thr3ads.net - samba - SV: [Samba] Getting ads_connect: Strong authentication required w hendoing ne t ads join [Feb 2005]

If this information is useful, please help other people find it:
Share via:
jonas.back@ppm.nu
2005-Feb-24 22:12 UTC
SV: [Samba] Getting ads_connect: Strong authentication required w hendoing ne t ads join

Thanks for that interesting information. But how come it works in my lab
(where I'm running Fedora Core 3)? Could it be because I'm running a
newer
version of LDAP? You think this will be fixed in future releases without the
need to put certificated on the DC?

Are there any detailinformation where to put the certificate on our DC:s?
Unfourtunately  we're not running any CA in our Windows environment.

// Jonas



-----Ursprungligt meddelande-----
Fr?n: Kaplan, Marc [mailto:marc_kaplan@adaptec.com] 
Skickat: den 24 februari 2005 17:50
Till: jonas.back@ppm.nu; samba@samba.org
?mne: RE: [Samba] Getting ads_connect: Strong authentication required
whendoing ne t ads join

Yes, this is in fact caused by LDAP server signing requirements set to
"Require Siging". I put a bug in previously here:
https://bugzilla.samba.org/show_bug.cgi?id=765

And Jeremy Naylor created a patch to add TLS support in libads. The TLS
method is potentially more secure, but it requires a certificate be
installed on the KDC. 

You could try applying the patch and setting up the certificates to see if
it works for you. The patch is attached to the bugzilla bug.

