[Samba] Numerous errors trying to authenticate samba against w2k3

Carissa Srugis csrugis at gmail.com
Tue Nov 30 21:25:44 GMT 2004 

My goal is to authenticate a Windows 2003 Server user from a FreeBSD
4.10 box via samba.  A week ago I had this working.  I then needed to
verify the procedure and test on a fresh install. Now it doesn't work,
despite doing the same steps (I think).

I generated a Kerberos ticket on the w2k3 box and transfered it to the
FreeBSD box.  I used the ktutil command to incorporate the ticket into
Kerberos on the FreeBSD machine.

freebsd# ktutil add
Principal: host/freebsd.template.state.company.com at DOMAIN.LOCAL
Encryption type: DES-CBC-MD5
Key version: 0x502
Password:
Verifying - Password:

>From what I've read, I should be able to see the ticket information
such as expiration dates, but I don't see this information.

freebsd# klist
Ticket file:    /tmp/tkt0
klist: No ticket file (tf_util)

freebsd# ktutil list
FILE:/etc/krb5.keytab:

Vno  Type         Principal
  0  des-cbc-md5  host/freebsd.template.state.company.com at DOMAIN.LOCAL

krb4:/etc/srvtab:

Vno  Type  Principal

When I try to authenticate with the kinit command I get an error:

freebsd# kinit administrator at DOMAIN.LOCAL
FreeBSD Inc. (freebsd.template.state.company.com)
Kerberos Initialization for "administrator at DOMAIN.LOCAL"
Password:
kinit: Retry count exceeded (send_to_kdc)

I seem to be having a hard time finding an helpful information about
this error message, which has been frustrating.

Since I can't connect via kinit, I obviously can't connect via samba (3.0.9):

freebsd# net ads join -U administrator%password -S 192.168.1.1 -W DOMAIN
[2004/11/30 15:41:48, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password administrator at DOMAIN.LOCAL failed: Unknown
error -1765328378
[2004/11/30 15:41:48, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Unknown error -1765328378

Here is my smb.conf file:

[global]
        realm = DOMAIN.LOCAL
        security = ads
        password server = W2K3.DOMAIN.LOCAL
        auth methods = winbind
        winbind separator = +
        encrypt passwords = yes
        workgroup = DOMAIN
        netbios name = FREEBSD
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        client use spnego = no

Here is my krb5.conf file:

[libdefaults]
        default_realm = DOMAIN.LOCAL
        clockskew = 300
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        default_tgs_enctypes = dex-cbc-crc des-cbc-md5
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5
        default_keytab-name = FILE:/usr/src/crypto/heimdal/freebsd.keytab
        dns_lookup_realm = false
        dns_lookup_kdc = false
[realms]
        ANDLESS2.LOCAL = {
                kdc = W2K3.DOMAIN.LOCAL:88
                admin_server = W2K3.DOMAIN.LOCAL
                default_domain = DOMAIN.LOCAL
        }
[domain_realm]
        .DOMAIN.LOCAL = DOMAIN.LOCAL
        DOMAIN.LOCAL = DOMAIN.LOCAL

Now if I issue a "net rpc join" command instead, I get completely
different error messages.  The W2K3 machine also adds the FreeBSD
machine to it's computer list in AD USers & Computers, but I still
can't authenticate or use commands like wbinfo.

freebsd# net rpc join -U freebsd%password -W DOMAIN -S 192.168.1.1
[2004/11/30 15:54:34, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(256)
  cli_nt_setup_creds: request challenge failed
[2004/11/30 15:54:34, 0] libsmb/smb_signing.c:signing_good(240)
  signing_good: BAD SIG: seq 1
[2004/11/30 15:54:34, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
Could not connect to server 192.168.1.1
The username or password was not correct.

The /usr/local/etc/winbindd/log/main/current file only contians this
error which seems to be difficult to research online:
ads_connect for domain ANDLESS2 failed: Unknown error -1765328254

I also noticed something odd when I did a packet capture on the W2K3
machine while the kinit authentication was tested.  The FreeBSD
machine was querying the DNS server (also on the W2K3 machine) for
names like kerberos-iv.udp.domain.com  kerberos-iv.tcp.domain.com
kerberos-iv.http.domain.com and kerberos.domain.com  I have no idea
where these requests are coming from, since the Kerberos server is
specified in the krb5.conf file.  Following these DNS queries, the
FreeBSD box tries to conect to the following source ports: 26077,
10008, 4811, 10096, 10282, and 13372 all from destination port:
kerberos-iv (750).  So it appears that the FreeBSD box is trying to
use Kerberos 4, even though it should be using Kerberos 5.  So
something somewhere is not correct, and I really don't know where to
look.

Any and all help is greatly appreciated.

Carissa

*********************************************************
Carissa Srugis
csrugis at gmail.com

More information about the samba mailing list