jonas.back@ppm.nu
2005-Feb-24 22:12 UTC
SV: [Samba] Getting ads_connect: Strong authentication required w hendoing ne t ads join
Thanks for that interesting information. But how come it works in my lab (where I'm running Fedora Core 3)? Could it be because I'm running a newer version of LDAP? You think this will be fixed in future releases without the need to put certificated on the DC? Are there any detailinformation where to put the certificate on our DC:s? Unfourtunately we're not running any CA in our Windows environment. // Jonas -----Ursprungligt meddelande----- Fr?n: Kaplan, Marc [mailto:marc_kaplan@adaptec.com] Skickat: den 24 februari 2005 17:50 Till: jonas.back@ppm.nu; samba@samba.org ?mne: RE: [Samba] Getting ads_connect: Strong authentication required whendoing ne t ads join Yes, this is in fact caused by LDAP server signing requirements set to "Require Siging". I put a bug in previously here: https://bugzilla.samba.org/show_bug.cgi?id=765 And Jeremy Naylor created a patch to add TLS support in libads. The TLS method is potentially more secure, but it requires a certificate be installed on the KDC. You could try applying the patch and setting up the certificates to see if it works for you. The patch is attached to the bugzilla bug. -Marc> -----Original Message----- > From: samba-bounces+marc_kaplan=adaptec.com@lists.samba.org[mailto:samba-> bounces+marc_kaplan=adaptec.com@lists.samba.org] On Behalf Of > jonas.back@ppm.nu > Sent: Thursday, February 24, 2005 8:41 AM > To: samba@samba.org > Subject: [Samba] Getting ads_connect: Strong authentication required > whendoing ne t ads join > > In my lab I successfully got everything working running our securedActive> Directory and Fedora Core 3. In our AD we have secured settings like > refusing NTLMv2, require LDAP signing, SMB signing and more. In thelab we> have the following rpm's: > krb5-workstation-1.3.4.7 > samba-3.0.8.0.pre1.3 > openldap-2.2.13-2 > > But now we're implementing this in production and there we're runningRed> Hat ES3 and have the following rpm's (newest so far): > krb5-workstation-1.2.7-38 > samba-3.0.9-1.3E.2 > openldap-2.0.27-11 > > Kinit and smbclient works fine but when I run net ads join it failswith> "ads_connect: Strong authentication required". I've read somewherethat> the > security policy setting: "Domain Controller: LDAP server signing > requirements" set to "Require signing" is the reason for this but our > security team will not let me disable this setting. Is there any otherway> to get around this? > > I've made sure all configuration files (krb5.conf, smb.conf andldap.conf)> have the same options. > > Also found an earlier posts, but they don't really give me a solution: >http://lists.samba.org/archive/samba-technical/2003-October/032422.html><http://lists.samba.org/archive/samba-technical/2003-October/032422.html> > and here http://lists.samba.org/archive/samba/2003-October/000806.html > <http://lists.samba.org/archive/samba/2003-October/000806.html> > > [root@xtmplin1 /]# kinit domainuser > Password for domainuser@PPM.NU: > [root@xtmplin1 /]# klist > Ticket cache: FILE:/tmp/krb5cc_0 <FILE:/tmp/krb5cc_0> Default > principal: domainuser@PPM.NU > > Valid starting Expires Service principal > 02/24/05 17:00:27 02/25/05 03:00:27 krbtgt/PPM.NU@PPM.NU > > > Kerberos 4 ticket cache: /tmp/tkt0 > klist: You have no tickets cached > [root@xtmplin1 /]# net ads join "ServrarSamba" -U domainuser > domainuser's password: > [2005/02/24 17:00:45, 0] utils/net_ads.c:ads_startup(186) > ads_connect: Strong authentication required > [root@xtmplin1 /]# > > > > Here's the complete debug for net ads join: > > [root@xtmplin1 samba]# net ads join "ServrarSamba" -U domainuser -d 10 > [2005/02/24 16:15:22, 5] lib/debug.c:debug_dump_status(366) > INFO: Current debug levels: > all: True/10 > tdb: False/0 > printdrivers: False/0 > lanman: False/0 > smb: False/0 > rpc_parse: False/0 > rpc_srv: False/0 > rpc_cli: False/0 > passdb: False/0 > sam: False/0 > auth: False/0 > winbind: False/0 > vfs: False/0 > idmap: False/0 > quota: False/0 > acls: False/0 > [2005/02/24 16:15:22, 3] param/loadparm.c:lp_load(3911) > lp_load: refreshing parameters > [2005/02/24 16:15:22, 3] param/loadparm.c:init_globals(1312) > Initialising global parameters > [2005/02/24 16:15:22, 3] param/params.c:pm_process(566) > params.c:pm_process() - Processing configuration file > "/etc/samba/smb.conf" > [2005/02/24 16:15:22, 3] param/loadparm.c:do_section(3404) > Processing section "[global]" > doing parameter workgroup = EXAMPLE > doing parameter realm = EXAMPLE.NU > doing parameter use spnego = yes > doing parameter client signing = yes > doing parameter client use spnego = yes > doing parameter server string = Samba Server > doing parameter printcap name = /etc/printcap > doing parameter load printers = yes > doing parameter cups options = raw > doing parameter log file = /var/log/samba/%m.log > doing parameter max log size = 50 > doing parameter security = ads > doing parameter encrypt passwords = yes > doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 > SO_SNDBUF=8192 > doing parameter dns proxy = no > [2005/02/24 16:15:22, 4] param/loadparm.c:lp_load(3942) > pm_process() returned Yes > [2005/02/24 16:15:22, 7] param/loadparm.c:lp_servicenumber(4052) > lp_servicenumber: couldn't find homes > [2005/02/24 16:15:22, 10] param/loadparm.c:set_server_role(3851) > set_server_role: role = ROLE_DOMAIN_MEMBER > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103) > Attempting to register