[Samba] Samba meet Kerberos on a debian woody

Marco F. Cavaliere marco.cavaliere at ulixe.com
Mon Apr 19 21:53:38 GMT 2004


I've just set up a Samba box on my Debian server (woody) with the standard
Debian packages provided by
http://us1.samba.org/samba/ftp/Binary_Packages/Debian/samba3/ which, as far
as I know, is a standard Samba package repository.

The other libs are the standard woody kerberos library (not the heimdal
one).

At this point the things that work are:

I can join the domain,
I can see with getent all the users and groups from my "active directory
server" (so winbind seems to work!)
I can use all the net commands
I can see any machine in my Windows network.

The thing that I can't do is to connect using the machine name (
\\sambabox\share\ ). Of course, if I use the IP address I can get in, but as
I read here, that is because with an IP address no check is done.

I've checked my Samba log, and the error that I see is:
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed
to verify incoming ticket!
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed
to verify incoming ticket!
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed
to verify incoming ticket!
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed
to verify incoming ticket!
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed
to verify incoming ticket!

I dunno if this is an error related to my Kerberos library. I also tried
(I'm going crazy) to install the kerberos-heimdal library, but with that
library the winbind daemon doesn't work....

I'm pasting my configuration files ... PLEASE PLEASE PLEASE ..... HELP ME!!!!!


---- smb.conf

# Global settings: this host is configured as an Active Directory member
# (security = ADS, realm ULIXE.TO) with winbind supplying users and groups.
[global]
        workgroup = ULIXE
        realm = ULIXE.TO
        server string = %h server (Samba %v)
        # NOTE(review): with security = ADS, smbd verifies the Kerberos
        # service ticket sent by the client; the "Failed to verify incoming
        # ticket" log lines in the post come from that path
        # (reply_spnego_kerberos). Access by IP address working while access
        # by name fails is consistent with the client falling back to NTLM
        # when it connects by IP, so only by-name access exercises ticket
        # verification. Things to confirm: clock skew against the KDC, that
        # the machine account secret from the domain join is current, and
        # that the Kerberos library supports the encryption type of the
        # tickets the domain controller issues.
        security = ADS
        #ads server = 10.0.0.222
        # NOTE(review): per smb.conf(5), 'update encrypted' is a migration aid
        # meant to be used together with 'encrypt passwords = no'; next to
        # 'encrypt passwords = Yes' it presumably has no effect - confirm and
        # drop it.
        update encrypted = Yes
        encrypt passwords = Yes
        # PAM account and session restrictions are not applied to Samba logons.
        obey pam restrictions = no
        # Same host that the Kerberos configuration in this post names as KDC.
        password server = nexus.ulixe.to
        passwd program = /usr/bin/passwd %u
        # NOTE(review): in this paste the 'passwd chat' value is split over two
        # lines without a trailing backslash, so the second line would not be
        # read as part of the value. This looks like mail-client wrapping;
        # verify that the real file has the value on one line.
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
        syslog = 0
        # One log file per client machine name (%m). No 'log level' is set
        # here and the excerpt in the post shows level-1 messages only; a
        # temporarily higher 'log level' is what would show why ticket
        # verification fails.
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = Yes
        wins server = 10.0.0.222
        # ldap ssl = no
        # WINBIND OPTIONS
                  winbind separator = -
                  idmap uid = 10000-20000
                  idmap gid = 10000-20000
                  # NOTE(review): 'winbind uid' / 'winbind gid' are the older
                  # names for 'idmap uid' / 'idmap gid' in Samba 3, so these
                  # two lines repeat the range given just above - confirm and
                  # keep one pair.
                  winbind uid = 10000-20000
                  winbind gid = 10000-20000
                  winbind enum users = yes
                  winbind enum groups = yes
                  # Domain accounts keep their domain prefix (DOMAIN-user with
                  # the separator set above).
                  winbind use default domain = no
                  template shell = /bin/bash
                  # NOTE(review): enables reverse DNS lookups of client
                  # addresses. No 'hosts allow' / 'hosts deny' lines are
                  # visible here; if name-based rules are added later they
                  # depend on reverse DNS, which the client's network can
                  # influence - prefer address-based rules.
                  hostname lookups = Yes





