[Samba] Kerberos pre-authentication failure with samba 3.0.22
Holger Richter
holger.richter at klst.com
Wed May 3 14:21:34 GMT 2006
Hello,
I have a problem with the kerberos pre-authentication of samba against
a W2k Active Directory. It seems to work, but in the Windows event log
I can see many pre-authentication errors (error 0x19) of the samba
server. The server itself is a member of the Windows domain.
This is a part of smb.conf
[global]
unix charset = ISO-8859-1
display charset = ISO-8859-1
workgroup = WKG
realm = WKG.COM
server string = SRV8XXX
security = ADS
auth methods = winbind
client schannel = Yes
server schannel = Yes
password server = *
...
and krb5.conf:
[libdefaults]
renew_lifetime = 1w
ticket_lifetime = 1560
default_tgs_enctypes = arcfour-hmac-md5
default_tkt_enctypes = arcfour-hmac-md5
permitted_enctypes = arcfour-hmac-md5
kdc_req_checksum_type = -138
ap_req_checksum_type = -138
safe_checksum_type = -138
dns_lookup_kdc = true
dns_lookup_realm = true
kdc_timesync = true
proxiable = false
forwardable = true
[logging]
default = FILE:/var/log/kdc.log
[login]
krb4_get_tickets = false
krb4_convert = false
Kerberos gets the information about realm and kdc server from DNS. If
I define realm and kdc server directly in krb5.conf I get the same
error. How can I tell MIT Kerberos to send the correct
pre-authentication?
Holger
More information about the samba
mailing list