[Samba] samba 3.0.2a & Win2003 AD controller

Christian HAESSIG christian.haessig at ircad.u-strasbg.fr
Tue May 4 08:04:16 GMT 2004


Oops, I made a mistake: the samba server communicates through kerberos with
the W2K3 server.
I attached the ethereal log which shows all the kerberos packages going to
or from the W2K3 server.

Thanks,

Christian Haessig
Software engineer/Administrator
IRCAD/EITS
Phone : +33. (0)3.88.11.90.76
Fax   : +33. (0)3.88.11.90.99
mailto:christian.haessig at ircad.u-strasbg.fr

> -----Original Message-----
> From: samba-bounces+christian.haessig=ircad.u-strasbg.fr at lists.samba.org
> [mailto:samba-bounces+christian.haessig=ircad.u-strasbg.fr at lists.samba.org] On behalf of Christian HAESSIG
> Sent: Tuesday 4 May 2004 09:08
> To: samba at lists.samba.org
> Subject: [Samba] samba 3.0.2a & Win2003 AD controller
>
>
> Hello samba experts!
>
> I have a big problem with my samba 3.0.2a on debian. I use winbindd, which
> seems to work (getent passwd/group and wbinfo -u work), and the net ads
> join worked too, but the authentication with the AD controller, hosted on
> Win2003 Server, fails.
>
> Sample of the level 3 log file:
>
> ...
> [2004/05/04 08:47:20, 3] smbd/process.c:switch_message(685)
>   switch message SMBsesssetupX (pid 1210)
> [2004/05/04 08:47:20, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638)
>   wct=12 flg2=0xc807
> [2004/05/04 08:47:20, 2] smbd/sesssetup.c:setup_new_vc_session(591)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
>   Doing spnego session setup
> [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
>   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
> [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
>   Got OID 1 2 840 48018 1 2 2
> [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
>   Got OID 1 2 840 113554 1 2 2
> [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
>   Got OID 1 3 6 1 4 1 311 2 2 10
> [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(430)
>   Got secblob of size 1263
> [2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
>   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
> [2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>   Failed to verify incoming ticket!
> ...
>
> So, it seems there is a kerberos problem. I use MIT krb5 1.3.3. I found a
> technet article talking about a krb problem on win2003, and registry
> modifications to apply. I did so, but nothing changed.
>
> Another point: I did a tcpdump between the samba server and the 2003
> server. When I do a kinit, there is communication between the servers. But
> when I try to connect to the samba server from a W2K client, there is no
> communication between the samba and the W2K server!
>
> So, do you have an explanation?
>
> Here is my krb5.conf file:
>
> [logging]
>   default = FILE:/var/log/krb5/libs.log
>   kdc = FILE:/var/log/krb5/kdc.log
>   admin_server = FILE:/var/log/krb5/admin.log
>
> [libdefaults]
>   ticket_lifetime = 24000
>   default_realm = IRCADSTAGE.FR
>
> [realms]
>   IRCADSTAGE.FR = {
>     kdc = stageadmin11.ircadstage.fr:88
>     default_domain = ircadstage.fr
>   }
>
> [domain_realm]
>    .ircadstage.fr = IRCADSTAGE.FR
>    ircadstage.fr = IRCADSTAGE.FR
>
> Thanks!
>
> Christian Haessig
> Software engineer/Administrator
> IRCAD/EITS
> Phone : +33. (0)3.88.11.90.76
> Fax   : +33. (0)3.88.11.90.99
> mailto:christian.haessig at ircad.u-strasbg.fr
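An added example, not part of the original post and not Samba code: a small Python parser for the level 3 smbd log quoted in the message. It rejoins mail-wrapped, `>`-quoted lines and reports which SPNEGO mechanisms were offered and which Kerberos encryption type failed to decrypt. The function names and lookup tables are this example's own.

```python
import re
# Public assignments: SPNEGO mechanism OIDs and Kerberos enctype numbers.
MECHS = {"1.2.840.48018.1.2.2": "MS-KRB5", "1.2.840.113554.1.2.2": "Kerberos 5",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
RECORD = re.compile(r"^\[(\S+ \S+), *(\d+)\] (\S+?):(\w+)\((\d+)\) ?(.*)$")
OID = re.compile(r"Got OID ((?:\d+ ?)+)")
DECRYPT = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

def records(text):
    """Rejoin mail-wrapped, '>'-quoted smbd log lines into one string per record."""
    current = None
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if line.startswith("["):          # "[timestamp, level]" starts a record
            if current:
                yield current
            current = line
        elif current and line not in ("", "..."):
            current += " " + line         # message body or wrapped text
    if current:
        yield current

def summarize(text):
    """Collect offered SPNEGO mechanisms, ticket decrypt failures and the verdict."""
    out = {"mechs": [], "decrypt_failures": [], "ticket_rejected": False}
    for m in filter(None, map(RECORD.match, records(text))):
        func, msg = m.group(4), m.group(6)
        if oid := OID.search(msg):
            dotted = ".".join(oid.group(1).split())
            out["mechs"].append(MECHS.get(dotted, dotted))
        elif func == "ads_verify_ticket" and (d := DECRYPT.search(msg)):
            n = int(d.group(1))
            out["decrypt_failures"].append((ENCTYPES.get(n, f"enctype {n}"), d.group(2)))
        elif "Failed to verify incoming ticket" in msg:
            out["ticket_rejected"] = True
    return out

# Constructed sample: lines from the log quoted in the message, in mail-wrapped form.
SAMPLE = """\
> [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
>   Got OID 1 2 840 113554 1 2 2
> [2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
>   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
> integrity check failed
> [2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>   Failed to verify incoming ticket!
"""
```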