samba - Oct 2002 - Samba 3.020 and Win2K with Kerberos 5

Hi,
I've posted this one also to comp.protocols.smb, but the list seems to be
more hacky :-)

I have M$ Win2K PDC with Kerberos authentication system.

PDC
Win2K--------------SAMBA-3.020-------------LINUX
Kerberos5

It was somewhere told (Samba 3.0 prealpha guide to Kerberos
authentication)that this should work.
I'm using RedHat 7.2 with latest patches (obtained via net from redhat
site).
Kerberos is 1.2.2-14
klist showes after kinit:
-------------------------------
[root@pan log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADMINISTRATOR@ZG.CORP.FGMICROTEC.COM

Valid starting     Expires            Service principal
10/16/02 17:58:48  10/17/02 03:58:48
krbtgt/ZG.CORP.FGMICROTEC.COM@ZG.CORP.FGMI
CROTEC.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
--------------------------------
So I assume that kerberos client is running fine. I've tryed with wrong
passwd, and it complains, so this should be fine.

I did change execution path so that the Samba 3.0.20 is started and log
files said that everything is fine.

When I did net ads join, then I've got Segmentation fault....
Any hint ? (oh, yes, gcc is 2.96)

If someone has succeeded with such a connection, please let me know.

Yes, there is an additional info...
instead of  net ads join,
I've used should use

net ads join -Uadministrator

because, default is a logged user, which is allmost never administrator on
UNIXes, but can be root or some local user... (I've discovered that with
kdbg and 1 hour session :-)).

And when I execute:

[root@pan root]# net ads status -Uadministrator

I've got the following:

administrator password:
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: pan
countryCode: 0
dNSHostName: pan
instanceType: 4
isCriticalSystemObject: FALSE
lastLogoff: 0
lastLogon: 0
logonCount: 0
-------------- Security Descriptor (revision: 1, type: 0x8c14)
owner SID: S-1-5-21-353111985-644491385-32730383-512
group SID: S-1-5-21-353111985-644491385-32730383-513
------- (system) ACL (revision: 2, size: 28, number of ACEs: 1)
------- ACE (type: 0x02, flags: 0xd2, size: 0x14, mask: 0xd016b)
access SID:  S-1-1-0
access type: SYSTEM AUDIT
Permissions:
        [Create All Child Objects]
        [Delete All Child Objects]
        [All validate writes]
        [Write All Properties]
        [Delete Subtree]
        [Change Password]
        [Reset Password]
        [Delete]
        [Modify Permissions]
        [Modify Owner]
------- (user) ACL (revision: 4, size: 1284, number of ACEs: 30)
------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
access SID:  S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED
Permissions: [Full Control]
------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
access SID:  S-1-5-32-548
access type: ALLOWED
Permissions: [Full Control]
------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0xf01ff)
access SID:  S-1-5-18
access type: ALLOWED
Permissions: [Full Control]
------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0x301d4)
access SID:  S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED
Permissions:
        [List Contents]
        [Read All Properties]
        [Delete Subtree]
        [List Object]
        [Change Password]
        [Reset Password]
        [Delete]
        [Read Permissions]
------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x20, object flags:
0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED OBJECT
Permissions:
        [Write All Properties]
------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x20094)
access SID:  S-1-5-11
access type: ALLOWED
Permissions:
        [List Contents]
        [Read All Properties]
        [List Object]
        [Read Permissions]
------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x100, object flags:
0x1)
access SID:  S-1-1-0
access type: ALLOWED OBJECT
Permissions:
        [Change Password]
        [Reset Password]
------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x3)
access SID:  S-1-5-10
access type: ALLOWED
Permissions:
        [Create All Child Objects]
        [Delete All Child Objects]
------- ACE (type: 0x05, flags: 0x00, size: 0x2c, mask: 0x3, object flags:
0x1)
access SID:  S-1-5-32-550
access type: ALLOWED OBJPermissions:
        [Create All Child Objects]
        [Delete All Child Objects]
------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x30, object flags:
0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-517
access type: ALLOWED OBJECT
Permissions:
        [Read All Properties]
        [Write All Properties]
------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags:
0x1)
access SID:  S-1-5-10
access type: ALLOWED OBJECT
Permissions:
        [All validate writes]
------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x30, object flags:
0x1)
access SID:  S-1-5-10
access type: ALLOWED OBJECT
Permissions:
        [Read All Properties]
        [Write All Properties]
------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags:
0x1)
access SID:  S-1-5-10
access type: ALLOWED OBJECT
Permissions:
        [All validate writes]
------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x8, object flags:
0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED OBJECT
Permissions:
        [All validate writes]
------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x8, object flags:
0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-512ECT

