[Samba] Custom SAMBA4/OpenChange ZEG appliance

John Russell jb.fresh at gmail.com
Sat Sep 15 09:02:15 MDT 2012


Ran wireshark on the XP client while joining the domain and saw SAM LOGON
request from client and SAM Active Directory Response - user unknown.

I noticed on the request and the response packets the user name field in
the packet is blank (yes, I am typing the user name and password into the
prompt from the XP machine!).

Any ideas on what causes this? I disabled the windows firewall on the XP
machine as well just to eliminate that as a possibility. On this post (
http://lists.samba.org/archive/samba-technical/2011-February/076323.html)
they have a similar problem but they appear to have already successfully
joined the domain.

On Sat, Sep 15, 2012 at 1:06 AM, John Russell <jb.fresh at gmail.com> wrote:

> Was able to fix one problem with kinit not working. Added the following
> lines to /etc/krb5.conf:
> [realms]
>         EXAMPLE.COM = {
>                 kdc = sogo
>                 admin_server = sogo
>                 default_domain = EXAMPLE.COM
>         }
>
> [domain_realm]
>         .example.com = EXAMPLE.COM
>         example.com = EXAMPLE.COM
> This gave me the following output when running kinit sogo at EXAMPLE.COM
> Kerberos: AS-REQ sogo at EXAMPLE.COM from ipv4:172.16.1.20:59784 for krbtgt/
> EXAMPLE.COM at EXAMPLE.COM
> Kerberos: Client sent patypes: REQ-ENC-PA-REP
> Kerberos: Looking for PK-INIT(ietf) pa-data -- sogo at EXAMPLE.COM
> Kerberos: Looking for PK-INIT(win2k) pa-data -- sogo at EXAMPLE.COM
> Kerberos: Looking for ENC-TS pa-data -- sogo at EXAMPLE.COM
> Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> Kerberos: AS-REQ sogo at EXAMPLE.COM from ipv4:172.16.1.20:50248 for krbtgt/
> EXAMPLE.COM at EXAMPLE.COM
> Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
> Kerberos: Looking for PK-INIT(ietf) pa-data -- sogo at EXAMPLE.COM
> Kerberos: Looking for PK-INIT(win2k) pa-data -- sogo at EXAMPLE.COM
> Kerberos: Looking for ENC-TS pa-data -- sogo at EXAMPLE.COM
> Kerberos: ENC-TS Pre-authentication succeeded -- sogo at EXAMPLE.COM using
> arcfour-hmac-md5
> Kerberos: ENC-TS pre-authentication succeeded -- sogo at EXAMPLE.COM
> Kerberos: AS-REQ authtime: 2012-09-15T01:02:47 starttime: unset endtime:
> 2012-09-15T11:02:47 renew till: 2012-09-16T01:02:43
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
> arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: renewable-ok
>
> samba_dnsupdate still fails as mentioned before and I still can not join
> an XP client to the domain.
>
>
>
> On Fri, Sep 14, 2012 at 3:54 PM, John Russell <jb.fresh at gmail.com> wrote:
>
>> Changing direction yet again. I decided do some testing with the latest *SOGo
>> ZEG v2.0.0 rc5 appliance.*
>>
>> Since this is supposed to be a turnkey package with SAMBA4, OpenChange
>> and SOGo all somewhat working together I figured i'd give it a shot.
>>
>> Started up the appliance and try to join an XP client to the "EXAMPLE"
>> domain... FAILED: The error was: "DNS name does not exist." (error code
>> 0x0000232B RCODE_NAME_ERROR)
>> Try to join an XP client to the "OPENCHANGE" domain... FAILED: The error
>> was: "Network path was not found". The DNS lookup partially worked but
>> tail /var/log/samba/log.samba showed:
>> RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC
>> for requested realm)
>> Basically samba_dnsupdate fails with the following output.
>> Traceback (most recent call last):
>>   File "/usr/sbin/samba_dnsupdate", line 485, in <module>
>>     get_credentials(lp)
>>   File "/usr/sbin/samba_dnsupdate", line 120, in get_credentials
>>     creds.get_named_ccache(lp, ccachename)
>> RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC
>> for requested realm)
>>
>> This is the same problem found here
>> http://thread.gmane.org/gmane.comp.groupware.sogo.user/11358
>>
>> At this point I know I have a KRB/KDC related issue and possibly DNS is
>> not running properly. kinit isn't installed and Bind9 isn't configured
>> with '--with-dlopen=yes'.
>> Here is the output of
>> /usr/sbin/named -V:
>> BIND 9.8.1-P1 built with '--prefix=/usr' '--mandir=/usr/share/man'
>> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var'
>> '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared'
>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>> '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6'
>> 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>> 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro'
>> 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
>> using OpenSSL version: OpenSSL 1.0.1 14 Mar 2012
>> using libxml2 version: 2.7.8
>>
>> From here:
>> I installed krb5-user dpkg-dev libkrb5-dev libssl-dev libgeoip-dev
>> Recompiled bind9 with the '--with-dlopen=yes' option
>> Re-provisioned samba4 with domain EXAMPLE and realm EXAMPLE.COM
>> Added tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; to
>> /etc/bind/named.conf.options
>> Copied /var/lib/samba/private/krb5.conf to /etc/krb5.conf
>> Modified /etc/hosts so that "sogo.example.com        sogo" uses
>> interface IP instead of loopback.
>> Restarted bind and samba
>>
>> And still get the same error. Any ideas? Just trying to add a windows
>> client to the domain at this point. Thanks
>>
>>
>>
>> On Tue, Apr 17, 2012 at 1:20 PM, John Russell <jb.fresh at gmail.com> wrote:
>>
>>> Question following HowTo build your own OpenChange/SOGo appliance:
>>> I have been building my own SAMBA4/OpenChange appliance *MOSTLY* following the instructions at
>>> http://tracker.openchange.org/projects/openchange/wiki/HowTo_build_your_own_OpenChangeSOGo_appliance
>>> .
>>>
>>> I am using Ubuntu-Server 12.04 LTS (Precise Pangolin)
>>> precise-server-amd64.iso
>>> OpenChange from svn co -r 3923
>>> https://svn.openchange.org/openchange/branches/sogo
>>> SAMBA4 - Samba-4.0.0Alpha18
>>>
>>> At the step titled "Configure DNS service"
>>> # cd /etc/bind
>>> # mkdir samba
>>> # cp /usr/local/samba/private/named.* samba/
>>> # cp -rfi /usr/local/samba/private/dns samba/
>>>
>>> my named.* files are actually in "/usr/local/samba/share/setup/" (no big
>>> deal)
>>> logically I would assume my dns files would be in
>>> "/usr/local/samba/share/setup/dns" but no cookie :(
>>>
>>> Find reveals:
>>> find / -name "dns"
>>> /openchange/sogo/samba4/lib/dnspython/dns
>>> /openchange/sogo/samba4/libcli/dns
>>> /openchange/sogo/samba4/bin/default/libcli/dns
>>> /openchange/sogo/samba4/bin/default/source4/dsdb/dns
>>> /openchange/sogo/samba4/source4/selftest/provisions/alpha13/private/dns
>>> /openchange/sogo/samba4/source4/dsdb/dns
>>> /usr/share/pyshared/dns
>>> /usr/lib/python2.7/dist-packages/dns
>>> /usr/src/linux-headers-3.2.0-23-generic/include/config/ceph/lib/use/dns
>>> /usr/src/linux-headers-3.2.0-23-generic/include/config/dns
>>>
>>> Does anyone know the correct dns file or directory to copy to the bind
>>> directory?
>>>
>>> Thanks
>>>
>>
>>
>>
>>
>
>
>
>



-- 
"It's better to be boldly decisive and risk being wrong than to agonize at
length and be right too late."
Marilyn Moats Kennedy
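The kinit output quoted in the thread is Samba's Heimdal-style KDC log, and it shows something worth a second look: the client advertised aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, yet pre-authentication and the issued ticket both used arcfour-hmac-md5. The parser below is an added example (not part of Samba, SOGo or the original mail): it turns such log lines into AS-REQ events and flags requests where the KDC fell back to RC4 or DES although AES was offered, which usually means the account's stored keys lack AES types. The sample log is constructed after the quoted one, with the archive's " at " restored to "@" and the mail-wrapped lines rejoined.

```python
"""Summarise Heimdal/Samba KDC log lines into AS-REQ events and audit the
negotiated enctypes.  Hypothetical helper written for this thread; the
regexes follow the log format quoted in the mail, not a documented API."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the kinit output quoted above.
SAMPLE_LOG = """\
Kerberos: AS-REQ sogo@EXAMPLE.COM from ipv4:172.16.1.20:59784 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Kerberos: Client sent patypes: REQ-ENC-PA-REP
Kerberos: Looking for PK-INIT(ietf) pa-data -- sogo@EXAMPLE.COM
Kerberos: Looking for PK-INIT(win2k) pa-data -- sogo@EXAMPLE.COM
Kerberos: Looking for ENC-TS pa-data -- sogo@EXAMPLE.COM
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Kerberos: AS-REQ sogo@EXAMPLE.COM from ipv4:172.16.1.20:50248 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Kerberos: Looking for PK-INIT(ietf) pa-data -- sogo@EXAMPLE.COM
Kerberos: Looking for PK-INIT(win2k) pa-data -- sogo@EXAMPLE.COM
Kerberos: Looking for ENC-TS pa-data -- sogo@EXAMPLE.COM
Kerberos: ENC-TS Pre-authentication succeeded -- sogo@EXAMPLE.COM using arcfour-hmac-md5
Kerberos: ENC-TS pre-authentication succeeded -- sogo@EXAMPLE.COM
Kerberos: AS-REQ authtime: 2012-09-15T01:02:47 starttime: unset endtime: 2012-09-15T11:02:47 renew till: 2012-09-16T01:02:43
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
"""

# RC4 and the DES family are deprecated for Kerberos (RFC 6649, RFC 8429).
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"}

RE_ASREQ = re.compile(r"^Kerberos: AS-REQ (\S+) from (\S+) for (\S+)$")
RE_PATYPES = re.compile(r"^Kerberos: Client sent patypes: (.*)$")
# Heimdal logs the success twice, once with "using <enctype>" and once without.
RE_PREAUTH = re.compile(
    r"^Kerberos: ENC-TS pre-authentication succeeded -- (\S+)(?: using (\S+))?$",
    re.IGNORECASE)
RE_ENCTYPES = re.compile(r"^Kerberos: Client supported enctypes: (.*), using (\S+)$")
RE_LIFETIME = re.compile(
    r"^Kerberos: AS-REQ authtime: (\S+) starttime: (\S+) endtime: (\S+) renew till: (\S+)$")


@dataclass
class AsReq:
    client: str                 # requesting principal
    source: str                 # "ipv4:addr:port" as logged
    service: str                # requested service principal (krbtgt/REALM@REALM)
    patypes: List[str] = field(default_factory=list)
    preauth_ok: bool = False
    preauth_enctype: Optional[str] = None
    offered: List[str] = field(default_factory=list)
    used: Optional[str] = None  # the "x/y" enctype pair the KDC logged
    endtime: Optional[str] = None


def parse_kdc_log(text: str) -> List[AsReq]:
    """Group consecutive log lines under the AS-REQ header that opened them."""
    events: List[AsReq] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_ASREQ.match(line)
        if m:
            events.append(AsReq(*m.groups()))
            continue
        if not events:
            continue  # lines before the first header cannot be attributed
        cur = events[-1]
        m = RE_PATYPES.match(line)
        if m:
            cur.patypes = [p.strip() for p in m.group(1).split(",")]
            continue
        m = RE_PREAUTH.match(line)
        if m:
            cur.preauth_ok = True
            if m.group(2):
                cur.preauth_enctype = m.group(2)
            continue
        m = RE_ENCTYPES.match(line)
        if m:
            cur.offered = [e.strip() for e in m.group(1).split(",")]
            cur.used = m.group(2)
            continue
        m = RE_LIFETIME.match(line)
        if m:
            cur.endtime = m.group(3)
    return events


def audit(events: List[AsReq]) -> List[str]:
    """Report weak enctype negotiation on requests that actually issued a ticket."""
    findings: List[str] = []
    for ev in events:
        if not ev.preauth_ok:
            # First round trip: the KDC only answers "Need to use PA-ENC-TIMESTAMP";
            # nothing has been negotiated yet, so there is nothing to judge.
            continue
        used = set(ev.used.split("/")) if ev.used else set()
        if ev.preauth_enctype:
            used.add(ev.preauth_enctype)
        weak = sorted(used & WEAK_ENCTYPES)
        aes = [e for e in ev.offered if e.startswith("aes")]
        if weak and aes:
            findings.append(
                f"{ev.client} from {ev.source}: client offered {', '.join(aes)} but the "
                f"KDC used {', '.join(weak)}; the account probably has no AES keys stored")
        elif weak:
            findings.append(f"{ev.client} from {ev.source}: only weak enctypes in play ({', '.join(weak)})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_kdc_log(SAMPLE_LOG)):
        print(finding)
```

Run against a real `log.samba` (after unwrapping any mail-wrapped lines) it gives one line per ticket issued with a deprecated enctype, which is the quickest way to see whether RC4 is merely offered for compatibility or is actually what the domain runs on.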

