[Samba] Samba 3.0.1 ADS/Kerberos problems relating to Win2k/xp browsing to samba server

Cedric Puddy cedric at cadence.thinkers.org
Mon Jan 5 02:08:50 GMT 2004

Hello All,

I've been discovering the joys of Samba/ADS integration here
(the environment is a chip design concern that has chip
simulation tools, many of which run in Linux, but some of
which only run in Windows.  Winbind, and a Linux based
NAS server are the cornerstone through which Windows and
Linux elements of the toolchain will be able to seamlessly
communicate, once we get all the little wrinkles worked out :)

First, THE PROBLEM:  When I upgrade from 3.0.0 to 3.0.1, or
install 3.0.1 from scratch, something in 3.0.1 "libads" seems
to be broken, which absolutely prevents win2k/xp clients from
doing kerberos authentication with my 3.0.1 server.  This
doesn't seem to be a problem with 3.0.0.  I can't figure out
what's been broken, and I would *really* like a fix.  If someone
knows about a pending patch, I would really like to know about

Failing a fix for 3.0.1, I would really like
to know if there's any simple way that I can pre-map ADS
users to particular Unix UIDs in the TDB database, or any way
of manually fixing them up after the fact.  (My unix
user lists are primarily in NIS, but we have some
NIS-hostile boxes, and the long and short of it is that
changing unix UID's is a big pain that's worth going some
lengths to avoid).

Now, here's all the background info for those who are

I set up a Samba 3.0.0 Server, enabled ADS integration with
our local domain (I found the FAQ was unclear on a few key points,
though ultimately correct -- fates willing, I will endevour
to submit proposals for improving the FAQs :)

I was able to go to the Samba server from Win2k/XP clients,
no problem, fully authenticated by the ADS infrastructure.

Then I realized that the "winbind trusted domains only"
function didn't actually seem to be working -- my understanding
is that if I have it enabled, and two users such as
"ADSDOMAIN.COM+joeuser" and a Unix user "joeuser (@uid: 513)",
then as soon as "joeuser" trys to connect from his XP desktop
to the Samba server, it should say "aha! - we already have
a Unix joeuser @ uid 513, so I'll automap ADSDOMAIN.COM+joeuser
to uid 513 (not some random ID like 20005)".  Let me know if
this understanding is wrong, please!

What 3.0.0 was doing was mapping everyone to random ID's
(starting from 20000, regardless of existing Unix usernames).

>From the 3.0.1 changelog, I got the idea that 3.0.1 fixes things
such that the feature works per my understanding, so I tried to

After upgrading, I started getting errors in my
/var/log/samba/log.workstation file, wherein
libads/kerberos_verify.c:setup_keytab was
throwing "unable to create MEMORY: keytab (Unknown Key table type)",
which resulted in the more general error "Failed to verify incoming
ticket!", and the connection attempt from the win2k/xp client
then failing to authenticate, which pretty much prevented anything
further from happening.

My first attempts to downgrade back to 3.0.0 failed (for reasons
I don't know).  I just retried downgrading (twice) and it's worked
both times.  Rolling forward to 3.0.1 definately reinstates the

I tried examining diffs between the 3.0.0 and 3.0.1 trees,
in particular the libads directory, but between being
tired, low code-fu and low experience with
both Samba internals and coding with Kerberos, I basicly
have no idea what actual change might be needed to fix
the matter.  On a lark (doomed, I know) I even tried compiling
3.0.1 with the 3.0.0 libads directory (it failed, naturally,
but it would have like winning the lottery if it worked :P ).

Incidentally, this is all on Redhat 9.0, on i386, with the
current stock RH kernel, using the Samba.org i386 RH9 RPMS and
SRPMS (for what playing with source I did do).  The network
layer is ordinary Ethernet & IPV4.

If anyone here would benefit from detailed debugging information,
a willing beta tester for a proposed fix, etc, then
I am very, very interested providing whatever I can to
assist the process!

	Thanks for your time everyone,

	Best Regards,


|  CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
|  118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-741-2157
   Cedric Puddy, IS Director		cedric at thinkers.org
     PGP Key Available at: 		http://www.thinkers.org/cedric

>From cedric at cadence.thinkers.org Sun Jan  4 20:51:26 2004
Date: Sun, 4 Jan 2004 18:09:40 -0500 (EST)
From: Cedric Puddy <cedric at cadence.thinkers.org>
To: Russell McOrmond <russell at flora.ca>
Subject: SAMBA integration issue

Hi Russell,

I know of you through the CLIC SCO list, and have a matter which
you may be able to be of professsional assistance in.

Essentially, I have an engineering client which runs a variety
of IC design tools, many of which run on Linux and some of which
run on Windows.  The Windows side of the network has an Active
Directory, and the Linux workstations and servers primarily
use NIS/NFS.  In order to bring greater harmony to the network,
we're testing (and have actually had working) Samba 3.0 with
AD integration for a new NAS server.  Down the road, we'll
possibly run winbind on the servers (on the principal that we'll
work around the least flexable part of the puzzle), so as to
allow more seamless interaction between the pieces of the
chip simulation tool chain.

The problem is that having upgraded to Samba 3.0.1 (we needed
a bug fix in the Windows<->Linux automatic user ID mapping
feature), we now get Kerberos errors from the Samba daemon
(even if we downgrade to the previous version, which I currently
can't explain).  The actual error is libads/kerberos_verify.c:setup_keytab
throwing "unable to create MEMORY: keytab (Unknown Key table type)",
which results in the more general error "Failed to verify incoming
ticket!", and the connection attempt from the win2k/xp client
then failing to authenticate, which pretty much prevents anything
further from happening.

More information about the samba mailing list