samba - Jun 2005 - Can't maintain a connection to the Server 2003 ADS on a subdomain

Hello to every Samba expert out there,

We've been having a hard time figuring out a particular problem with Samba.
After joining the Server 2003 ADS, which is on a different subnet - just
going through a router, the membership would drop all of a sudden.
Everything works great when the Samba server is on the same subnet as the
Server 2003 ADS. I have posted some details on forums, here is a link if you
need to see the configuration:
http://www.learninglinux.com/modules.php?name=Forums&file=viewtopic&t=474

I have been struggling for weeks and really need some insight from some
experts. The purpose of the Samba servers is just for file sharing and we
really do not want to install Microsoft Servers. If there is no one here
that can offer any assistance, then I guess there isn't anyone out there
that can.

Thank you,
Daniel
____________________________________________
Daniel Kvitko - Rockingham Heritage Bank IT Dept

Daniel Kvitko wrote:
>Hello to every Samba expert out there,
>
>We've been having a hard time figuring out a particular problem with
Samba.
>After joining the Server 2003 ADS, which is on a different subnet - just
>going through a router, the membership would drop all of a sudden.
>Everything works great when the Samba server is on the same subnet as the
>Server 2003 ADS. I have posted some details on forums, here is a link if you
>need to see the configuration:
>http://www.learninglinux.com/modules.php?name=Forums&file=viewtopic&t=474
>
>I have been struggling for weeks and really need some insight from some
>experts. The purpose of the Samba servers is just for file sharing and we
>really do not want to install Microsoft Servers. If there is no one here
>that can offer any assistance, then I guess there isn't anyone out there
>that can.
>  
>
Hi Dan,
While processing a TGS request for the target server 
host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not have 
a suitable key for generating a Kerberos ticket (the missing key has an 
ID of 8). The requested etypes were 16.  The accounts available etypes 
were 23  -133  -128  3  1.

The requested enctype of 16 corresponds to DES3_CBC_SHA1.
The encryption types the 2003 server knows how to decode are
23 ARCFOUR_HMAC
3   DES_CBC_MD5
1   DES_CBC_CRC
I don't know what encryption types -133 & -128 are.
If you do a
    klist -ke
on the samba machine, it will list the keys in /etc/krb5.keytab and what 
encryption types they are.
With your version of kerberos and samba, you should be joined normally 
without the flag for DES_CBC_MD5 encryption required.  As fas as I know, 
this implies the samba server will be using ARCFOUR_HMAC which is the 
native encryption type of windows 2003.
Would you mind verifying your keytab on the samba host still has a
    host/ops-server2003.rhb.local@RHB.LOCAL (ArcFour with HMAC/md5)
entry and that you ran the ktpass.exe on the windows 2003 server to 
generate the host entry for the samba machine?