.... etc etc etc...

access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
        [Write All Properties]
------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags:
0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
        [Write All Properties]
------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags:
0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
        [Write All Properties]
------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags:
0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
        [Write All Properties]
------- ACE (type: 0x00, flags: 0x12, size: 0x24, mask: 0x4)
access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED
Permissions:
        [List Contents]
------- ACE (type: 0x05, flags: 0x1a, size: 0x38, mask: 0x20094, object
flags: 0x2)
access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
        [List Contents]
        [Read All Properties]
        [List Object]
        [Read Permissions]
------- ACE (type: 0x05, flags: 0x1a, size: 0x38, mask: 0x20094, object
flags: 0x2)
access SID:  S-1-5-21-353111985-644491385-32730383-1173
access type: ALLOWED OBJECT
Permissions:
        [List Contents]
        [Read All Properties]
        [List Object]
        [Read Permissions]
-------------- End Of Security Descriptor
distinguishedName: CN=pan,CN=Computers,DC=zg,DC=corp,DC=fgmicrotec,DC=com
objectCategory:
CN=Computer,CN=Schema,CN=Configuration,DC=zg,DC=corp,DC=fgmicrotec,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectGUID: BCB686FB03DF4448A060FEB4F2AF844C
objectSid: S-1-5-21-353111985-644491385-32730383-1175
operatingSystem: Samba
operatingSystemVersion: 3.0alpha20
primaryGroupID: 515
pwdLastSet: 126792633499442796
name: pan
sAMAccountName: pan$
sAMAccountType: 805306369
servicePrincipalName: HOST/pan
userAccountControl: 2691072
userPrincipalName: HOST/pan@ZG.CORP.FGMICROTEC.COM
uSNChanged: 518176
uSNCreated: 518173
whenChanged: 20021016173549.0Z
whenCreated: 20021016173549.0Z

So it looks like I have joined the domain and zeus which is both Kerberos
server and PDC Win2K for the domain.

Am I correct ?
What is wrong ?
Is it smb.conf file ?


Thank you for your time. And send me an address if you want a postcard :-)

Igor


---smb.conf---------------------------------------
[global]
        path = /home2/ftp/pub/
        dns proxy = no
        encrypt passwords = yes
        ads server = zeus
        realm = ZG.CORP.FGMICROTEC.COM
        workgroup = UNIX
        server string = Linux File/Application Server
        socket options = TCP_NODELAY
        log file = /var/log/samba/log.%m
        netbios name = PAN
        load printers = yes
        max log size = 50
        preferred master = no
        hosts allow = 192.168.0. 10.1.2. 127.

[PublicExportedPath]
        writable = yes
        comment = Home Directories

[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

# This one is useful for people to share files
[Export]
        path = /export
        writable = yes
        browseable = yes
        comment = Temporary file space
        public = yes
----------------------------------------------------------
--krb5.conf------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = ZG.CORP.FGMICROTEC.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 ZG.CORP.FGMICROTEC.COM = {
  kdc = zeus
 }

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
--------------------------------------

Igor- 

I have tried this type of setup and it does not work. 

If the user logs in to the "REALMNAME (Kerberos Realm)" on the Windows
2000 workstation, the kerberos tickets he has are slightly different
from the ones he gets when he logs into the Windows 2000 domain. These
tickets aren't authenticated by the Samba server and the user gets
prompted for a password (which would then be compared against the one in
the Windows 2000 domain and unless it matches the one in your UNIX
kerberos, it'll fail.). Apparently this isn't a popular architecture yet
and so it's not being worked on currently.

I haven't had time to get more information to the developers that would
help in solving the problem.

