Jon Rabone
2002-Sep-02 05:38 UTC
[Samba] Problem with Samba 3 as member server in Win2K/ADS domain
Hi, I'm having problems getting Samba 3 working in a Win2K/ADS domain. I don't want Samba to be a PDC - just a member server. I have two boxes, aquarius (Windows 2000 Server DC) and gemini (Debian Linux, current development version) I do both a kinit, and a net ads join successfully, but if I try to access shares on the DC, I get: # smbclient -k -L aquarius added interface ip=192.168.0.5 bcast=192.168.0.255 nmask=255.255.255.0 Doing spnego session setup (blob length=118) Doing kerberos session setup krb5_get_credentials failed for aquarius$@EDI.COMPANY.COM (No credentials found with supported encryption types) session setup failed: NT_STATUS_MORE_PROCESSING_REQUIRED klist on gemini shows: Ticket cache: FILE:/tmp/krb5cc_0 Default principal: GEMINI$@EDI.COMPANY.COM Valid starting Expires Service principal 09/01/02 18:12:14 09/02/02 04:12:14 krbtgt/EDI.COMPANY.COM@EDI.COMPANY.COM 09/01/02 18:12:14 09/02/02 04:12:14 ldap/aquarius@EDI.COMPANY.COM Kerberos 4 ticket cache: /tmp/tkt0 I think this might be something to do with NTLMv2 - our Win2K domain is a native-mode domain, with no down-level clients. The domain policy is set to only allow NTLMv2 auth. Running klist on the Win2K server, I get (amongst others): Server: AQUARIUS$@EDI.CRITICALBLUE.COM KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) End Time: 9/2/2002 15:31:01 Renew Time: 9/9/2002 5:31:01 Server: HOST/gemini@EDI.CRITICALBLUE.COM KerbTicket Encryption Type: Kerberos DES-CBC-MD5 End Time: 9/2/2002 3:57:26 Renew Time: 9/8/2002 17:57:26 Is the error message from "krb5_get_credentials" indicating that RSADSI RC4-HMAC(NT) is unsupported in Samba at the moment? Is this something that I've not configured at the Linux end, or is it a limitation of Samba at the present? I'm using a CVS snapshot of Samba dated 2002-08-27 (Debian packaged version). I'm happy to experiment on the linux server - the Windows server is in production use so I don't want to do anything too drastic to it. Thanks, Jon
Possibly Parallel Threads
- Connection dropping every 24 hours from Windows Client.
- Debian Stable Samba 3.0.5 to 3.0.6 upgrade - broke my config?
- samba-tool domain ldapcmp compared failed
- samba-tool domain ldapcmp compared failed
- access is denied to the Windows share folder because of the ticket kerberos