We have several RHEL 3.0 Update 2 servers running Samba. These have been working flawlessly for several months.

Recently, the base upgraded all the Windows 2000 servers to Windows 2003.
NOTE: we don't have admin rights to the Domain Controllers. (wish we did.)

Previous to upgrading the Domain (and kdc) controllers to 2003 we had no issues joining a new Samba Server to the ADS.

Using the same krb5.conf and kdc.conf and smb.conf file, it is no longer possible to join a Samba 3.0 server to the domain.

Any help/direction is appreciated.
VR
Charles

Samba packages
-------------
samba-common-3.0.4-6.3E
samba-3.0.4-6.3E
samba-client-3.0.4-6.3E

Kerberos Packages
-----------------
pam_krb5-1.73-1
krb5-libs-1.2.7-24
krb5-workstation-1.2.7-24
krbafs-1.1.1-11
krbafs-utils-1.1.1-11
krb5-server-1.2.7-24
krbafs-devel-1.1.1-11
krb5-devel-1.2.7-24

Things tried (per the samba docs, this is the first step):

kinit USERNAME@REALM
error:
kinit(v5): KRB5 error code 52 while getting initial credentials

net ads join "/IT/Computers/Servers-2" -U adminOFthisOU
error:
kerberos_kinit_password ADMINOFTHISOU@USAF.AFMC.DS.AF.MIL failed: KRB5 error code 52

Not much on google about this error.

krb5.conf
**************
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = USAF.AFMC.DS.AF.MIL
# default_tgs_enctypes = rc4-hmac
# default_tkt_enctypes = rc4-hmac
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 USAF.AFMC.DS.AF.MIL = {
  kdc = xxx.xxx.xxx.241:88
  admin_server = xxx.xxx.xxx.241:749
  default_domain = usaf.af.mil
 }

[domain_realm]
 .usaf.af.mil = USAF.AFMC.DS.AF.MIL
 usaf.af.mil = USAF.AFMC.DS.AF.MIL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
*****************************

kdc.conf
*********
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 USAF.AFMC.DS.AF.MIL = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
 }
*********

smb.conf
*********
[global]
 workgroup = USAF-2K
 realm = USAF.AFMC.DS.AF.MIL
 server string =
 security = ADS
 obey pam restrictions = Yes
 password server = xxx.xxx.xxx.241
 pam password change = Yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
 log file = /var/log/samba/%m.log
 max log size = 0
 announce version = 5.0
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 preferred master = No
 local master = No
 domain master = No
 wins server = 10.50.1.52
 ldap ssl = no
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 template shell = /bin/bash
# winbind separator = +
# valid users = @oracle
 printing = cups

[testshare]
 comment = System Share
 path = /home2/share
 force group = share
 writeable = yes
 case sensitive = Yes
 hide dot files = No
On Thu, 2004-07-29 at 10:08, Tran Charles A Civ OC-ALC/ITMA wrote:
> We have several RHEL 3.0 Update 2 servers running Samba.
> These have been working flawlessly for several months.
>
> Recently, the base upgraded all the Windows 2000 servers
> to Windows 2003.
> NOTE: we don't have admin rights to the Domain Controllers. (wish we did.)
>
> Previous to upgrading the Domain (and kdc) controllers to 2003 we had
> no issues joining a new Samba Server to the ADS.
>
> Using the same krb5.conf and kdc.conf and smb.conf file, it
> is no longer possible to join a Samba 3.0 server to the domain.
>
> Any help/direction is appreciated.
> VR
> Charles
>
> Samba packages
> -------------
> samba-common-3.0.4-6.3E
> samba-3.0.4-6.3E
> samba-client-3.0.4-6.3E
>
> Kerberos Packages
> -----------------
> pam_krb5-1.73-1
> krb5-libs-1.2.7-24
> krb5-workstation-1.2.7-24
> krbafs-1.1.1-11
> krbafs-utils-1.1.1-11
> krb5-server-1.2.7-24
> krbafs-devel-1.1.1-11
> krb5-devel-1.2.7-24

First off, you need to use MIT Kerberos v1.3.x. Install it (I had to use source to do this; v1.3.4 works nice). I just left the RHES krb5 stuff in place, as then it feels just like it was compiled for it. I used a fugly configure line for Kerberos. You will prolly have to do the same for krbafs.

I also updated the pam_smb and pam_krb5 packages from Fedora Core (got the src rpm and did a rpmbuild --rebuild on it).

Your samba should be okay, but given that 3.0.5 was just released last week Wednesday as a security release... dunno.

I had many little problems at MIT krb5 v1.2.7. That's why I went to v1.3.4.

You might also try the "currently broken" option called:

spnego = Yes

It may or may not work.

If you want to know the configure options I used... let me know.

--
greg, greg@gregfolkert.net
The technology that is Stronger, better, faster: Linux
On Thursday 29 July 2004 08:08, Tran Charles A Civ OC-ALC/ITMA wrote:
> We have several RHEL 3.0 Update 2 servers running Samba.
> These have been working flawlessly for several months.
>
> Recently, the base upgraded all the Windows 2000 servers
> to Windows 2003.

Only MIT Kerberos 1.3.1 or later will work with Windows 2003 Server ADS.

- John T.

> NOTE: we don't have admin rights to the Domain Controllers. (wish we
> did.)
>
> Previous to upgrading the Domain (and kdc) controllers to 2003 we had
> no issues joining a new Samba Server to the ADS.
>
> Using the same krb5.conf and kdc.conf and smb.conf file, it
> is no longer possible to join a Samba 3.0 server to the domain.
>
> Any help/direction is appreciated.
> VR
> Charles
>
> Samba packages
> -------------
> samba-common-3.0.4-6.3E
> samba-3.0.4-6.3E
> samba-client-3.0.4-6.3E
>
> Kerberos Packages
> -----------------
> pam_krb5-1.73-1
> krb5-libs-1.2.7-24
> krb5-workstation-1.2.7-24
> krbafs-1.1.1-11
> krbafs-utils-1.1.1-11
> krb5-server-1.2.7-24
> krbafs-devel-1.1.1-11
> krb5-devel-1.2.7-24
>
>
> Things tried (per the samba docs, this is the first step):
>
> kinit USERNAME@REALM
> error:
> kinit(v5): KRB5 error code 52 while getting initial credentials
>
> net ads join "/IT/Computers/Servers-2" -U adminOFthisOU
> error:
> kerberos_kinit_password ADMINOFTHISOU@USAF.AFMC.DS.AF.MIL failed: KRB5
> error code 52
>
> Not much on google about this error.
>
> krb5.conf
> **************
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = USAF.AFMC.DS.AF.MIL
> # default_tgs_enctypes = rc4-hmac
> # default_tkt_enctypes = rc4-hmac
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>
> [realms]
>  USAF.AFMC.DS.AF.MIL = {
>   kdc = xxx.xxx.xxx.241:88
>   admin_server = xxx.xxx.xxx.241:749
>   default_domain = usaf.af.mil
>  }
>
> [domain_realm]
>  .usaf.af.mil = USAF.AFMC.DS.AF.MIL
>  usaf.af.mil = USAF.AFMC.DS.AF.MIL
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
> *****************************
>
> kdc.conf
> *********
> [kdcdefaults]
>  acl_file = /var/kerberos/krb5kdc/kadm5.acl
>  dict_file = /usr/share/dict/words
>  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>  v4_mode = nopreauth
>
> [realms]
>  USAF.AFMC.DS.AF.MIL = {
>   master_key_type = des-cbc-crc
>   supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm
> des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal
> des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3
> des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4
> des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm
> des-cbc-md5:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal
> des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
>  }
> *********
>
> smb.conf
> *********
> [global]
>  workgroup = USAF-2K
>  realm = USAF.AFMC.DS.AF.MIL
>  server string =
>  security = ADS
>  obey pam restrictions = Yes
>  password server = xxx.xxx.xxx.241
>  pam password change = Yes
>  passwd program = /usr/bin/passwd %u
>  passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>  log file = /var/log/samba/%m.log
>  max log size = 0
>  announce version = 5.0
>  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>  preferred master = No
>  local master = No
>  domain master = No
>  wins server = 10.50.1.52
>  ldap ssl = no
>  idmap uid = 10000-20000
>  idmap gid = 10000-20000
>  template shell = /bin/bash
> # winbind separator = +
> # valid users = @oracle
>  printing = cups
>
> [testshare]
>  comment = System Share
>  path = /home2/share
>  force group = share
>  writeable = yes
>  case sensitive = Yes
>  hide dot files = No

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
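Background for the error in the original post and the replies' advice: KRB5 error code 52 is KRB_ERR_RESPONSE_TOO_BIG, the KDC telling the client that its reply does not fit in a UDP datagram and must be fetched over TCP. MIT krb5 before 1.3 has no TCP transport to the KDC (1.3 added it, together with the udp_preference_limit setting in [libdefaults]), which is why the krb5-libs-1.2.7 client above fails against the upgraded Windows 2003 domain controllers and why both replies point at MIT 1.3.x. The script below is an added example, not Samba or MIT krb5 code: it parses a krb5.conf profile (sections, key = value directives, and the nested { } blocks used under [realms] and [appdefaults]) and reports the client-side settings such a join depends on. The sample configuration is constructed from the krb5.conf in the first post (xxx.xxx.xxx.241 is the poster's redacted KDC address, corrected to read [logging] with its opening bracket); the check names and messages are this example's own.

```python
"""Added example (not Samba or MIT krb5 code): parse a krb5.conf profile and
sanity-check the client-side settings a failed ADS join depends on."""
import re

SECTION_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]$")

# Constructed sample modeled on the krb5.conf in the post; xxx.xxx.xxx.241 is
# the poster's redacted KDC address.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = USAF.AFMC.DS.AF.MIL
# default_tgs_enctypes = rc4-hmac
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 USAF.AFMC.DS.AF.MIL = {
  kdc = xxx.xxx.xxx.241:88
  admin_server = xxx.xxx.xxx.241:749
  default_domain = usaf.af.mil
 }
[domain_realm]
 .usaf.af.mil = USAF.AFMC.DS.AF.MIL
 usaf.af.mil = USAF.AFMC.DS.AF.MIL
"""


def _store(table, key, value):
    """Store a directive; a key repeated inside one block becomes a list."""
    if key in table and isinstance(table[key], list):
        table[key].append(value)
    elif key in table:
        table[key] = [table[key], value]
    else:
        table[key] = value


def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'key = { ... }' blocks nest as dicts.
    Raises ValueError on a header missing its '[' or a '{' never closed."""
    conf, stack = {}, []  # stack[-1] is the block directives currently go into
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        header = SECTION_RE.match(line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: directive outside any [section]: {line!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: '}}' without a matching '{{'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value': {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":  # start of a nested block, e.g. a realm definition
            block = {}
            _store(stack[-1], key, block)
            stack.append(block)
        else:
            _store(stack[-1], key, value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block at end of file")
    return conf


def parse_error(text):
    """Return the parser's error message for text, or None when it parses."""
    try:
        parse_krb5_conf(text)
    except ValueError as exc:
        return str(exc)
    return None


def check_client_config(conf, realm=None):
    """Return findings (strings) for the realm a client will authenticate to."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = realm or libdefaults.get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults] and no realm given"]
    realm_block = conf.get("realms", {}).get(realm)
    dns_lookup_kdc = str(libdefaults.get("dns_lookup_kdc", "true")).lower() == "true"
    if not (isinstance(realm_block, dict) and "kdc" in realm_block) and not dns_lookup_kdc:
        findings.append(f"realm {realm}: no kdc listed and dns_lookup_kdc is off, so no KDC can be located")
    if "udp_preference_limit" not in libdefaults:
        findings.append("udp_preference_limit unset: a reply too big for UDP (error 52) relies on the "
                        "library's TCP fallback, which MIT krb5 has only from 1.3")
    if realm not in conf.get("domain_realm", {}).values():
        findings.append(f"realm {realm}: no [domain_realm] entry maps a DNS domain to it")
    return findings
```

Run against the sample, the only finding is the missing udp_preference_limit; against the literal text of the post (with the dropped bracket and the pam block's missing closing brace) parse_krb5_conf raises instead, which is the first thing to rule out before blaming the KDC. One caveat the thread does not spell out: kdc.conf is read by the KDC daemons (krb5kdc, kadmind), not by the library a client uses for kinit or net ads join, so the posted kdc.conf and its DES enctype list play no part in the failure.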