SV: [Samba] Getting ads_connect: Strong authentication required w
hendoing ne t ads join
jonas.back at ppm.nu
jonas.back at ppm.nu
Thu Feb 24 22:11:13 GMT 2005
Thanks for that interesting information. But how come it works in my lab
(where I'm running Fedora Core 3)? Could it be because I'm running a newer
version of LDAP? You think this will be fixed in future releases without the
need to put certificated on the DC?
Are there any detailinformation where to put the certificate on our DC:s?
Unfourtunately we're not running any CA in our Windows environment.
// Jonas
-----Ursprungligt meddelande-----
Från: Kaplan, Marc [mailto:marc_kaplan at adaptec.com]
Skickat: den 24 februari 2005 17:50
Till: jonas.back at ppm.nu; samba at samba.org
Ämne: RE: [Samba] Getting ads_connect: Strong authentication required
whendoing ne t ads join
Yes, this is in fact caused by LDAP server signing requirements set to
"Require Siging". I put a bug in previously here:
https://bugzilla.samba.org/show_bug.cgi?id=765
And Jeremy Naylor created a patch to add TLS support in libads. The TLS
method is potentially more secure, but it requires a certificate be
installed on the KDC.
You could try applying the patch and setting up the certificates to see if
it works for you. The patch is attached to the bugzilla bug.
-Marc
> -----Original Message-----
> From: samba-bounces+marc_kaplan=adaptec.com at lists.samba.org
[mailto:samba-
> bounces+marc_kaplan=adaptec.com at lists.samba.org] On Behalf Of
> jonas.back at ppm.nu
> Sent: Thursday, February 24, 2005 8:41 AM
> To: samba at samba.org
> Subject: [Samba] Getting ads_connect: Strong authentication required
> whendoing ne t ads join
>
> In my lab I successfully got everything working running our secured
Active
> Directory and Fedora Core 3. In our AD we have secured settings like
> refusing NTLMv2, require LDAP signing, SMB signing and more. In the
lab we
> have the following rpm's:
> krb5-workstation-1.3.4.7
> samba-3.0.8.0.pre1.3
> openldap-2.2.13-2
>
> But now we're implementing this in production and there we're running
Red
> Hat ES3 and have the following rpm's (newest so far):
> krb5-workstation-1.2.7-38
> samba-3.0.9-1.3E.2
> openldap-2.0.27-11
>
> Kinit and smbclient works fine but when I run net ads join it fails
with
> "ads_connect: Strong authentication required". I've read somewhere
that
> the
> security policy setting: "Domain Controller: LDAP server signing
> requirements" set to "Require signing" is the reason for this but our
> security team will not let me disable this setting. Is there any other
way
> to get around this?
>
> I've made sure all configuration files (krb5.conf, smb.conf and
ldap.conf)
> have the same options.
>
> Also found an earlier posts, but they don't really give me a solution:
>
http://lists.samba.org/archive/samba-technical/2003-October/032422.html
>
<http://lists.samba.org/archive/samba-technical/2003-October/032422.html
>
> and here http://lists.samba.org/archive/samba/2003-October/000806.html
> <http://lists.samba.org/archive/samba/2003-October/000806.html>
>
> [root at xtmplin1 /]# kinit domainuser
> Password for domainuser at PPM.NU:
> [root at xtmplin1 /]# klist
> Ticket cache: FILE:/tmp/krb5cc_0 <FILE:/tmp/krb5cc_0> Default
> principal: domainuser at PPM.NU
>
> Valid starting Expires Service principal
> 02/24/05 17:00:27 02/25/05 03:00:27 krbtgt/PPM.NU at PPM.NU
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root at xtmplin1 /]# net ads join "ServrarSamba" -U domainuser
> domainuser's password:
> [2005/02/24 17:00:45, 0] utils/net_ads.c:ads_startup(186)
> ads_connect: Strong authentication required
> [root at xtmplin1 /]#
>
>
>
> Here's the complete debug for net ads join:
>
> [root at xtmplin1 samba]# net ads join "ServrarSamba" -U domainuser -d 10
> [2005/02/24 16:15:22, 5] lib/debug.c:debug_dump_status(366)
> INFO: Current debug levels:
> all: True/10
> tdb: False/0
> printdrivers: False/0
> lanman: False/0
> smb: False/0
> rpc_parse: False/0
> rpc_srv: False/0
> rpc_cli: False/0
> passdb: False/0
> sam: False/0
> auth: False/0
> winbind: False/0
> vfs: False/0
> idmap: False/0
> quota: False/0
> acls: False/0
> [2005/02/24 16:15:22, 3] param/loadparm.c:lp_load(3911)
> lp_load: refreshing parameters
> [2005/02/24 16:15:22, 3] param/loadparm.c:init_globals(1312)
> Initialising global parameters
> [2005/02/24 16:15:22, 3] param/params.c:pm_process(566)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2005/02/24 16:15:22, 3] param/loadparm.c:do_section(3404)
> Processing section "[global]"
> doing parameter workgroup = EXAMPLE
> doing parameter realm = EXAMPLE.NU
> doing parameter use spnego = yes
> doing parameter client signing = yes
> doing parameter client use spnego = yes
> doing parameter server string = Samba Server
> doing parameter printcap name = /etc/printcap
> doing parameter load printers = yes
> doing parameter cups options = raw
> doing parameter log file = /var/log/samba/%m.log
> doing parameter max log size = 50
> doing parameter security = ads
> doing parameter encrypt passwords = yes
> doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192
> SO_SNDBUF=8192
> doing parameter dns proxy = no
> [2005/02/24 16:15:22, 4] param/loadparm.c:lp_load(3942)
