Hello samba experts !

I have a big problem with my samba 3.0.2a on debian. I use winbindd, which
seems to work (getent passwd/group and wbinfo -u works), and the net ads
join worked too, but the authentication with the AD controller, hosted on
Win2003 Server, fails.

Sample of the level 3 log file :

...
[2004/05/04 08:47:20, 3] smbd/process.c:switch_message(685)
  switch message SMBsesssetupX (pid 1210)
[2004/05/04 08:47:20, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638)
  wct=12 flg2=0xc807
[2004/05/04 08:47:20, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
  Doing spnego session setup
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 48018 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 113554 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(430)
  Got secblob of size 1263
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
...

So, it seems there is a kerberos problem. I use MIT krb5 1.3.3. I found a
technet article talking about a krb problem on win2003, and registry
modifications to apply. I did so, but nothing changed.

Another point : I did a tcpdump between the samba server and the 2003
server. When I do a kinit, there is communication between the servers. But
when I try to connect to the samba server from a W2K client, there is no
communication between the samba and the W2K server !

So, do you have an explanation ?

Here is my krb5.conf file :

[logging]
 default = FILE:/var/log/krb5/libs.log
 kdc = FILE:/var/log/krb5/kdc.log
 admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = IRCADSTAGE.FR

[realms]
 IRCADSTAGE.FR = {
  kdc = stageadmin11.ircadstage.fr:88
  default_domain = ircadstage.fr
 }

[domain_realm]
 .ircadstage.fr = IRCADSTAGE.FR
 ircadstage.fr = IRCADSTAGE.FR

Thanks !

Christian Haessig
Software engineer/Administrator
IRCAD/EITS
Phone : +33. (0)3.88.11.90.76
Fax : +33. (0)3.88.11.90.99
mailto:christian.haessig@ircad.u-strasbg.fr

Oops, I made a mistake : the samba server communicates through kerberos with
the W2K3 server. I attached the ethereal log which shows all the kerberos
packages going to or from the W2K3 server.

Thanks,

Christian Haessig
Software engineer/Administrator
IRCAD/EITS
Phone : +33. (0)3.88.11.90.76
Fax : +33. (0)3.88.11.90.99
mailto:christian.haessig@ircad.u-strasbg.fr

Hi Bertram, hi the list,

I added the samba list, so that they all get our mails :)

No, I don't use the nss_ldap.so library. What does it do ?
You told about a tool set to install on the W2K3 server. What is this tool ?
I found on the Microsoft knowledge base a registry modification concerning
kerberos. I applied it, without any result.

By the way, I sent an ethereal log showing the communication between the W2K
client (192.168.2.33), the samba server (192.168.0.31) and the W2K3 server
(192.168.9.211). Did you get it ?
This log indicates the problem :
- there are first some krb5 exchanges between the W2K client and the W2K3
  server
- then, the samba server sends a krb5 request using the encryptions 0x12
  (unknown), 0x11 (unknown), des3-cbc-sha1, rc4-hmac, des-cbc-crc, des-cbc-md5
  and des-cbc-md4
- the W2K3 server responds : error_code: KRB5KDC_ERR_PREAUTH_REQUIRED

Are there any krb5 experts in this list who could help us ? We would surely
appreciate !

Christian Haessig
Software engineer/Administrator
IRCAD/EITS
Phone : +33. (0)3.88.11.90.76
Fax : +33. (0)3.88.11.90.99
mailto:christian.haessig@ircad.u-strasbg.fr

> -----Original Message-----
> From: Yohann Ferreira [mailto:bertram25@hotmail.com]
> Sent: Tuesday, 4 May 2004 10:06
> To: christian.haessig@ircad.u-strasbg.fr
> Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
>
> I've got EXACTLY the same problem ! Exactly !
>
> Do you use the nss_ldap.so tool from PADL ?
>
> Cause I've that you have install a tool set on the w2k AD server...
>
> Is that right samba Team ?
>
> Thanks for reading !
>
> Bertram

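Added example (not part of any message in this thread, and not Samba code): a small Python triage script for the smbd log excerpt in the first message and the enctype list in Christian's follow-up above. It decodes the SPNEGO mechanism OIDs and the Kerberos enctype numbers, including the 0x12 and 0x11 values the capture showed as unknown; the function names are made up for this example and the number-to-name tables follow the IANA Kerberos registry.

```python
import re

# Kerberos enctype numbers from the IANA registry (RFC 3961, 3962, 4757).
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
SINGLE_DES = {1, 2, 3}  # single-DES enctypes, deprecated by RFC 6649
# SPNEGO mechanism OIDs in the space-separated form smbd logs them.
MECH_OIDS = {"1 2 840 48018 1 2 2": "Kerberos 5 (Microsoft variant OID)",
             "1 2 840 113554 1 2 2": "Kerberos 5",
             "1 3 6 1 4 1 311 2 2 10": "NTLMSSP"}
# smbd entry header line: [timestamp, level] file.c:function(line)
HEADER = re.compile(r"^\[([^,\]\n]+), *\d+\] +\S+\(\d+\)[ \t]*$", re.M)
ENC_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

# Lines copied from the log excerpt in the first message of the thread.
SAMPLE = """\
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 48018 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 113554 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
"""

def entries(text):
    """Yield (timestamp, message); wrapped continuation lines are rejoined."""
    parts = HEADER.split(text)  # [preamble, ts1, body1, ts2, body2, ...]
    for ts, body in zip(parts[1::2], parts[2::2]):
        yield ts, " ".join(body.split())

def triage(text):
    """Return (offered SPNEGO mechanisms, decoded ticket-decrypt failures)."""
    mechs, failures = [], []
    for ts, msg in entries(text):
        if msg.startswith("Got OID "):
            oid = msg[len("Got OID "):]
            mechs.append(MECH_OIDS.get(oid, "unknown OID " + oid))
        m = ENC_FAIL.search(msg)
        if m:
            n = int(m.group(1))
            failures.append((ts, n, ENCTYPES.get(n, "unknown"),
                             n in SINGLE_DES, m.group(2)))
    return mechs, failures

def name_enctypes(numbers):
    """Name the enctype numbers listed in a KDC request (e.g. 0x12, 0x11)."""
    return [ENCTYPES.get(n, "unknown 0x%02x" % n) for n in numbers]
```
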
Sorry Christian !

I explain :

nss_ldap.so is a lib used by the nss switch (winbind) to look where to use
authentication.

In order to have some response from the 2k AD domain, I think, and it's purely
theoretical because I'm right now doing tests about it, you'll need then to
install the 'Microsoft Windows Services For Unix' which provides the LDAP and
NIS communication protocol to your windows 2k AD controller.

As for the others, if someone knows something about all of this, such as a
configuration which works (!), please tell us !

Thanks for reading

Bertram