[Samba] Samba ADS -- works with XP Pro, but not 2000 Pro
Christoph Scheeder
christoph.scheeder at scheeder.de
Thu Oct 14 11:06:12 GMT 2004
Hi,
AFAIR, this is a known problem with w2k clients.
You have to upgrade your kerberos to something > 1.3xxxx
preferably to the latest available version.
Christoph
Gordon Hopper wrote:
> I am using Samba with Active Directory. I have successfully joined my
> Samba server to the domain D1 ( net ads join -U username at D2.DOMAIN.COM
> ). I am able to successfully connect from Windows XP clients ( with no
> password ), but not from Windows 2000 ( even when specifying a password
> ). With w2k, I always get "Failed to verify incoming ticket!".
>
> I think it has something to do with the key type of the Kerberos tickets
> ( etype or enctype in krb5.conf ). Does Windows 2000 speak the same
> Kerberos 5 as Windows XP? Which key types are used by Windows? How do
> I know which enctype I need, and why doesn't the default enctype setting
> negotiate something that works?
>
> It might also have something to do with trust relationships, since my
> samba machine is in domain D1.DOMAIN.COM, but my users are in domain
> D2.DOMAIN.COM. (And my client machine is in D3.DOMAIN.COM). Each of
> these domains is an active directory tree, with trust relationships
> between them...
>
> But it works with an XP client, so what's different between XP and
> Windows 2000?
>
> Thanks,
>
> Gordon
>
>
> Configuration files follow.
>
> -------------------------
> # smb.conf:
> [global]
> workgroup = D1
> realm = D1.DOMAIN.COM
> security = ADS
> password server = d1dc02.d1.domain.com
> log file = /etc/samba/samba.log
>
> [t]
> comment = Test Share
> path = /tmp
> read only = No
> guest ok = Yes
> browseable = Yes
>
> -------------------------
> # krb5.conf:
> [logging]
> default = FILE:/var/log/krb5.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = D1.DOMAIN.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> # According to http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
> # "the only supported encryption types are des3-hmac-sha1 and des-cbc-crc."
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> # However, http://lists.samba.org/archive/samba/2004-October/093761.html suggests:
> # default_tgs_enctypes = des-cbc-crc des-cbc-md5
> # default_tkt_enctypes = des-cbc-crc des-cbc-md5
>
> [realms]
> D1.DOMAIN.COM = {
> kdc = d1dc01.d1.domain.com
> }
> D2.DOMAIN.COM = {
> kdc = d2dc01.d2.domain.com
> }
>
> ------------------------------
> # from an XP machine in the d2 Domain
> C:\>net use * \\samba07\t
> Drive Y: is now connected to \\samba07\t .
>
> The command completed successfully.
>
> -----------------------------
> # from an XP machine NOT in the Domain
> C:\>net use * \\samba07\t
> The password or user name is invalid for \\samba07\t .
>
> Enter the user name for 'samba07': d2\username
> Enter the password for samba07:
> Drive Z: is now connected to \\samba07\t .
>
> The command completed successfully.
>
> ------------------------------
> # from a Windows 2000 machine in the d2 Domain:
>
> C:\>net use * \\samba07\t
> The password or user name is invalid for \\samba07\t.
>
> Type the password for \\samba07\t:
> System error 1326 has occurred.
>
> Logon failure: unknown user name or bad password.
>
> C:\>net use * \\samba07\t /USER:d2\username
> The password or user name is invalid for \\samba07\t .
>
> Type the password for \\samba07\t :
> System error 1326 has occurred.
>
> Logon failure: unknown user name or bad password.
>
> # I get this message in the samba.log:
>
> [2004/10/13 17:44:51, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> Failed to verify incoming ticket!
>
> ----------------------------
> # List of relevant packages (These are the latest updates available for RHEL 3)
> $ rpm -qa | egrep 'krb5|samba'
> krb5-devel-1.2.7-28
> krb5-libs-1.2.7-28
> krb5-workstation-1.2.7-28
> samba-3.0.7-1.3E
> samba-client-3.0.7-1.3E
> samba-common-3.0.7-1.3E
>
> ----------------------------
>