[Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2 [SOLVED]

Bober, Mark mark at seas.wustl.edu
Tue Oct 13 15:49:24 MDT 2009


Well, playing around with the SPNs didn't quite work out, but, compiling Kerberos 1.7 and recompiling Samba 3.4.2 against that *did* work. I'll do some further testing and then update the rest of my machines with the same build, so we can go fully 2008 on the AD side.

Thank you very much for the hint!

For the record, the Kerberos I was on was CentOS 5.3's default 1.6.1-31.el5_3.3 RPM.

Mark


-----Original Message-----
From: ravi channavajhala [mailto:ravi.channavajhala at dciera.com] 
Sent: Tuesday, October 13, 2009 2:44 PM
To: Bober, Mark; samba at lists.samba.org
Subject: RE: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2


To my understanding, Windows treats principal names as case insensitive.
Kerberos treats them as case sensitive.  MIT Kerberos version 1.7 is
supposed to have fixed this.

The way to get around this is to add uppercase SPN names into the Kerberos
keytab.

Regards,
/rkc
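A quick diagnostic for the situation this reply describes, written as an added example (not code from the thread or from Samba): it parses constructed `klist -k` and `setspn -L` output and flags AD SPNs that match a keytab entry only when case is ignored, which is exactly the `HOST/...` vs `host/...` mismatch seen earlier in the thread. Both sample outputs and the file path are constructed, not taken from the original poster's systems.

```python
import re

# Constructed sample of `klist -k` output on the Samba member server.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/hostname.domain.wustl.edu@DOMAIN.WUSTL.EDU
   3 host/hostname@DOMAIN.WUSTL.EDU
   3 HOSTNAME$@DOMAIN.WUSTL.EDU
"""

# Constructed sample of `setspn -L HOSTNAME` output from the AD side.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=HOSTNAME,CN=Computers,DC=domain,DC=wustl,DC=edu:
        HOST/hostname.domain.wustl.edu
        HOST/HOSTNAME
"""


def parse_keytab(text):
    """Return the set of principals (realm stripped) listed by klist -k."""
    principals = set()
    for line in text.splitlines():
        # Entry lines look like: "   3 host/name@REALM"
        m = re.match(r"\s*\d+\s+(\S+)@\S+$", line)
        if m:
            principals.add(m.group(1))
    return principals


def parse_spns(text):
    """Return the set of SPNs listed by setspn -L (the indented lines)."""
    return {line.strip() for line in text.splitlines() if line.startswith((" ", "\t"))}


def compare(spns, keytab):
    """Classify each AD SPN against the keytab: 'exact', 'case-only:<entry>', or 'missing'."""
    by_lower = {p.lower(): p for p in keytab}
    result = {}
    for spn in spns:
        if spn in keytab:
            result[spn] = "exact"
        elif spn.lower() in by_lower:
            # Same name, different case: the mismatch the thread is chasing.
            result[spn] = "case-only:" + by_lower[spn.lower()]
        else:
            result[spn] = "missing"
    return result


if __name__ == "__main__":
    report = compare(parse_spns(SETSPN_OUTPUT), parse_keytab(KLIST_OUTPUT))
    for spn, status in sorted(report.items()):
        print(f"{spn:40} {status}")
```

Run it against real output from both sides to see which SPNs have no exact-case keytab entry before deciding whether adding uppercase entries or upgrading Kerberos is the right fix.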

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Bober, Mark
Sent: Wednesday, October 14, 2009 12:17 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

DNS, /etc/hosts, all that is correct, on the Samba box, the client, and the
2008 AD server.

It still works perfectly if you use \\128.252.x.x in the URI instead of the
name.

What is the functional difference between accessing a URI via IP rather than
the hostname or FQDN?

Mark


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Dirk Jakobsmeier
Sent: Tuesday, October 13, 2009 12:04 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

Hello Mark,

On Monday 12 October 2009 16:56:35, Bober, Mark wrote:
> Here's some things from log level 99:
> 
> [2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
>   name_to_fqdn: lookup for HOSTNAME -> hostname.domain.wustl.edu.
> [2009/10/12 09:43:53, 10]
> libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
>   ads_keytab_verify_ticket:
> krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl.edu at D
> OMAIN.WUSTL.EDU) failed: Wrong principal in request
>  [2009/10/12 09:43:53, 10]
> libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
>   ads_keytab_verify_ticket:
> krb5_rd_req_return_keyblock_from_keytab(host/hostname at DOMAIN.WUSTL.EDU)
> failed: Wrong principal in request
>  [2009/10/12 09:43:53,  3]
> libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
>   ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab
> principals
> [2009/10/12 09:43:53,  3]
> libads/kerberos_verify.c:567(ads_verify_ticket)
>   ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in
> request)
> [2009/10/12 09:43:53, 10]
> libads/kerberos_verify.c:576(ads_verify_ticket)
>   ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE

I've found several pieces of information about "wrong principal in request" errors
pointing to a name resolution problem. Can you check DNS, /etc/hosts ...?

> 
> I cut some of that out - it tried each name 6 times, hence the 12?
> Looking at the system keytab, and the computer account in AD, everything
> seems to match. FWIW, if I leave the domain and come back specifying the
> remaining 2003 server as the password server, this all looks the same
> and seems to work....
> 
> How much does capitalization matter? ADSIEDIT shows the
> ServicePrincipalNames as
> 
> HOST/hostname.domain.wustl.edu
> HOST/HOSTNAME
> 
> Where the keytab is:
> 
> host/hostname.domain.wustl.edu
> host/hostname
> 
> 
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Dirk Jakobsmeier
> Sent: Thursday, October 08, 2009 10:57 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
> 
> Hello Mark,
> 
> On Thursday 08 October 2009 16:03:13, Bober, Mark wrote:
> > Hello! I'm having an odd issue between Samba and Win2k8R2. We updated
> > one of our domain controllers to 2k8R2, and as such are working in a
> > 2003-level AD environment. If I force the 'password server' to the
> > 2003 DC, then everything works fine, only working against the 2008 box has
> > issues.
> 
> we have several issues here depending on one of our servers (2008). E.g.
> domain names (username at domainname) have to be written in capital letters
> when connecting to shares...
> 
> > \\128.252.123.123\sharename
> >
> > And it works as expected - my clients are in the same domain, no
> > password is asked for, etc.
> >
> > Using any form of the hostname in the URI, either \\hostname\sharename
> > or \\hostname.domain.name\sharename in the URI will continually
> > prompt for a password.  Using 'smbclient' with the names in the URI on
> > the Samba box itself works fine.
> >
> >
> > log level = 1
> 
> did you try to set this to a higher level (and restart samba)? I always
> use 99 so I get large logfiles with nearly all the information I need. The
> client log (log.clienthostname or log.clientip) could be interesting.
> 

-- 

Kind regards

Dirk Jakobsmeier / System Administration
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba