BUG 1717 [was Re: [Samba] Re: Samba 3.0.6 Problems w/AD and Kerberos]
Doug VanLeuven
roamdad at sonic.net
Sat Sep 11 16:45:49 GMT 2004
Blindauer Emmanuel wrote:
>On Saturday 11 September 2004 00:17, Blindauer Emmanuel wrote:
>
>>attached are log from smbd, krb5.conf and smb.conf
>>
>[global]
> workgroup = DPTINFO
> server string = %h server (Samba %v)
>
>
> security = ads
> realm = DPTINFO.URS.LOCAL
>
>
> [libdefaults]
>
>default_realm = DPTINFO.URS.LOCAL
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
>
>[realms]
>DPTINFO.URS.LOCAL = {
> kdc = canard.u-strasbg.fr
> admin_server = canard.u-strasbg.fr
>}
>
>[domain_realm]
> .u-strasbg.fr = DPTINFO.URS.LOCAL
> u-strasbg.fr = DPTINFO.URS.LOCAL
>
Hi,
Your situation looks a lot like mine.
Your realm and DNS names are not equivalent.
See https://bugzilla.samba.org/show_bug.cgi?id=1651
You'll find a workaround in there.
For you and your domain_realm mapping,
it looks like a client machine called hypothetically poem.u-strasbg.fr
in the realm DPTINFO.URS.LOCAL ought to have
a servicePrincipalName of HOST/poem.u-strasbg.fr at DPTINFO.URS.LOCAL
That would comply with your domain_realm mapping.
But if you checked the AD, it would probably have been created by samba
as HOST/poem.dptinfo.urs.local at DPTINFO.URS.LOCAL.
Attempts to communicate by constructing the long form servicePrincipalName
using the HOST/fully-qualified-domain-name at REALM will fail.
Although samba mostly works OK because it mostly seems to use the short form
of the service name HOST/poem at DPTINFO.URS.LOCAL when it builds
servicePrincipalName or CIFS/poem at DPTINFO.URS.LOCAL.
The hardest part of Kerberos AD integration is trying to talk sensibly about
HOST/shorthostname at REALM and HOST/longhostname at REALM
in an environment where REALM and DOMAIN get used interchangeably.
Also, I found I had to explicitly state my default enctypes to include
rc4-hmac, or apply the hotfix from MS to allow des-cbc-crc enctypes.
Also, if I want to make these log entries go away
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
I have to explicitly set the order of the permitted enctypes so the
common case is the first in the list.
During debugging, I just listed every possible enctype in the permitted
list and just haven't cleaned it up.
MS AD uses rc4-hmac (arcfour-hmac-md5). If it's first in the default
list, the first attempt will succeed.
This krb5.conf works with MIT kerberos 3.1.4.
Oh, and you have to add the real DNS names in MS AD servicePrincipalName
as HOST and CIFS.
[libdefaults]
default_realm = NT.LDXNET.COM
default_keytab_name = FILE:/etc/krb5.keytab
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
des-cbc-md4 des3-cbc-sha1 ...
[realms]
NT.LDXNET.COM = {
kdc = ranger1.nt.ldxnet.com:88
admin_server = ranger1.nt.ldxnet.com:749
default_domain = nt.ldxnet.com
}
[domain_realm]
.nt.ldxnet.com = NT.LDXNET.COM
nt.ldxnet.com = NT.LDXNET.COM
gate.ldxnet.com = NT.LDXNET.COM
ldxnet.com = NT.LDXNET.COM
.ldxnet.com = NT.LDXNET.COM
Hope it helps.
Regards, Doug
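An added diagnostic (not part of the thread, and not Samba's or MIT's code) that models the mismatch Doug describes: it reads a constructed krb5.conf fragment, maps a host to its realm via [domain_realm], builds the HOST/ and CIFS/ principals a client would request in short and long form, and reports which of them are absent from a constructed list of SPNs as Samba would have registered them in AD. The host poem.u-strasbg.fr and the SPN list are hypothetical; the enctype check flags the "Bad encryption type" ordering problem from the log above.

```python
import re

# Constructed krb5.conf fragment modelled on the mapping quoted above (not the poster's file).
KRB5_CONF = """
[libdefaults]
 default_realm = DPTINFO.URS.LOCAL
 default_tgs_enctypes = des-cbc-crc rc4-hmac
[domain_realm]
 .u-strasbg.fr = DPTINFO.URS.LOCAL
 u-strasbg.fr = DPTINFO.URS.LOCAL
"""

# Constructed SPN list: what Samba registers (short form plus realm-derived long form).
REGISTERED = ["HOST/poem.dptinfo.urs.local@DPTINFO.URS.LOCAL",
              "HOST/poem@DPTINFO.URS.LOCAL", "CIFS/poem@DPTINFO.URS.LOCAL"]

def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value}} for simple 'key = value' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line and not line.endswith("{"):
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    return sections

def realm_for_host(fqdn, domain_realm, default_realm):
    """[domain_realm] lookup: exact host first, then the longest parent-domain suffix."""
    host = fqdn.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return default_realm

def client_spns(fqdn, conf):
    """Principals a client may request for the host: HOST/ and CIFS/, long and short form."""
    realm = realm_for_host(fqdn, conf.get("domain_realm", {}), conf["libdefaults"]["default_realm"])
    names = (fqdn, fqdn.split(".")[0])
    return {f"{svc}/{n}@{realm}" for svc in ("HOST", "CIFS") for n in names}

def missing_spns(fqdn, conf, registered):
    """Client-side principals with no matching AD SPN (compared case-insensitively)."""
    have = {s.upper() for s in registered}
    return sorted(s for s in client_spns(fqdn, conf) if s.upper() not in have)

def enctype_order_ok(conf):
    """AD uses rc4-hmac; if it is not first, every ticket is tried with the wrong type first."""
    first = conf["libdefaults"].get("default_tgs_enctypes", "").split()[:1]
    return first in (["rc4-hmac"], ["arcfour-hmac-md5"])
```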