> pm_process() returned Yes
> [2005/02/24 16:15:22, 7] param/loadparm.c:lp_servicenumber(4052)
> lp_servicenumber: couldn't find homes
> [2005/02/24 16:15:22, 10] param/loadparm.c:set_server_role(3851)
> set_server_role: role = ROLE_DOMAIN_MEMBER
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
> Attempting to register new charset UCS-2LE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
> Registered charset UCS-2LE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
> Attempting to register new charset UTF-16LE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
> Registered charset UTF-16LE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
> Attempting to register new charset UCS-2BE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
> Registered charset UCS-2BE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
> Attempting to register new charset UTF-16BE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
> Registered charset UTF-16BE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
> Attempting to register new charset UTF8
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
> Registered charset UTF8
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
> Attempting to register new charset UTF-8
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
> Registered charset UTF-8
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
> Attempting to register new charset ASCII
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
> Registered charset ASCII
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
> Attempting to register new charset 646
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
> Registered charset 646
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
> Attempting to register new charset ISO-8859-1
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
> Registered charset ISO-8859-1
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
> Attempting to register new charset UCS2-HEX
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
> Registered charset UCS2-HEX
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
> Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/util.c:init_names(278)
> Netbios name list:-
> my_netbios_names[0]="XTMPLIN1"
> [2005/02/24 16:15:22, 2] lib/interface.c:add_interface(79)
> added interface ip=192.168.25.231 bcast=192.168.25.255
> nmask=255.255.255.0 domainuser's password:
> [2005/02/24 16:15:35, 6] libads/ldap.c:ads_find_dc(176)
> ads_find_dc: looking for realm 'EXAMPLE.NU'
> [2005/02/24 16:15:35, 8] libsmb/namequery.c:get_sorted_dc_list(1433)
> get_sorted_dc_list: attempting lookup using [ads]
> [2005/02/24 16:15:35, 10]
libsmb/namequery.c:internal_resolve_name(1028)
> internal_resolve_name: looking up EXAMPLE.NU#1c
> [2005/02/24 16:15:35, 5] lib/gencache.c:gencache_init(59)
> Opening cache file at /var/cache/samba/gencache.tdb
> [2005/02/24 16:15:35, 10] lib/gencache.c:gencache_get(263)
> Returning valid cache entry: key = NBT/EXAMPLE.NU#1C, value =
> 192.168.40.100:389,192.168.129.100:389,192.168.115.100:389, timeout =
Thu
> Feb 24 16:16:40 2005
>
> [2005/02/24 16:15:35, 5] libsmb/namecache.c:namecache_fetch(201)
> name EXAMPLE.NU#1C found.
> [2005/02/24 16:15:35, 8] libsmb/namequery.c:get_dc_list(1316)
> Adding 3 DC's from auto lookup
> [2005/02/24 16:15:35, 10]
libsmb/namequery.c:remove_duplicate_addrs2(320)
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> [2005/02/24 16:15:35, 4] libsmb/namequery.c:get_dc_list(1406)
> get_dc_list: returning 3 ip addresses in an unordered list
> [2005/02/24 16:15:35, 4] libsmb/namequery.c:get_dc_list(1407)
> get_dc_list: 192.168.40.100:389 192.168.129.100:389
192.168.115.100:389
> [2005/02/24 16:15:35, 5] libads/ldap.c:ads_try_connect(85)
> ads_try_connect: trying ldap server '192.168.40.100' port 389
> [2005/02/24 16:15:35, 3] libads/ldap.c:ads_connect(247)
> Connected to LDAP server 192.168.40.100
> [2005/02/24 16:15:35, 3] libads/ldap.c:ads_server_info(2432)
> got ldap server name server1 at EXAMPLE.NU, using bind path:
> dc=EXAMPLE,dc=NU
> [2005/02/24 16:15:35, 4] libads/ldap.c:ads_server_info(2438)
> time offset is 0 seconds
> [2005/02/24 16:15:35, 4] libads/sasl.c:ads_sasl_bind(447)
> Found SASL mechanism GSS-SPNEGO
> [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
> ads_sasl_spnego_bind: got server principal name =server1$@EXAMPLE.NU
> [2005/02/24 16:15:35, 3] libsmb/clikrb5.c:ads_krb5_mk_req(382)
> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found)
> [2005/02/24 16:15:36, 3]
libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
> Ticket in ccache[MEMORY:net_ads] expiration Fri, 25 Feb 2005
02:15:35
> GMT
> [2005/02/24 16:15:36, 10] libsmb/clikrb5.c:ads_krb5_mk_req(409)
> ads_krb5_mk_req: Ticket (server1$@EXAMPLE.NU) in ccache
(MEMORY:net_ads)
> is valid until: (Fri, 25 Feb 2005 02:15:35 GMT - 1109294135)
> [2005/02/24 16:15:36, 10]
libsmb/clikrb5.c:get_krb5_smb_session_key(510)
> Got KRB5 session key of length 16
> [2005/02/24 16:15:36, 0] utils/net_ads.c:ads_startup(186)
> ads_connect: Strong authentication required
> [2005/02/24 16:15:36, 2] utils/net.c:main(859)
> return code = -1
> [root at xtmplin1 samba]#
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
More information about the samba
mailing list