[Samba] Problem to access from Win to Win after classicupdate to Samba DC 4.10.7

Rowland penny rpenny at samba.org
Mon Sep 2 10:24:31 UTC 2019


On 02/09/2019 11:04, Dario Lesca via samba wrote:
> On Mon, 02/09/2019 at 08.26 +0100, Rowland penny via samba wrote:
> Is it possible to cure it in some way?
>
>>> [2] ----[smb.conf]
>>>
>> Please do not post the output of 'testparm'
> [root@s-addc samba]# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>          netbios name = S-ADDC
>          realm = STUDIOMOSCA.NET
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          workgroup = STUDIO_MOSCA
>          idmap_ldb:use rfc2307 = yes
>          template shell = /bin/bash
>          template homedir = /home/%U
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> [netlogon]
>          path = /var/lib/samba/sysvol/studiomosca.net/scripts
>          read only = No
>
>
> Maybe the firewalld is enabled and it's possible that I must open some
> other port...
> These are the ports which I have opened:
>
>    firewall-cmd --permanent --add-service={samba,samba-dc,dns,dhcp,kerberos,kpasswd,ldap,ldaps,ntp}
>    firewall-cmd --permanent --add-port={135/tcp,137-138/udp,139/tcp,3268-3269/tcp,49152-65535/tcp}
>    firewall-cmd --reload
>
> So now the open ports are these[1]
The ports seem okay, but try turning the firewall off, if it starts 
working, then you know where to look ;-)
>
> The system is a Fedora 30 Server with default samba out of the box.
> Then yes, it's a krb5kdc (mit_kdc). I hope this is not a problem for
> this ml, otherwise let me know where I can post my question.

Well, it isn't a problem for this mailing list, but it could be a 
problem for you. Using MIT with a Samba AD DC is still experimental, you 
should not run it in production. There are numerous things that do not 
work, or give problems and you might have found another one.


>
> I have looked into mit_kdc.log and I have seen this recurring lament (I
> don't know what it means or whether it is important or not):
>
> set 02 11:54:36 s-addc.studiomosca.net krb5kdc[6764](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> set 02 11:54:36 s-addc.studiomosca.net krb5kdc[6764](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), (-135), DEPRECATED:des-cbc-md5(3)}) 192.168.1.102: PREAUTH_FAILED: madrid$@STUDIO_MOSCA for krbtgt/STUDIO_MOSCA@STUDIO_MOSCA, Preauthentication failed
> set 02 11:54:36 s-addc.studiomosca.net krb5kdc[6764](info): closing down fd 20
> set 02 11:54:36 s-addc.studiomosca.net krb5kdc[6764](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> set 02 11:54:36 s-addc.studiomosca.net krb5kdc[6764](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), (-135), DEPRECATED:des-cbc-md5(3)}) 192.168.1.102: PREAUTH_FAILED: madrid$@STUDIO_MOSCA for krbtgt/STUDIO_MOSCA@STUDIO_MOSCA, Preauthentication failed
> set 02 11:54:36 s-addc.studiomosca.net krb5kdc[6764](info): closing down fd 20
>
> But for now, apart from the win-to-win problem in the subject, all seems to work fine.
>
> Thanks for help
>
Kerberos problems due to using MIT ?????

Rowland
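
A way to triage the krb5kdc entries quoted above, as an added example that is not part of the original message: it counts PREAUTH_FAILED AS_REQ entries per principal and client address, marks machine accounts (names ending in `$`), and lists the DEPRECATED etypes the client offered. The sample lines, host, realm and principal names are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the krb5kdc log format quoted above; host, realm,
# addresses and principals are made up for this example.
P = "Sep 02 11:54:36 dc1.example.net krb5kdc[6764](info): "
AES = "aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)"
FAILED_WS1 = (P + "AS_REQ (3 etypes {" + AES + ", DEPRECATED:arcfour-hmac(23)}) "
              "192.0.2.10: PREAUTH_FAILED: ws1$@EXAMPLE for krbtgt/EXAMPLE@EXAMPLE, "
              "Preauthentication failed")
SAMPLE_LOG = "\n".join([
    P + "preauth (encrypted_timestamp) verify failure: Preauthentication failed",
    FAILED_WS1,
    P + "closing down fd 20",
    FAILED_WS1,
    P + "AS_REQ (2 etypes {" + AES + "}) 192.0.2.20: NEEDED_PREAUTH: "
        "alice@EXAMPLE for krbtgt/EXAMPLE@EXAMPLE, Additional pre-authentication required",
    P + "AS_REQ (2 etypes {" + AES + "}) 192.0.2.30: PREAUTH_FAILED: "
        "bob@EXAMPLE for krbtgt/EXAMPLE@EXAMPLE, Preauthentication failed",
])

AS_REQ = re.compile(r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<client>\S+): "
                    r"(?P<status>[A-Z_]+): (?P<princ>\S+) for ")

def summarize_preauth_failures(log_text):
    """Map (principal, client address) to failure count and deprecated etypes offered."""
    summary = defaultdict(lambda: {"count": 0, "deprecated": set()})
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        # NEEDED_PREAUTH is the normal first leg of a login; count only real failures.
        if not m or m["status"] != "PREAUTH_FAILED":
            continue
        entry = summary[(m["princ"], m["client"])]
        entry["count"] += 1
        entry["deprecated"].update(re.findall(r"DEPRECATED:([\w-]+)", m["etypes"]))
    return dict(summary)

def is_machine_account(principal):
    """Computer accounts in AD have a trailing '$' on the account name."""
    return principal.split("@", 1)[0].endswith("$")

if __name__ == "__main__":
    for (princ, client), info in summarize_preauth_failures(SAMPLE_LOG).items():
        kind = "machine" if is_machine_account(princ) else "user"
        print(f"{princ} ({kind}) from {client}: {info['count']} failures, "
              f"deprecated etypes offered: {sorted(info['deprecated']) or 'none'}")
```

Grouping by principal and source address separates one workstation's machine account failing repeatedly, as in the log above, from failures spread over many user principals.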