[Samba] Still having touble with Redhat 7.1 and windows 2003 DC authentication.

Gavin Davenport gavdav at gavdav.demon.co.uk
Tue Oct 7 15:34:14 GMT 2003

Hi there

I'm still going round in circles trying to get winbindd authentication
against a 2003 server working.

I have what appears to be the same problem as:
There's something wrong with the SMB Packet signing on this machine.

In parallel, I succcessfully built and have got working samba-devel on
FreeBSD 5.1 against the same ADS.
I used these hints:
and it works (using a pretty much identical smb.conf)
Key additions are:
        client signing = Yes
        server signing = Yes
        client use spnego = Yes

The box I'm having trouble with is a redhat 7.1 box. I've upgraded the
standard 7.1 RPMs re. krb & pam from:
[root at potato samba]# rpm -qa | grep krb

Using some SRPMs from rh7.3.

I don't know how to work out what version of Heimdal is within these
packages which samba-3 has linked to. I have read that 2003 server requires
heimdal 1.6 or older, so I went and got that, compiled and built it
(from: ftp://ftp.pdc.kth.se/pub/heimdal/src/)

This built me a heimdal subdirectory (I wanted it seperate), which I then
configured in the samba.spec file:
but the Samba3 srpm wouldn't compile with this version of heimdal - there
seemed to be lots of bits missing.

smbclient works ok from the Redhat box against the XP, 2003 or FreeBSD SMB
Servers, domain authentication works for that.
No clients can attach to the redhat server, they all seem to fail for SMB
packet signing reasons.

I don't really want to change the DC settings, the BSD box works, I'd like
to RedHat box to work too :)

I would like to know which RPM supplies the right version of heimdal for
2003AD authentication to work, right now I don't know which bit to look at.

Anyone got to the end of this struggle with a redhat box this age ??

Winbindd -i -vv shows:

client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] 08 CE A3 BF F9 D5 1E 09                           .Σ¿ùÕ..
client_check_incoming_message: BAD SIG: got SMB signature of
[000] 91 F7 B2 53 5B CA EB 3F                           .÷²S[Êë?
signing_good: SMB signature check failed on seq 1!
SMB Signature verification failed on incoming packet!
failed kerberos session setup with NT_STATUS_OK
anonymous connection attempt to BASHFUL from POTATO
failed anonymous session setup with NT_STATUS_OK
trusted_domains: Could not open a connection to GDA-ADSL.DEMON.CO.UK for
convert_string_allocate: Conversion error: Illegal multibyte sequence(ˆÌ)
convert_string_allocate: Conversion error: Illegal multibyte sequence(ˆÌ)
rescan_trusted_domains: Can't find my own domain!

Is this a software version thing or is the PDC signing the SMB packets with
an old host key ??

Has anyone done ADS authentication on a Redhat 7.1 box/samba 3.0.0 host ??

Gavin Davenport

p.s. I've just tried the same build on a redhat 8.0 box. Thats failing for
the same reason.
Is it a password thing ??

More information about the samba mailing list