new charset UCS-2LE > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111) > Registered charset UCS-2LE > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103) > Attempting to register new charset UTF-16LE > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111) > Registered charset UTF-16LE > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103) > Attempting to register new charset UCS-2BE > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111) > Registered charset UCS-2BE > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103) > Attempting to register new charset UTF-16BE > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111) > Registered charset UTF-16BE > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103) > Attempting to register new charset UTF8 > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111) > Registered charset UTF8 > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103) > Attempting to register new charset UTF-8 > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111) > Registered charset UTF-8 > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103) > Attempting to register new charset ASCII > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111) > Registered charset ASCII > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103) > Attempting to register new charset 646 > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111) > Registered charset 646 > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103) > Attempting to register new charset ISO-8859-1 > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111) > Registered charset ISO-8859-1 > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(103) > Attempting to register new charset UCS2-HEX > [2005/02/24 16:15:22, 5] lib/iconv.c:smb_register_charset(111) > Registered charset UCS2-HEX > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/charcnv.c:charset_name(81) > Substituting charset 'ISO-8859-15' for LOCALE > [2005/02/24 16:15:22, 5] lib/util.c:init_names(278) > Netbios name list:- > my_netbios_names[0]="XTMPLIN1" > [2005/02/24 16:15:22, 2] lib/interface.c:add_interface(79) > added interface ip=192.168.25.231 bcast=192.168.25.255 > nmask=255.255.255.0 domainuser's password: > [2005/02/24 16:15:35, 6] libads/ldap.c:ads_find_dc(176) > ads_find_dc: looking for realm 'EXAMPLE.NU' > [2005/02/24 16:15:35, 8] libsmb/namequery.c:get_sorted_dc_list(1433) > get_sorted_dc_list: attempting lookup using [ads] > [2005/02/24 16:15:35, 10]libsmb/namequery.c:internal_resolve_name(1028)> internal_resolve_name: looking up EXAMPLE.NU#1c > [2005/02/24 16:15:35, 5] lib/gencache.c:gencache_init(59) > Opening cache file at /var/cache/samba/gencache.tdb > [2005/02/24 16:15:35, 10] lib/gencache.c:gencache_get(263) > Returning valid cache entry: key = NBT/EXAMPLE.NU#1C, value = > 192.168.40.100:389,192.168.129.100:389,192.168.115.100:389, timeout Thu > Feb 24 16:16:40 2005 > > [2005/02/24 16:15:35, 5] libsmb/namecache.c:namecache_fetch(201) > name EXAMPLE.NU#1C found. > [2005/02/24 16:15:35, 8] libsmb/namequery.c:get_dc_list(1316) > Adding 3 DC's from auto lookup > [2005/02/24 16:15:35, 10]libsmb/namequery.c:remove_duplicate_addrs2(320)> remove_duplicate_addrs2: looking for duplicate address/port pairs > [2005/02/24 16:15:35, 4] libsmb/namequery.c:get_dc_list(1406) > get_dc_list: returning 3 ip addresses in an unordered list > [2005/02/24 16:15:35, 4] libsmb/namequery.c:get_dc_list(1407) > get_dc_list: 192.168.40.100:389 192.168.129.100:389192.168.115.100:389> [2005/02/24 16:15:35, 5] libads/ldap.c:ads_try_connect(85) > ads_try_connect: trying ldap server '192.168.40.100' port 389 > [2005/02/24 16:15:35, 3] libads/ldap.c:ads_connect(247) > Connected to LDAP server 192.168.40.100 > [2005/02/24 16:15:35, 3] libads/ldap.c:ads_server_info(2432) > got ldap server name server1@EXAMPLE.NU, using bind path: > dc=EXAMPLE,dc=NU > [2005/02/24 16:15:35, 4] libads/ldap.c:ads_server_info(2438) > time offset is 0 seconds > [2005/02/24 16:15:35, 4] libads/sasl.c:ads_sasl_bind(447) > Found SASL mechanism GSS-SPNEGO > [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204) > ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2 > [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204) > ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 > [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204) > ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3 > [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(204) > ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 > [2005/02/24 16:15:35, 3] libads/sasl.c:ads_sasl_spnego_bind(211) > ads_sasl_spnego_bind: got server principal name =server1$@EXAMPLE.NU > [2005/02/24 16:15:35, 3] libsmb/clikrb5.c:ads_krb5_mk_req(382) > ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache > found) > [2005/02/24 16:15:36, 3]libsmb/clikrb5.c:ads_cleanup_expired_creds(319)> Ticket in ccache[MEMORY:net_ads] expiration Fri, 25 Feb 200502:15:35> GMT > [2005/02/24 16:15:36, 10] libsmb/clikrb5.c:ads_krb5_mk_req(409) > ads_krb5_mk_req: Ticket (server1$@EXAMPLE.NU) in ccache(MEMORY:net_ads)> is valid until: (Fri, 25 Feb 2005 02:15:35 GMT - 1109294135) > [2005/02/24 16:15:36, 10]libsmb/clikrb5.c:get_krb5_smb_session_key(510)> Got KRB5 session key of length 16 > [2005/02/24 16:15:36, 0] utils/net_ads.c:ads_startup(186) > ads_connect: Strong authentication required > [2005/02/24 16:15:36, 2] utils/net.c:main(859) > return code = -1 > [root@xtmplin1 samba]# > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba