Duran Munoz, Pedro
2004-Apr-14 09:41 UTC
[Samba] Samba 3.0.2a and ADS w2k3 Kerberos authentication problem
I am using Samba 3.0.2a as a domain member in an ADS w2k3 domain. net ads join -U administrator works fine. This integration includes Kerberos support (krb5.conf) and winbind; wbinfo -u and -g work fine. I am able to map Samba shares by IP address (\\192.168.0.x\share), but it does not work if I use the NetBIOS name (\\redhat9\share): the system asks me for authentication but I never get into the Samba server (login and password are invalid). The Kerberos package is 1.2.27, the default included with Red Hat 9. Any help would be appreciated. Best Regards
Marco F. Cavaliere
2004-Apr-14 09:52 UTC
[Samba] Samba 3.0.2a and ADS w2k3 Kerberos authentication problem
I have the same problem with Debian and a Win 2k server... but, of course, I have no answer! I've googled a lot, and it is probably a bug in Samba, AFAIK...
Jim McDonough
2004-Apr-14 13:23 UTC
[Samba] Samba 3.0.2a and ADS w2k3 Kerberos authentication problem
>I am using Samba 3.0.2a as Domain member into ADS w2k3 domain. net ads
>join -U administrator work fine.
>wbinfo -u and -g works fine.
>I am able to mapped Samba shares with IP address (\\192.168.0.x\share)
>but it does not works if I use netbios name ( \\redhat9\share) the
>system asks me for authentication but never I get into the Samba server
>( Login and password are invalid ).
>Kerberos packed is 1.2.27 default redhat9 included.

Well, when I read this last line, I assumed that you've just run into the w2k3 doesn't deal with non-rc4-hmac kerberos (that would be pre-1.3 MIT kerberos), but it is strange that you can map via IP address...

There are several things to try here:
-upgrade kerberos to post 1.3
-try fixing windows, which has multiple options. See http://support.microsoft.com/default.aspx?scid=kb;en-us;833708

But the fact that it works via IP address puzzles me...

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
Aden, Steve
2004-Apr-14 13:56 UTC
[Samba] Samba 3.0.2a and ADS w2k3 Kerberos authentication problem
Mapping by IP address causes samba to not use Kerberos.
Duran Munoz, Pedro
2004-Apr-14 15:52 UTC
[Samba] Samba 3.0.2a and ADS w2k3 Kerberos authentication problem
Thanks, Jim, for your reply.

When I said the Kerberos package is 1.2.27, the default included with Red Hat 9, I meant that I use krb5-libs-1.2.27-10 from Red Hat 9. As you can see, I am a Linux beginner.

I have changed the Registry on my w2k3 DC as you told me below, without any success (I have created another ticket with the "ktpass" tool and it was applied to the Samba server).

The other way to try to solve the problem is to update Kerberos on Red Hat 9 (the Samba server). Is it possible to use an RPM package from the web, or must I recompile the kernel including this Kerberos package? In that case, which Kerberos package must I use, and what would be the correct procedure for the update? (I remind you that I am a Linux beginner and have never compiled anything.)

Thanks in advance for your help.

Saludos / Best Regards
Pedro
I've just set up the Samba box on my Debian server (woody) with the standard Debian packages provided by http://us1.samba.org/samba/ftp/Binary_Packages/Debian/samba3/ that I know as a standard Samba package repository. The other libs are the standard woody Kerberos library (not the heimdal one).

At this point the things that work are:
I can join the domain.
I can see with getent all the users and groups from my "active directory server" (so winbind seems to work!).
I can use all the net commands.
I can see any machine in my Windows network.

The thing that I can do is to enter with the machine name (\\sambabox\share\); of course, if I use the IP I can enter, but as I read here, that is because with the IP no check is done.

I've checked my Samba log, and the error that I see is:

[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!

I don't know if this is an error related to my Kerberos library. I also tried (I'm going crazy) to install the kerberos-heimdal library, but with that library the winbind daemon doesn't work...

I paste my configuration files... PLEASE PLEASE PLEASE ..... HELP ME!!!!!

---- smb.conf

[global]
workgroup = ULIXE
realm = ULIXE.TO
server string = %h server (Samba %v)
security = ADS
#ads server = 10.0.0.222
update encrypted = Yes
encrypt passwords = Yes
obey pam restrictions = no
password server = nexus.ulixe.to
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = Yes
wins server = 10.0.0.222
# ldap ssl = no
# WINBIND OPTIONS
winbind separator = -
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
template shell = /bin/bash
hostname lookups = Yes

[printers]
comment = All Printers
path = /tmp
create mask = 0700
printable = Yes
browseable = No

[ftp]
path = /var/ftp
read only = No
guest ok = Yes

[backup]
comment = Directory di Backup
path = /mnt/backup
guest ok = No
read only = Yes

- - - - -

---- kerberos.conf

[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
ticket_lifetime = 24000
default_realm = ULIXE.TO
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
permitted_enctypes = des-cbc-md5 des-cbc-crc
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
#default_tgs_enctypes = des-cbc-crc des-cbc-md5
#default_tkt_enctypes = des-cbc-crc des-cbc-md5
kdc_req_checksum_type = 2
forwardable = true
proxiable = true
ccache_type = 1
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
ULIXE.TO = {
kdc = nexus.ulixe.to
default_domain = ulixe.to
}

[domain_realm]
.ulixe.to = ULIXE.TO
ulixe.to = ULIXE.TO

[kdc]
#profile = /etc/krb5kdc/kdc.conf

[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
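Jim's reply above raises two things to check on the Samba host: whether MIT Kerberos is older than 1.3, and whether rc4-hmac is available to it. The following is an added example, not code from the thread or from the Samba project. It reports which enctype settings in a krb5.conf leave out RC4-HMAC and whether a package version string is pre-1.3. The function names are hypothetical and the sample is an abridged excerpt of the krb5.conf posted above.

```python
import re

# Names MIT Kerberos accepts for the RC4-HMAC enctype.
RC4_NAMES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")

# Excerpt of the krb5.conf posted in the thread (abridged).
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = ULIXE.TO
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
permitted_enctypes = des-cbc-md5 des-cbc-crc
#default_tgs_enctypes = des-cbc-crc des-cbc-md5
[realms]
ULIXE.TO = {
 kdc = nexus.ulixe.to
}
"""

def libdefaults(conf_text):
    """Return key -> value for [libdefaults], skipping comment lines."""
    section, out = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[key] = value
    return out

def enctype_lists_without_rc4(conf_text):
    """Enctype settings that are present but do not list RC4-HMAC."""
    conf = libdefaults(conf_text)
    return [key for key in ENCTYPE_KEYS
            if key in conf
            and not RC4_NAMES & set(re.split(r"[\s,]+", conf[key].lower()))]

def is_pre_1_3(version):
    """True if the first major.minor in the string is below 1.3."""
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("no version number in %r" % version)
    return (int(m.group(1)), int(m.group(2))) < (1, 3)
```

A non-empty result from `enctype_lists_without_rc4` or a `True` from `is_pre_1_3` only shows that the host matches the condition Jim describes; the thread does not confirm it as the cause.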