Donald

On Thu, 2002-10-17 at 02:00, Igor Korzinek wrote:
> Hi,
> I've posted this one also to comp.protocols.smb, but the list seems to
be
> more hacky :-)
> 
> I have M$ Win2K PDC with Kerberos authentication system.
> 
> PDC
> Win2K--------------SAMBA-3.020-------------LINUX
> Kerberos5
> 
> It was somewhere told (Samba 3.0 prealpha guide to Kerberos
> authentication)that this should work.
> I'm using RedHat 7.2 with latest patches (obtained via net from redhat
> site).
> Kerberos is 1.2.2-14
> klist showes after kinit:
> -------------------------------
> [root@pan log]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ADMINISTRATOR@ZG.CORP.FGMICROTEC.COM
> 
> Valid starting     Expires            Service principal
> 10/16/02 17:58:48  10/17/02 03:58:48
> krbtgt/ZG.CORP.FGMICROTEC.COM@ZG.CORP.FGMI
> CROTEC.COM
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> --------------------------------
> So I assume that kerberos client is running fine. I've tryed with wrong
> passwd, and it complains, so this should be fine.
> 
> I did change execution path so that the Samba 3.0.20 is started and log
> files said that everything is fine.
> 
> When I did net ads join, then I've got Segmentation fault....
> Any hint ? (oh, yes, gcc is 2.96)
> 
> If someone has succeeded with such a connection, please let me know.
> 
> Yes, there is an additional info...
> instead of  net ads join,
> I've used should use
> 
> net ads join -Uadministrator
> 
> because, default is a logged user, which is allmost never administrator on
> UNIXes, but can be root or some local user... (I've discovered that
with
> kdbg and 1 hour session :-)).
> 
> And when I execute:
> 
> [root@pan root]# net ads status -Uadministrator
> 
> I've got the following:
> 
> administrator password:
> accountExpires: 9223372036854775807
> badPasswordTime: 0
> badPwdCount: 0
> codePage: 0
> cn: pan
> countryCode: 0
> dNSHostName: pan
> instanceType: 4
> isCriticalSystemObject: FALSE
> lastLogoff: 0
> lastLogon: 0
> logonCount: 0
> -------------- Security Descriptor (revision: 1, type: 0x8c14)
> owner SID: S-1-5-21-353111985-644491385-32730383-512
> group SID: S-1-5-21-353111985-644491385-32730383-513
> ------- (system) ACL (revision: 2, size: 28, number of ACEs: 1)
> ------- ACE (type: 0x02, flags: 0xd2, size: 0x14, mask: 0xd016b)
> access SID:  S-1-1-0
> access type: SYSTEM AUDIT
> Permissions:
>         [Create All Child Objects]
>         [Delete All Child Objects]
>         [All validate writes]
>         [Write All Properties]
>         [Delete Subtree]
>         [Change Password]
>         [Reset Password]
>         [Delete]
>         [Modify Permissions]
>         [Modify Owner]
> ------- (user) ACL (revision: 4, size: 1284, number of ACEs: 30)
> ------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
> access SID:  S-1-5-21-353111985-644491385-32730383-512
> access type: ALLOWED
> Permissions: [Full Control]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
> access SID:  S-1-5-32-548
> access type: ALLOWED
> Permissions: [Full Control]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0xf01ff)
> access SID:  S-1-5-18
> access type: ALLOWED
> Permissions: [Full Control]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0x301d4)
> access SID:  S-1-5-21-353111985-644491385-32730383-512
> access type: ALLOWED
> Permissions:
>         [List Contents]
>         [Read All Properties]
>         [Delete Subtree]
>         [List Object]
>         [Change Password]
>         [Reset Password]
>         [Delete]
>         [Read Permissions]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x20, object flags:
> 0x1)
> access SID:  S-1-5-21-353111985-644491385-32730383-512
> access type: ALLOWED OBJECT
> Permissions:
>         [Write All Properties]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x20094)
> access SID:  S-1-5-11
> access type: ALLOWED
> Permissions:
>         [List Contents]
>         [Read All Properties]
>         [List Object]
>         [Read Permissions]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x100, object
flags:
> 0x1)
> access SID:  S-1-1-0
> access type: ALLOWED OBJECT
> Permissions:
>         [Change Password]
>         [Reset Password]
> ------- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x3)
> access SID:  S-1-5-10
> access type: ALLOWED
> Permissions:
>         [Create All Child Objects]
>         [Delete All Child Objects]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x2c, mask: 0x3, object flags:
> 0x1)
> access SID:  S-1-5-32-550
> access type: ALLOWED OBJPermissions:
>         [Create All Child Objects]
>         [Delete All Child Objects]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x30, object flags:
> 0x1)
> access SID:  S-1-5-21-353111985-644491385-32730383-517
> access type: ALLOWED OBJECT
> Permissions:
>         [Read All Properties]
