[Samba] Samba ADS -- works with XP Pro, but not 2000 Pro
Gordon Hopper
g.hopper at computer.org
Thu Oct 14 07:01:53 GMT 2004
I am using Samba with Active Directory. I have successfully joined my
Samba server to the domain D1 ( net ads join -U username@D2.DOMAIN.COM
). I am able to successfully connect from Windows XP clients ( with no
password ), but not from Windows 2000 ( even when specifying a password
). With w2k, I always get "Failed to verify incoming ticket!".
I think it has something to do with the key type of the Kerberos tickets
( etype or enctype in krb5.conf ). Does Windows 2000 speak the same
Kerberos 5 as Windows XP? Which key types are used by Windows? How do
I know which enctype I need, and why doesn't the default enctype setting
negotiate something that works?
It might also have something to do with trust relationships, since my
samba machine is in domain D1.DOMAIN.COM, but my users are in domain
D2.DOMAIN.COM. (And my client machine is in D3.DOMAIN.COM). Each of
these domains is an active directory tree, with trust relationships
between them...
But it works with an XP client, so what's different between XP and
Windows 2000?
Thanks,
Gordon
Configuration files follow.
-------------------------
# smb.conf:
[global]
workgroup = D1
realm = D1.DOMAIN.COM
security = ADS
password server = d1dc02.d1.domain.com
log file = /etc/samba/samba.log
[t]
comment = Test Share
path = /tmp
read only = No
guest ok = Yes
browseable = Yes
-------------------------
# krb5.conf:
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
default_realm = D1.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
# According to http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
# "the only supported encryption types are des3-hmac-sha1 and des-cbc-crc."
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# However, http://lists.samba.org/archive/samba/2004-October/093761.html suggests:
# default_tgs_enctypes = des-cbc-crc des-cbc-md5
# default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
D1.DOMAIN.COM = {
kdc = d1dc01.d1.domain.com
}
D2.DOMAIN.COM = {
kdc = d2dc01.d2.domain.com
}
------------------------------
# from an XP machine in the d2 Domain
C:\>net use * \\samba07\t
Drive Y: is now connected to \\samba07\t .
The command completed successfully.
-----------------------------
# from an XP machine NOT in the Domain
C:\>net use * \\samba07\t
The password or user name is invalid for \\samba07\t .
Enter the user name for 'samba07': d2\username
Enter the password for samba07:
Drive Z: is now connected to \\samba07\t .
The command completed successfully.
------------------------------
# from a Windows 2000 machine in the d2 Domain:
C:\>net use * \\samba07\t
The password or user name is invalid for \\samba07\t.
Type the password for \\samba07\t:
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
C:\>net use * \\samba07\t /USER:d2\username
The password or user name is invalid for \\samba07\t .
Type the password for \\samba07\t :
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
# I get this message in the samba.log:
[2004/10/13 17:44:51, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
----------------------------
# List of relevant packages (These are the latest updates available for RHEL 3)
$ rpm -qa | egrep 'krb5|samba'
krb5-devel-1.2.7-28
krb5-libs-1.2.7-28
krb5-workstation-1.2.7-28
samba-3.0.7-1.3E
samba-client-3.0.7-1.3E
samba-common-3.0.7-1.3E
----------------------------
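Not part of Gordon's post: an added diagnostic that cross-checks the enctypes named in the krb5.conf above against the enctypes the server's keytab actually holds, since a ticket encrypted under a type the server has no key for can never be verified. It assumes the service keys live in a keytab dumped with `klist -ket` (for instance when smbd is told to use one via `use kerberos keytab = yes`); the klist output is a constructed sample and the function names are mine.

```python
"""Cross-check the enctypes krb5.conf asks for against the enctypes the server's
keytab actually holds; a ticket sealed with a type the keytab lacks is unverifiable."""
import re

# Constructed sample: the enctype lines from the krb5.conf in the post.
KRB5_CONF = """\
[libdefaults]
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
"""
# Constructed sample of `klist -ket /etc/krb5.keytab` output (MIT layout):
# only a single-DES key, so a des3 ticket could never be decrypted here.
KLIST_KET = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------
   2 10/13/04 17:00:00 cifs/samba07.d1.domain.com@D1.DOMAIN.COM (DES cbc mode with CRC-32)
"""
# klist prints human-readable names; map the common ones to krb5.conf keywords.
KLIST_NAME_TO_ENCTYPE = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac-md5",
}

def configured_enctypes(conf):
    """Return {setting: [enctype, ...]} for each *_enctypes key in [libdefaults]."""
    found, in_libdefaults = {}, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if line.startswith("["):
            in_libdefaults = line == "[libdefaults]"
        elif in_libdefaults and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().endswith("_enctypes"):
                found[key.strip()] = value.split()
    return found

def keytab_enctypes(klist_out):
    """Return the set of enctype keywords present in `klist -ket` output."""
    names = re.findall(r"\(([^)]+)\)\s*$", klist_out, re.MULTILINE)
    return {KLIST_NAME_TO_ENCTYPE.get(n, n) for n in names}

def unverifiable_enctypes(conf, klist_out):
    """Per setting, the configured enctypes for which the keytab has no key."""
    have = keytab_enctypes(klist_out)
    return {k: [e for e in v if e not in have]
            for k, v in configured_enctypes(conf).items()}
```

Run it against the real `/etc/krb5.conf` and `klist -ket /etc/krb5.keytab` output; any enctype reported by `unverifiable_enctypes` is one the KDC may hand a client that smbd then has no key to open.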