samba - May 2006 - SerNet.de Release and krb problems

Hello All,
        
        Im using a fresh install of CentOS 4.3 fully updated with the
        latest
        Samba packages from SerNet.de
        
        http://enterprisesamba.org/index.php?id=64
        
        While I have used Samba/Winbind for quite some time, Im have a
        peculiar
        problem with these RPM's. When I try to "net ads join -U
        <username>" to
        join of ADS realm, I get this error...
        
        [root@ctilinux3 sernet-samba]# net -V
        Version 3.0.22-SerNet-RedHat
        [root@ctilinux3 sernet-samba]# net ads join -U msellers
        msellers's password:
        [2006/05/08 23:02:12, 0] utils/net_ads.c:ads_startup(191)
          ads_connect: Program lacks support for encryption type
        [root@ctilinux3 sernet-samba]#
        
        While I do have the latest krb5 libs installed from the CentOS
        repo, its
        my understanding that Sernet statically compiles their own
        kerberos
        libraries for compatibility, at least what their site says....
        
        I have successfully compiled samba from source on CentOS, but
        have never
        gotten these SerNet binaries to work.  Can anybody point me in
        the
        direction to fix this, or explain?  
        
        Thanks all :-)
        
        --
        Matt Sellers
        matt@indigo.nu

Me too have the same problem and I and would like to know any solution.

Thanks

Rajeev


-----Original Message-----
From: Matt Sellers [mailto:matt@indigo.nu] 
Sent: Tuesday, May 09, 2006 7:37 AM
To: samba-list
Subject: [Samba] SerNet.de Release and krb problems

Hello All,
        
        Im using a fresh install of CentOS 4.3 fully updated with the
        latest
        Samba packages from SerNet.de
        
        http://enterprisesamba.org/index.php?id=64
        
        While I have used Samba/Winbind for quite some time, Im have a
        peculiar
        problem with these RPM's. When I try to "net ads join -U
        <username>" to
        join of ADS realm, I get this error...
        
        [root@ctilinux3 sernet-samba]# net -V
        Version 3.0.22-SerNet-RedHat
        [root@ctilinux3 sernet-samba]# net ads join -U msellers
        msellers's password:
        [2006/05/08 23:02:12, 0] utils/net_ads.c:ads_startup(191)
          ads_connect: Program lacks support for encryption type
        [root@ctilinux3 sernet-samba]#
        
        While I do have the latest krb5 libs installed from the CentOS
        repo, its
        my understanding that Sernet statically compiles their own
        kerberos
        libraries for compatibility, at least what their site says....
        
        I have successfully compiled samba from source on CentOS, but
        have never
        gotten these SerNet binaries to work.  Can anybody point me in
        the
        direction to fix this, or explain?  
        
        Thanks all :-)
        
        --
        Matt Sellers
        matt@indigo.nu

Hello,

the same problem happens to me with a RHEL4 system.

Another point is that using "net ads join" with existing kerberos
credentials is not working:

  [root@rhws tmp]# kinit Administrator
  Password for Administrator@W2K3.EXAMPLE.COM: 
  [root@rhws tmp]# klist -5
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: Administrator@W2K3.EXAMPLE.COM
  
  Valid starting     Expires            Service principal
  05/09/06 16:07:35  05/10/06 02:07:36  krbtgt/W2K3.EXAMPLE.COM@W2K3.EXAMPLE.COM
          renew until 05/10/06 16:07:35
  [root@rhws tmp]# /usr/bin/net ads join
  root's password: 
  ...

(It should not ask for root's password, but use the name
"Administrator" from the kerberos credential cache instead).

On Mon, May 08, 2006 at 10:37:18PM -0500, Matt Sellers
wrote:
> Hello All,
>         
>         Im using a fresh install of CentOS 4.3 fully updated with the
>         latest
>         Samba packages from SerNet.de
>         
>         http://enterprisesamba.org/index.php?id=64
>         
>         While I have used Samba/Winbind for quite some time, Im have a
>         peculiar
>         problem with these RPM's. When I try to "net ads join -U
>         <username>" to
>         join of ADS realm, I get this error...
>         
>         [root@ctilinux3 sernet-samba]# net -V
>         Version 3.0.22-SerNet-RedHat
>         [root@ctilinux3 sernet-samba]# net ads join -U msellers
>         msellers's password:
>         [2006/05/08 23:02:12, 0] utils/net_ads.c:ads_startup(191)
>           ads_connect: Program lacks support for encryption type
>         [root@ctilinux3 sernet-samba]#
>         
>         While I do have the latest krb5 libs installed from the CentOS
>         repo, its
>         my understanding that Sernet statically compiles their own
>         kerberos
>         libraries for compatibility, at least what their site says....
ldd /usr/bin/smbd looks like Sernet's package is linked against the
system kerberos library (MIT kerberos):

  [root@rhws tmp]# rpm -qf /usr/sbin/smbd 
  samba3-3.0.22-26
  [root@rhws tmp]# rpm -qi samba3
  Name        : samba3                       Relocations: (not relocatable)
  Version     : 3.0.22                            Vendor: Service Network GmbH,
Goettingen
  Release     : 26                            Build Date: Fri 31 Mar 2006
01:30:19 PM CEST
  Install Date: Mon 08 May 2006 12:56:45 PM CEST      Build Host: opi
  Group       : Productivity/Networking/Samba   Source RPM:
samba3-3.0.22-26.src.rpm
  Size        : 44867747                         License: GNU GPL
  Signature   : (none)
  Packager    : SerNet Samba Team <Samba@SerNet.DE>
  URL         : http://www.samba.org
  Summary     : An SMB/CIFS file server
  Description :
  Samba is a suite of programs which work together to allow clients to
  access Unix filespace and printers via the SMB/CIFS protocol.
  [root@rhws tmp]# ldd /usr/sbin/smbd | grep krb
          libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00319000)
          libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x002c7000)
  [root@rhws tmp]# 

but it also seems to have some parts of heimdal included:

  [root@rhws tmp]# strings /usr/sbin/smbd | grep -i heimd
  heimdal_long_version
  heimdal_version
  Heimdal 0.7.2
  @(#)$Version: Heimdal 0.7.2 by root on opi (i686-pc-linux-gnu) Fri Mar 31
05:23:15 EST 2006 $
  [root@rhws tmp]# 

I don't know if that is the reason for the problem, but linking
against two differnt kerberos libraries might cause trouble.

Mark
>         
>         I have successfully compiled samba from source on CentOS, but
>         have never
>         gotten these SerNet binaries to work.  Can anybody point me in
>         the
>         direction to fix this, or explain?  
>         
>         Thanks all :-)
>         
>         --
>         Matt Sellers
>         matt@indigo.nu   
>         
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba

On 2006-05-08 at 22:37 -0500 Matt Sellers sent off:
>         Samba packages from SerNet.de
>         
>         http://enterprisesamba.org/index.php?id=64
this is a known problem and we are working on it. The problem is that 
the heimdal krb5 namespace is being overwritten by the system krb5 
libs which come into becuase of cross dependencies. I hope we will 
have fixed this soon. But you can use security=domain instead of 
security=ads also with AD domains. Our packages do not enforce 
the use of kerberos - we removed the "do-the-right-thing" 
feature, only if you set security=ads you use kerberos; 
security=domain will force ntlm.

Bjoern
-- 
Bj?rn Jacke,  SerNet Service Network GmbH
Phone: +49-(0)551-370000-0,  Fax: +49-(0)551-370000-9