Fantastic! On Monday I'll give it a try!

-----Original Message-----
From: Tim Jordan [mailto:timothy_jordan@labor.state.ak.us]
Sent: Fri 12/12/2003 20:56
To: Tom Dickson; m.c.hudson@open.ac.uk; admina@labor.ak.us
Cc: fernandor@sescam.jccm.es; jerry@samba.org; samba@samba.org
Subject: Re: [Samba] Windows 2000 and krb5 tickets...SOLVED

Browsing is working from my W2K and XP clients to the samba server using
kerberos. Samba Server is joined to Active Directory as a Domain Member
server.

I commented out the following line of my krb5.conf:

    #permitted_enctypes = des-cbc-crc des-cbc-md5

Make sure these lines are correct:

    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des-cbc-crc des-cbc-md5

*Make sure to stop and restart smbd, nmbd, and winbindd. These changes did
nothing for me until I restarted at least winbindd.

I set this up with Mandrake 9.2 using samba3.0.1-0.pre3.2mdk.i586 rpm's from:
http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/

I'm working on a final write up of my configuration if anyone is interested
in creating an Active Directory member server running Samba 3.

Thanks to Jeff Jordan with the State of Alaska, Dept. of Labor for lending
his Windows expertise!

Tim

On Fri, 2003-12-12 at 08:07, Tom Dickson wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You can try running the strings /usr/lib/libkrb5.so.3.2 | grep BRAND
command and looking at what you get. 1-3-1 or something is MIT.

Also, I'm wondering if the fact that you can connect by IP and not by name
indicates that the 2000 server is looking up the name in, say, DNS only and
ignoring WINS. Perhaps my WINS server is misconfigured.

Well, I have to run Netbench tests, so I just dropped back to NT4 style
auth, which works fine for me.

- -Tom

Tim Jordan wrote:
| Perhaps we can work together. Jerry mentioned in previous posts about
| the encryption options in the krb5.conf.
|
| The Official Samba How To states: "On a Windows 2000 client, try
| net use * \\server\share. You should be logged in with Kerberos without
| needing to know a password. If this fails then run klist tickets.
| Did you get a ticket for the server? Does it have an encryption type of
| DES-CBC-MD5?"
|
| "Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
| encoding."
|
| I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
| Jerry suggested:
|
| /etc/krb5.conf:
|
|>[root@ANC-MDK-SMB3 samba3]# cat /etc/krb5.conf
|>[logging]
|> default = FILE:/var/log/kerberos/krb5libs.log
|> kdc = FILE:/var/log/kerberos/krb5kdc.log
|> admin_server = FILE:/var/log/kerberos/kadmind.log
|>
|>[libdefaults]
|> ticket_lifetime = 24000
|> default_realm = LABOR.AK
|> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
|> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
|> permitted_enctypes = des-cbc-md5 des-cbc-crc
|> dns_lookup_realm = false
|> dns_lookup_kdc = false
|> kdc_req_checksum_type = 2
|> checksum_type = 2
|> ccache_type = 1
|> forwardable = true
|> proxiable = true
|>
|>[realms]
|> LABOR.AK = {
|>  kdc = MY-KDC.LABOR.AK:88
|>  admin_server = MY-KDC.LABOR.AK:749
|>  default_domain = LABOR.AK
|> }
|>
|>[domain_realm]
|> .LABOR.AK = LABOR.AK
|>
|>[kdc]
|> profile = /etc/kerberos/krb5kdc/kdc.conf
|>
|>[pam]
|> debug = false
|> ticket_lifetime = 36000
|> renew_lifetime = 36000
|> forwardable = true
|> krb4_convert = false
|>
|>[login]
|> krb4_convert = false
|> krb4_get_tickets = false
|>
| It did change the encryption ticket I'm getting when I kinit as my username.
|
|>Valid starting     Expires            Service principal
|>12/11/03 16:00:49  12/12/03 02:01:00  krbtgt/LABOR.AK@LABOR.AK
|>        renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
|>
|>
|>Kerberos 4 ticket cache: /tmp/tkt0
|>
| Notice I'm getting "DES cbc mode with RSA-MD5".
|
| This did not solve the underlying problem of being able to view the samba
| shares from a w2k or xp client.
|
| How would I be able to tell if I'm using MIT or Heimdal kerberos?
|
| I did get this working on a Gentoo system, so I know it works.
|
| Who knows encryption on the list that can advise....anyone?
|
| Tim
|
| On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:
|
|>Same problem. I have been with it for weeks. I can connect using IP
|>address from the Win2k clients however with the netbios name I get the
|>error.
|>
|>Someone has told me today that this was solved in the new release
|>samba-3.0.1rc2-1, however I've already tested it and I still have the
|>same problem.
|>
|>Please any more clues.
|>
|>Thanks,
|>
|>Fernando.
|>
|>
|>On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
|>> I'm getting same error about encryption ...
|>>
|>> I have taken Tom's lead and have provided the output below. Is there a
|>> certain version of krb5 that we should be running?
|>>
|>>
|>> [root@ANC-MDK-SMB3 tim]# smbd3 --version
|>> Version 3.0.1pre3
|>>
|>> [root@ANC-MDK-SMB3 tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
|>> KRB5_BRAND: krb5-1-3-final 1.3 20030708
|>>
|>> I'm running Mandrake 9.2
|>>
|>> Thank You Samba Team!
|>> Tim
|>>
|>> On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
|>>
|>> > -----BEGIN PGP SIGNED MESSAGE-----
|>> > Hash: SHA1
|>> >
|>> > OK. I've done some more research, and here's what I get.
|>> >
|>> > smbd --version
|>> > Version 3.0.0
|>> >
|>> > strings libkrb5.so.3.2 | grep BRAND
|>> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
|>> >
|>> > Everything seems to work, but trying to access the Samba server results in:
|>> >
|>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
|>> > ~ ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt
|>> > integrity check failed
|>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
|>> > ~ ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
|>> > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
|>> > ~ Failed to verify incoming ticket!
|>> > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
|>> > ~ error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
|>> > NT_STATUS_LOGON_FAILURE
|>> >
|>> > This is the same error you get if you're running the wrong KRB5 libs,
|>> > but I've the right ones. The windows 2000 machine is 5.00.2195
|>> >
|>> > Windows 2000 clients connect to the ADS server fine, and will connect to
|>> > the Samba server if you enter Username/Password. The 2000 server cannot
|>> > connect to the Samba machine at all, even with the right username/pass.
|>> >
|>> > Is there a magic registry setting I'm missing? I've changed the
|>> > Administrator password at least once.
|>> >
|>> > - -Tom
|>> > -----BEGIN PGP SIGNATURE-----
|>> > Version: GnuPG v1.2.2-nr2 (Windows 2000)
|>> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
|>> >
|>> > iD8DBQE/2PbO2dxAfYNwANIRAmuuAKCI9NMssxwHqQlyF7njkP+sZBt3PQCfWApO
|>> > F9F+8BTOPIyoybZBYIlCouU
|>> > =94FA
|>> > -----END PGP SIGNATURE-----
|>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-nr2 (Windows 2000)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/2fXg2dxAfYNwANIRAlFEAJ9uSUkNH5u/O2PBb8eY8PExrsq2rACdE6r/
xbPZjNjGNK2FYhHQZnqmgYs
=2f/q
-----END PGP SIGNATURE-----
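The thread's resolution is that the client's service ticket used enctype 23 (RC4-HMAC, the "ARCFOUR-HMAC-MD5" the HOWTO mentions) while krb5.conf's permitted_enctypes only listed the two single-DES types, so smbd's ads_verify_ticket logged "Bad encryption type" until that line was commented out. The following script is an added diagnostic, not code from the thread, from Samba or from MIT krb5: it parses the [libdefaults] enctype settings out of a krb5.conf and the failing enctype numbers out of smbd's ads_verify_ticket log lines, then reports which ticket enctypes the configuration refuses and which configured enctypes are weak by today's standards. The sample config and log lines embedded below are constructed copies modelled on the ones posted above; the enctype number to name table follows RFC 3961/3962/4757 and the aliases MIT krb5 accepts in krb5.conf.

```python
import re

# Kerberos enctype numbers (RFC 3961/3962/4757) and the krb5.conf names MIT krb5 accepts for them.
ENCTYPE_NAMES = {
    1: {"des-cbc-crc"},
    3: {"des-cbc-md5"},
    17: {"aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1"},
    18: {"aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1"},
    23: {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"},
}
# Single DES and RC4-HMAC should only be kept for diagnosis, never as the only permitted types.
WEAK_ENCTYPES = {1, 3, 23}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Samba's ads_verify_ticket message as quoted in the thread (enc type [N] ...).
LOG_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt")


def parse_libdefaults(conf_text):
    """Return the enctype lists set in [libdefaults]; lines commented with # or ; are ignored."""
    settings = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ENCTYPE_KEYS:
            settings[key] = value.split()
    return settings


def failed_ticket_enctypes(log_text):
    """Enctype numbers that smbd reported it could not decrypt, sorted and de-duplicated."""
    return sorted({int(n) for n in LOG_RE.findall(log_text)})


def name_to_number(name):
    """Map a krb5.conf enctype name to its number; None for names this table does not know."""
    name = name.lower()
    for number, aliases in ENCTYPE_NAMES.items():
        if name in aliases:
            return number
    return None


def diagnose(conf_text, log_text):
    """Cross-check failing ticket enctypes against permitted_enctypes and flag weak settings."""
    settings = parse_libdefaults(conf_text)
    ticket_types = failed_ticket_enctypes(log_text)
    permitted = settings.get("permitted_enctypes")
    blocked = []
    if permitted is not None:  # absent means the library accepts every type it supports
        allowed = {name_to_number(n) for n in permitted}
        blocked = [t for t in ticket_types if t not in allowed]
    weak = sorted({name_to_number(n) for key in ENCTYPE_KEYS
                   for n in settings.get(key, []) if name_to_number(n) in WEAK_ENCTYPES})
    return {"ticket_enctypes": ticket_types, "permitted": permitted,
            "blocked": blocked, "weak_configured": weak}


# Constructed sample config, modelled on the krb5.conf posted in the thread.
SAMPLE_CONF = """\
[libdefaults]
 default_realm = LABOR.AK
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 permitted_enctypes = des-cbc-md5 des-cbc-crc
[realms]
 LABOR.AK = { kdc = MY-KDC.LABOR.AK:88 }
"""
# The same file with permitted_enctypes commented out, as the thread's fix did.
FIXED_CONF = SAMPLE_CONF.replace("permitted_enctypes", "#permitted_enctypes")

# Constructed log lines, modelled on the smbd level-3 output posted in the thread.
SAMPLE_LOG = """\
[2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""

if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("permitted_enctypes removed", FIXED_CONF)):
        result = diagnose(conf, SAMPLE_LOG)
        print(label, "->", result)
```

Run stand-alone it prints two reports: with the posted configuration the ticket's enctype 23 is listed as blocked, and with permitted_enctypes commented out nothing is blocked, which is the behaviour change the thread observed. The weak_configured list is there for a defender reviewing an old member server: a config whose only enctypes are DES and RC4 should be moved to the AES types in ENCTYPE_NAMES once the domain supports them.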