Igor-
I have tried this type of setup and it does not work.
If the user logs in to the "REALMNAME (Kerberos Realm)" on the Windows
2000 workstation, the kerberos tickets he has are slightly different
from the ones he gets when he logs into the Windows 2000 domain. These
tickets aren't authenticated by the Samba server and the user gets
prompted for a password (which would then be compared against the one in
the Windows 2000 domain and unless it matches the one in your UNIX
kerberos, it'll fail). Apparently this isn't a popular architecture yet
and so it's not being worked on currently.
I haven't had time to get more information to the developers that would
help in solving the problem.
Donald
On Thu, 2002-10-17 at 02:00, Igor Korzinek wrote:
> Hi,
> I've posted this one also to comp.protocols.smb, but the list seems to be
> more hacky :-)
>
> I have M$ Win2K PDC with Kerberos authentication system.
>
> PDC
> Win2K--------------SAMBA-3.020-------------LINUX
> Kerberos5
>
> It was said somewhere (Samba 3.0 prealpha guide to Kerberos
> authentication) that this should work.
> I'm using RedHat 7.2 with latest patches (obtained via net from redhat
> site).
> Kerberos is 1.2.2-14
> klist shows after kinit:
> -------------------------------
> [root@pan log]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ADMINISTRATOR@ZG.CORP.FGMICROTEC.COM
>
> Valid starting     Expires            Service principal
> 10/16/02 17:58:48  10/17/02 03:58:48  krbtgt/ZG.CORP.FGMICROTEC.COM@ZG.CORP.FGMICROTEC.COM
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> --------------------------------
> So I assume that the kerberos client is running fine. I've tried with a wrong
> passwd, and it complains, so this should be fine.
>
> I did change execution path so that the Samba 3.0.20 is started and log
> files said that everything is fine.
>
> When I did net ads join, I got a Segmentation fault....
> Any hint ? (oh, yes, gcc is 2.96)
>
> If someone has succeeded with such a connection, please let me know.
>
> Yes, there is some additional info...
> instead of net ads join,
> I've used, and one should use,
>
> net ads join -Uadministrator
>
> because the default is the logged-in user, which is almost never administrator on
> UNIXes, but can be root or some local user... (I've discovered that with
> kdbg and a 1 hour session :-)).
>
> And when I execute:
>
> [root@pan root]# net ads status -Uadministrator
>
> I've got the following:
>
> administrator password:
> accountExpires: 9223372036854775807
> badPasswordTime: 0
> badPwdCount: 0
> codePage: 0
> cn: pan
> countryCode: 0
> dNSHostName: pan
> instanceType: 4
> isCriticalSystemObject: FALSE
> lastLogoff: 0
> lastLogon: 0
> logonCount: 0
> -------------- Security Descriptor (revision: 1, type: 0x8c14)
> owner SID: S-1-5-21-353111985-644491385-32730383-512
> group SID: S-1-5-21-353111985-644491385-32730383-513
> ------- (system) ACL (revision: 2, size: 28, number of ACEs: 1)
> ------- ACE (type: 0x02, flags: 0xd2, size: 0x14, mask: 0xd016b)
> access SID: S-1-1-0
> access type: SYSTEM AUDIT
> Permissions:
> [Create All Child Objects]
> [Delete All Child Objects]
> [All validate writes]
> [Write All Properties]
> [Delete Subtree]
> [Change Password]
> [Reset Password]
> [Delete]
> [Modify Permissions]
> [Modify Owner]
> ------- (user) ACL (revision: 4, size: 1284, number of ACEs: 30)
> ------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
> access SID: S-1-5-21-353111985-644491385-32730383-512
> access type: ALLOWED
> Permissions: [Full Control]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
> access SID: S-1-5-32-548
> access type: ALLOWED
> Permissions: [Full Control]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0xf01ff)
> access SID: S-1-5-18
> access type: ALLOWED
> Permissions: [Full Control]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0x301d4)
> access SID: S-1-5-21-353111985-644491385-32730383-512
> access type: ALLOWED
> Permissions:
> [List Contents]
> [Read All Properties]
> [Delete Subtree]
> [List Object]
> [Change Password]
> [Reset Password]
> [Delete]
> [Read Permissions]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x20, object flags: 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-512
> access type: ALLOWED OBJECT
> Permissions:
> [Write All Properties]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x20094)
> access SID: S-1-5-11
> access type: ALLOWED
> Permissions:
> [List Contents]
> [Read All Properties]
> [List Object]
> [Read Permissions]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x100, object flags: 0x1)
> access SID: S-1-1-0
> access type: ALLOWED OBJECT
> Permissions:
> [Change Password]
> [Reset Password]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x3)
> access SID: S-1-5-10
> access type: ALLOWED
> Permissions:
> [Create All Child Objects]
> [Delete All Child Objects]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x2c, mask: 0x3, object flags: 0x1)
> access SID: S-1-5-32-550
> access type: ALLOWED OBJECT
> Permissions:
> [Create All Child Objects]
> [Delete All Child Objects]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x30, object flags: 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-517
> access type: ALLOWED OBJECT
> Permissions:
> [Read All Properties]
> [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags: 0x1)
> access SID: S-1-5-10
> access type: ALLOWED OBJECT
> Permissions:
> [All validate writes]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x30, object flags: 0x1)
> access SID: S-1-5-10
> access type: ALLOWED OBJECT
> Permissions:
> [Read All Properties]
> [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags: 0x1)
> access SID: S-1-5-10
> access type: ALLOWED OBJECT
> Permissions:
> [All validate writes]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x8, object flags: 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-512
> access type: ALLOWED OBJECT
> Permissions:
> [All validate writes]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x8, object flags: 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-512
>
> .... etc etc etc...
>
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
> [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags: 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
> [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags: 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
> [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags: 0x1)
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
> [Write All Properties]
> ------- ACE (type: 0x00, flags: 0x12, size: 0x24, mask: 0x4)
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED
> Permissions:
> [List Contents]
> ------- ACE (type: 0x05, flags: 0x1a, size: 0x38, mask: 0x20094, object flags: 0x2)
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
> [List Contents]
> [Read All Properties]
> [List Object]
> [Read Permissions]
> ------- ACE (type: 0x05, flags: 0x1a, size: 0x38, mask: 0x20094, object flags: 0x2)
> access SID: S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
> [List Contents]
> [Read All Properties]
> [List Object]
> [Read Permissions]
> -------------- End Of Security Descriptor
> distinguishedName: CN=pan,CN=Computers,DC=zg,DC=corp,DC=fgmicrotec,DC=com
> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=zg,DC=corp,DC=fgmicrotec,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> objectGUID: BCB686FB03DF4448A060FEB4F2AF844C
> objectSid: S-1-5-21-353111985-644491385-32730383-1175
> operatingSystem: Samba
> operatingSystemVersion: 3.0alpha20
> primaryGroupID: 515
> pwdLastSet: 126792633499442796
> name: pan
> sAMAccountName: pan$
> sAMAccountType: 805306369
> servicePrincipalName: HOST/pan
> userAccountControl: 2691072
> userPrincipalName: HOST/pan@ZG.CORP.FGMICROTEC.COM
> uSNChanged: 518176
> uSNCreated: 518173
> whenChanged: 20021016173549.0Z
> whenCreated: 20021016173549.0Z
>
> So it looks like I have joined the domain and zeus, which is both the Kerberos
> server and the Win2K PDC for the domain.
>
> Am I correct ?
> What is wrong ?
> Is it smb.conf file ?
>
>
> Thank you for your time. And send me an address if you want a postcard :-)
>
> Igor
>
>
> ---smb.conf---------------------------------------
> [global]
> path = /home2/ftp/pub/
> dns proxy = no
> encrypt passwords = yes
> ads server = zeus
> realm = ZG.CORP.FGMICROTEC.COM
> workgroup = UNIX
> server string = Linux File/Application Server
> socket options = TCP_NODELAY
> log file = /var/log/samba/log.%m
> netbios name = PAN
> load printers = yes
> max log size = 50
> preferred master = no
> hosts allow = 192.168.0. 10.1.2. 127.
>
> [PublicExportedPath]
> writable = yes
> comment = Home Directories
>
> [printers]
> comment = All Printers
> path = /usr/spool/samba
> browseable = no
> # Set public = yes to allow user 'guest account' to print
> guest ok = no
> writable = no
> printable = yes
>
> # This one is useful for people to share files
> [Export]
> path = /export
> writable = yes
> browseable = yes
> comment = Temporary file space
> public = yes
> ----------------------------------------------------------
> --krb5.conf------------------------------------
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = ZG.CORP.FGMICROTEC.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> ZG.CORP.FGMICROTEC.COM = {
> kdc = zeus
> }
>
> [pam]
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> --------------------------------------
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
>
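A small reviewer for the `net ads status` dump quoted in Igor's mail, added here as an example (not code from the thread or from Samba): it decodes the computer account's userAccountControl bits and lists which principals the ACL grants write-level rights to, skipping SYSTEM AUDIT entries. The UF_* bit values and well-known SID names are standard Windows constants; the sample dump is constructed in the layout of the mail and trimmed to three ACEs.

```python
# UF_* bits of userAccountControl (Windows SDK values; Samba's ads code uses the same names).
UAC = {0x2: "ACCOUNTDISABLE", 0x200: "NORMAL_ACCOUNT", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
       0x10000: "DONT_EXPIRE_PASSWD", 0x80000: "TRUSTED_FOR_DELEGATION",
       0x200000: "USE_DES_KEY_ONLY", 0x400000: "DONT_REQ_PREAUTH"}
# Well-known SIDs and domain RIDs seen in the dump; anything else is reported as the raw SID.
NAMES = {"S-1-1-0": "Everyone", "S-1-5-10": "SELF", "S-1-5-11": "Authenticated Users",
         "S-1-5-18": "SYSTEM", "S-1-5-32-548": "Account Operators"}
RIDS = {"512": "Domain Admins", "513": "Domain Users", "515": "Domain Computers"}
WRITE_RIGHTS = {"Full Control", "Write All Properties", "Reset Password", "Modify Owner"}

# Constructed sample in the layout of the `net ads status` output in the mail (3 ACEs kept).
SAMPLE = """------- ACE (type: 0x02, flags: 0xd2, size: 0x14, mask: 0xd016b)
access SID: S-1-1-0
access type: SYSTEM AUDIT
Permissions: [Reset Password]
------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
access SID: S-1-5-32-548
access type: ALLOWED
Permissions: [Full Control]
------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x20094)
access SID: S-1-5-11
access type: ALLOWED
Permissions:
[List Contents]
[Read All Properties]
"""

def sid_name(sid):
    return NAMES.get(sid) or RIDS.get(sid.rsplit("-", 1)[-1], sid)

def decode_uac(value):
    # Names of the UF_* bits set in an integer userAccountControl (2691072 in the mail).
    return [name for bit, name in sorted(UAC.items()) if value & bit]

def parse_aces(text):
    # One dict per ACE: its SID, access type and the rights listed under Permissions.
    aces, ace = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("------- ACE"):
            ace = {"SID": None, "type": None, "perms": []}; aces.append(ace)
        elif ace and line.startswith("access "):  # "access SID: ..." and "access type: ..."
            key, val = line[7:].split(":", 1)
            ace[key] = val.strip()
        elif ace and "[" in line:                 # "Permissions: [Full Control]" or "[Right]"
            ace["perms"].append(line[line.index("[") + 1:line.rindex("]")])
    return aces

def write_holders(text):
    # Principal -> write-level rights granted by ALLOWED ACEs; audit ACEs grant nothing.
    out = {}
    for ace in parse_aces(text):
        hits = WRITE_RIGHTS & set(ace["perms"])
        if hits and ace["type"].startswith("ALLOWED"):
            out.setdefault(sid_name(ace["SID"]), set()).update(hits)
    return {name: sorted(rights) for name, rights in out.items()}
```

Run against the full dump from the mail, the same functions name every SID with a RID in the table and leave the rest (such as the -1173 account) as raw SIDs for manual lookup.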