Hi.
I have installed samba 3.0.2 on my redhat 7.3, and Kerberos 1.2.4.
I can make my Linux act as an ADS domain member without any problem.
When I run this command:
/usr/local/samba/bin/net ads join "Computers" -U<usuario>%<clave>
I get this message that tells me that everything is ok.
Using short domain name -- DOMAIN2003
Joined 'PROTON' to realm 'DOMAIN2003.COM'
I also have another PC with Windows 2000, which is also joined to my
Windows 2003 Server. From my Linux I can connect without any problem to
this machine using "smbclient" and with no password. But when I try to
connect from Windows 2000 to my Linux using this command: "net use *
\\server\share", it asks me for a password,
and in the samba log I see this:
[2004/01/26 17:41:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
What is missing?? What am I doing wrong???
The HOWTO says that to test this kind of configuration I have to use
the "net" command from Windows, and if it doesn't work I have to use
"klist tickets". When I run that command I get this:
[root@proton root]# klist tickets
klist: No credentials cache found (ticket cache FILE:tickets)
Which ticket is missing?? Or how do I have to add a ticket???
My krb5.conf looks like this:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN2003.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
[realms]
DOMAIN2003.COM = {
kdc = server2003.domain2003.com:88
admin_server = server2003.domain2003.com:749
default_domain = domain2003.com
}
[domain_realm]
.domain2003.com = DOMAIN2003.COM
comain2003.com = DOMAIN2003.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
And my smb.conf looks like this:
[global]
workgroup = domain2003
netbios name = proton
server string = Inetserver
domain master = no
local master = yes
preferred master = yes
max connections = 0
interfaces = 192.168.1.0/255.255.255.0
name resolve order = bcast wins hosts
socket options = TCP_NODELAY
security = ADS
realm = domain2003.com
encrypt passwords = yes
update encrypted = yes
unix password sync = yes
printing = lprng
printcap name = /etc/printcap
load printers = yes
dns proxy = yes
allow trusted domains = yes
wins support = no
password server = server2003
winbind cache time = 10
[homes]
comment = Home Directories
writable = yes
browseable = no
valid users = %U
[netlogon]
comment = Logon scripts
path = /home/netlogon
read only = yes
write list = @users
[Profiles]
comment = Profiles directory
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
[install]
public = yes
writeable = yes
comment = Instaladores
path = /home/samba/install
force directory mode = 0777
Thanks in advance..
Same problem on my network: PDC win2000 ADS. I use mandrake 9.1, kerberos 1.2.7 (from the mandrake cdrom) and samba 3.0.0. I too can use smbclient -k with no password, but from windows clients I must input a password. net ads testjoin is ok. I have read: Using Samba, Samba HOWTO (domain membership), the archive of the mailing list, kerberos documentation and some italian reviews. I have seen many questions on this problem but no reply. I wonder, to my disappointment, if a Samba host can join a win2k domain at all.
Giuseppe
On Monday 26 January 2004 11:57 pm, Christian Arguello wrote:
> Hi.
> I have installed samba 3.0.2 on my redhat 7.3, and Kerberos 1.2.4
> I can make my Linux act as an ADS domain member without any problem,
>
Christian
Do you know this document?
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
It contains instructions to create krb5.keytab and copy it to the unix host.
Regards
Giuseppe
On Monday 26 January 2004 11:57 pm, Christian Arguello wrote:
> Hi.
> I have installed samba 3.0.2 on my redhat 7.3, and Kerberos 1.2.4
> I can make my Linux act as an ADS domain member without any problem,
>
Hi Giuseppe.
Ok, when I log in to Windows 2000 as Administrator of the machine (not as a member of the Windows 2k domain) everything works fine: if I use the command "net use * \\server\share", this command works ok, and also if I use the "smbclient //windows2000/share" command to see my shared folders in Windows 2000 it works fine. But if I log in to the PC as a user of the Windows 2k domain, I can not use that command, but I still can see the Windows 2000 machine and its shared folders from my Linux using the command smbclient //windows2000/share -k, and I also notice that in this case if I use the IP address of the Windows 2000 PC instead of its Netbios name, it works fine. I mean that if I use this command "net use * \\<IP_Address>\share" instead of "net use * \\<Netbios_name>\share" it works. What is the problem?? It seems that it is a problem of protocols or something like that...
Regards
-----Original Message-----
From: giuseppe panei [mailto:giuseppe.panei@sgai.com]
Sent: Tuesday, January 27, 2004 8:01 AM
To: Christian Arguello; samba@lists.samba.org
Subject: Re: [Samba] Samba 3.0.2 and Windows 2003 ADS.
Christian
Do you know this document?
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
It contains instructions to create krb5.keytab and copy it to the unix host.
Regards
Giuseppe
Christian Arguello wrote:
| [root@proton root]# klist tickets
| klist: No credentials cache found
| (ticket cache FILE:tickets)
smbd doesn't use a keytab yet. It's all done in memory.
| [libdefaults]
| ticket_lifetime = 24000
| default_realm = DOMAIN2003.COM
| dns_lookup_realm = false
| dns_lookup_kdc = false
| default_tkt_enctypes = DES-CBC-MD5
| default_tgs_enctypes = DES-CBC-MD5
Looks ok. Do you have other kerberized services on the box that require the default realm?
| And my smb.conf like this:
|
| [global]
| workgroup = domain2003
| security = ADS
| realm = domain2003.com
There was a time when the realm had to be defined in the correct case (usually upper). I can't remember if we work around that now or not.
cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
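Jerry's two points (the realm written in a different case in smb.conf than in krb5.conf, and the enctype lines) can be checked mechanically before touching the join. The script below is an added example, not code from the thread or from the Samba project; it assumes both files are the plain INI-style text posted in this thread, its section parser and its single-DES list are my own, and it also reads Heimdal's default_etypes key alongside MIT's default_tkt/tgs_enctypes.

```python
import re

# Added example (not from the thread or the Samba project): consistency check
# of realm and enctype settings across an ADS member's krb5.conf and smb.conf.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}  # my own list


def parse_section(text, wanted):
    """Key/value pairs of one [section]; keys lowercased, spaces collapsed,
    comments and brace-opening lines ("REALM = {") skipped."""
    in_section, values = False, {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        m = re.match(r"\[([^\]]+)\]$", line)
        if m:
            in_section = m.group(1).lower() == wanted.lower()
        elif in_section and "=" in line and not line.endswith("{"):
            key, _, val = line.partition("=")
            values[" ".join(key.lower().split())] = val.strip()
    return values


def check_ads_member(krb5_text, smb_text):
    """Return findings (empty list = the two files agree)."""
    krb = parse_section(krb5_text, "libdefaults")
    smb = parse_section(smb_text, "global")
    findings = []
    k_realm, s_realm = krb.get("default_realm", ""), smb.get("realm", "")
    if not k_realm or not s_realm:
        findings.append("realm missing from krb5.conf or smb.conf")
    elif s_realm != k_realm:  # exact match wanted; report case-only drift
        kind = "case " if s_realm.upper() == k_realm.upper() else ""
        findings.append(f"realm {kind}mismatch: smb.conf '{s_realm}' "
                        f"vs krb5.conf '{k_realm}'")
    # MIT keys are default_tkt/tgs_enctypes; Heimdal's is default_etypes.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "default_etypes"):
        etypes = krb.get(key, "").lower().split()
        if etypes and set(etypes) <= SINGLE_DES:
            findings.append(f"krb5.conf: {key} allows only single DES")
    return findings


# Constructed samples modelled on the first post's files, not the real ones.
SAMPLE_KRB5 = "[libdefaults]\ndefault_realm = DOMAIN2003.COM\n" \
              "default_tkt_enctypes = DES-CBC-MD5\n[realms]\nDOMAIN2003.COM = {\n}\n"
SAMPLE_SMB = "[global]\nworkgroup = domain2003\nsecurity = ADS\nrealm = domain2003.com\n"

if __name__ == "__main__":
    print("\n".join(check_ads_member(SAMPLE_KRB5, SAMPLE_SMB)) or "no findings")
```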
TBrown@neurology.ahsc.arizona.edu
2004-Feb-09 20:06 UTC
[Samba] Samba 3.0.2 and Windows 2003 ADS.
I'm having similar problems as Christian. However, I'm using Heimdal
Kerberos (heimdal-0.6-67) and Windows 2000 Advanced Server. I've spent a
bit of time working on the krb5.conf file to determine encryption settings
that essentially work. I can only get the Samba 3.0.2 server talking to the
Windows 2000 ADS when the default_etypes are set to: des-cbc-crc. If I omit
default etype settings, they fail to talk. I should also note that Heimdal
kerb5.conf doesn't use the default_t/gxx_enctypes used in the MIT
distribution in case folks are trying these settings.
Basically I can join the ADS domain without trouble:
% s-gowers:/usr/local/samba/bin # ./net ads join
% [2004/02/09 12:54:31, 0] libads/ldap.c:ads_add_machine_acct(1006)
% Host account for s-gowers already exists - modifying old account
% Using short domain name -- NEUROLOGY
% Joined 'S-GOWERS' to realm 'NEUROLOGY.AHSC.ARIZONA.EDU'
And from here I can surf my shares on my windows 2000 server using the
smbclient //server/share -k command. Likewise, I can list the shares
available using the smbclient -k -L server. Also, I can send messages using
the smbclient -k -M host without a glitch.
But when I attempt to connect to the Samba 3.0.2 server via \\NetBIOS name,
I get a username/password dialogue box and a bunch of entries in the smb.log
saying that:
% [2004/02/09 12:52:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
% Failed to verify incoming ticket!
I cannot access these shares using the IP address instead of the NetBIOS
name. I've been working on this for a couple days now and really can't
figure it out. I've used versions 3.0.0, 3.0.1, and now 3.0.2 with
identical results with all three. I've tried this with and without a keytab
file generated using Windows 2000 Server (ktpass).
I compiled the source using: --enable-cups --with-ads --with-winbind
Here's my krb5.conf:
==============
[libdefaults]
default_realm = NEUROLOGY.AHSC.ARIZONA.EDU
ticket_lifetime = 2400
clockskew = 300
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
default_keytab_name = 'FILE:/etc/krb5.keytab'
forwardable = true
extra_addresses = 150.135.29.201
dns_lookup_realm = false
kdc_timesync = true
scan_interfaces = true
[realms]
NEUROLOGY.AHSC.ARIZONA.EDU = {
kdc = jackson.neurology.ahsc.arizona.edu
admin_server = jackson.neurology.ahsc.arizona.edu
kpasswd_server = jackson.neurology.ahsc.arizona.edu
default_domain = neurology.ahsc.arizona.edu
}
[domain_realm]
.neurology.ahsc.arizona.edu = NEUROLOGY.AHSC.ARIZONA.EDU
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
===========
And, the smb.conf:
===========
[global]
workgroup = NEUROLOGY
realm = NEUROLOGY.AHSC.ARIZONA.EDU
server string =
security = ADS
password server = 150.135.28.105
log file = /var/log/smb.log
unix extensions = No
server signing = auto
socket options = SO_KEEPALIVE TCP_NODELAY
printcap name = cups
add machine script = /usr/sbin/useradd -c Machine -g machines -d /dev/null -s /bin/false %u
logon path = /srv/users/%U
logon home =
os level = 0
preferred master = No
local master = No
domain master = No
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /srv/users/%U
winbind separator = +
winbind use default domain = Yes
create mask = 0777
directory mask = 0777
printing = cups
case sensitive = Yes
oplocks = No
level2 oplocks = No
dos filemode = Yes
dos filetimes = Yes
============
Thanks for your help.
Tracy Steven Brown
University of Arizona
Dept. Neurology
(520) 626-4660