samba - Feb 2005 - RedHat+Samba+Winbind to ADS

Hi,

I 've a gateway and I want to use squid authenticated with Windows 2000
Active Directory users.

I've a development platform with Debian/Sarge as gateway, and it works.
(samba 3.0.10-1 and Kerberos 1.3.6-1)

On the other side the production platform uses RedHat Enterprise AS3,
initially with Samba 3.0.6 and Kerberos 1.2.7-28. I was not able to use
Active directory groups without get smb panic errors in winbindd, so I
update to Samba 3.0.9-1.3E.2 and Kerberos 1.2.7-38 (last available
updates).

Now I've following troubles with kerberos-winbind.
If I not set encryption types in krb5.conf (As in debian working
platform), windbind fails with following errors:

|ads_krb5_mk_req: krb5_get_credentials failed for PDC$@TEST.COM (No
credentials found with supported encryption types)
|spnego_gen_negTokenTarg failed: No credentials found with supported
encryption types
|failed kerberos session setup with No credentials found with supported
encryption types

but kinit and klist works, wbinfo -t also works, but wbinfo -u and
wbinfo -g gives an error.
getent passwd -s winbind and getent group -s winbind doesn't work
Also, net ads join gives an error (but computer was previously joined
ok)
wbinfo --sequence shows:
GATEWAY : 1
BUILTIN : 1
TEST : DISCONNECTED


Configuration files are:

-------------krb5.conf-------------------------------
[libdefaults]
 default_realm = TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_timesync = 1
 forwardable = true
 proxiable = true

[realms]
 CIKAUTXO.ES ={
  kdc = PDC
  admin_server = PDC
  default_domain = TEST
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
-------------krb5.conf-------------------------------

PDC address is included in /etc/hosts

-------------nsswitch.conf---------------------------
???
passwd:     files winbind
shadow:     files
group:      files winbind
???
-------------nsswitch.conf---------------------------
-------------smb.conf--------------------------------
???
   workgroup = TEST
   netbios name = GATEWAY
   realm = TEST.COM
   security = ads
   encrypt passwords = yes
   password server = PDC
   interfaces = 192.168.254.1/16
   winbind separator = /
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = true
   time server = Yes
   ######winbind nested groups = true

   client NTLMv2 auth = No
   client lanman auth = Yes
   client plaintext auth = Yes
   obey pam restrictions = Yes
   passdb backend = tdbsam, guest

   log level = 2 winbind:10 ads:10 auth:10

???
-------------smb.conf--------------------------------
Last options was included to replicate testparm -v obtained
in debian development installation.

After some test, I was able to avoid encryption type error, using the
following configuration in krb5.conf
-------------krb5.conf-------------------------------
[libdefaults]
 default_realm = TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_timesync = 1
 forwardable = true
 proxiable = true
 default_tgs_enctypes = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc
 permitted_enctypes = des-cbc-crc


[realms]
 CIKAUTXO.ES ={
  master_key_type = des-cbc-crc
  supported_enctypes = des-cbc-crc
  kdc = PDC
  admin_server = PDC
  default_domain = TEST
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
-------------krb5.conf-------------------------------
Choosing other enctypes in some params (default_tkt_enctypes
default_tgs_enctypes ) give me the same error as above 

But this configuration also doesn't work fine. I get the following error
with winbindd

|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED

kinit and klist works.
wbinfo -t returns following error:
|checking the trust secret via RPC calls failed
|error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
|Could not check secret
but wbinfo -u and wbinfo -t works fine
getent passwd -s winbind and getent group -s winbind also work
wbinfo --sequence shows:
GATEWAY : 1
BUILTIN : 1
TEST : 2951992

It seems that troubles with one configuration are solved with the other
one and reverse, but I cannot get ALL working simultaneously...

Anybody has some lights on this?

Thanks
Ant?n

On Wed, 2005-02-16 at 11:49 +0100, Ant?n wrote:
> Hi,
> 
> I 've a gateway and I want to use squid authenticated with Windows 2000
> Active Directory users.
> 
> I've a development platform with Debian/Sarge as gateway, and it works.
> (samba 3.0.10-1 and Kerberos 1.3.6-1)
> 
> On the other side the production platform uses RedHat Enterprise AS3,
> initially with Samba 3.0.6 and Kerberos 1.2.7-28. I was not able to use
> Active directory groups without get smb panic errors in winbindd, so I
> update to Samba 3.0.9-1.3E.2 and Kerberos 1.2.7-38 (last available
> updates).
You *ABSOLUTELY MUST USE* a version of MIT Kerberos5 v1.3.1 or newer.

