Have been running samba successfully authenticating to a windows 2003 domain since 3.0.1. Starting in 3.0.23 and 3.0.23b I can't do a "net ads join" on a HPUX itanium server running 11.23 ia64. I can kinit just fine w/ this userid. Samba was built with gcc 4.1.1. See below:

root@serv00 # kinit jjurich_wa
Password for jjurich_wa@DIVMS.UIOWA.EDU:
root@serv00 # /fs/exec/samba/3.0.23/bin/net ads join -U jjurich_wa
jjurich_wa's password:
[2006/08/22 13:15:34, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine serv09.divms.uiowa.edu pipe \lsarpc fnum 0x400dreturned critical error. Error was NT_STATUS_OK
[2006/08/22 13:15:34, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2265)
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_UNSUCCESSFUL
[2006/08/22 13:15:34, 0] utils/net_domain.c:netdom_get_domain_sid(169)
  Error connecting to LSA pipe. Error was NT_STATUS_UNSUCCESSFUL
Failed to join domain!

/fs/exec/samba/3.0.23/bin/net ads user -U jjurich_wa works fine as well.

root@serv00 # /fs/exec/samba/3.0.23/bin/net -V
Version 3.0.23b

Anyone else run into this? It is odd that the Error message is NT_STATUS_OK, methinks.

Regards,
JJ

--
--------------------------------------------------
JJ Urich
CSG Director
The University of Iowa
Phone 319-335-0750
Email: jjurich at divms dot uiowa dot edu
--------------------------------------------------

J J Urich wrote:
> Have been running samba successfully authenticating to a windows 2003
> domain since 3.0.1. Starting in 3.0.23 and 3.0.23b I can't do a "net
> ads join" on a HPUX itanium server running 11.23 ia64. I can kinit just
> fine w/ this userid. Samba was built with gcc 4.1.1. See below:

What version of the Krb5 libs are you running? There's an open issue with MIT Krb 1.2 (or any krb5 client lacking RC4-HMAC support).

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian

Jerry,

Checked http://www.software.hp.com and did a search for kerberos, and turns out HP has a new client and server version available for 11.23.

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRB5CLIENT

what is new in this release:

Kerberos Client version C.1.3.5.03 includes the following features new from Kerberos Client version 1.0:

* SASL/GSS-API bind to Netscape Directory Server used to fail when SSL was enabled. This problem has been fixed in this release.
* Support for powerful cryptographic algorithms like 3DES, RC4, and AES
* Support for TCP
  Kerberos Client libraries can now use TCP to connect to KDC. This may be necessary for the libraries to communicate with Microsoft KDCs (domain controllers) if they issue tickets with excessive PAC data.
* Security fixes up to version 1.3.5 made by MIT in the open source version of Kerberos Client

Installed it, rebuilt samba and now net ads join works on a test hpux system. I'll schedule a down time and try it in production shortly.

Cheers,
JJ

Gerald (Jerry) Carter wrote:
> JJ Urich wrote:
>
>> So why is it broken just in 3.0.23 and not in the
>> other versions? I know the net ads stuff got re-written
>> in 3.0.23, is that the problem?
>
> Yeah. That exposed the problem. We never had the DES
> session key crypto right for password changes. 3.0.23
> uses the same RPC calls that XP uses to join a domain whereas
> previous versions used raw LDAP modify calls to create
> the machine account (but this required domain admins privileges).
>
> cheers, jerry
> ====================================================================
> Samba ------- http://www.samba.org
> Centeris ----------- http://www.centeris.com
> "What man is a man who does not make the world better?" --Balian

--
--------------------------------------------------
JJ Urich
CSG Director
The University of Iowa
Phone 319-335-0750
Email: jjurich at divms dot uiowa dot edu
--------------------------------------------------