Moshe Shaham
2004-Mar-31 18:04 UTC
[Samba] failing to browse unix shares with samba 3.0.2a
We upgraded our Solaris 9 samba server to version 3.0.2a and configured Kerberos MIT 1.3.2. I was able to run kinit and join samba to our windows 2003 domain as a domain member, but when I am trying to browse the samba shares from a windows XP machine it is failing. When I am looking at the samba logs this is what I am getting:

[2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/03/30 11:15:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/03/30 11:15:26, 3] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2004/03/30 11:15:26, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

I was trying to run smbclient -k '\\machine\share' and it failed. After initiating the kinit command I was then able to run the smbclient -k command. Accessing the shares from a windows box is still failing.

I am a little confused: do I need to create a Kerberos database in the samba server and manage the users' tickets? My understanding is that I am authenticating against the windows 2003 Kerberos database.

Thanks,
Moshe
Jeremy Allison
2004-Mar-31 18:48 UTC
[Samba] failing to browse unix shares with samba 3.0.2a
On Wed, Mar 31, 2004 at 10:03:45AM -0800, Moshe Shaham wrote:
> We upgraded our Solaris 9 samba server to version 3.0.2a and configured
> Kerberos MIT 1.3.2.
> I was able to run kinit and join samba to our windows 2003 domain as a
> domain member, but when I am trying to browse the samba shares from a
> windows XP machine it is failing. When I am looking at the samba logs this
> is what I am getting:
> [2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
> ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
> integrity check failed
> [2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2004/03/30 11:15:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> Failed to verify incoming ticket!
> [2004/03/30 11:15:26, 3] smbd/error.c:error_packet(94)
> error string = No such file or directory
> [2004/03/30 11:15:26, 3] smbd/error.c:error_packet(118)
> error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
>
> I was trying to run smbclient -k '\\machine\share' and it failed. After
> initiating the kinit command I was then able to run the smbclient -k
> command. Accessing the shares from a windows box is still failing.

Your enctypes are incorrect. This is confirmed by the fact that smbclient -k works (the enctype requested by kinit is compatible with the enctypes checked for by smbd - they're using the same krb5.conf) and the Windows clients don't. The enctype the Windows client is getting is type 23 - rc4-hmac.

Once you've got a ticket with kinit, use klist -e to display the enctypes you have. I'm guessing the enctype kinit is getting isn't the same. You can try setting:

    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac

in your krb5.conf file. And go buy the O'Reilly book on Kerberos and read it :-).

Jeremy.
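The comparison Jeremy is asking for (what smbd tried when it failed, what the krb5.conf enctype lists allow, and what klist -e shows kinit obtained) can be scripted so the mismatch is read off rather than guessed at. The following is an added example written for this thread, not code from the Samba project or from any of the posters. The enctype numbers come from RFC 3961 and RFC 4757; the klist display strings are assumed MIT krb5 1.x wording; the two krb5.conf fragments are constructed (the DES-only one is a guess at the kind of setup that produces the log above, the other applies Jeremy's suggestion); the log and klist lines are the ones quoted in the thread.

```python
"""Triage helper for the smbd Kerberos failure shown in this thread.

Added example: not code from the Samba project or from the thread's authors.
It reads the smbd log lines, the [libdefaults] enctype lists in krb5.conf and
"klist -e" output, and reports whether the encryption types line up.
"""
import re

# Enctype number -> krb5.conf name (RFC 3961; rc4-hmac from RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# "klist -e" display string -> krb5.conf name (assumed MIT krb5 1.x wording).
KLIST_DISPLAY = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
    "ArcFour with HMAC/md5": "rc4-hmac",
}

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
LOG_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt")
KLIST_RE = re.compile(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$", re.M)


def failed_enctypes(log_text):
    """Enctype numbers smbd tried (and failed with) when decrypting the client's ticket."""
    return [int(n) for n in LOG_RE.findall(log_text)]


def configured_enctypes(krb5_conf_text):
    """Enctype lists from [libdefaults]; a key that is not set maps to []."""
    found = {key: [] for key in ENCTYPE_KEYS}
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in found:
            found[key] = value.replace(",", " ").split()
    return found


def klist_etypes(klist_text):
    """[session-key enctype, ticket enctype] of the first credential in 'klist -e' output."""
    match = KLIST_RE.search(klist_text)
    if not match:
        return []
    return [KLIST_DISPLAY.get(s.strip(), s.strip()) for s in match.groups()]


def triage(log_text, krb5_conf_text, klist_text, client_enctype="rc4-hmac"):
    """Compare what smbd tried, what krb5.conf allows and what kinit obtained.

    client_enctype is what the Windows clients present (type 23, rc4-hmac, per
    the thread); change it if your clients negotiate something else.
    """
    tried = [ENCTYPE_NAMES.get(n, "enctype-%d" % n) for n in failed_enctypes(log_text)]
    conf = configured_enctypes(krb5_conf_text)
    listed = sorted({e for key in ENCTYPE_KEYS for e in conf[key]})
    allowed = listed or None          # None: no lists set, library defaults apply
    ticket = klist_etypes(klist_text)
    client_ok = allowed is None or client_enctype in allowed
    findings = []
    if tried:
        findings.append("smbd could not decrypt the ticket with key enctype(s): " + ", ".join(tried))
    if not client_ok:
        findings.append("krb5.conf enctype lists omit %s; add it to default_tgs_enctypes "
                        "and default_tkt_enctypes" % client_enctype)
    if ticket and allowed is not None and ticket[1] not in allowed:
        findings.append("kinit obtained a %s ticket, which the configured lists do not include" % ticket[1])
    if tried and client_ok and (not ticket or ticket[1] == client_enctype):
        findings.append("enctype configuration is consistent; the service key itself is suspect "
                        "(secrets.tdb/keytab out of date, or host name and realm not matching)")
    return {"tried": tried, "allowed": allowed, "kinit_ticket": ticket,
            "client_enctype_allowed": client_ok, "findings": findings}


# Constructed samples: log and klist lines as quoted in the thread; krb5.conf fragments made up.
SAMPLE_LOG = """\
[2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/03/30 11:15:26, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""
SAMPLE_KLIST = """\
Default principal: moshe@MYDOMAINNAME
03/31/04 10:01:00  03/31/04 20:01:00  krbtgt/MYDOMAINNAME@MYDOMAINNAME
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""
KRB5_DES_ONLY = """\
[libdefaults]
    default_realm = MYDOMAINNAME
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
"""
KRB5_RC4 = """\
[libdefaults]
    default_realm = MYDOMAINNAME
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
"""

if __name__ == "__main__":
    for label, conf in (("DES-only krb5.conf", KRB5_DES_ONLY), ("rc4-hmac krb5.conf", KRB5_RC4)):
        print(label)
        for finding in triage(SAMPLE_LOG, conf, SAMPLE_KLIST)["findings"]:
            print("  -", finding)
```

The last finding matters for this thread: once klist -e already shows rc4-hmac and the lists allow it, the enctype lists are not the problem, and the remaining suspect is the service key smbd holds, which is where the thread ends up.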
Moshe Shaham
2004-Mar-31 19:14 UTC
[Samba] failing to browse unix shares with samba 3.0.2a
Running klist -e:

    Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

I modified krb5.conf as you suggested and ran kdestroy and kinit again. When running klist -e I still get:

    Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

When running kinit as root after the krb5.conf modification:

    kinit(v5): KDC has no support for encryption type while getting initial credentials

Thanks again,
Moshe
RRuegner
2004-Mar-31 21:05 UTC
[Samba] failing to browse unix shares with samba 3.0.2a
Where is your smb.conf? This looks like you don't set security = user.
Moshe Shaham
2004-Mar-31 22:50 UTC
[Samba] failing to browse unix shares with samba 3.0.2a
It is set up as security = ads. This is my smb.conf:

    netbios name = shark
    workgroup = MYDOMAINNAME
    realm = MYDOMAINNAME
    server string = Samba Server
    log file = /opt/samba3.0/var/log.%m
    log level = 5
    max log size = 50
    security = ads
    local master = no
    os level = 0
    domain master = no
    preferred master = no
    wins support = no
    wins server = 10.70.130.2, 10.80.20.4
    dns proxy = no
    password server = mywindows2003kdc
    encrypt passwords = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind separator = +

Thanks,
Moshe
Moshe Shaham
2004-Apr-01 01:01 UTC
[Samba] failing to browse unix shares with samba 3.0.2a
I was running a sniffer on the Solaris host and on the windows kdc server and I found out the samba server doesn't initiate any connection to the windows kdc server when the windows client is trying to browse the samba shares. I would expect that it will consult the windows kdc server. Am I wrong in my assumption?

Thanks,
Moshe
Moshe Shaham
2004-Apr-01 01:08 UTC
[Samba] failing to browse unix shares with samba 3.0.2a
Do I also need to manage a Kerberos database in the Samba server? I didn't set up any kdc.conf file and didn't create a Kerberos database.

Thanks,
Moshe

-----Original Message-----
From: Jeremy Allison [mailto:jra@samba.org]
Sent: Wednesday, March 31, 2004 5:03 PM
To: Moshe Shaham
Cc: 'RRuegner'; 'samba@lists.samba.org'
Subject: Re: [Samba] failing to browse unix shares with samba 3.0.2a

On Wed, Mar 31, 2004 at 05:00:53PM -0800, Moshe Shaham wrote:
> I was running a sniffer on the Solaris host and on the windows kdc server and
> I found out the samba server doesn't initiate any connection to the windows
> kdc server when the windows client is trying to browse the samba shares. I
> would expect that it will consult the windows kdc server. Am I wrong in my
> assumption?

Completely - that's not how kerberos works. Please buy and read the O'Reilly Kerberos book :-).

Jeremy.
Moshe Shaham
2004-Apr-01 01:56 UTC
[Samba] failing to browse unix shares with samba 3.0.2a
This is exactly what I am doing but it is still not working. I have two questions:

1. Is it possible that the problem is caused by the fact that the domain suffix for the samba server is different from the windows domain? One is corp.mydomain.com and one is just mydomain.com.
2. Is it possible that there is a compatibility problem between MIT 1.3.2 and windows 2003 domain?

Thanks for your kind support,
Moshe

-----Original Message-----
From: Jeremy Allison [mailto:jra@samba.org]
Sent: Wednesday, March 31, 2004 5:48 PM
To: Moshe Shaham
Cc: 'Jeremy Allison'; 'RRuegner'; 'samba@lists.samba.org'
Subject: Re: [Samba] failing to browse unix shares with samba 3.0.2a

On Wed, Mar 31, 2004 at 05:07:43PM -0800, Moshe Shaham wrote:
> Do I also need to manage a Kerberos database in the Samba server? I didn't
> set up any kdc.conf file and didn't create a Kerberos database.

No you don't. You get the kerberos tickets from the krb5 database stored on the AD server. You join the smbd server to the domain and the equivalent of the keytab is stored in the secrets.tdb, when the client connects no traffic is needed to the kdc.

Jeremy.
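Jeremy's point in the message quoted above (the KDC and smbd share the service's long-term key, the ticket is sealed under it, and smbd checks a ticket with nothing but its local copy from secrets.tdb, so the sniffer sees no KDC traffic) can be shown with a small model. The following is an added example written for this thread; it is not Samba or MIT code and not Kerberos (real tickets are ASN.1 structures protected with RFC 3961 enctypes, and the sealing here is a toy built from HMAC-SHA256). The SPN, principal and passwords are hypothetical. The model also shows the two ways smbd's key copy can go wrong that the thread touches on: a key derived for a different enctype, and a key that is stale after the Windows side regenerated it (the ktpass step later in the thread); both fail on the integrity check, the same place the quoted log fails.

```python
"""Toy model of the trust relationship Jeremy describes: the KDC and the
service share the service's key, the KDC seals tickets under it, and the
service verifies tickets offline. Added example, not Samba/MIT code, not
Kerberos itself; the sealing is a toy built from HMAC-SHA256."""
import hashlib
import hmac
import json
import os
import time


def service_key(password, enctype, salt=b""):
    """Toy string-to-key: the key depends on the enctype (and salt), so one
    password yields unrelated keys for different enctypes."""
    material = enctype.encode() + b"\0" + salt + b"\0" + password.encode()
    return hashlib.sha256(material).digest()


def _keystream(key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Toy authenticated encryption: keystream XOR, then an HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Reject anything whose tag does not verify under this key before decrypting."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("Decrypt integrity check failed")  # the wording smbd logs
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))


class KDC:
    """Stands in for the AD domain controller's Kerberos database."""
    def __init__(self):
        self.keys = {}      # service principal name -> long-term key
        self.requests = 0   # how often anyone talked to the KDC

    def register(self, spn, key):
        """Domain join / ktpass: record the service's key on the KDC side."""
        self.keys[spn] = key

    def issue_ticket(self, client, spn):
        """TGS exchange collapsed to one call: a ticket for spn, sealed under spn's key."""
        self.requests += 1
        ticket = {"client": client, "spn": spn, "issued": int(time.time())}
        return seal(self.keys[spn], json.dumps(ticket).encode())


class Service:
    """Stands in for smbd: holds its own key copy and never talks to the KDC."""
    def __init__(self, spn, key):
        self.spn, self.key = spn, key

    def verify(self, blob):
        try:
            ticket = json.loads(unseal(self.key, blob))
        except ValueError:
            return False, "Failed to verify incoming ticket!"  # smbd's log line
        if ticket["spn"] != self.spn:
            return False, "ticket is for a different service"
        return True, ticket["client"]


def demo():
    """Four situations; every ticket comes from the KDC, every check is local."""
    spn = "cifs/shark.mydomain.com@MYDOMAINNAME"  # hypothetical SPN for the thread's host
    client = "moshe@MYDOMAINNAME"                 # hypothetical client principal
    kdc = KDC()
    shared = service_key("host-password-1", "rc4-hmac")
    kdc.register(spn, shared)
    results = {}
    # 1. Keys in sync on both sides.
    results["in_sync"] = Service(spn, shared).verify(kdc.issue_ticket(client, spn))
    # 2. Same password, but smbd derived its key for another enctype.
    other = service_key("host-password-1", "aes256-cts-hmac-sha1-96")
    results["enctype_mismatch"] = Service(spn, other).verify(kdc.issue_ticket(client, spn))
    # 3. Key regenerated on the Windows side; smbd still holds the old one.
    kdc.register(spn, service_key("host-password-2", "rc4-hmac"))
    results["stale_key"] = Service(spn, shared).verify(kdc.issue_ticket(client, spn))
    # 4. smbd's copy refreshed to match the regenerated key.
    fresh = service_key("host-password-2", "rc4-hmac")
    results["resynced"] = Service(spn, fresh).verify(kdc.issue_ticket(client, spn))
    results["kdc_requests"] = kdc.requests  # one per ticket issued, none for verification
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The request counter is the point the sniffer in the thread was making: the KDC is contacted when the client asks for a ticket, never when smbd verifies one, so a capture taken on the samba host during the failing session setup shows no KDC traffic whether verification succeeds or fails.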
Moshe Shaham
2004-Apr-01 16:01 UTC
[Samba] failing to browse unix shares with samba 3.0.2a
o.k. I answered my own question: I changed my samba server domain suffix to be the same as the windows domain. I also generated a new key from windows using ktpass that reflects the new mapping, and everything is working flawlessly now.

Thanks,
Moshe
Moshe Shaham
2004-Apr-01 19:01 UTC
[Samba] failing to browse unix shares with samba 3.0.2a
Thanks.

-----Original Message-----
From: Jeremy Allison [mailto:jra@samba.org]
Sent: Thursday, April 01, 2004 8:32 AM
To: Moshe Shaham
Cc: 'Jeremy Allison'; 'samba@lists.samba.org'
Subject: Re: [Samba] failing to browse unix shares with samba 3.0.2a

On Thu, Apr 01, 2004 at 08:00:43AM -0800, Moshe Shaham wrote:
> o.k. I answer my own question and I change my samba server domain suffix to
> be the same as the windows domain. I also generated a new key from windows
> using ktpass that reflect the new mapping and everything is working
> flawlessly now.

I'm really glad you fixed this - I had run out of ideas as to what was wrong. I still think you should buy the O'Reilly kerberos book though :-).

Glad it's working,
Jeremy.