For a good example of getting a newer version of mit krb5 (v1.4) see
bug:

https://bugzilla.samba.org/show_bug.cgi?id=2309

You can use the configure line as is for mit krb5 v1.3.3 and above
currently. It will work with RHAS, by installing overtop the RPM.

a recommendation, don't use v1.4 unless you want to add patches to
3.0.11 version of samba. You can just install over-top the RHAS samba
version as well.

Make sure you use the configure for samba as I did.

Both configure commands are for "RHAS" compatibility for existing
installs via RPM.

The patch(es) for 3.0.11 used for v1.4 of mit krb5 and other things are:

http://samba.org/~jerry/patches/post-3.0.11/
> Now I've following troubles with kerberos-winbind.
> If I not set encryption types in krb5.conf (As in debian working
> platform), windbind fails with following errors:
> 
> |ads_krb5_mk_req: krb5_get_credentials failed for PDC$@TEST.COM (No
> credentials found with supported encryption types)
> |spnego_gen_negTokenTarg failed: No credentials found with supported
> encryption types
> |failed kerberos session setup with No credentials found with supported
> encryption types
> 
> but kinit and klist works, wbinfo -t also works, but wbinfo -u and
> wbinfo -g gives an error.
> getent passwd -s winbind and getent group -s winbind doesn't work
> Also, net ads join gives an error (but computer was previously joined
> ok)
> wbinfo --sequence shows:
> GATEWAY : 1
> BUILTIN : 1
> TEST : DISCONNECTED
> 
> 
> Configuration files are:
> 
> -------------krb5.conf-------------------------------
> [libdefaults]
>  default_realm = TEST.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  kdc_timesync = 1
>  forwardable = true
>  proxiable = true
> 
> [realms]
>  CIKAUTXO.ES ={
>   kdc = PDC
>   admin_server = PDC
>   default_domain = TEST
>  }
> 
> [domain_realm]
>  .test.com = TEST.COM
>  test.com = TEST.COM
> -------------krb5.conf-------------------------------
> 
> PDC address is included in /etc/hosts
> 
> -------------nsswitch.conf---------------------------
> ???
> passwd:     files winbind
> shadow:     files
> group:      files winbind
> ???
> -------------nsswitch.conf---------------------------
> -------------smb.conf--------------------------------
> ???
>    workgroup = TEST
>    netbios name = GATEWAY
>    realm = TEST.COM
>    security = ads
>    encrypt passwords = yes
>    password server = PDC
>    interfaces = 192.168.254.1/16
>    winbind separator = /
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind use default domain = true
>    time server = Yes
>    ######winbind nested groups = true
> 
>    client NTLMv2 auth = No
>    client lanman auth = Yes
>    client plaintext auth = Yes
>    obey pam restrictions = Yes
>    passdb backend = tdbsam, guest
> 
>    log level = 2 winbind:10 ads:10 auth:10
> 
> ???
> -------------smb.conf--------------------------------
> Last options was included to replicate testparm -v obtained
> in debian development installation.
> 
> After some test, I was able to avoid encryption type error, using the
> following configuration in krb5.conf
> -------------krb5.conf-------------------------------
> [libdefaults]
>  default_realm = TEST.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  kdc_timesync = 1
>  forwardable = true
>  proxiable = true
>  default_tgs_enctypes = des-cbc-crc
>  default_tkt_enctypes = des-cbc-crc
>  permitted_enctypes = des-cbc-crc
> 
> 
> [realms]
>  CIKAUTXO.ES ={
>   master_key_type = des-cbc-crc
>   supported_enctypes = des-cbc-crc
>   kdc = PDC
>   admin_server = PDC
>   default_domain = TEST
>  }
> 
> [domain_realm]
>  .test.com = TEST.COM
>  test.com = TEST.COM
> -------------krb5.conf-------------------------------
> Choosing other enctypes in some params (default_tkt_enctypes
> default_tgs_enctypes ) give me the same error as above 
> 
> But this configuration also doesn't work fine. I get the following
error
> with winbindd
> 
> |Doing kerberos session setup
> |failed tcon_X with NT_STATUS_ACCESS_DENIED
> 
> kinit and klist works.
> wbinfo -t returns following error:
> |checking the trust secret via RPC calls failed
> |error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> |Could not check secret
> but wbinfo -u and wbinfo -t works fine
> getent passwd -s winbind and getent group -s winbind also work
> wbinfo --sequence shows:
> GATEWAY : 1
> BUILTIN : 1
> TEST : 2951992
> 
> It seems that troubles with one configuration are solved with the other
> one and reverse, but I cannot get ALL working simultaneously...
> 
> Anybody has some lights on this?
-- 
greg, greg@gregfolkert.net

The technology that is
Stronger, better, faster:  Linux
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20050216/382289e3/attachment.bin