>         [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags:
> 0x1)
> access SID:  S-1-5-10
> access type: ALLOWED OBJECT
> Permissions:
>         [All validate writes]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x30, object flags:
> 0x1)
> access SID:  S-1-5-10
> access type: ALLOWED OBJECT
> Permissions:
>         [Read All Properties]
>         [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags:
> 0x1)
> access SID:  S-1-5-10
> access type: ALLOWED OBJECT
> Permissions:
>         [All validate writes]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x8, object flags:
> 0x1)
> access SID:  S-1-5-21-353111985-644491385-32730383-512
> access type: ALLOWED OBJECT
> Permissions:
>         [All validate writes]
> ------- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x8, object flags:
> 0x1)
> access SID:  S-1-5-21-353111985-644491385-32730383-512ECT
> 
> .... etc etc etc...
> 
> access SID:  S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
>         [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags:
> 0x1)
> access SID:  S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
>         [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags:
> 0x1)
> access SID:  S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
>         [Write All Properties]
> ------- ACE (type: 0x05, flags: 0x12, size: 0x38, mask: 0x20, object flags:
> 0x1)
> access SID:  S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
>         [Write All Properties]
> ------- ACE (type: 0x00, flags: 0x12, size: 0x24, mask: 0x4)
> access SID:  S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED
> Permissions:
>         [List Contents]
> ------- ACE (type: 0x05, flags: 0x1a, size: 0x38, mask: 0x20094, object
> flags: 0x2)
> access SID:  S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
>         [List Contents]
>         [Read All Properties]
>         [List Object]
>         [Read Permissions]
> ------- ACE (type: 0x05, flags: 0x1a, size: 0x38, mask: 0x20094, object
> flags: 0x2)
> access SID:  S-1-5-21-353111985-644491385-32730383-1173
> access type: ALLOWED OBJECT
> Permissions:
>         [List Contents]
>         [Read All Properties]
>         [List Object]
>         [Read Permissions]
> -------------- End Of Security Descriptor
> distinguishedName: CN=pan,CN=Computers,DC=zg,DC=corp,DC=fgmicrotec,DC=com
> objectCategory:
> CN=Computer,CN=Schema,CN=Configuration,DC=zg,DC=corp,DC=fgmicrotec,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> objectGUID: BCB686FB03DF4448A060FEB4F2AF844C
> objectSid: S-1-5-21-353111985-644491385-32730383-1175
> operatingSystem: Samba
> operatingSystemVersion: 3.0alpha20
> primaryGroupID: 515
> pwdLastSet: 126792633499442796
> name: pan
> sAMAccountName: pan$
> sAMAccountType: 805306369
> servicePrincipalName: HOST/pan
> userAccountControl: 2691072
> userPrincipalName: HOST/pan@ZG.CORP.FGMICROTEC.COM
> uSNChanged: 518176
> uSNCreated: 518173
> whenChanged: 20021016173549.0Z
> whenCreated: 20021016173549.0Z
> 
> So it looks like I have joined the domain and zeus which is both Kerberos
> server and PDC Win2K for the domain.
> 
> Am I correct ?
> What is wrong ?
> Is it smb.conf file ?
> 
> 
> Thank you for your time. And send me an address if you want a postcard :-)
> 
> Igor
> 
> 
> ---smb.conf---------------------------------------
> [global]
>         path = /home2/ftp/pub/
>         dns proxy = no
>         encrypt passwords = yes
>         ads server = zeus
>         realm = ZG.CORP.FGMICROTEC.COM
>         workgroup = UNIX
>         server string = Linux File/Application Server
>         socket options = TCP_NODELAY
>         log file = /var/log/samba/log.%m
>         netbios name = PAN
>         load printers = yes
>         max log size = 50
>         preferred master = no
>         hosts allow = 192.168.0. 10.1.2. 127.
> 
> [PublicExportedPath]
>         writable = yes
>         comment = Home Directories
> 
> [printers]
>    comment = All Printers
>    path = /usr/spool/samba
>    browseable = no
> # Set public = yes to allow user 'guest account' to print
>    guest ok = no
>    writable = no
>    printable = yes
> 
> # This one is useful for people to share files
> [Export]
>         path = /export
>         writable = yes
>         browseable = yes
>         comment = Temporary file space
>         public = yes
> ----------------------------------------------------------
> --krb5.conf------------------------------------
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = ZG.CORP.FGMICROTEC.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
> 
> [realms]
>  ZG.CORP.FGMICROTEC.COM = {
>   kdc = zeus
>  }
> 
> [pam]
>  debug = false
>  ticket_lifetime = 36000
>  renew_lifetime = 36000
>  forwardable = true
>  krb4_convert = false
> --------------------------------------
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>