peter_yen@trendmicro.com
2004-Aug-18 22:14 UTC
[Samba] Windows 2003 Active Directory Compatibility issue in libads/sasl.c
Hi All,

I am new to the samba-technical list. I am currently adopting the way Samba does for mutual authentication using Kerberos to MS Active Directory 2003. Basically, I am using this "static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)" in my LDAP client implemented by Netscape Directory SDK.

However, the code works fine with Windows 2000 but fails on 2003. By running the code, I could successfully get the TGT and session ticket from Windows Active Directory KDC with the right enctype. I verified both tickets by checking client's local credential cache using "klist". After tracing down the code, the code fails on line 000374 (http://samba.org/doxygen/appliance-head/sasl_8c-source.html) with an error saying "invalid credential". I have tried several ways to work it out but got no luck. I am at the end of the rope. Is there a known issue for compatibility with Windows 2003 and Samba, or am I missing something here?

Any help and insights are highly appreciated. Many thanks in advance.

Sincerely,
Peter

TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

Doug VanLeuven
2004-Aug-19 09:00 UTC
[Samba] Windows 2003 Active Directory Compatibility issue in libads/sasl.c
You can find references in the archives, but I remember wasting quite a bit of time to find this. MIT Kerberos and Heimdal have to be really pretty current versions. If you can't upgrade to the new MS rc4-hmac encryption type, see the following MS hotfix:
http://support.microsoft.com/default.aspx?scid=kb;en-us;833708

Hope it helps,
Doug

peter_yen@trendmicro.com wrote:
> Hi All,
>
> I am new to the samba-technical list. I am currently adopting the way Samba does for mutual authentication using Kerberos to MS Active Directory 2003.
> Basically, I am using this "static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)" in my LDAP client implemented by Netscape Directory SDK.
> However, the code works fine with Windows 2000 but fails on 2003. By running the code, I could successfully get the TGT and session ticket from
> Windows Active Directory KDC with the right enctype. I verified both tickets by checking client's local credential cache using "klist". After tracing down the code,
> the code fails on line 000374 (http://samba.org/doxygen/appliance-head/sasl_8c-source.html) with an error saying "invalid credential". I have tried several ways to
> work it out but got no luck. I am at the end of the rope. Is there a known issue for compatibility with Windows 2003 and Samba, or am I missing something here?
> Any help and insights are highly appreciated. Many thanks in advance.
> Sincerely,
> Peter