		-Marc
> -----Original Message-----
> From: samba-bounces+marc_kaplan=adaptec.com@lists.samba.org
[mailto:samba-> bounces+marc_kaplan=adaptec.com@lists.samba.org] On Behalf Of
> jonas.back@ppm.nu
> Sent: Thursday, February 24, 2005 8:41 AM
> To: samba@samba.org
> Subject: [Samba] Getting ads_connect: Strong authentication required 
> whendoing ne t ads join
> 
> In my lab I successfully got everything working running our secured
Active> Directory and Fedora Core 3. In our AD we have secured settings like 
> refusing NTLMv2, require LDAP signing, SMB signing and more. In the
lab we> have the following rpm's:
> krb5-workstation-1.3.4.7
> samba-3.0.8.0.pre1.3
> openldap-2.2.13-2
> 
> But now we're implementing this in production and there we're
running
Red> Hat ES3 and have the following rpm's (newest so far):
> krb5-workstation-1.2.7-38
> samba-3.0.9-1.3E.2
> openldap-2.0.27-11
> 
> Kinit and smbclient works fine but when I run net ads join it fails
with> "ads_connect: Strong authentication required". I've read
somewhere
that> the
> security policy setting: "Domain Controller: LDAP server signing 
> requirements" set to "Require signing" is the reason for
this but our
> security team will not let me disable this setting. Is there any other
way> to get around this?
> 
> I've made sure all configuration files (krb5.conf, smb.conf and
ldap.conf)> have the same options.
> 
> Also found an earlier posts, but they don't really give me a solution:
>
http://lists.samba.org/archive/samba-technical/2003-October/032422.html>
<http://lists.samba.org/archive/samba-technical/2003-October/032422.html>
> and here http://lists.samba.org/archive/samba/2003-October/000806.html
> <http://lists.samba.org/archive/samba/2003-October/000806.html>
> 
> [root@xtmplin1 /]# kinit domainuser
> Password for domainuser@PPM.NU:
> [root@xtmplin1 /]# klist
> Ticket cache: FILE:/tmp/krb5cc_0 <FILE:/tmp/krb5cc_0> Default 
> principal: domainuser@PPM.NU
> 
> Valid starting     Expires            Service principal
> 02/24/05 17:00:27  02/25/05 03:00:27  krbtgt/PPM.NU@PPM.NU
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root@xtmplin1 /]# net ads join "ServrarSamba" -U domainuser 
> domainuser's password:
> [2005/02/24 17:00:45, 0] utils/net_ads.c:ads_startup(186)
>   ads_connect: Strong authentication required
> [root@xtmplin1 /]#
> 
> 
> 
> Here's the complete debug for net ads join:
> 
> [root@xtmplin1 samba]# net ads join "ServrarSamba" -U domainuser
-d 10
> [2005/02/24 16:15:22, 5] lib/debug.c:debug_dump_status(366)
>   INFO: Current debug levels:
>     all: True/10
>     tdb: False/0
>     printdrivers: False/0
>     lanman: False/0
>     smb: False/0
>     rpc_parse: False/0
>     rpc_srv: False/0
>     rpc_cli: False/0
>     passdb: False/0
>     sam: False/0
>     auth: False/0
>     winbind: False/0
>     vfs: False/0
>     idmap: False/0
>     quota: False/0
>     acls: False/0
> [2005/02/24 16:15:22, 3] param/loadparm.c:lp_load(3911)
>   lp_load: refreshing parameters
> [2005/02/24 16:15:22, 3] param/loadparm.c:init_globals(1312)
>   Initialising global parameters
> [2005/02/24 16:15:22, 3] param/params.c:pm_process(566)
>   params.c:pm_process() - Processing configuration file 
> "/etc/samba/smb.conf"
> [2005/02/24 16:15:22, 3] param/loadparm.c:do_section(3404)
>   Processing section "[global]"
>   doing parameter workgroup = EXAMPLE
>   doing parameter realm = EXAMPLE.NU
>   doing parameter use spnego = yes
>   doing parameter client signing = yes
>   doing parameter client use spnego = yes
>   doing parameter server string = Samba Server
>   doing parameter printcap name = /etc/printcap
>   doing parameter load printers = yes
>   doing parameter cups options = raw
>   doing parameter log file = /var/log/samba/%m.log
>   doing parameter max log size = 50
>   doing parameter security = ads
>   doing parameter encrypt passwords = yes
>   doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192
> SO_SNDBUF=8192
>   doing parameter dns proxy = no
> [2005/02/24 16:15:22, 4] param/loadparm.c:lp_load(3942)
>   pm_process() returned Yes
> [2005/02/24 16:15:22, 7] param/loadparm.c:lp_servicenumber(4052)
>   lp_servicenumber: couldn't find homes
> [2005/02/24 16:15:22, 10] param/loadparm.c:set_server_role(3851)
>   set_server_role: role = ROLE_DOMAIN_MEMBER
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
>   Attempting to register new charset UCS-2LE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
>   Registered charset UCS-2LE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
>   Attempting to register new charset UTF-16LE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
>   Registered charset UTF-16LE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
>   Attempting to register new charset UCS-2BE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
>   Registered charset UCS-2BE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
>   Attempting to register new charset UTF-16BE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
