Solved: [Samba] RedHat+Samba+Winbind to ADS

Anton Velo avelo at
Mon Feb 21 17:34:41 GMT 2005

On Friday 18 February 2005 23:28, Andrew Bartlett wrote:
AB> On Wed, 2005-02-16 at 10:09 -0500, Greg Folkert wrote:
AB> > On Wed, 2005-02-16 at 11:49 +0100, Antón wrote:
AB> > > Hi,
AB> > > 
AB> > > I 've a gateway and I want to use squid authenticated with Windows 2000
AB> > > Active Directory users.
AB> > > 
AB> > > I've a development platform with Debian/Sarge as gateway, and it works.
AB> > > (samba 3.0.10-1 and Kerberos 1.3.6-1)
AB> > > 
AB> > > On the other side the production platform uses RedHat Enterprise AS3,
AB> > > initially with Samba 3.0.6 and Kerberos 1.2.7-28. I was not able to use
AB> > > Active directory groups without get smb panic errors in winbindd, so I
AB> > > update to Samba 3.0.9-1.3E.2 and Kerberos 1.2.7-38 (last available
AB> > > updates).
AB> > 
AB> > You *ABSOLUTELY MUST USE* a version of MIT Kerberos5 v1.3.1 or newer.
AB> Yes and no.  My understanding is that the issues regarding MIT < 1.3.1
AB> have been again resolved, in the latest Samba (including what has been
AB> released for RHEL by RedHat).  Linking to another kerberos
AB> implementation is a real pain (you would need to statically link to even
AB> start).
AB> (Of course, life is much easier with krb5 1.3.1 or later, but I know
AB> what a pain it is for RHEL users)
AB> I think the issue here is that the machine must be rejoined to the
AB> domain, after the upgrade.
AB> Andrew Bartlett

Investigating more in deep in winbindd logs (d7777) I'noticed
that I was trying to do SMB signing:
|Got KRB5 session key of length 8
|SMB signing enabled!
|cli_simple_set_signing: user_session_key
· · ·
|get_sequence_for_reply: found seq = 1 mid = 2
|simple_packet_signature: sequence number 1
|client_check_incoming_message: BAD SIG: wanted SMB signature of
|srv_check_incoming_message: signing negotiated but not required and peer
|isn't sending correct signatures. Turning off.

I've tried with combinations of client signing=no, server signing=no and many, many others, with no luck.

Now I've set 
client use spnego = no

And all works :-)

last smb.conf is:

   workgroup = TEST
   netbios name = GATEWAY
   realm = TEST.COM
   security = ADS
   encrypt passwords = yes
   interfaces =
   password server = PDC, BDC
   winbind separator = /
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = true

   ######winbind nested groups = true

   time server = Yes

   client NTLMv2 auth = No
   client lanman auth = Yes
   client plaintext auth = Yes
   obey pam restrictions = Yes
   passdb backend = tdbsam, guest

   client use spnego = no

Some settings i'sure that are not needed, but I've set them,
because they was different with default values of my
nice working debian develop platform.

Strange is that spnego is true and works there .. ¿?

Thanks to all for your answers


More information about the samba mailing list