN.DESY.DE
> > > [2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
> > >   krb5_cc_get_principal failed (No credentials cache found)
> > > [2003/10/29 15:35:40, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
> > >   Got KRB5 session key of length 16
> > > [2003/10/29 15:35:40, 1] utils/net_ads.c:ads_startup(181)
> > >   ads_connect: Strong authentication required
> >
> > Maybe your Domain only allows NTLMv2. See smb.conf Manpage about "client
> > ntlmv2 auth" (and maybe also about "client schannel", "client signing",
> > "client use spnego")
>
> No, it's not related to NTLMv2.  The issue is that we do not support AD
> servers that require signing of the LDAP connection.  I'm not sure if
> mkaplan has logged it in bugzilla yet, but we have seen it.
>
> (We also know how to fix it, it's mainly a matter of implementation).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
>
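
Added example (not part of the original thread and not Samba code): a small parser for the `net -d 10` debug output quoted above. It strips the mail quote markers, groups each header with its message lines, and reports the records logged at level 0-1. The function names and the HINTS table are hypothetical; its single entry restates Andrew Bartlett's diagnosis.

```python
import re

# Samba debug header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
QUOTE = re.compile(r"^(?:>\s?)+")  # mail quote markers such as "> > > "

# Hypothetical hint table; its one entry restates the diagnosis given in this thread.
HINTS = {
    "Strong authentication required":
        "AD server requires a signed LDAP connection; per the reply in this "
        "thread, this Samba release does not support that",
}

# The log lines from the post, still carrying their quote markers.
SAMPLE = """\
> > > [2003/10/29 15:35:39, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
> > >   got principal=adc1$@WIN.DESY.DE
> > > [2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
> > >   krb5_cc_get_principal failed (No credentials cache found)
> > > [2003/10/29 15:35:40, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
> > >   Got KRB5 session key of length 16
> > > [2003/10/29 15:35:40, 1] utils/net_ads.c:ads_startup(181)
> > >   ads_connect: Strong authentication required
"""

def parse_records(text):
    """Return one dict per debug record, joining its indented message lines."""
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw)
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "level": int(m["level"]), "msg": ""})
        elif records and line[:1] in (" ", "\t") and line.strip():
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records

def diagnose(records, max_level=1):
    """Return (function, message, hint) for records at level <= max_level."""
    return [(r["func"], r["msg"],
             next((h for needle, h in HINTS.items() if needle in r["msg"]), None))
            for r in records if r["level"] <= max_level]

if __name__ == "__main__":
    for func, msg, hint in diagnose(parse_records(SAMPLE)):
        print(f"{func}: {msg}\n    -> {hint or 'no hint for this message'}")
```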



