John Stile
2004-Dec-06 16:24 UTC
[Samba] errors from ads_krb5_mk_req errors and util_sock.c:send_smb
After 2 weeks of trying to configure samba as a member server in a native AD domain, with winbind+nss+kerberos following the Samba Collection and (Samba-3 By Example) documentation, with RedHat AS3, samba 3.0.9, krb5 1.3.1, where 2 KDC's are Windows 2003 and one is Windows 2000, and smb-signing has been turned off,... when a user tries to access a share, they are prompted for a password, and no passwords seem to work, and I see errors like:

client connection log
  lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Connection reset by peer)

winbindd log
  libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@MYFOREST.MYDOMAIN.COM (Cannot find KDC for requested realm)

Details and testing results listed below:

----------------------------------------------
SAMBA ON REDHAT Advance Server 3 saga, as member server in native AD with winbind
----------------------------------------------

1st Problem: Bug in RedHat's samba rpm when joining a samba 3.0.7-1.3E.1 in a w2k domain
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139668
  Solution: Upgrading to samba.org new version (3.0.9)

2nd Problem: Kerberos < 1.3 cannot use Microsoft AD Kerberos Tickets, RedHat AS only goes up to 1.2.7
  After a successful 'net ads join' I can communicate with KDC, but get ticket errors authenticating users:
  From Windows XP client, I am prompted for a password and No password works.
  The samba log for the client session:
    'smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!'
  Solution: Upgrade krb5 from 1.2.7 to Fedora Core 1.3.1.

3rd Problem: System appeared to be working and then stopped. Only change: samba was restarted.
  Solution: No solution yet for smb.conf with 'security=ads'

-----------------------
Notes from 3rd Problem:
-----------------------

### BEGIN /etc/samba/smb.conf ###
#======================= Global Settings =====================================
[global]
   server string = Samba Server
   workgroup = MYREALM
   realm = MYREALM.MY.MYDOMAIN.COM
   security = ADS
   map to guest = Bad User
   password server = *
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   preferred master = no
   local master = no
   domain master = no
   os level = 33
   wins server = 128.32.68.75 128.32.67.118
   ldap ssl = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind separator = +
   winbind use default domain = Yes
   load printers = no
   log file = /var/log/samba/%m.log
   max log size = 0
   username map = /etc/samba/smbusers
   dns proxy = no

#============================ Share Definitions =============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S
   create mode = 0664
   directory mode = 0775
### END /etc/samba/smb.conf ###

### BEGIN /etc/krb5.conf ###
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = MYREALM.MY.MYDOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 MYREALM.MY.MYDOMAIN.COM = {
  kdc = hcs-ad-a.myrealm.my.mydomain.com:88
  admin_server = hcs-ad-a.myrealm.my.mydomain.com:749
  default_domain = myrealm.my.mydomain.com
 }

[domain_realm]
 .myrealm.mydomain.com = MYREALM.MY.MYDOMAIN.COM
 myrealm.mydomain.com = MYREALM.MY.MYDOMAIN.COM
 .myrealm.my.mydomain.com = MYREALM.MY.MYDOMAIN.COM
 myrealm.my.mydomain.com = MYREALM.MY.MYDOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
### END /etc/krb5.conf ###

------------------------------------------------

# Since hcs-ad-b is a Windows 2000 server, change /etc/krb5.conf
# changed: hcs-ad-a.myrealm.my.mydomain.com
# to:      hcs-ad-b.myrealm.my.mydomain.com

# remove cached settings
[root@myserver usr]# rm -rf /var/lib/samba/* /etc/samaba/secret.tdb

# start winbind
[root@myserver usr]# /etc/init.d/winbind start

# try to add to domain
[root@myserver usr]# net ads join -W MYREALM -S HCS-AD-B -Uadministrator
administrator's password:
Using short domain name -- MYREALM
Joined 'DEVAPACHE2' to realm 'MYREALM.MY.MYDOMAIN.COM'

# list what changed:
[root@myserver usr]# ls -ltr /etc/samba/secrets.tdb /var/lib/samba/
-rw-------    1 root     root         8192 Dec  5 12:06 /etc/samba/secrets.tdb

/var/lib/samba/:
total 68
drwxr-xr-x    2 root     root         4096 Nov 30 04:14 printing
-rw-r--r--    1 root     root         4201 Dec  5 04:02 namelist.debug
-rw-r--r--    1 root     root          216 Dec  5 11:41 browse.dat
drwxr-x---    2 root     root         4096 Dec  5 12:06 winbindd_privileged
-rw-r--r--    1 root     root         8192 Dec  5 12:06 winbindd_idmap.tdb
-rw-------    1 root     root          696 Dec  5 12:06 netsamlogon_cache.tdb
-rw-------    1 root     root          696 Dec  5 12:06 messages.tdb
-rw-r--r--    1 root     root         8192 Dec  5 12:06 gencache.tdb
-rw-------    1 root     root        24576 Dec  5 12:07 winbindd_cache.tdb

# Try kerb auth
[root@myserver usr]# net ads status -U administrator
administrator's password:
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: myserver
countryCode: 0
dNSHostName: myserver.myrealm.mydomain.com
instanceType: 4
isCriticalSystemObject: FALSE
lastLogoff: 0
lastLogon: 127467514903900008
logonCount: 347
distinguishedName: CN=myserver,CN=Computers,DC=myrealm,DC=uc,DC=berkeley,DC=edu
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=uc,DC=berkeley,DC=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectGUID: 07dafdf3-73ce-4318-8abb-4d64595199e7
objectSid: S-1-5-21-31201350-910771829-425154211-27690
operatingSystem: Samba
operatingSystemVersion: 3.0.9
primaryGroupID: 515
pwdLastSet: 127467508115781250
name: myserver
sAMAccountName: myserver$
sAMAccountType: 805306369
servicePrincipalName: CIFS/myserver.myrealm.mydomain.com
servicePrincipalName: CIFS/myserver.myrealm.my.mydomain.com
servicePrincipalName: CIFS/myserver
servicePrincipalName: HOST/myserver.myrealm.my.mydomain.com
servicePrincipalName: HOST/myserver
userAccountControl: 69632
userPrincipalName: HOST/myserver@MYREALM.MY.MYDOMAIN.COM
uSNChanged: 4946810
uSNCreated: 4906606
whenChanged: 20041205200719.0Z
whenCreated: 20041203004915.0Z

# Check validity of /etc/krb5.conf
[root@myserver usr]# kinit -Uadministrator
Password for -Uadministrator@MYREALM.MY.MYDOMAIN.COM:
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(DashoA12275:64)
        at sun.security.krb5.KrbAsReq.getReply(DashoA12275:345)
        at sun.security.krb5.KrbAsReq.getReply(DashoA12275:303)
        at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:252)
        at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.ah.a(DashoA12275:133)
        at sun.security.krb5.internal.av.a(DashoA12275:58)
        at sun.security.krb5.internal.av.<init>(DashoA12275:53)
        at sun.security.krb5.KrbAsRep.<init>(DashoA12275:50)
        ... 4 more

# Trying kerb tickets?
[root@myserver usr]# kinit administrator
Password for administrator@MYREALM.MY.MYDOMAIN.COM:
New ticket is stored in cache file /tmp/krb5cc_0

[root@myserver usr]# kinit administrator@MYREALM
Password for administrator@MYREALM:
Exception: krb_error 0 Cannot get kdc for realm MYREALM No error
KrbException: Cannot get kdc for realm MYREALM
        at sun.security.krb5.KrbKdcReq.send(DashoA12275:133)
        at sun.security.krb5.KrbKdcReq.send(DashoA12275:106)
        at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:241)
        at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:106)

# look at my kerberos tickets
klist
Credentials cache: /tmp/krb5cc_0
Default principal: administrator@MYREALM.MY.MYDOMAIN.COM, 3 entries found.
[1]  Service Principal:  krbtgt/MYREALM.MY.MYDOMAIN.COM@MYREALM.MY.MYDOMAIN.COM
     Valid starting:     Dec 05, 2004 13:10
     Expires:            Dec 05, 2004 23:10
[2]  Service Principal:  myserver$@MYREALM.MY.MYDOMAIN.COM
     Valid starting:     Dec 05, 2004 13:10
     Expires:            Dec 05, 2004 23:10
[3]  Service Principal:  hcs-ad-b$@MYREALM.MY.MYDOMAIN.COM
     Valid starting:     Dec 05, 2004 13:10
     Expires:            Dec 05, 2004 23:10

# Start samba and try to connect to localhost
[root@myserver usr]# smbclient //localhost/www -k -Uadministrator
OS=[Unix] Server=[Samba 3.0.9]
tree connect failed: NT_STATUS_ACCESS_DENIED

# Trying to connect to the server, I get a 'tree connect failed'
[root@myserver usr]# smbclient //localhost/www -k -WMYREALM -Uadministrator
OS=[Unix] Server=[Samba 3.0.9]
tree connect failed: NT_STATUS_ACCESS_DENIED

# while connecting to the share
/var/log/samba/devcontractor1.log
[2004/12/05 15:37:16, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2004/12/05 15:37:44, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2004/12/05 15:37:44, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Connection reset by peer
[2004/12/05 15:37:44, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 23: ERRNO = Connection reset by peer
[2004/12/05 15:37:44, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Connection reset by peer)

/var/log/samba/winbindd.log
[2004/12/05 15:45:16, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@MYFOREST.MYDOMAIN.COM (Cannot find KDC for requested realm)
[2004/12/05 15:45:17, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@MYFOREST.MYDOMAIN.COM (Cannot find KDC for requested realm)
[2004/12/05 15:45:17, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain MYFOREST failed: Cannot find KDC for requested realm

-- 
John Stile
UniX Administration
510-305-3800
john@stilen.com
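An added diagnostic for the "Cannot find KDC for requested realm" lines in the winbindd log above; this is example code written for this page, not part of the original post or of Samba. winbindd asks the Kerberos library for a ticket to a domain controller in the forest root realm (MYFOREST.MYDOMAIN.COM in the log), and the library can only locate a KDC for that realm from a [realms] stanza in krb5.conf or, with dns_lookup_kdc = true, from the _kerberos._tcp.REALM SRV record. The script extracts every realm named in a krb5_get_credentials failure and reports those with no [realms] stanza. The krb5.conf fragment and the log lines are constructed samples modelled on the post, and the function names (realms_in_conf, realms_in_log, missing_realms) are mine.

```shell
#!/bin/sh
# Cross-check realms that winbindd could not find a KDC for against the
# [realms] section of krb5.conf. Inputs below are constructed samples.

# Constructed krb5.conf fragment (assumed; modelled on the one in the post).
KRB5_CONF='[libdefaults]
 default_realm = MYREALM.MY.MYDOMAIN.COM
 dns_lookup_kdc = true

[realms]
 MYREALM.MY.MYDOMAIN.COM = {
  kdc = hcs-ad-b.myrealm.my.mydomain.com:88
 }

[domain_realm]
 .myrealm.my.mydomain.com = MYREALM.MY.MYDOMAIN.COM
'

# Constructed winbindd.log lines in the format samba 3.0.x writes them.
WINBINDD_LOG='[2004/12/05 15:45:16, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@MYFOREST.MYDOMAIN.COM (Cannot find KDC for requested realm)
[2004/12/05 15:45:17, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
  ads_krb5_mk_req: krb5_get_credentials failed for myserver$@MYREALM.MY.MYDOMAIN.COM (Cannot find KDC for requested realm)
'

# realms_in_conf CONF: print the realm names declared in the [realms]
# section, one per line. A stanza opens with "NAME = {".
realms_in_conf() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[realms\]/); next }
        insec && /=[ \t]*[{]/ { r = $1; sub(/[ \t]*=.*/, "", r); print r }
    '
}

# realms_in_log LOG: print each distinct realm (the part after "@") named
# in a krb5_get_credentials failure.
realms_in_log() {
    printf '%s\n' "$1" | awk '
        /krb5_get_credentials failed for/ {
            for (i = 1; i <= NF; i++) if ($i ~ /@/) { sub(/.*@/, "", $i); print $i }
        }
    ' | sort -u
}

# missing_realms CONF LOG: realms from the log that have no [realms]
# stanza in the config, one per line. These are the ones the library
# can only reach through a working _kerberos._tcp.REALM SRV lookup.
missing_realms() {
    conf_realms=$(realms_in_conf "$1")
    for r in $(realms_in_log "$2"); do
        if ! printf '%s\n' "$conf_realms" | grep -qxF "$r"; then
            printf '%s\n' "$r"
        fi
    done
}

# Run stand-alone: report each realm that needs a KDC but is not declared.
# With the samples above this prints one line, for MYFOREST.MYDOMAIN.COM.
for r in $(missing_realms "$KRB5_CONF" "$WINBINDD_LOG"); do
    echo "winbindd needs a KDC for realm $r but krb5.conf [realms] does not declare one"
done
```

To run it against a live system, replace the two constructed strings with `$(cat /etc/krb5.conf)` and `$(cat /var/log/samba/winbindd.log)`. A realm reported here is only a problem if the SRV lookup also fails, so follow up with `host -t SRV _kerberos._tcp.MYFOREST.MYDOMAIN.COM` (or add a second [realms] stanza for the forest root realm pointing at one of its domain controllers).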