Regards, Doug

Daniel Kvitko wrote:
>Doug,
>
>Thank you for responding. This might be a dumb statement/question: I
can't
>find the krb5.keytab file on any of my samba boxes, where should it be? Even
>the working Samba server does not have the file. Therefore klist -ke says:
>no such file or directory while starting keytab scan.
>
>In all my research, I have not used ktpass.exe. Is it possible for me to
>just write a new krb5.keytab file?
>
>Thank you for your help.
>DK
>
>___________________________________________________
>Daniel Kvitko - Rockingham Heritage Bank IT Dept
>
>
>-----Original Message-----
>From: Doug VanLeuven [mailto:roamdad@sonic.net]
>Sent: Monday, June 13, 2005 12:23 PM
>To: Daniel Kvitko
>Cc: samba@lists.samba.org
>Subject: Re: [Samba] Can't maintain a connection to the Server 2003 ADS
>on a subdomain
>
>
>Daniel Kvitko wrote:
>
>  
>
>>Hello to every Samba expert out there,
>>
>>We've been having a hard time figuring out a particular problem with
Samba.
>>After joining the Server 2003 ADS, which is on a different subnet - just
>>going through a router, the membership would drop all of a sudden.
>>Everything works great when the Samba server is on the same subnet as
the
>>Server 2003 ADS. I have posted some details on forums, here is a link if
>>    
>>
>you
>  
>
>>need to see the configuration:
>>http://www.learninglinux.com/modules.php?name=Forums&file=viewtopic&t=474
>>
>>I have been struggling for weeks and really need some insight from some
>>experts. The purpose of the Samba servers is just for file sharing and
we
>>really do not want to install Microsoft Servers. If there is no one here
>>that can offer any assistance, then I guess there isn't anyone out
there
>>that can.
>>
>>
>>    
>>
>Hi Dan,
>While processing a TGS request for the target server
>host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not have
>a suitable key for generating a Kerberos ticket (the missing key has an
>ID of 8). The requested etypes were 16.  The accounts available etypes
>were 23  -133  -128  3  1.
>
>The requested enctype of 16 corresponds to DES3_CBC_SHA1.
>The encryption types the 2003 server knows how to decode are
>23 ARCFOUR_HMAC
>3   DES_CBC_MD5
>1   DES_CBC_CRC
>I don't know what encryption types -133 & -128 are.
>If you do a
>    klist -ke
>on the samba machine, it will list the keys in /etc/krb5.keytab and what
>encryption types they are.
>With your version of kerberos and samba, you should be joined normally
>without the flag for DES_CBC_MD5 encryption required.  As fas as I know,
>this implies the samba server will be using ARCFOUR_HMAC which is the
>native encryption type of windows 2003.
>Would you mind verifying your keytab on the samba host still has a
>    host/ops-server2003.rhb.local@RHB.LOCAL (ArcFour with HMAC/md5)
>entry and that you ran the ktpass.exe on the windows 2003 server to
>generate the host entry for the samba machine?
>  
>
Hi Dan,
ktpass.exe is on the windows 2003 machine.
You can follow this guide for creating a /etc/krb5.keytab file for unix 
machines.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;324144
This has nothing to do with samba, but everything to do with Kerberos 
authentication.  Ktpass.exe generates the 2 part encryption key.  The 
KDC (windows 2003) holds one half in it's files and the other half is 
transported to the unix machine.  When a message is encrypted with one 
of the halfs, only the other half can decrypt the message.  The unix 
host authenticates to the KDC by encrypting with it's half and if the 
KDC (win2003) can decrypt it, it trusts the unix box as genuine. (It's 
more complicated than that, I know, but it's the gist of it)

If you're inexperienced with Kerberos and have no other uses for it, you 
might find it much easier to allow samba to manage the keytab file on 
your behalf.  The samba team has done a remarkable job of coding samba 
to do all the housekeeping for you.  I call it PFM.

 From samba.conf doco:

use kerberos keytab (G)

    Specifies whether Samba should attempt to maintain service
    principals in the systems keytab file for host/FQDN and cifs/FQDN.

    When you are using the heimdal Kerberos libraries, you must also
    specify the following in /etc/krb5.conf:

[libdefaults]

  default_keytab_name = FILE:/etc/krb5.keytab
    

    Default: //use kerberos keytab/ = False /

You should be able to add that line to your configuration file (use 
kerberos keytab = true), restart samba to be sure it uses the new 
configuration file (shouldn't have to, but I've been burned) and run
    net ads changetrustpw
on the linux box and samba will automagically create the keytab file and 
generate the correct entries in it for you to be able to successfully 
authenticate across the router using Kerberos.

If you expire your NT40 style machine$ passwords, you'll have to set up 
a cron job to run that command at a more frequent interval than the 
machine password expires.

In the event private.tdb has become polluted by 6 weeks of testing, 
worst case is you go for a clean start.  You unjoin the domain, delete 
your samba *.tdb files in the lock directory, private.tdb, any existing 
krb5.keytab, then rejoin the domain.  But I wouldn't think you'd have to
do that.

Regards, Doug