[Samba] samba 3.0.2a & Win2003 AD controler

Yohann Ferreira bertram25 at hotmail.com
Tue May 4 09:52:16 GMT 2004


Sorry Christian !

Let me explain:

nss_ldap.so is a lib used by the nss switch (winbind) to look where to use
authentication.
In order to have some response from the 2k AD domain, I think, and it's
purely theoretical because I'm right now doing tests about it, you'll then
need to install the 'Microsoft Windows Services For Unix', which provides the
LDAP and NIS communication protocol to your Windows 2k AD controller.

As for the others, if someone knows something about all of this, such as a
configuration which works (!), please tell us!

Thanks for reading

Bertram

>From: "Christian HAESSIG" <christian.haessig at ircad.u-strasbg.fr>
>To: "Yohann Ferreira" <bertram25 at hotmail.com>, <samba at lists.samba.org>
>Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
>Date: Tue, 4 May 2004 10:21:18 +0200
>
>Hi Bertram, hi the list,
>
>I added the samba list, so that they all get our mails :)
>
>No, I don't use the nss_ldap.so library. What does it do ?
>You told about a tool set to install on the W2K3 server. What is this tool ?
>I found on the Microsoft knowledge base a registry modification concerning
>kerberos. I applied it, without any result.
>
>By the way, I sent an ethereal log showing the communication between the W2K
>client (192.168.2.33), the samba server (192.168.0.31) and the W2K3 server
>(192.168.9.211). Did you get it ?
>This log indicates the problem :
>- there are first some krb5 exchanges between the W2K client and the W2K3
>server
>- then, the samba server sends a krb5 request using the encryptions 0x12
>(unknown), 0x11 (unknown), des3-cbc-sha1, rc4-hmac, des-cbc-crc, des-cbc-md5
>and des-cbc-md4
>- the W2K3 server responds : error_code: KRB5KDC_ERR_PREAUTH_REQUIRED
>
>Are there any krb5 experts in this list who could help us ? We would surely
>appreciate !
>
>Christian Haessig
>Software engineer/Administrator
>IRCAD/EITS
>Phone : +33. (0)3.88.11.90.76
>Fax   : +33. (0)3.88.11.90.99
>mailto:christian.haessig at ircad.u-strasbg.fr
>
> > -----Original Message-----
> > From: Yohann Ferreira [mailto:bertram25 at hotmail.com]
> > Sent: Tuesday, 4 May 2004 10:06
> > To: christian.haessig at ircad.u-strasbg.fr
> > Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
> >
> >
> > I've got EXACTLY the same problem ! Exactly !
> >
> > Do you use the nss_ldap.so tool from PADL ?
> >
> > Cause I've that you have install a tool set on the w2k AD server...
> >
> > Is that right samba Team ?
> >
> > Thanks for reading !
> >
> > Bertram
> >
> >
> > >From: "Christian HAESSIG" <christian.haessig at ircad.u-strasbg.fr>
> > >To: <samba at lists.samba.org>
> > >Subject: [Samba] samba 3.0.2a & Win2003 AD controler
> > >Date: Tue, 4 May 2004 09:07:35 +0200
> > >
> > >Hello samba experts !
> > >
> > >I have a big problem with my samba 3.0.2a on debian. I use winbindd, which
> > >seems to work (getent passwd/group and wbinfo -u works), and the net ads
> > >join worked too, but the authentication with the AD controller, hosted on
> > >Win2003 Server, fails.
> > >
> > >Sample of the level 3 log file :
> > >
> > >...
> > >[2004/05/04 08:47:20, 3] smbd/process.c:switch_message(685)
> > >   switch message SMBsesssetupX (pid 1210)
> > >[2004/05/04 08:47:20, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> > >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638)
> > >   wct=12 flg2=0xc807
> > >[2004/05/04 08:47:20, 2] smbd/sesssetup.c:setup_new_vc_session(591)
> > >   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
> > >   Doing spnego session setup
> > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
> > >   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
> > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> > >   Got OID 1 2 840 48018 1 2 2
> > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> > >   Got OID 1 2 840 113554 1 2 2
> > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> > >   Got OID 1 3 6 1 4 1 311 2 2 10
> > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(430)
> > >   Got secblob of size 1263
> > >[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
> > >   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
> > >[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
> > >   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> > >[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> > >   Failed to verify incoming ticket!
> > >...
> > >
> > >So, it seems there is a kerberos problem. I use MIT krb5 1.3.3. I found a
> > >technet article talking about a krb problem on win2003, and registry
> > >modifications to apply. I did so, but nothing changed.
> > >
> > >Another point : I did a tcpdump between the samba server and the 2003
> > >server. When I do a kinit, there is communication between the servers. But
> > >when I try to connect to the samba server from a W2K client, there is no
> > >communication between the samba and the W2K server !
> > >
> > >So, do you have an explanation ?
> > >
> > >Here is my krb5.conf file :
> > >
> > >[logging]
> > >   default = FILE:/var/log/krb5/libs.log
> > >   kdc = FILE:/var/log/krb5/kdc.log
> > >   admin_server = FILE:/var/log/krb5/admin.log
> > >
> > >[libdefaults]
> > >   ticket_lifetime = 24000
> > >   default_realm = IRCADSTAGE.FR
> > >
> > >[realms]
> > >   IRCADSTAGE.FR = {
> > >     kdc = stageadmin11.ircadstage.fr:88
> > >     default_domain = ircadstage.fr
> > >   }
> > >
> > >[domain_realm]
> > >    .ircadstage.fr = IRCADSTAGE.FR
> > >    ircadstage.fr = IRCADSTAGE.FR
> > >
> > >Thanks !
> > >
> > >Christian Haessig
> > >Software engineer/Administrator
> > >IRCAD/EITS
> > >Phone : +33. (0)3.88.11.90.76
> > >Fax   : +33. (0)3.88.11.90.99
> > >mailto:christian.haessig at ircad.u-strasbg.fr
> > >
>
