[Samba] samba 3.0.2a & Win2003 AD controler

Christian HAESSIG christian.haessig at ircad.u-strasbg.fr
Tue May 4 08:21:18 GMT 2004


Hi Bertram, hi to the list,

I added the samba list, so that they all get our mails :)

No, I don't use the nss_ldap.so library. What does it do?
You mentioned a tool set to install on the W2K3 server. What is this tool?
I found on the Microsoft knowledge base a registry modification concerning
kerberos. I applied it, without any result.

By the way, I sent an ethereal log showing the communication between the W2K
client (192.168.2.33), the samba server (192.168.0.31) and the W2K3 server
(192.168.9.211). Did you get it?
This log indicates the problem:
- there are first some krb5 exchanges between the W2K client and the W2K3
server
- then, the samba server sends a krb5 request using the encryptions 0x12
(unknown), 0x11 (unknown), des3-cbc-sha1, rc4-hmac, des-cbc-crc, des-cbc-md5
and des-cbc-md4
- the W2K3 server responds: error_code: KRB5KDC_ERR_PREAUTH_REQUIRED

Are there any krb5 experts on this list who could help us? We would surely
appreciate it!

Christian Haessig
Software engineer/Administrator
IRCAD/EITS
Phone : +33. (0)3.88.11.90.76
Fax   : +33. (0)3.88.11.90.99
mailto:christian.haessig at ircad.u-strasbg.fr

> -----Original Message-----
> From: Yohann Ferreira [mailto:bertram25 at hotmail.com]
> Sent: Tuesday 4 May 2004 10:06
> To: christian.haessig at ircad.u-strasbg.fr
> Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
>
>
> I've got EXACTLY the same problem! Exactly!
>
> Do you use the nss_ldap.so tool from PADL?
>
> 'Cause I've heard that you have to install a tool set on the w2k AD server...
>
> Is that right, Samba Team?
>
> Thanks for reading!
>
> Bertram
>
>
> >From: "Christian HAESSIG" <christian.haessig at ircad.u-strasbg.fr>
> >To: <samba at lists.samba.org>
> >Subject: [Samba] samba 3.0.2a & Win2003 AD controler
> >Date: Tue, 4 May 2004 09:07:35 +0200
> >
> >Hello samba experts !
> >
> >I have a big problem with my samba 3.0.2a on debian. I use winbindd, which
> >seems to work (getent passwd/group and wbinfo -u works), and the net ads
> >join worked too, but the authentication with the AD controller, hosted on
> >Win2003 Server, fails.
> >
> >Sample of the level 3 log file :
> >
> >...
> >[2004/05/04 08:47:20, 3] smbd/process.c:switch_message(685)
> >   switch message SMBsesssetupX (pid 1210)
> >[2004/05/04 08:47:20, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638)
> >   wct=12 flg2=0xc807
> >[2004/05/04 08:47:20, 2] smbd/sesssetup.c:setup_new_vc_session(591)
> >   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> >all old resources.
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
> >   Doing spnego session setup
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
> >   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
> >PrimaryDomain=[]
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> >   Got OID 1 2 840 48018 1 2 2
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> >   Got OID 1 2 840 113554 1 2 2
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> >   Got OID 1 3 6 1 4 1 311 2 2 10
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(430)
> >   Got secblob of size 1263
> >[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
> >   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
> >integrity check failed
> >[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
> >   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> >[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> >   Failed to verify incoming ticket!
> >...
> >
> >So, it seems there is a kerberos problem. I use MIT krb5 1.3.3. I found a
> >technet article talking about a krb problem on win2003, and registry
> >modifications to apply. I did so, but nothing changed.
> >
> >Another point: I did a tcpdump between the samba server and the 2003
> >server. When I do a kinit, there is communication between the servers. But
> >when I try to connect to the samba server from a W2K client, there is no
> >communication between the samba and the W2K server!
> >
> >So, do you have an explanation ?
> >
> >Here is my krb5.conf file :
> >
> >[logging]
> >   default = FILE:/var/log/krb5/libs.log
> >   kdc = FILE:/var/log/krb5/kdc.log
> >   admin_server = FILE:/var/log/krb5/admin.log
> >
> >[libdefaults]
> >   ticket_lifetime = 24000
> >   default_realm = IRCADSTAGE.FR
> >
> >[realms]
> >   IRCADSTAGE.FR = {
> >     kdc = stageadmin11.ircadstage.fr:88
> >     default_domain = ircadstage.fr
> >   }
> >
> >[domain_realm]
> >    .ircadstage.fr = IRCADSTAGE.FR
> >    ircadstage.fr = IRCADSTAGE.FR
> >
> >Thanks !
> >
> >Christian Haessig
> >Software engineer/Administrator
> >IRCAD/EITS
> >Phone : +33. (0)3.88.11.90.76
> >Fax   : +33. (0)3.88.11.90.99
> >mailto:christian.haessig at ircad.u-strasbg.fr
> >

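As an added example, not code from this thread, from Samba, or from either poster: a small Python parser for the smbd level-3 log format quoted above. It groups each `[date, level] file:function(line)` header with its indented detail lines (including the source location that wrapped onto its own line in the quoted log), and then reports the SPNEGO mechanisms the client offered, every `ads_verify_ticket` decrypt failure with its Kerberos enctype number decoded, and whether the ticket was finally rejected. The enctype and mechanism names come from the IANA Kerberos enctype registry and the standard SPNEGO mechanism OIDs; the log excerpt embedded below is the one from the thread with wrapped lines rejoined. Note that enctype 3 in the log is des-cbc-md5, and that 0x11 and 0x12, shown as "unknown" by the ethereal build mentioned above, are the AES128 and AES256 CTS enctypes in that registry.

```python
"""Detect Kerberos ticket-verification failures in a Samba smbd level-3 log.

Added example for this thread; not code from the Samba project or the posters.
"""
import re
from dataclasses import dataclass, field

# Header of an smbd log entry; the source location is optional because it
# sometimes wraps onto the following line (as in the quoted log).
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]"
    r"\s*(?P<src>\S+:\S+\(\d+\))?\s*$"
)
SRC_ONLY_RE = re.compile(r"^\S+:\S+\(\d+\)$")   # wrapped "file:function(line)"
ENC_FAIL_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.*)")
OID_RE = re.compile(r"Got OID ([\d ]+)")

# Kerberos enctype numbers from the IANA registry (RFC 3961 and successors).
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# SPNEGO mechanism OIDs exactly as smbd prints them (space-separated arcs).
MECH_OIDS = {
    "1 2 840 48018 1 2 2": "MS KRB5 (legacy Microsoft Kerberos OID)",
    "1 2 840 113554 1 2 2": "KRB5",
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
}


@dataclass
class Entry:
    ts: str
    level: int
    src: str
    detail: list = field(default_factory=list)


def parse_smbd_log(text):
    """Group each header line with its continuation lines into Entry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        m = HEADER_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["src"] or ""))
        elif entries and not entries[-1].src and SRC_ONLY_RE.match(line):
            entries[-1].src = line      # source location wrapped to its own line
        elif entries:
            entries[-1].detail.append(line)
    return entries


def analyse(entries):
    """Summarise the SPNEGO/Kerberos outcome of one session setup."""
    report = {"mechs": [], "enctype_failures": [], "ticket_rejected": False}
    for e in entries:
        text = " ".join(e.detail)
        if "reply_spnego_negotiate" in e.src:
            for oid in OID_RE.findall(text):
                report["mechs"].append(MECH_OIDS.get(oid.strip(), oid.strip()))
        elif "ads_verify_ticket" in e.src:
            m = ENC_FAIL_RE.search(text)
            if m:
                num = int(m.group(1))
                report["enctype_failures"].append(
                    (e.ts, num, ENCTYPES.get(num, "unknown"), m.group(2).strip()))
        elif "reply_spnego_kerberos" in e.src and "Failed to verify incoming ticket" in text:
            report["ticket_rejected"] = True
    return report


# Log excerpt copied from the thread (wrapped lines rejoined).
SAMPLE_LOG = """\
[2004/05/04 08:47:20, 3] smbd/process.c:switch_message(685)
   switch message SMBsesssetupX (pid 1210)
[2004/05/04 08:47:20, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
   Doing spnego session setup
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
   Got OID 1 2 840 48018 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
   Got OID 1 2 840 113554 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
   Got OID 1 3 6 1 4 1 311 2 2 10
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
   Failed to verify incoming ticket!
"""

if __name__ == "__main__":
    r = analyse(parse_smbd_log(SAMPLE_LOG))
    print("SPNEGO mechs offered:", ", ".join(r["mechs"]))
    for ts, num, name, reason in r["enctype_failures"]:
        print(f"{ts} enctype {num} ({name}): {reason}")
    print("ticket rejected:", r["ticket_rejected"])
```

Run against the quoted excerpt it reports that the client offered Kerberos before NTLMSSP, that the service ticket encrypted with enctype 3 (des-cbc-md5) failed its integrity check, and that the session setup was rejected; pointed at a live smbd log it gives a quick way to confirm that a failed logon is a keytab/enctype mismatch on the Samba side rather than an NTLM fallback.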