christoph.beyer@desy.de
2003-Oct-29 14:41 UTC
[Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi everyone,

I'm using the production release of 3.0.0 and cannot join a W2003 domain:

[printsrv4] /spool/samba-3.0.0/bin $ ./net -d 10 ads join -Uhumpty_dumpty
[2003/10/29 15:35:39, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
  got principal=adc1$@WIN.DESY.DE
[2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/10/29 15:35:40, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
  Got KRB5 session key of length 16
[2003/10/29 15:35:40, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Strong authentication required
[2003/10/29 15:35:40, 2] utils/net.c:main(758)
  return code = -1

The krb5 token looks OK:

[printsrv4] /spool/samba-3.0.0/bin $ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: humpty_dumpty@WIN.DESY.DE

Valid starting     Expires            Service principal
10/29/03 13:48:09  10/29/03 23:48:18  krbtgt/WIN.DESY.DE@WIN.DESY.DE
        renew until 10/30/03 13:48:09


Kerberos 4 ticket cache: /tmp/tkt0
Principal: humpty_dumpty@DESY.DE

Issued             Expires            Principal
10/21/03 15:42:14  10/22/03 17:08:35  krbtgt.DESY.DE@DESY.DE
10/21/03 15:42:14  10/22/03 17:08:35  afs@DESY.DE
10/22/03 15:18:13  10/22/03 17:13:13  rcmd.host@DESY.DE

Any hints, anyone?

~christoph

-- 
/* Christoph Beyer | Office: Building 2b / 23 *\
 * DESY            | Phone:  040-8998-2317    *
 * - IT -          | Fax:    040-8998-4060    *
\* 22603 Hamburg   | http://www.desy.de       */
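The klist output above shows a Kerberos 5 TGT for WIN.DESY.DE, yet net reports "No credentials cache found". Before retrying a join it is worth checking, from the same shell and environment that net will run in, that the default credential cache (the one Samba's libads opens through the Kerberos library) holds an unexpired krbtgt for the realm configured in smb.conf. The following is an added example written for this page, not code from the Samba project or from anyone in the thread. It parses the klist text posted above, assumes MIT Kerberos cache naming (KRB5CCNAME if set, otherwise FILE:/tmp/krb5cc_<uid>), and assumes the join ran at the timestamp shown in the net log and as uid 0 (the cache name suggests root). A result of "ok" only means the cache looks usable from that environment; it does not identify the cause of the failure above.

```python
"""Pre-flight check for `net ads join`: confirm that the Kerberos 5 credential
cache Samba will read holds an unexpired TGT for the target realm.

Added example for this page, not Samba project code.  SAMPLE_KLIST is the
klist output posted in the thread; realm, clock and uid are assumptions."""
import re
from datetime import datetime

# klist output as posted in the thread: a Kerberos 5 cache for WIN.DESY.DE
# followed by a Kerberos 4 cache for DESY.DE.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: humpty_dumpty@WIN.DESY.DE

Valid starting     Expires            Service principal
10/29/03 13:48:09  10/29/03 23:48:18  krbtgt/WIN.DESY.DE@WIN.DESY.DE
        renew until 10/30/03 13:48:09


Kerberos 4 ticket cache: /tmp/tkt0
Principal: humpty_dumpty@DESY.DE

Issued             Expires            Principal
10/21/03 15:42:14  10/22/03 17:08:35  krbtgt.DESY.DE@DESY.DE
10/21/03 15:42:14  10/22/03 17:08:35  afs@DESY.DE
10/22/03 15:18:13  10/22/03 17:13:13  rcmd.host@DESY.DE
"""

# Timestamp of the `net ads join` run in the posted debug log (assumption:
# the join and klist were run on the same clock).
JOIN_TIME = datetime(2003, 10, 29, 15, 35, 39)

TIME_FMT = "%m/%d/%y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)


def parse_klist(text):
    """Return (cache, default_principal, [(start, expiry, service), ...]) for
    the Kerberos 5 section only.  The Kerberos 4 section is ignored: Samba's
    ADS code uses krb5 credentials, so a krb4 TGT does not help a join."""
    cache = principal = None
    tickets = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Kerberos 4 ticket cache:"):
            break  # everything after this header belongs to the krb4 cache
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        else:
            m = TICKET_RE.match(line)  # "renew until" and header lines don't match
            if m:
                start = datetime.strptime(m.group(1), TIME_FMT)
                expiry = datetime.strptime(m.group(2), TIME_FMT)
                tickets.append((start, expiry, m.group(3)))
    return cache, principal, tickets


def default_cache(env, uid):
    """Cache MIT Kerberos opens when none is named explicitly (assumption:
    MIT defaults): $KRB5CCNAME if set, else FILE:/tmp/krb5cc_<uid>."""
    return env.get("KRB5CCNAME") or "FILE:/tmp/krb5cc_%d" % uid


def tgt_status(klist_text, realm, now, env=None, uid=None):
    """Classify the cache from the join's point of view.  Returns one of
    'ok', 'no-krb5-cache', 'cache-not-default', 'wrong-realm', 'no-tgt',
    'not-yet-valid', 'expired'."""
    cache, principal, tickets = parse_klist(klist_text)
    if cache is None or principal is None:
        return "no-krb5-cache"
    if env is not None and uid is not None and cache != default_cache(env, uid):
        return "cache-not-default"  # klist saw a cache net will not open
    if not principal.upper().endswith("@" + realm.upper()):
        return "wrong-realm"  # e.g. a DESY.DE principal for a WIN.DESY.DE join
    tgt = "krbtgt/%s@%s" % (realm, realm)
    for start, expiry, service in tickets:
        if service.upper() == tgt.upper():
            if now < start:
                return "not-yet-valid"
            if now >= expiry:
                return "expired"
            return "ok"
    return "no-tgt"


if __name__ == "__main__":
    # Same environment as the poster's shell (assumed: root, no KRB5CCNAME).
    print(tgt_status(SAMPLE_KLIST, "WIN.DESY.DE", JOIN_TIME, {}, 0))
    # Same cache, but net started under an environment pointing elsewhere.
    other = {"KRB5CCNAME": "FILE:/tmp/krb5cc_501"}
    print(tgt_status(SAMPLE_KLIST, "WIN.DESY.DE", JOIN_TIME, other, 0))
```

Run it from the shell you will use for net ads join, feeding it real klist output instead of SAMPLE_KLIST, and make sure nothing between that shell and the net process (su, sudo, a wrapper script) changes KRB5CCNAME or the uid, since the check compares the cache klist saw with the one net would open.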
Jochen Schmidt
2003-Oct-30 09:34 UTC
[Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi Christoph,

On Wed, 29 Oct 2003 christoph.beyer@desy.de wrote:

> I'm using the production release of 3.0.0 and cannot join a W2003 domain:
>
> [printsrv4] /spool/samba-3.0.0/bin $ ./net -d 10 ads join -Uhumpty_dumpty
> [2003/10/29 15:35:39, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
>   got principal=adc1$@WIN.DESY.DE
> [2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
>   krb5_cc_get_principal failed (No credentials cache found)
> [2003/10/29 15:35:40, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
>   Got KRB5 session key of length 16
> [2003/10/29 15:35:40, 1] utils/net_ads.c:ads_startup(181)
>   ads_connect: Strong authentication required

Maybe your domain only allows NTLMv2. See the smb.conf man page about "client ntlmv2 auth" (and maybe also about "client schannel", "client signing" and "client use spnego").

Greetings
Jochen

> [2003/10/29 15:35:40, 2] utils/net.c:main(758)
>   return code = -1
>
> The krb5 token looks OK:
>
> [printsrv4] /spool/samba-3.0.0/bin $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: humpty_dumpty@WIN.DESY.DE
>
> Valid starting     Expires            Service principal
> 10/29/03 13:48:09  10/29/03 23:48:18  krbtgt/WIN.DESY.DE@WIN.DESY.DE
>         renew until 10/30/03 13:48:09
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> Principal: humpty_dumpty@DESY.DE
>
> Issued             Expires            Principal
> 10/21/03 15:42:14  10/22/03 17:08:35  krbtgt.DESY.DE@DESY.DE
> 10/21/03 15:42:14  10/22/03 17:08:35  afs@DESY.DE
> 10/22/03 15:18:13  10/22/03 17:13:13  rcmd.host@DESY.DE

-- 
--------------------------------------------------------------------
Jochen Schmidt                       jochen.schmidt@millenux.com
Mi||enux GmbH                        mobile: +49.175.5752483
Lilienthalstraße 2                   phone:  +49.711.88770.300
70825 Stuttgart-Korntal              fax:    +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
PGP Fingerprint: 6F9A 85CE 78EA 7EF1 B2BA 3559 8FA1 2B13 098D 20B5
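The reply points at the client-side smb.conf options that decide what authentication a domain member will offer: NTLMv2 versus NTLMv1, SMB signing, the NETLOGON secure channel, and SPNEGO (without which no Kerberos is negotiated). Below is an added example for this page, not Samba project code and not the configuration attached later in the thread: it reads an smb.conf and flags any of those four options that are explicitly set to a value that weakens the client. The two configurations are constructed; the sets of "weak" values are this check's own policy, and the hardened values shown (ntlmv2 auth yes, signing mandatory, schannel yes, spnego yes) are what I would set on an ADS member, not something the thread states. Samba's defaults for these options have changed between versions, so an option that is not set is reported as "unset" rather than guessed at; consult the man page for your version, as the reply advises.

```python
"""Flag weak client-side authentication settings in a Samba member smb.conf.

Added example for this page, not Samba project code.  The configs are
constructed; the weak-value policy is this script's, not Samba's defaults."""
import re

# Values that turn each protection off.  Samba accepts yes/no/true/false/1/0
# for booleans, and auto/mandatory/disabled for "client signing".
WEAK = {
    "client ntlmv2 auth": {"no", "false", "0"},              # NTLMv1 would be sent
    "client signing":     {"no", "false", "0", "disabled"},  # unsigned SMB
    "client schannel":    {"no", "false", "0"},              # no secure NETLOGON channel
    "client use spnego":  {"no", "false", "0"},              # no Kerberos negotiation
}

# Constructed member configuration with weak settings (note the mixed case
# and indentation, both of which Samba accepts).
WEAK_MEMBER_CONF = """\
[global]
   workgroup = WIN
   realm = WIN.DESY.DE
   security = ads
   client use spnego = yes
   client ntlmv2 auth = no
   client signing = disabled
   Client Schannel = No
"""

# Constructed hardened counterpart (values are this example's recommendation).
HARDENED_MEMBER_CONF = """\
[global]
   workgroup = WIN
   realm = WIN.DESY.DE
   security = ads
   client use spnego = yes
   client ntlmv2 auth = yes
   client signing = mandatory
   client schannel = yes
"""


def normalise(name):
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return {normalised_name: lowercased_value} for the [global] section.
    Hand-rolled because smb.conf indents parameter lines, which Python's
    configparser would misread as continuation lines of the previous value."""
    section = None
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[normalise(name)] = value.strip().lower()
    return params


def weak_settings(text):
    """Canonical names of the checked options explicitly set to a weak value,
    in the order of WEAK.  Unset options are not reported here."""
    params = parse_global(text)
    found = []
    for name, bad in WEAK.items():
        value = params.get(normalise(name))
        if value is not None and value in bad:
            found.append(name)
    return found


def report(text):
    """One line per checked option: value as configured, 'unset', and a marker
    for weak values."""
    params = parse_global(text)
    lines = []
    for name, bad in WEAK.items():
        value = params.get(normalise(name), "unset")
        flag = "  <- WEAK" if value in bad else ""
        lines.append("%-20s = %s%s" % (name, value, flag))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WEAK_MEMBER_CONF))
    print()
    print(report(HARDENED_MEMBER_CONF))
```

To check a live member, read /etc/samba/smb.conf (or wherever your build installs it) into report(); the parser only looks at [global], which is where these client options belong.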
ww m-pubsyssamba
2003-Oct-31 13:41 UTC
[Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi Jochen,

On another security issue, how do your Samba servers authenticate to your idmap LDAP backend server? Do you have to allow anonymous write access? I certainly would feel this was poor if that's the case.

And you have listed only one LDAP server as your backend; will this not cause a big problem if it falls over? Can you specify more than one LDAP backend server?

Thanks
Andy Smith.

-----Original Message-----
From: samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org [mailto:samba-bounces+pubsyssamba=bbc.co.uk@lists.samba.org] On Behalf Of Jochen Schmidt
Posted At: 31 October 2003 11:59
Posted To: Samba
Conversation: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Subject: Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)

Hi Christoph

On 31 Oct 2003, Andrew Bartlett wrote:

> On Fri, 2003-10-31 at 21:41, christoph.beyer@desy.de wrote:
> > Hi Jochen et al,
> >
> > that worked fine, though if I get it right everyone can now read the
> > active directory structure (?)
>
> No, you still need to authenticate, but nothing stops an attacker from
> 'stealing' the TCP/IP connection, if they control the network.

If you want to see what *everybody* can see, try an "ldapsearch -x -b "dc=MYDOMAIN,dc=DE" -h adscontroller -p 389" on a UNIX box.

> > Connecting to the samba machine results still in errors, but that may be
> > something stupid on my behalf too...
> >
> > thanks for helping
> > ~christoph
> >
> >
> > connect_to_domain_password_server: unable to setup the NETLOGON
> > credentials to machine ADC1. Error was : NT_STATUS_UNSUCCESSFUL.
>
> You will need to turn up the debug level - it will probably be something
> simple...

I've attached my own configuration, which I use on an ADS domain member. The winbind stuff comes from another LDAP server and has no relation to the ADS LDAP. If you don't use winbind you won't need the winbind section. You should first do the "kinit Administrator@REALM" and then a "net ads join".
Greetings
Jochen

-- 
Jochen Schmidt                       jochen.schmidt@millenux.com
Mi||enux GmbH