samba - Aug 2004 - Windows 2003 Active Directory Compatibility issue in libads/sasl.c

Hi All,

I am new to the samba-technical list. I am currently adopting the way Samba does
for mutual authentication using Kerberos to MS Active Directory 2003.
Basically, I am using this "static ADS_STATUS  ads_sasl_gssapi_bind
(ADS_STRUCT *ads) " in my LDAP client implemented by Netscape Directory
SDK.
However, the code works fine with Windows 2000 but fails on 2003. By running the
code, I could sucessfully get the TGT and session ticket from
Windows Active Directory KDC with the right enctype. I verified both tickets by
checking client's local credential cache using "klist". After
tracing down the code,
the code fails on line 000374 (
http://samba.org/doxygen/appliance-head/sasl_8c-source.html) with an error
saying "invalid credential". I have tried serveral ways to
work it out but got no luck. I am at the end of the rope. Is there a known issue
for compatibility with Windows 2003 and Samba, or am I missing something here?
Any help and insighs are highly apprecited. Many thanks in advance. 
Sincerely,
Peter



TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and
may be subject to copyright or other intellectual property protection. If you
are not the intended recipient, you are not authorized to use or disclose this
information, and we request that you notify us by reply mail or telephone and
delete the original message from your mail system.

You can find references in the archives, but
I remember wasting quite a bit of time to find this.
MIT Kerberos and Heimdal have to be really pretty current versions.
If you cant upgrade to the new MS rc4-hmac encryption type
see the following MS hotfix

http://support.microsoft.com/default.aspx?scid=kb;en-us;833708

Hope it helps, Doug

peter_yen@trendmicro.com wrote:
>Hi All,
>
>I am new to the samba-technical list. I am currently adopting the way Samba
does for mutual authentication using Kerberos to MS Active Directory 2003.
>Basically, I am using this "static ADS_STATUS  ads_sasl_gssapi_bind
(ADS_STRUCT *ads) " in my LDAP client implemented by Netscape Directory
SDK.
>However, the code works fine with Windows 2000 but fails on 2003. By running
the code, I could sucessfully get the TGT and session ticket from
>Windows Active Directory KDC with the right enctype. I verified both tickets
by checking client's local credential cache using "klist". After
tracing down the code,
>the code fails on line 000374 (
http://samba.org/doxygen/appliance-head/sasl_8c-source.html) with an error
saying "invalid credential". I have tried serveral ways to
>work it out but got no luck. I am at the end of the rope. Is there a known
issue for compatibility with Windows 2003 and Samba, or am I missing something
here?
>Any help and insighs are highly apprecited. Many thanks in advance. 
>Sincerely,
>Peter
>
>
>
>TREND MICRO EMAIL NOTICE
>The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection. If
you are not the intended recipient, you are not authorized to use or disclose
this information, and we request that you notify us by reply mail or telephone
and delete the original message from your mail system.
>  
>