[Samba] samba 3.0.2a & Win2003 AD controler

Christian HAESSIG christian.haessig at ircad.u-strasbg.fr
Tue May 4 10:10:54 GMT 2004


OK, thanks Bertram!

I do not use nss_ldap; I don't know if it's really necessary (my
nss_winbind works pretty well). But I will check it out!
Anyway, I need winbind authentication (so the use of nss_winbind). I think
you use nss_ldap because you don't have winbind? (so your
/etc/nsswitch.conf doesn't have any reference to winbind).

Tell me if your attempt with SFU worked!

And, if somebody has any idea about this kerberos problem, don't hesitate :)
I still have my ethereal log file, if someone wants it!

Thanks,

Christian Haessig
Software engineer/Administrator
IRCAD/EITS
Phone : +33. (0)3.88.11.90.76
Fax   : +33. (0)3.88.11.90.99
mailto:christian.haessig at ircad.u-strasbg.fr

> -----Original Message-----
> From: Yohann Ferreira [mailto:bertram25 at hotmail.com]
> Sent: Tuesday, 4 May 2004 11:52
> To: christian.haessig at ircad.u-strasbg.fr; samba at lists.samba.org
> Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
>
>
> Sorry Christian!
>
> Let me explain:
>
> nss_ldap.so is a lib used by the nss switch (winbind) to look where to use
> authentication.
> In order to have some response from the 2k AD domain, I think, and it's
> purely theoretical because I'm right now doing tests about it, you'll need
> then to install the 'Microsoft Windows Services For Unix' which provides the
> LDAP and NIS communication protocol to your Windows 2k AD controller.
>
> As for the others, if someone knows something about all of this, such as a
> configuration which works (!), please tell us!
>
> Thanks for reading
>
> Bertram
>
> >From: "Christian HAESSIG" <christian.haessig at ircad.u-strasbg.fr>
> >To: "Yohann Ferreira" <bertram25 at hotmail.com>, <samba at lists.samba.org>
> >Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
> >Date: Tue, 4 May 2004 10:21:18 +0200
> >
> >Hi Bertram, hi the list,
> >
> >I added the samba list, so that they all get our mails :)
> >
> >No, I don't use the nss_ldap.so library. What does it do?
> >You mentioned a tool set to install on the W2K3 server. What is this tool?
> >I found on the Microsoft knowledge base a registry modification concerning
> >kerberos. I applied it, without any result.
> >
> >By the way, I sent an ethereal log showing the communication between the
> >W2K client (192.168.2.33), the samba server (192.168.0.31) and the W2K3
> >server (192.168.9.211). Did you get it?
> >This log indicates the problem:
> >- there are first some krb5 exchanges between the W2K client and the W2K3
> >server
> >- then, the samba server sends a krb5 request using the encryptions 0x12
> >(unknown), 0x11 (unknown), des3-cbc-sha1, rc4-hmac, des-cbc-crc,
> >des-cbc-md5 and des-cbc-md4
> >- the W2K3 server responds: error_code: KRB5KDC_ERR_PREAUTH_REQUIRED
> >
> >Are there any krb5 experts in this list who could help us? We would surely
> >appreciate it!
> >
> >Christian Haessig
> >Software engineer/Administrator
> >IRCAD/EITS
> >Phone : +33. (0)3.88.11.90.76
> >Fax   : +33. (0)3.88.11.90.99
> >mailto:christian.haessig at ircad.u-strasbg.fr
> >
> > > -----Original Message-----
> > > From: Yohann Ferreira [mailto:bertram25 at hotmail.com]
> > > Sent: Tuesday, 4 May 2004 10:06
> > > To: christian.haessig at ircad.u-strasbg.fr
> > > Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
> > >
> > >
> > > I've got EXACTLY the same problem ! Exactly !
> > >
> > > Do you use the nss_ldap.so tool from PADL ?
> > >
> > > Cause I've that you have install a tool set on the w2k AD server...
> > >
> > > Is that right samba Team ?
> > >
> > > Thanks for reading !
> > >
> > > Bertram
> > >
> > >
> > > >From: "Christian HAESSIG" <christian.haessig at ircad.u-strasbg.fr>
> > > >To: <samba at lists.samba.org>
> > > >Subject: [Samba] samba 3.0.2a & Win2003 AD controler
> > > >Date: Tue, 4 May 2004 09:07:35 +0200
> > > >
> > > >Hello samba experts!
> > > >
> > > >I have a big problem with my samba 3.0.2a on debian. I use winbindd, which
> > > >seems to work (getent passwd/group and wbinfo -u work), and the net ads
> > > >join worked too, but the authentication with the AD controller, hosted on
> > > >Win2003 Server, fails.
> > > >
> > > >Sample of the level 3 log file:
> > > >
> > > >...
> > > >[2004/05/04 08:47:20, 3] smbd/process.c:switch_message(685)
> > > >   switch message SMBsesssetupX (pid 1210)
> > > >[2004/05/04 08:47:20, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> > > >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638)
> > > >   wct=12 flg2=0xc807
> > > >[2004/05/04 08:47:20, 2] smbd/sesssetup.c:setup_new_vc_session(591)
> > > >   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
> > > >   Doing spnego session setup
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
> > > >   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> > > >   Got OID 1 2 840 48018 1 2 2
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> > > >   Got OID 1 2 840 113554 1 2 2
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> > > >   Got OID 1 3 6 1 4 1 311 2 2 10
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(430)
> > > >   Got secblob of size 1263
> > > >[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
> > > >   ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
> > > >[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
> > > >   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> > > >[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> > > >   Failed to verify incoming ticket!
> > > >...
> > > >
> > > >So, it seems there is a kerberos problem. I use MIT krb5 1.3.3. I found a
> > > >technet article talking about a krb problem on win2003, and registry
> > > >modifications to apply. I did so, but nothing changed.
> > > >
> > > >Another point: I did a tcpdump between the samba server and the 2003
> > > >server. When I do a kinit, there is communication between the servers. But
> > > >when I try to connect to the samba server from a W2K client, there is no
> > > >communication between the samba and the W2K server!
> > > >
> > > >So, do you have an explanation?
> > > >
> > > >Here is my krb5.conf file:
> > > >
> > > >[logging]
> > > >   default = FILE:/var/log/krb5/libs.log
> > > >   kdc = FILE:/var/log/krb5/kdc.log
> > > >   admin_server = FILE:/var/log/krb5/admin.log
> > > >
> > > >[libdefaults]
> > > >   ticket_lifetime = 24000
> > > >   default_realm = IRCADSTAGE.FR
> > > >
> > > >[realms]
> > > >   IRCADSTAGE.FR = {
> > > >     kdc = stageadmin11.ircadstage.fr:88
> > > >     default_domain = ircadstage.fr
> > > >   }
> > > >
> > > >[domain_realm]
> > > >    .ircadstage.fr = IRCADSTAGE.FR
> > > >    ircadstage.fr = IRCADSTAGE.FR
> > > >
> > > >Thanks !
> > > >
> > > >Christian Haessig
> > > >Software engineer/Administrator
> > > >IRCAD/EITS
> > > >Phone : +33. (0)3.88.11.90.76
> > > >Fax   : +33. (0)3.88.11.90.99
> > > >mailto:christian.haessig at ircad.u-strasbg.fr
> > > >
>
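
Added example, not part of the original thread: a small parser for the smbd level 3 log format quoted above that names the SPNEGO mechanism OIDs the client offered and the Kerberos encryption type that failed to decrypt. The OID and enctype names come from the standard SPNEGO and Kerberos number assignments, not from the posters; function names are this example's own.

```python
import re

# Constructed sample: a subset of the log lines quoted in the thread, mail wraps rejoined.
SAMPLE_LOG = """\
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 48018 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 113554 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
"""

# SPNEGO mechanism OIDs offered by the client.
MECH_OIDS = {
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
# Kerberos encryption type numbers; 17 and 18 are the 0x11 and 0x12 from the capture.
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
HEADER = re.compile(r"^\[[^,\]]+,\s*(\d+)\]\s+\S+:(\w+)\(\d+\)")

def parse_records(text):
    """Attach each indented message to the '[time, level] file:func(line)' header above it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"level": int(m.group(1)), "func": m.group(2), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def summarize(text):
    """Return (offered mechanism names, enctype names that failed to decrypt)."""
    mechs, failed = [], []
    for rec in parse_records(text):
        oid = re.match(r"Got OID ([\d ]+)$", rec["msg"])
        if oid:
            dotted = ".".join(oid.group(1).split())
            mechs.append(MECH_OIDS.get(dotted, dotted))
        for num in re.findall(r"enc type \[(\d+)\] failed to decrypt", rec["msg"]):
            failed.append(ENCTYPES.get(int(num), "etype " + num))
    return mechs, failed
```

Calling `summarize(SAMPLE_LOG)` returns the three offered mechanisms and shows that the failing ticket was tried with des-cbc-md5 (enctype 3).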


