Gavin Davenport
2003-Oct-07 15:34 UTC
[Samba] Still having trouble with Redhat 7.1 and windows 2003 DC authentication.
Hi there

I'm still going round in circles trying to get winbindd authentication against a 2003 server working.

I have what appears to be the same problem as:
http://www.ssite.org/articles/view.aspx?class=2&articleid=2
There's something wrong with the SMB Packet signing on this machine.

In parallel, I successfully built and have got working samba-devel on FreeBSD 5.1 against the same ADS.
I used these hints:
http://www.mail-archive.com/freebsd-questions@freebsd.org/msg33123.html
and it works (using a pretty much identical smb.conf)
Key additions are:
client signing = Yes
server signing = Yes
client use spnego = Yes

The box I'm having trouble with is a redhat 7.1 box. I've upgraded the standard 7.1 RPMs re. krb & pam from:
[root@potato samba]# rpm -qa | grep krb
pam_krb5-1.31-1
krb5-libs-1.2.2-24
krb5-workstation-1.2.2-24
krb5-devel-1.2.2-24
krbafs-1.0.5-1
krbafs-utils-1.0.5-1
to:
pam_krb5-1.55-1
krb5-libs-1.2.2-24
krb5-workstation-1.2.2-24
krb5-devel-1.2.2-24
krbafs-1.0.9-2
krbafs-devel-1.0.9-2
krbafs-utils-1.0.9-2

Using some SRPMs from rh7.3.

I don't know how to work out what version of Heimdal is within these packages which samba-3 has linked to. I have read that 2003 server requires heimdal 1.6 or older, so I went and got that, compiled and built it (from: ftp://ftp.pdc.kth.se/pub/heimdal/src/)

This built me a heimdal subdirectory (I wanted it separate), which I then configured in the samba.spec file: --with-krb5=/usr/local/heimdal, but the Samba3 srpm wouldn't compile with this version of heimdal - there seemed to be lots of bits missing.

smbclient works ok from the Redhat box against the XP, 2003 or FreeBSD SMB Servers, domain authentication works for that. No clients can attach to the redhat server, they all seem to fail for SMB packet signing reasons.

I don't really want to change the DC settings, the BSD box works, I'd like the RedHat box to work too :)

I would like to know which RPM supplies the right version of heimdal for 2003AD authentication to work, right now I don't know which bit to look at.

Anyone got to the end of this struggle with a redhat box this age ??

Winbindd -i -vv shows:

client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] 08 CE A3 BF F9 D5 1E 09 .?????..
client_check_incoming_message: BAD SIG: got SMB signature of
[000] 91 F7 B2 53 5B CA EB 3F .??S[???
signing_good: SMB signature check failed on seq 1!
SMB Signature verification failed on incoming packet!
failed kerberos session setup with NT_STATUS_OK
anonymous connection attempt to BASHFUL from POTATO
failed anonymous session setup with NT_STATUS_OK
trusted_domains: Could not open a connection to GDA-ADSL.DEMON.CO.UK for PIPE_NETLOGON (NT_STATUS_UNSUCCESSFUL)
convert_string_allocate: Conversion error: Illegal multibyte sequence(??)
convert_string_allocate: Conversion error: Illegal multibyte sequence(??)
rescan_trusted_domains: Can't find my own domain!

Is this a software version thing or is the PDC signing the SMB packets with an old host key ??

Has anyone done ADS authentication on a Redhat 7.1 box/samba 3.0.0 host ??

Gavin Davenport

p.s. I've just tried the same build on a redhat 8.0 box. That's failing for the same reason. Is it a password thing ??
Jeremy Allison
2003-Oct-07 17:30 UTC
[Samba] Still having trouble with Redhat 7.1 and windows 2003 DC authentication.
On Tue, Oct 07, 2003 at 04:34:14PM +0100, Gavin Davenport wrote:
> Hi there
>
> I'm still going round in circles trying to get winbindd authentication
> against a 2003 server working.
>
> I have what appears to be the same problem as:
> http://www.ssite.org/articles/view.aspx?class=2&articleid=2
> There's something wrong with the SMB Packet signing on this machine.
>
> In parallel, I successfully built and have got working samba-devel on
> FreeBSD 5.1 against the same ADS.
> I used these hints:
> http://www.mail-archive.com/freebsd-questions@freebsd.org/msg33123.html
> and it works (using a pretty much identical smb.conf)
> Key additions are:
> client signing = Yes
> server signing = Yes
> client use spnego = Yes
>
> The box I'm having trouble with is a redhat 7.1 box. I've upgraded the
> standard 7.1 RPMs re. krb & pam from:
> [root@potato samba]# rpm -qa | grep krb
> pam_krb5-1.31-1
> krb5-libs-1.2.2-24
> krb5-workstation-1.2.2-24
> krb5-devel-1.2.2-24
> krbafs-1.0.5-1
> krbafs-utils-1.0.5-1
> to:
> pam_krb5-1.55-1
> krb5-libs-1.2.2-24
> krb5-workstation-1.2.2-24
> krb5-devel-1.2.2-24
> krbafs-1.0.9-2
> krbafs-devel-1.0.9-2
> krbafs-utils-1.0.9-2
>
> Using some SRPMs from rh7.3.
>
> I don't know how to work out what version of Heimdal is within these
> packages which samba-3 has linked to. I have read that 2003 server requires
> heimdal 1.6 or older, so I went and got that, compiled and built it
> (from: ftp://ftp.pdc.kth.se/pub/heimdal/src/)

Have you tried using MIT krb5 1.3.1? I know the signing works with that release. I'm wondering if Heimdal is doing the subkeys correctly.

Jeremy.
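
What the "BAD SIG: wanted / got" pair in the winbindd output compares, as an added example that is not part of either message and is not Samba's code: an SMB1 signature is the first 8 bytes of MD5 over the MAC key followed by the packet with the sequence number written into the signature field, so two ends holding different keys can never agree. The packet and both 16-byte keys are constructed, and using the Kerberos session key or a subkey directly as the MAC key is an assumption made to illustrate the subkey question raised in the reply.

```python
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN = 14, 8   # SecuritySignature field in the 32-byte SMB1 header

def smb1_signature(mac_key: bytes, packet: bytes, seq: int) -> bytes:
    """First 8 bytes of MD5(mac_key || packet with seq number in the signature field)."""
    if len(packet) < 32 or packet[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    seq_field = struct.pack("<II", seq, 0)          # 4-byte LE sequence number + 4 zero bytes
    stamped = packet[:SIG_OFFSET] + seq_field + packet[SIG_OFFSET + SIG_LEN:]
    return hashlib.md5(mac_key + stamped).digest()[:SIG_LEN]

def sign(mac_key: bytes, packet: bytes, seq: int) -> bytes:
    """Sender side: return the packet with its signature field filled in."""
    sig = smb1_signature(mac_key, packet, seq)
    return packet[:SIG_OFFSET] + sig + packet[SIG_OFFSET + SIG_LEN:]

def check_incoming(mac_key: bytes, packet: bytes, seq: int):
    """Receiver side: recompute and compare, like the wanted/got pair in the log."""
    got = packet[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    wanted = smb1_signature(mac_key, packet, seq)
    return hmac.compare_digest(wanted, got), wanted, got

def constructed_reply() -> bytes:
    """Constructed SMB1 session-setup reply: 32-byte header plus a dummy body."""
    header = (b"\xffSMB" + b"\x73" + bytes(4) + b"\x88"
              + struct.pack("<H", 0xC804)           # Flags2 with the signing bit (0x0004) set
              + bytes(2) + bytes(SIG_LEN) + bytes(2)
              + struct.pack("<HHHH", 0, 0x1234, 0x0801, 1))
    return header + b"constructed body"

# Constructed keys standing in for the two candidates a Kerberos session
# setup can yield: the ticket session key and a negotiated subkey.
TICKET_KEY = bytes(range(16))
SUBKEY = bytes(range(16, 32))

if __name__ == "__main__":
    reply = sign(SUBKEY, constructed_reply(), seq=1)    # sender signs with the subkey
    for name, key in (("ticket key", TICKET_KEY), ("subkey", SUBKEY)):
        ok, wanted, got = check_incoming(key, reply, seq=1)
        print(f"{name}: {'ok' if ok else 'BAD SIG'} wanted={wanted.hex()} got={got.hex()}")
```

A receiver that holds the right key but has lost count of the sequence number fails the same way, which is why the log names the sequence number alongside the failed check.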