[Samba] Samba ADS -- works with XP Pro, but not 2000 Pro

Gordon Hopper g.hopper at computer.org
Thu Oct 14 07:01:53 GMT 2004


I am using Samba with Active Directory.  I have successfully joined my 
Samba server to the domain D1 ( net ads join -U username@D2.DOMAIN.COM 
).  I am able to successfully connect from Windows XP clients ( with no 
password ), but not from Windows 2000 ( even when specifying a password 
).  With w2k, I always get "Failed to verify incoming ticket!".

I think it has something to do with the key type of the Kerberos tickets 
( etype or enctype in krb5.conf ).  Does Windows 2000 speak the same 
Kerberos 5 as Windows XP?  Which key types are used by Windows?  How do 
I know which enctype I need, and why doesn't the default enctype setting 
negotiate something that works?

It might also have something to do with trust relationships, since my 
samba machine is in domain D1.DOMAIN.COM, but my users are in domain 
D2.DOMAIN.COM.  (And my client machine is in D3.DOMAIN.COM).  Each of 
these domains is an active directory tree, with trust relationships 
between them...

But it works with an XP client, so what's different between XP and 
Windows 2000?

Thanks,

Gordon


Configuration files follow.

-------------------------
# smb.conf:
[global]
 workgroup = D1
 realm = D1.DOMAIN.COM
 security = ADS
 password server = d1dc02.d1.domain.com
 log file = /etc/samba/samba.log

[t]
 comment = Test Share
 path = /tmp
 read only = No
 guest ok = Yes
 browseable = Yes

-------------------------
# krb5.conf:
[logging]
 default = FILE:/var/log/krb5.log
 
[libdefaults]
 ticket_lifetime = 24000
 default_realm = D1.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
# According to 
# http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
# "the only supported encryption types are des3-hmac-sha1 and des-cbc-crc."
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# However, http://lists.samba.org/archive/samba/2004-October/093761.html 
# suggests:
# default_tgs_enctypes = des-cbc-crc des-cbc-md5
# default_tkt_enctypes = des-cbc-crc des-cbc-md5
 
[realms]
 D1.DOMAIN.COM = {
  kdc = d1dc01.d1.domain.com
 }
 D2.DOMAIN.COM = {
  kdc = d2dc01.d2.domain.com
 }
 
------------------------------
# from an XP machine in the d2 Domain
C:\>net use * \\samba07\t
Drive Y: is now connected to \\samba07\t .
 
The command completed successfully.
 
-----------------------------
# from an XP machine NOT in the Domain
C:\>net use * \\samba07\t
The password or user name is invalid for \\samba07\t .
 
Enter the user name for 'samba07': d2\username
Enter the password for samba07:
Drive Z: is now connected to \\samba07\t .
 
The command completed successfully.
 
------------------------------
# from a Windows 2000 machine in the d2 Domain:

C:\>net use * \\samba07\t
The password or user name is invalid for \\samba07\t.
 
Type the password for \\samba07\t:
System error 1326 has occurred.
 
Logon failure: unknown user name or bad password.

C:\>net use * \\samba07\t /USER:d2\username
The password or user name is invalid for \\samba07\t .
 
Type the password for \\samba07\t :
System error 1326 has occurred.
 
Logon failure: unknown user name or bad password.

# I get this message in the samba.log:
 
[2004/10/13 17:44:51, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
 
----------------------------
# List of relevant packages (These are the latest updates available for 
# RHEL 3)
$ rpm -qa | egrep 'krb5|samba'
krb5-devel-1.2.7-28
krb5-libs-1.2.7-28
krb5-workstation-1.2.7-28
samba-3.0.7-1.3E
samba-client-3.0.7-1.3E
samba-common-3.0.7-1.3E

----------------------------
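One check a practitioner would make at this point, added here as an example and not part of Gordon's post: a Kerberos service can only decrypt a service ticket for which it holds a key of the same enctype (and key version) the KDC used, so before tuning default_tkt_enctypes / default_tgs_enctypes it is worth comparing the enctypes named in krb5.conf against what the server's keytab actually holds (as printed by `klist -ke`). The script below, written in Python for readable parsing, does that comparison on constructed input; the klist display strings in the mapping are assumed to be the MIT ones, and the sample krb5.conf fragment and keytab listing are made up for the example rather than taken from the thread.

```python
"""Compare the enctypes a krb5.conf asks for against the enctypes present
in a keytab listing.  An enctype that krb5.conf lists but the keytab lacks
is one thing to rule out when a service logs a ticket it cannot verify.
All sample input here is constructed for the example."""
import re
from typing import Dict, List, Set

# Human-readable names MIT klist(1) prints, mapped to krb5.conf enctype
# names.  Assumption: these are the MIT krb5 1.2/1.3 display strings.
KLIST_NAMES: Dict[str, str] = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "DES cbc mode with RSA-MD4": "des-cbc-md4",
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac",
}

# krb5.conf spellings that name the same enctype.
ALIASES: Dict[str, str] = {
    "des3-cbc-sha1": "des3-hmac-sha1",
    "des3-cbc-sha1-kd": "des3-hmac-sha1",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
}

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def canon(name: str) -> str:
    """Normalise an enctype name to one spelling."""
    name = name.strip().lower()
    return ALIASES.get(name, name)


def conf_enctypes(krb5_conf: str) -> Dict[str, List[str]]:
    """Return the enctype lists set in [libdefaults]; '#' comment lines are skipped."""
    result: Dict[str, List[str]] = {}
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in ENCTYPE_KEYS:
            result[key.strip()] = [canon(e) for e in value.split()]
    return result


def keytab_enctypes(klist_output: str) -> Dict[str, Set[str]]:
    """Parse `klist -ke` output into {principal: {enctype, ...}}."""
    keys: Dict[str, Set[str]] = {}
    for line in klist_output.splitlines():
        m = KLIST_LINE.match(line)
        if not m:
            continue
        _kvno, princ, display = m.groups()
        keys.setdefault(princ, set()).add(KLIST_NAMES.get(display, display.lower()))
    return keys


def missing_enctypes(krb5_conf: str, klist_output: str, principal: str) -> Dict[str, List[str]]:
    """For each enctype list in krb5.conf, the enctypes `principal` has no key for.
    A ticket encrypted with one of these cannot be decrypted by the service."""
    have = keytab_enctypes(klist_output).get(principal, set())
    return {k: [e for e in v if e not in have] for k, v in conf_enctypes(krb5_conf).items()}


# Constructed sample input (not real hosts or keys).
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = D1.DOMAIN.COM
# comment lines are ignored, including a wrapped one:
# default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
 D1.DOMAIN.COM = {
  kdc = d1dc01.d1.domain.com
 }
"""

SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/samba07.d1.domain.com@D1.DOMAIN.COM (DES cbc mode with CRC-32)
   3 host/samba07.d1.domain.com@D1.DOMAIN.COM (ArcFour with HMAC/md5)
"""

SAMPLE_PRINCIPAL = "host/samba07.d1.domain.com@D1.DOMAIN.COM"

if __name__ == "__main__":
    for key, missing in missing_enctypes(SAMPLE_KRB5_CONF, SAMPLE_KLIST, SAMPLE_PRINCIPAL).items():
        print(f"{key}: {'ok' if not missing else 'no keytab key for ' + ', '.join(missing)}")
```

On a real host, feed it the actual files (`klist -ke` output and /etc/krb5.conf) and the Samba host principal; an enctype reported as missing is not proof of the fault, only one possibility eliminated or confirmed before the next `net ads join`.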
