Daniel Kvitko
2005-Jun-13 13:35 UTC
[Samba] Can't maintain a connection to the Server 2003 ADS on a subdomain
Hello to every Samba expert out there,

We've been having a hard time figuring out a particular problem with Samba. After joining the Server 2003 ADS, which is on a different subnet - just going through a router, the membership would drop all of a sudden. Everything works great when the Samba server is on the same subnet as the Server 2003 ADS. I have posted some details on forums, here is a link if you need to see the configuration: http://www.learninglinux.com/modules.php?name=Forums&file=viewtopic&t=474

I have been struggling for weeks and really need some insight from some experts. The purpose of the Samba servers is just for file sharing and we really do not want to install Microsoft Servers. If there is no one here that can offer any assistance, then I guess there isn't anyone out there that can.

Thank you,
Daniel

____________________________________________
Daniel Kvitko - Rockingham Heritage Bank IT Dept
Doug VanLeuven
2005-Jun-13 16:23 UTC
[Samba] Can't maintain a connection to the Server 2003 ADS on a subdomain
Daniel Kvitko wrote:
> Hello to every Samba expert out there,
>
> We've been having a hard time figuring out a particular problem with Samba. After joining the Server 2003 ADS, which is on a different subnet - just going through a router, the membership would drop all of a sudden. Everything works great when the Samba server is on the same subnet as the Server 2003 ADS. I have posted some details on forums, here is a link if you need to see the configuration: http://www.learninglinux.com/modules.php?name=Forums&file=viewtopic&t=474
>
> I have been struggling for weeks and really need some insight from some experts. The purpose of the Samba servers is just for file sharing and we really do not want to install Microsoft Servers. If there is no one here that can offer any assistance, then I guess there isn't anyone out there that can.

Hi Dan,

While processing a TGS request for the target server host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 16. The accounts available etypes were 23 -133 -128 3 1.

The requested enctype of 16 corresponds to DES3_CBC_SHA1.
The encryption types the 2003 server knows how to decode are
23 ARCFOUR_HMAC
3 DES_CBC_MD5
1 DES_CBC_CRC
I don't know what encryption types -133 & -128 are.

If you do a
  klist -ke
on the samba machine, it will list the keys in /etc/krb5.keytab and what encryption types they are.

With your version of kerberos and samba, you should be joined normally without the flag for DES_CBC_MD5 encryption required. As far as I know, this implies the samba server will be using ARCFOUR_HMAC which is the native encryption type of windows 2003.

Would you mind verifying your keytab on the samba host still has a
  host/ops-server2003.rhb.local@RHB.LOCAL (ArcFour with HMAC/md5)
entry and that you ran the ktpass.exe on the windows 2003 server to generate the host entry for the samba machine?

Regards,
Doug
Doug VanLeuven
2005-Jun-13 19:41 UTC
[Samba] Can't maintain a connection to the Server 2003 ADS on a subdomain
Daniel Kvitko wrote:
> Doug,
>
> Thank you for responding. This might be a dumb statement/question: I can't find the krb5.keytab file on any of my samba boxes, where should it be? Even the working Samba server does not have the file. Therefore klist -ke says: no such file or directory while starting keytab scan.
>
> In all my research, I have not used ktpass.exe. Is it possible for me to just write a new krb5.keytab file?
>
> Thank you for your help.
> DK
>
> ___________________________________________________
> Daniel Kvitko - Rockingham Heritage Bank IT Dept
>
> -----Original Message-----
> From: Doug VanLeuven [mailto:roamdad@sonic.net]
> Sent: Monday, June 13, 2005 12:23 PM
> To: Daniel Kvitko
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Can't maintain a connection to the Server 2003 ADS on a subdomain
>
> Daniel Kvitko wrote:
>> Hello to every Samba expert out there,
>>
>> We've been having a hard time figuring out a particular problem with Samba. After joining the Server 2003 ADS, which is on a different subnet - just going through a router, the membership would drop all of a sudden. Everything works great when the Samba server is on the same subnet as the Server 2003 ADS. I have posted some details on forums, here is a link if you need to see the configuration: http://www.learninglinux.com/modules.php?name=Forums&file=viewtopic&t=474
>>
>> I have been struggling for weeks and really need some insight from some experts. The purpose of the Samba servers is just for file sharing and we really do not want to install Microsoft Servers. If there is no one here that can offer any assistance, then I guess there isn't anyone out there that can.
>
> Hi Dan,
> While processing a TGS request for the target server host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 16. The accounts available etypes were 23 -133 -128 3 1.
>
> The requested enctype of 16 corresponds to DES3_CBC_SHA1.
> The encryption types the 2003 server knows how to decode are
> 23 ARCFOUR_HMAC
> 3 DES_CBC_MD5
> 1 DES_CBC_CRC
> I don't know what encryption types -133 & -128 are.
> If you do a
>   klist -ke
> on the samba machine, it will list the keys in /etc/krb5.keytab and what encryption types they are.
> With your version of kerberos and samba, you should be joined normally without the flag for DES_CBC_MD5 encryption required. As far as I know, this implies the samba server will be using ARCFOUR_HMAC which is the native encryption type of windows 2003.
> Would you mind verifying your keytab on the samba host still has a
>   host/ops-server2003.rhb.local@RHB.LOCAL (ArcFour with HMAC/md5)
> entry and that you ran the ktpass.exe on the windows 2003 server to generate the host entry for the samba machine?

Hi Dan,

ktpass.exe is on the windows 2003 machine. You can follow this guide for creating a /etc/krb5.keytab file for unix machines.
http://support.microsoft.com/default.aspx?scid=kb;en-us;324144

This has nothing to do with samba, but everything to do with Kerberos authentication. Ktpass.exe generates the 2 part encryption key. The KDC (windows 2003) holds one half in its files and the other half is transported to the unix machine. When a message is encrypted with one of the halves, only the other half can decrypt the message. The unix host authenticates to the KDC by encrypting with its half and if the KDC (win2003) can decrypt it, it trusts the unix box as genuine. (It's more complicated than that, I know, but it's the gist of it)

If you're inexperienced with Kerberos and have no other uses for it, you might find it much easier to allow samba to manage the keytab file on your behalf. The samba team has done a remarkable job of coding samba to do all the housekeeping for you. I call it PFM.

From samba.conf doco:

  use kerberos keytab (G)
  Specifies whether Samba should attempt to maintain service principals in the systems keytab file for host/FQDN and cifs/FQDN.
  When you are using the heimdal Kerberos libraries, you must also specify the following in /etc/krb5.conf:
    [libdefaults]
    default_keytab_name = FILE:/etc/krb5.keytab
  Default: use kerberos keytab = False

You should be able to add that line to your configuration file (use kerberos keytab = true), restart samba to be sure it uses the new configuration file (shouldn't have to, but I've been burned) and run
  net ads changetrustpw
on the linux box and samba will automagically create the keytab file and generate the correct entries in it for you to be able to successfully authenticate across the router using Kerberos.

If you expire your NT40 style machine$ passwords, you'll have to set up a cron job to run that command at a more frequent interval than the machine password expires.

In the event private.tdb has become polluted by 6 weeks of testing, worst case is you go for a clean start. You unjoin the domain, delete your samba *.tdb files in the lock directory, private.tdb, any existing krb5.keytab, then rejoin the domain. But I wouldn't think you'd have to do that.

Regards,
Doug
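The two checks Doug asks for across his replies (that `klist -ke` shows host/FQDN and cifs/FQDN entries in /etc/krb5.keytab, and that at least one of them uses an enctype the Windows 2003 KDC can actually decode: ARCFOUR_HMAC, DES_CBC_MD5 or DES_CBC_CRC) can be scripted so they run after every `net ads changetrustpw`. The script below is an added example written for this archive page, not code from the thread or from the Samba project. It assumes the MIT `klist -ke` output format, where each line ends with the enctype name in parentheses, and the listings it parses are constructed samples; on a real host you would feed it the output of `klist -ke /etc/krb5.keytab` instead.

```shell
#!/bin/sh
# Added example: verify a `klist -ke` listing has the service principals Samba
# needs and that they carry an enctype a Windows 2003 KDC understands.

# Constructed sample of MIT `klist -ke` output for a healthy keytab.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/uni-samba.rhb.local@RHB.LOCAL (ArcFour with HMAC/md5)
   2 host/uni-samba.rhb.local@RHB.LOCAL (DES cbc mode with CRC-32)
   2 cifs/uni-samba.rhb.local@RHB.LOCAL (ArcFour with HMAC/md5)'

# Constructed sample where only DES3 keys exist: the KDC in the thread cannot
# use these, which is the failure mode the TGS error message describes.
DES3_ONLY_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/uni-samba.rhb.local@RHB.LOCAL (Triple DES cbc mode with HMAC/sha1)
   2 cifs/uni-samba.rhb.local@RHB.LOCAL (Triple DES cbc mode with HMAC/sha1)'

# Enctype names (as printed by MIT klist) that a Windows 2003 KDC can decode:
# ARCFOUR_HMAC (23), DES_CBC_MD5 (3), DES_CBC_CRC (1).
KDC_USABLE_ENCTYPES='ArcFour|DES cbc mode with (RSA-MD5|CRC-32)'

# keytab_principal_enctypes LISTING SERVICE FQDN
# Prints one enctype name per line for every SERVICE/FQDN@REALM entry found.
keytab_principal_enctypes() {
    listing=$1; service=$2; fqdn=$3
    printf '%s\n' "$listing" \
      | grep -F "$service/$fqdn@" \
      | sed -n 's/.*(\(.*\))$/\1/p'
}

# keytab_ok LISTING FQDN
# Returns 0 when both host/FQDN and cifs/FQDN exist with a KDC-usable enctype,
# 1 otherwise; a one-line verdict per principal goes to stdout.
keytab_ok() {
    listing=$1; fqdn=$2; rc=0
    for svc in host cifs; do
        types=$(keytab_principal_enctypes "$listing" "$svc" "$fqdn")
        if [ -z "$types" ]; then
            echo "MISSING: $svc/$fqdn has no entry in the keytab"
            rc=1
            continue
        fi
        if printf '%s\n' "$types" | grep -qiE "$KDC_USABLE_ENCTYPES"; then
            echo "OK: $svc/$fqdn -> $(printf '%s' "$types" | tr '\n' ',')"
        else
            echo "WARN: $svc/$fqdn has only enctypes the 2003 KDC cannot decode: $(printf '%s' "$types" | tr '\n' ',')"
            rc=1
        fi
    done
    return $rc
}

# Demo run on the constructed listings. On a real host replace the listing with:
#   keytab_ok "$(klist -ke /etc/krb5.keytab)" "$(hostname -f)"
if keytab_ok "$SAMPLE_LISTING" uni-samba.rhb.local; then
    echo "healthy keytab: checks passed"
fi
if ! keytab_ok "$DES3_ONLY_LISTING" uni-samba.rhb.local; then
    echo "DES3-only keytab: rejoin or let samba regenerate the keytab"
fi
```

A non-zero exit from `keytab_ok` is the condition to alert on from the cron job Doug mentions: if the machine password rotates and the keytab is not refreshed, or the join only produced enctypes the KDC cannot decode, the check fails before users see the membership drop.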