[Samba] kerberos @ samba4 DC

Jason Gerfen u0368839 at umail.utah.edu
Wed Dec 1 07:42:05 MST 2010


You really should be replying to the list as well as I may not have the 
answer but others monitoring the list might.

The smb.conf would be beneficial for review. Here is a copy of mine...

Of course it is sanitized, so modifications would need to be made. Also, 
because you are using a version of NT upgraded to Win2k, you may need to 
scour the logs to see what is taking place when you authenticate. Those 
errors may aid further.

[global]
         workgroup = DOMAIN
         realm = DOMAIN.COM
         server string = server.domain.com
         netbios name = server

         password server = *
         encrypt passwords = true
         security = ads

         lanman auth = no
         ntlm auth = no

         os level = 20

         allow trusted domains = yes
         auth methods = winbind

         interfaces = eth0, lo
         bind interfaces only = yes
         socket options = TCP_NODELAY

         hosts allow = xxx.xxx.xxx.xxx/24
         hosts deny = 0.0.0.0/0

         log level = 40
         log file = /var/log/samba/log.%m
         max log size = 50

         client signing = yes
         client schannel = no
         client use spnego = yes
         client lanman auth = no
         client NTLMv2 auth = yes
         client plaintext auth = no

         preferred master = no
         local master = no
         domain master = no
         wins proxy = no
         dns proxy = No

         obey pam restrictions = yes

         template shell = /bin/bash
         nt acl support = yes
         inherit permissions = yes
         create mask = 0022
         template homedir = /home/Authenticated Users/%U

         winbind uid = 1000-2000000
         winbind gid = 500-2000000
         winbind separator = +
         winbind enum users = yes
         winbind enum groups = yes
         winbind nested groups = yes
         winbind use default domain = yes
         winbind offline logon = true
         winbind nss info = rfc2307

         idmap uid = 1000-2000000
         idmap gid = 500-2000000
         idmap domains = DOMAIN
         idmap config DOMAIN:backend = ad
         idmap config DOMAIN:default = yes
         idmap config DOMAIN:schema_mode = rfc2307
         idmap config DOMAIN:range = 1000 - 300000000



On 12/01/10 07:27, Rafa Toucedo wrote:
> Finally I send the contents of my krb5.conf
>
>
> thank you for your time, I remain at your disposal!
>
>
> Rafael Toucedo
> gtalk: rtoucedo at gmail.com <mailto:rtoucedo at gmail.com>
>
> 2010/12/1 Rafa Toucedo <debian.vigo at gmail.com 
> <mailto:debian.vigo at gmail.com>>
>
>     Hi, I'm using the latest alpha version of Samba (updated
>     yesterday) and I want to replace a server with Windows 2000 (AD).
>     The problem is that the server comes from an NT4 migration and was
>     "tricked" into continuing with a realm without an extension
>     ((dominio.extension) = (domain)), which is why I have to launch
>     samba-tool with a "." after the realm to avoid it being
>     interpreted as dominio.extensión.
>
>     It runs all on a SuSE SLES 11 (64 bits).
>
>     Regards, and thank you very much
>
>     PS: I attached the full log.
>
>     I sent the earlier email "incomplete" because I did it from the
>     phone and sometimes my finger slips ...
>
>
>     Thank you!
>
>
>     2010/12/1 Rafa Toucedo <debian.vigo at gmail.com
>     <mailto:debian.vigo at gmail.com>>
>
>
>         Thanks for your answer, but that is what I did: I followed the
>         Samba 4 "wiki" manual, did the kinit, entered my password,
>         etc. etc. Then I go over to the "dark side" (the Windows
>         2000), the user type, etc ...
>
>         I understand that the problem is the encryption type defined
>         in krb5.conf
>
>
>
>                 default_tkt_enctypes = arcfour-hmac-md5
>                 default_tgs_enctypes = arcfour-hmac-md5
>                 permitted_enctypes = arcfour-hmac-md5
>
>
>
>         2010/12/1 Jason Gerfen <jason.gerfen at utah.edu
>         <mailto:jason.gerfen at utah.edu>>
>
>             You need to first obtain a valid TGT. Use kinit prior to
>             running net ads join
>
>             Jason Gerfen
>             Jason.Gerfen at gmail.com <mailto:Jason.Gerfen at gmail.com>
>             http://phpDHCPAdmin.sourceforge.net
>             http://www.github.com/jas-
>
>             On Dec 1, 2010, at 4:23 AM, "Rafa Toucedo"
>             <debian.vigo at gmail.com <mailto:debian.vigo at gmail.com>> wrote:
>
>             > Hello, when I try to make my SAMBA4 a DC from a domain
>             > controller in Windows 2000
>             >
>             > /usr/local/samba # bin/samba-tool join (WINDOWS 2000 DOMAIN). DC
>             > -U(USER)@(WINDOWS 2000 DOMAIN)%(PASSWORD) --realm=(WINDOWS 2000 DOMAIN). -d5
>             >
>             > it throws the following error:
>             >
>             > Failed to get CCACHE for GSSAPI client: KDC has no support for encryption type
>             > Aquiring initiator credentials failed: kinit for ADMCONST at DOMD4086 failed
>             > (KDC has no support for encryption type: KDC has no support for encryption type)
>             > Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_UNSUCCESSFUL
>             >
>             >
>             > My krb5.conf is as follows:
>             >
>             > [libdefaults]
>             >        default_realm = (WINDOWS 2000 DOMAIN)
>             >        dns_lookup_realm = true
>             >        dns_lookup_kdc = true
>             >        clockskew = 300
>             >        default_keytab_name  = FILE:/home/pilote/rafa.keytab
>             >        default_tkt_enctypes = des-cbc-crc
>             >        default_tgs_enctypes = des-cbc-crc
>             >
>             > [realms]
>             > (WINDOWS 2000 DOMAIN) = {
>             >        kdc = (HOSTNAME).(WINDOWS 2000 DOMAIN):88
>             > }
>             >
>             > [logging]
>             >        kdc = FILE:/var/log/krb5/krb5kdc.log
>             >        admin_server = FILE:/var/log/krb5/kadmind.log
>             >        default = SYSLOG:NOTICE:DAEMON
>             >
>             > [appdefaults]
>             > pam = {
>             >        debug = false
>             >        ticket_lifetime = 1d
>             >        renew_lifetime = 1d
>             >        forwardable = true
>             >        krb4_convert = false
>             >        proxiable = false
>             >        minimum_uid = 1
>             >        external = sshd
>             >        use_shmem = sshd
>             > }
>             >
>             >
>             > I'm desperate!
>             > --
>             > Before printing this e-mail, think about whether it is necessary.
>             > The environment is everyone's concern.
>             > Think twice before printing this e-mail. Environmental
>             > protection is in our hands.
>
>
>
>


-- 
Jas
http://www.github.com/jas-
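An added example for the krb5.conf enctype discussion in this thread (my own code, not from Samba, MIT Kerberos, or anyone on the list): a small Python checker that parses a krb5.conf, flags an enctype option whose name is misspelled (krb5 libraries ignore unknown keys rather than rejecting them), flags single-DES enctypes, and reports when none of the requested enctypes is in a given KDC-supported set. The functions, the SAMPLE_KRB5_CONF text and the WINDOWS2000_KDC_ENCTYPES set are all mine: the sample is constructed to resemble the settings quoted above, and the Windows 2000 KDC set (DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC) is an assumption about what that KDC generation offered, not something the thread states.

```python
"""Sanity-check the enctype settings in a krb5.conf [libdefaults] section.

Added example for this thread; not code from Samba or MIT Kerberos.
Three things it catches, each of which can end in "KDC has no support
for encryption type" or in a setting that quietly does nothing:
  * an enctype option whose name is misspelled (krb5 ignores unknown keys),
  * single-DES enctypes, which are weak and which a KDC may refuse to serve,
  * a requested enctype list that shares nothing with what the KDC offers.
"""
import difflib
import re

# The option names krb5.conf actually recognises for enctype selection.
ENCTYPE_OPTIONS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Single-DES enctypes, deprecated by RFC 6649.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}

# MIT krb5 spellings that name the same RC4 enctype.
ALIASES = {"arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac", "rc4-hmac-md5": "rc4-hmac"}

# ASSUMPTION: the enctypes a Windows 2000 KDC offers (no AES on that
# generation). Replace with the set your own KDC advertises.
WINDOWS2000_KDC_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}

# Constructed sample modelled on the settings quoted in the thread:
# DES-only ticket enctypes plus a misspelled option name.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
        permited_enctypes = arcfour-hmac-md5

[realms]
EXAMPLE.COM = {
        kdc = dc1.example.com:88
}
"""


def canonical(enctype):
    """Map alias spellings onto one canonical, lower-case enctype name."""
    name = enctype.lower()
    return ALIASES.get(name, name)


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the top-level keys of each section.

    Keys inside '{ ... }' sub-blocks (per-realm or per-application settings)
    are skipped; '#' and ';' comments are stripped."""
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header and depth == 0:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if current is None or depth != 0 or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def check_enctypes(conf, kdc_enctypes):
    """Return a list of findings about the [libdefaults] enctype settings."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    # Misspelled option names: krb5 silently ignores them.
    for key in libdefaults:
        if key.endswith("enctypes") and key not in ENCTYPE_OPTIONS:
            close = difflib.get_close_matches(key, ENCTYPE_OPTIONS, n=1)
            hint = f" (did you mean {close[0]}?)" if close else ""
            findings.append(f"unknown option '{key}' is silently ignored{hint}")
    kdc = {canonical(e) for e in kdc_enctypes}
    for key in ENCTYPE_OPTIONS:
        if key not in libdefaults:
            continue
        requested = [canonical(e) for e in libdefaults[key].replace(",", " ").split()]
        weak = [e for e in requested if e in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} requests weak single-DES enctype(s): {' '.join(weak)}")
        if not set(requested) & kdc:
            findings.append(f"{key} = {' '.join(requested)} shares no enctype with the "
                            f"KDC set ({', '.join(sorted(kdc))})")
    return findings


def audit(text, kdc_enctypes=WINDOWS2000_KDC_ENCTYPES):
    """Parse a krb5.conf and return its enctype findings."""
    return check_enctypes(parse_krb5_conf(text), kdc_enctypes)


if __name__ == "__main__":
    for finding in audit(SAMPLE_KRB5_CONF):
        print(finding)
```

Run it against the sample and it reports the ignored `permited_enctypes` line and the two DES-only settings; pass the text of a real krb5.conf and the enctype set your KDC actually supports to `audit()` to check a live client. The aliases table matters because `arcfour-hmac-md5`, `arcfour-hmac` and `rc4-hmac` are the same enctype to MIT krb5, so a naive string comparison against the KDC set would raise a false alarm.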


