Cedric Puddy
2004-Jan-05 02:09 UTC
[Samba] Samba 3.0.1 ADS/Kerberos problems relating to Win2k/xp browsing to samba server
Hello All,

I've been discovering the joys of Samba/ADS integration here (the environment is a chip design concern that has chip simulation tools, many of which run in Linux, but some of which only run in Windows. Winbind and a Linux-based NAS server are the cornerstone through which the Windows and Linux elements of the toolchain will be able to seamlessly communicate, once we get all the little wrinkles worked out :)

First, THE PROBLEM:

When I upgrade from 3.0.0 to 3.0.1, or install 3.0.1 from scratch, something in 3.0.1 "libads" seems to be broken, which absolutely prevents win2k/xp clients from doing Kerberos authentication with my 3.0.1 server. This doesn't seem to be a problem with 3.0.0. I can't figure out what's been broken, and I would *really* like a fix. If someone knows about a pending patch, I would really like to know about it.

Failing a fix for 3.0.1, I would really like to know if there's any simple way that I can pre-map ADS users to particular Unix UIDs in the TDB database, or any way of manually fixing them up after the fact. (My Unix user lists are primarily in NIS, but we have some NIS-hostile boxes, and the long and short of it is that changing Unix UIDs is a big pain that's worth going to some lengths to avoid.)

Now, here's all the background info for those who are interested:

I set up a Samba 3.0.0 server, enabled ADS integration with our local domain (I found the FAQ was unclear on a few key points, though ultimately correct -- fates willing, I will endeavour to submit proposals for improving the FAQs :) I was able to go to the Samba server from Win2k/XP clients, no problem, fully authenticated by the ADS infrastructure.
Then I realized that the "winbind trusted domains only" function didn't actually seem to be working -- my understanding is that if I have it enabled, and two users such as "ADSDOMAIN.COM+joeuser" and a Unix user "joeuser (@uid: 513)", then as soon as "joeuser" tries to connect from his XP desktop to the Samba server, it should say "aha! - we already have a Unix joeuser @ uid 513, so I'll automap ADSDOMAIN.COM+joeuser to uid 513 (not some random ID like 20005)". Let me know if this understanding is wrong, please! What 3.0.0 was doing was mapping everyone to random IDs (starting from 20000, regardless of existing Unix usernames).

From the 3.0.1 changelog, I got the idea that 3.0.1 fixes things such that the feature works per my understanding, so I tried to upgrade. After upgrading, I started getting errors in my /var/log/samba/log.workstation file, wherein libads/kerberos_verify.c:setup_keytab was throwing "unable to create MEMORY: keytab (Unknown Key table type)", which resulted in the more general error "Failed to verify incoming ticket!", and the connection attempt from the win2k/xp client then failing to authenticate, which pretty much prevented anything further from happening.

My first attempts to downgrade back to 3.0.0 failed (for reasons I don't know). I just retried downgrading (twice) and it's worked both times. Rolling forward to 3.0.1 definitely reinstates the error.

I tried examining diffs between the 3.0.0 and 3.0.1 trees, in particular the libads directory, but between being tired, low code-fu and low experience with both Samba internals and coding with Kerberos, I basically have no idea what actual change might be needed to fix the matter. On a lark (doomed, I know) I even tried compiling 3.0.1 with the 3.0.0 libads directory (it failed, naturally, but it would have been like winning the lottery if it worked :P ).
Incidentally, this is all on Redhat 9.0, on i386, with the current stock RH kernel, using the Samba.org i386 RH9 RPMS and SRPMS (for what playing with source I did do). The network layer is ordinary Ethernet & IPv4.

If anyone here would benefit from detailed debugging information, a willing beta tester for a proposed fix, etc., then I am very, very interested in providing whatever I can to assist the process!

Thanks for your time everyone,

Best Regards,
-Cedric

- | CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
  | 118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-741-2157
  \____________________________________________________________________
  Cedric Puddy, IS Director    cedric@thinkers.org
  PGP Key Available at: http://www.thinkers.org/cedric

From cedric@cadence.thinkers.org Sun Jan 4 20:51:26 2004
Date: Sun, 4 Jan 2004 18:09:40 -0500 (EST)
From: Cedric Puddy <cedric@cadence.thinkers.org>
To: Russell McOrmond <russell@flora.ca>
Subject: SAMBA integration issue

Hi Russell,

I know of you through the CLIC SCO list, and have a matter which you may be able to be of professional assistance in. Essentially, I have an engineering client which runs a variety of IC design tools, many of which run on Linux and some of which run on Windows. The Windows side of the network has an Active Directory, and the Linux workstations and servers primarily use NIS/NFS. In order to bring greater harmony to the network, we're testing (and have actually had working) Samba 3.0 with AD integration for a new NAS server. Down the road, we'll possibly run winbind on the servers (on the principle that we'll work around the least flexible part of the puzzle), so as to allow more seamless interaction between the pieces of the chip simulation tool chain.
The problem is that having upgraded to Samba 3.0.1 (we needed a bug fix in the Windows<->Linux automatic user ID mapping feature), we now get Kerberos errors from the Samba daemon (even if we downgrade to the previous version, which I currently can't explain). The actual error is libads/kerberos_verify.c:setup_keytab throwing "unable to create MEMORY: keytab (Unknown Key table type)", which results in the more general error "Failed to verify incoming ticket!", and the connection attempt from the win2k/xp client then failing to authenticate, which pretty much prevents anything further from happening.
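The "unable to create MEMORY: keytab (Unknown Key table type)" message described in both messages above is what Kerberos libraries emit when krb5_kt_resolve() is handed a keytab prefix they were not built with. The following is an added example, not code from the original post or from Samba: it loads the system libkrb5 through ctypes and asks it directly which keytab prefixes resolve, so you can tell whether the library smbd is linked against knows the MEMORY: type at all before digging into Samba's own code. The shared-library names, the list of prefixes and the "samba-probe" name are assumptions for illustration.

```python
"""Probe which keytab types the system libkrb5 will resolve.

Added example, not from the original post or from Samba.  Samba 3.0.1's
setup_keytab() reports "unable to create MEMORY: keytab (Unknown Key table
type)" when krb5_kt_resolve() rejects the MEMORY: prefix, so this makes
the same call directly.  Library names and the prefix list are assumptions.
"""
import ctypes
import ctypes.util

# Candidate shared-library names (assumption: MIT or Heimdal layout).
_LIB_NAMES = ["libkrb5.so.3", "libkrb5.so", "libkrb5.dylib"]


def _load_libkrb5():
    """Return a ctypes handle to libkrb5, or None if no library is found."""
    names = list(_LIB_NAMES)
    found = ctypes.util.find_library("krb5")
    if found:
        names.insert(0, found)
    for name in names:
        try:
            return ctypes.CDLL(name)
        except OSError:
            continue
    return None


def probe_keytab_types(prefixes=("FILE:", "MEMORY:", "WRFILE:")):
    """Try krb5_kt_resolve() on each prefix; return {prefix: bool} or None.

    True means the library knows the keytab type (resolve succeeded),
    False means it returned an error such as KRB5_KT_UNKTYPE.  None means
    libkrb5 could not be loaded or initialised, so nothing was tested.
    """
    lib = _load_libkrb5()
    if lib is None:
        return None

    # krb5_error_code is a 32-bit int; contexts and keytabs are opaque pointers.
    lib.krb5_init_context.restype = ctypes.c_int32
    lib.krb5_init_context.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    lib.krb5_free_context.restype = None
    lib.krb5_free_context.argtypes = [ctypes.c_void_p]
    lib.krb5_kt_resolve.restype = ctypes.c_int32
    lib.krb5_kt_resolve.argtypes = [ctypes.c_void_p, ctypes.c_char_p,
                                    ctypes.POINTER(ctypes.c_void_p)]
    lib.krb5_kt_close.restype = ctypes.c_int32
    lib.krb5_kt_close.argtypes = [ctypes.c_void_p, ctypes.c_void_p]

    ctx = ctypes.c_void_p()
    if lib.krb5_init_context(ctypes.byref(ctx)) != 0:
        return None

    results = {}
    try:
        for prefix in prefixes:
            kt = ctypes.c_void_p()
            # Resolving only parses the name; FILE: does not need the file to exist.
            name = (prefix + "samba-probe").encode()
            rc = lib.krb5_kt_resolve(ctx, name, ctypes.byref(kt))
            results[prefix] = (rc == 0)
            if rc == 0:
                lib.krb5_kt_close(ctx, kt)
    finally:
        lib.krb5_free_context(ctx)
    return results


if __name__ == "__main__":
    res = probe_keytab_types()
    if res is None:
        print("libkrb5 not found or could not be initialised")
    else:
        for prefix, ok in res.items():
            print(f"{prefix:<8} {'supported' if ok else 'Unknown Key table type'}")
```

Run it on the server with the same libkrb5 that `ldd $(which smbd)` reports; if MEMORY: comes back unsupported there, the keytab error is a property of the Kerberos library rather than of the Samba configuration, and the fix has to come from a different krb5 build or a Samba change, not from smb.conf.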
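The first message also asks whether ADS users can be pre-mapped to particular Unix UIDs in the winbind TDB so that existing NIS UIDs survive. The following is an added example, not from the original post or from the Samba project: it builds the text that `net idmap restore` consumes (assumption: the Samba 3.0.x dump/restore format with "USER HWM n", "GROUP HWM n" and "UID n S-1-5-..." lines) from a passwd listing and a table of domain user SIDs, pinning each domain user to the UID its same-named Unix account already has. The passwd lines, the SIDs, the "+" winbind separator and the 20000 range start are constructed sample data.

```python
"""Pre-compute winbind idmap entries for existing Unix accounts.

Added example, not from the original post or from the Samba project.  It
emits the text `net idmap restore` reads (assumption: the 3.0.x format
"USER HWM n", "GROUP HWM n", "UID n S-1-5-...") so that domain users are
pinned to the UIDs they already hold in NIS/passwd instead of being
allocated from the idmap range.  All sample data below is constructed.
"""
import re

# Constructed sample passwd output, as `ypcat passwd` might print it.
SAMPLE_PASSWD = """\
joeuser:x:513:100:Joe User:/home/joeuser:/bin/bash
alice:x:514:100:Alice Example:/home/alice:/bin/bash
svcacct:x:600:100:Service Account:/var/lib/svc:/sbin/nologin
"""

# Constructed sample of domain user -> SID, as `wbinfo -n DOMAIN+user` gives.
SAMPLE_SIDS = {
    "ADSDOMAIN+joeuser": "S-1-5-21-1000-2000-3000-1106",
    "ADSDOMAIN+alice":   "S-1-5-21-1000-2000-3000-1107",
    "ADSDOMAIN+bob":     "S-1-5-21-1000-2000-3000-1108",  # no Unix account
}

_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def parse_passwd(text):
    """Map user name -> uid from passwd-format lines; skips malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def build_idmap(passwd, sids, separator="+", idmap_low=20000):
    """Return (restore_lines, unmapped_accounts).

    Only domain users with a same-named Unix account get a fixed UID; the
    rest are reported as unmapped so winbind can allocate them later.
    Duplicate targets are rejected: two SIDs sharing one UID would let one
    domain user act as another on the NAS.
    """
    entries = []
    unmapped = []
    seen_uids = {}
    for account, sid in sorted(sids.items()):
        if not _SID_RE.match(sid):
            raise ValueError(f"{account}: unexpected SID format {sid!r}")
        _domain, user = account.split(separator, 1)
        uid = passwd.get(user)
        if uid is None:
            unmapped.append(account)
            continue
        if uid in seen_uids:
            raise ValueError(
                f"uid {uid} claimed by both {seen_uids[uid]} and {account}")
        seen_uids[uid] = account
        entries.append(f"UID {uid} {sid}")

    # Keep the allocator's high-water mark above any UID we handed out that
    # lies inside the idmap range, so later allocations cannot collide.
    in_range = [u for u in seen_uids if u >= idmap_low]
    user_hwm = max([idmap_low] + [u + 1 for u in in_range])
    lines = [f"USER HWM {user_hwm}", f"GROUP HWM {idmap_low}"] + entries
    return lines, unmapped


if __name__ == "__main__":
    restore_lines, missing = build_idmap(parse_passwd(SAMPLE_PASSWD), SAMPLE_SIDS)
    print("\n".join(restore_lines))
    for acct in missing:
        print(f"# no Unix account for {acct}; left to winbind to allocate")
```

To use the output, stop winbindd, back up winbindd_idmap.tdb, feed the lines to `net idmap restore`, restart winbindd and confirm with `wbinfo -S <SID>` that each SID now returns the intended UID (assumed 3.0.x commands; check `net help idmap` on your build). Because a wrong entry here silently hands one Active Directory user another Unix account's files, review the generated lines before loading them rather than piping them in blind.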