# Special [printers] section: settings applied to the printer shares.
[printers]
        comment = All Printers
        # NOTE(review): spool files are written to /tmp, a directory shared
        # with every local user; a dedicated spool directory is the usual
        # choice. 'create mask = 0700' below limits new spool files to their
        # owner.
        path = /tmp
        create mask = 0700
        printable = Yes
        # Hidden from browse lists only; this does not restrict access.
        browseable = No

# Share exporting /var/ftp.
[ftp]
        path = /var/ftp
        # NOTE(review): 'read only = No' together with 'guest ok = Yes' makes
        # this a share that unauthenticated (guest) sessions may write to,
        # limited only by the filesystem permissions of the guest account.
        # Whether guest sessions are actually accepted also depends on
        # 'map to guest', which is not set in [global] here (smb.conf(5)
        # default: Never). If anonymous upload is not intended, set
        # 'guest ok = No' or 'read only = Yes'.
        read only = No
        guest ok = Yes

# Read-only share exporting the backup directory to authenticated users.
[backup]
        comment = Directory di Backup
        # NOTE(review): no 'valid users' (or similar) restriction is visible,
        # so any account that can authenticate to the domain may read
        # /mnt/backup, subject to filesystem permissions. Backups often hold
        # copies of sensitive files; confirm that this is intended.
        path = /mnt/backup
        guest ok = No
        read only = Yes
-
-
-
-
-
---- kerberos.conf
  # Log destinations for the Kerberos library, KDC and admin server.
  # NOTE(review): the 'kdc' and 'admin_server' entries presumably matter only
  # if those daemons run on this host; the [realms] section in this file
  # points at nexus.ulixe.to as KDC.
  [logging]
    default = FILE:/var/log/krb5/libs.log
    kdc = FILE:/var/log/krb5/kdc.log
    admin_server = FILE:/var/log/krb5/admin.log

  # Library-wide defaults for Kerberos clients and services on this host.
  [libdefaults]
    # NOTE(review): bare number, presumably seconds - confirm. The [pam]
    # section in this file sets a different value (36000).
    ticket_lifetime = 24000
    default_realm = ULIXE.TO

    # NOTE(review): the three lines below restrict the library to single-DES
    # encryption types. Single DES is cryptographically weak and was later
    # deprecated for Kerberos (RFC 6649); current MIT krb5 releases refuse it
    # unless allow_weak_crypto is enabled. For the problem in the post: if
    # the domain controller issues service tickets in an encryption type
    # outside this list, smbd cannot decrypt them, which is one plausible
    # cause of "Failed to verify incoming ticket" - confirm which enctype the
    # tickets actually use.
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    permitted_enctypes = des-cbc-md5 des-cbc-crc
    # NOTE(review): 'default_etypes' / 'default_etypes_des' look like
    # Heimdal option names; the post says the MIT library is in use, which
    # presumably ignores them - confirm.
    default_etypes = des-cbc-crc des-cbc-md5
    default_etypes_des = des-cbc-crc des-cbc-md5


    #default_tgs_enctypes = des-cbc-crc des-cbc-md5
    #default_tkt_enctypes = des-cbc-crc des-cbc-md5
    kdc_req_checksum_type = 2
    # Tickets are requested as forwardable and proxiable by default, which
    # widens how they can be delegated; keep only if delegation is needed.
    forwardable = true
    proxiable = true
    ccache_type = 1

    # NOTE(review): realm and KDC discovery through DNS relies on
    # unauthenticated DNS answers. The realm and its KDC are already listed
    # statically in [realms] and [domain_realm] in this file, so these
    # lookups could presumably be turned off - confirm.
    dns_lookup_realm = true
    dns_lookup_kdc = true

  # Static realm definition: ULIXE.TO is served by a single KDC,
  # nexus.ulixe.to (the same host named as 'password server' in the smb.conf
  # pasted in this post). No admin_server entry is given.
  [realms]
    ULIXE.TO = {
      kdc = nexus.ulixe.to
      default_domain = ulixe.to
    }

  # Maps DNS names to the Kerberos realm: hosts under .ulixe.to and the
  # domain ulixe.to itself both belong to ULIXE.TO.
  [domain_realm]
    .ulixe.to = ULIXE.TO
     ulixe.to = ULIXE.TO


  # Section with no active settings: its only entry is commented out.
  [kdc]
    #profile = /etc/krb5kdc/kdc.conf

  # Settings presumably read by the Kerberos PAM module - confirm which
  # module consumes this section.
  [pam]
    debug = false
    # NOTE(review): differs from ticket_lifetime = 24000 in [libdefaults].
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false