>   Registered charset UTF-16BE
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
>   Attempting to register new charset UTF8
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
>   Registered charset UTF8
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
>   Attempting to register new charset UTF-8
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
>   Registered charset UTF-8
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
>   Attempting to register new charset ASCII
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
>   Registered charset ASCII
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
>   Attempting to register new charset 646
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
>   Registered charset 646
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
>   Attempting to register new charset ISO-8859-1
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
>   Registered charset ISO-8859-1
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103)
>   Attempting to register new charset UCS2-HEX
> [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111)
>   Registered charset UCS2-HEX
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81)
>   Substituting charset 'ISO-8859-15' for LOCALE
> [2005/02/24 16:15:22, 5] lib/util.c:init_names(278)
>   Netbios name list:-
>   my_netbios_names[0]="XTMPLIN1"
> [2005/02/24 16:15:22, 2] lib/interface.c:add_interface(79)
>   added interface ip=192.168.25.231 bcast=192.168.25.255 
> nmask=255.255.255.0 domainuser's password:
> [2005/02/24 16:15:35, 6] libads/ldap.c:ads_find_dc(176)
>   ads_find_dc: looking for realm 'EXAMPLE.NU'
> [2005/02/24 16:15:35, 8] libsmb/namequery.c:get_sorted_dc_list(1433)
>   get_sorted_dc_list: attempting lookup using [ads]
> [2005/02/24 16:15:35, 10]
libsmb/namequery.c:internal_resolve_name(1028)>   internal_resolve_name: looking up EXAMPLE.NU#1c
> [2005/02/24 16:15:35, 5] lib/gencache.c:gencache_init(59)
>   Opening cache file at /var/cache/samba/gencache.tdb
> [2005/02/24 16:15:35, 10] lib/gencache.c:gencache_get(263)
>   Returning valid cache entry: key = NBT/EXAMPLE.NU#1C, value = 
> 192.168.40.100:389,192.168.129.100:389,192.168.115.100:389, timeout Thu
> Feb 24 16:16:40 2005
> 
> [2005/02/24 16:15:35, 5] libsmb/namecache.c:namecache_fetch(201)
>   name EXAMPLE.NU#1C found.
> [2005/02/24 16:15:35, 8] libsmb/namequery.c:get_dc_list(1316)
>   Adding 3 DC's from auto lookup
> [2005/02/24 16:15:35, 10]
libsmb/namequery.c:remove_duplicate_addrs2(320)>   remove_duplicate_addrs2: looking for duplicate address/port pairs
> [2005/02/24 16:15:35, 4] libsmb/namequery.c:get_dc_list(1406)
>   get_dc_list: returning 3 ip addresses in an unordered list
> [2005/02/24 16:15:35, 4] libsmb/namequery.c:get_dc_list(1407)
>   get_dc_list: 192.168.40.100:389 192.168.129.100:389
192.168.115.100:389> [2005/02/24 16:15:35, 5] libads/ldap.c:ads_try_connect(85)
>   ads_try_connect: trying ldap server '192.168.40.100' port 389
> [2005/02/24 16:15:35, 3] libads/ldap.c:ads_connect(247)
>   Connected to LDAP server 192.168.40.100
> [2005/02/24 16:15:35, 3] libads/ldap.c:ads_server_info(2432)
>   got ldap server name server1@EXAMPLE.NU, using bind path:
> dc=EXAMPLE,dc=NU
> [2005/02/24 16:15:35, 4] libads/ldap.c:ads_server_info(2438)
>   time offset is 0 seconds
> [2005/02/24 16:15:35, 4] libads/sasl.c:ads_sasl_bind(447)
>   Found SASL mechanism GSS-SPNEGO
> [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
>   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
>   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
>   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
>   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
>   ads_sasl_spnego_bind: got server principal name =server1$@EXAMPLE.NU
> [2005/02/24 16:15:35, 3] libsmb/clikrb5.c:ads_krb5_mk_req(382)
>   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found)
> [2005/02/24 16:15:36, 3]
libsmb/clikrb5.c:ads_cleanup_expired_creds(319)>   Ticket in ccache[MEMORY:net_ads] expiration Fri, 25 Feb 2005
02:15:35> GMT
> [2005/02/24 16:15:36, 10] libsmb/clikrb5.c:ads_krb5_mk_req(409)
>   ads_krb5_mk_req: Ticket (server1$@EXAMPLE.NU) in ccache
(MEMORY:net_ads)> is valid until: (Fri, 25 Feb 2005 02:15:35 GMT - 1109294135)
> [2005/02/24 16:15:36, 10]
libsmb/clikrb5.c:get_krb5_smb_session_key(510)>   Got KRB5 session key of length 16
> [2005/02/24 16:15:36, 0] utils/net_ads.c:ads_startup(186)
>   ads_connect: Strong authentication required
> [2005/02/24 16:15:36, 2] utils/net.c:main(859)
>   return code = -1
> [root@xtmplin1 samba]#
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
Reasonably Related Threads

Search for more possibly parallel threads
samba - Feb 2005 - SV: Getting ads_connect: Strong authentication required w hendoing ne t ads join

SV: [Samba] Getting ads_connect: Strong authentication required w hendoing ne t ads join

Reasonably Related Threads

Wisdom of the Ancients
