[Samba] Re: Kerberos Error
Martin Zielinski
mz at seh.de
Wed Dec 8 14:37:51 GMT 2004
Hello!
I'm currently trying to understand some problem reports from customers using
samba with ADS. Googling brought a lot of suggestions but no real solutions.
So I'd like to ask some general questions about that:
1. Has anyone a working ticket authentication with MIT kerberos?
I mean: really working. Not the NTLMSSP fallback when you enter an IP address
instead of a hostname. I haven't noticed this for months since I always used
the IP address :-(
2. If so, what does the trick? Where to look in the libraries?
3. What do we (samba users) need to know about the ticket received by kinit?
Do we ever need to renew it? Or is the ticket obsolete after joining the
domain?
I had LOGON errors even with heimdal 0.6.3 until I deleted the /tmp/krxxxx
file. No idea, why.
4. Does a W2k client ever do ticket authentication? I can't get my W2k client
to do this.
Thanks a lot,
Martin
On Wednesday 08 December 2004 14:29, Gerald (Jerry) Carter wrote:
> Norman Zhang wrote:
> |> I'm using samba-*-3.0.6-4.3.100mdk and libkrb51-1.3-6.3.100mdk on
> |> LM10.0. A similar summary to what I'm seeing could be found here.
> |>
> |> http://lists.samba.org/archive/samba/2004-July/090210.html
> |
> | Solve the problem by changing
> |
> | [libdefaults]
> | ticket_lifetime = 24000
> | default_realm = HQ.ARKONNETWORKS.COM
> | ; default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> | ; default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> | ; permitted_enctypes = des3-hmac-sha1 des-cbc-crc
> |
> | default_etypes = des-cbc-crc des-crc-md5
> | default_etypes_des = des-cbc-crc des-crc-md5
>
> unless you are pretty comfortable with krb5 enc types
> and have a specific reason to use the des keys, I would
> recommend not setting those 2 lines at all on MIT
> krb 1.3.x releases.
>
> cheers, jerry
> - ---------------------------------------------------------------------
> Alleviating the pain of Windows(tm) ------- http://www.samba.org
> GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
> "If we're adding to the noise, turn off this song"--Switchfoot (2003)
--
Martin Zielinski mz at seh.de
Software Development
SEH Computertechnik GmbH www.seh.de
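
An added example, not part of the original messages and not Samba or MIT Kerberos code: a small audit of the `[libdefaults]` section quoted in the thread that lists every active enctype override and marks the ones restricted to single-DES types. The function name, the key set and the `des-` prefix test are assumptions made for this illustration; the sample input is constructed from the quoted configuration.

```python
import re

# Keys that override the library's default enctype selection (assumed set).
# The first three are MIT krb5 names; the last two are the names quoted in the thread.
ENCTYPE_KEYS = {
    "default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes",
    "default_etypes", "default_etypes_des",
}

# Constructed sample: the [libdefaults] section as quoted in the thread.
SAMPLE = """\
[libdefaults]
ticket_lifetime = 24000
default_realm = HQ.ARKONNETWORKS.COM
; default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
; default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
; permitted_enctypes = des3-hmac-sha1 des-cbc-crc

default_etypes = des-cbc-crc des-crc-md5
default_etypes_des = des-cbc-crc des-crc-md5
"""

def audit_libdefaults(text):
    """Return [(line_no, key, [enctypes], des_only)] for active enctype overrides."""
    findings = []
    section = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or commented-out setting
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)  # section header such as [libdefaults]
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            etypes = [e for e in re.split(r"[,\s]+", value) if e]
            # Single-DES names start with "des-"; triple-DES names start with "des3-".
            des_only = bool(etypes) and all(e.startswith("des-") for e in etypes)
            findings.append((no, key, etypes, des_only))
    return findings

if __name__ == "__main__":
    for no, key, etypes, des_only in audit_libdefaults(SAMPLE):
        note = "single-DES only" if des_only else "explicit override"
        print(f"line {no}: {key} = {' '.join(etypes)}  [{note}]")
```
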