Juan Miguel Corral
2008-Oct-04 11:24 UTC
[Samba] Kerberos working on samba 3.2.3 PDC, but failing when joining the domain
Hello. I have a 3.2.3 Samba-LDAP PDC which shares the database with heimdal (so samba passwords are also kerberos passwords). I am able to use kerberos credentials to connect to the PDC shares with "smbclient -k", both on the server and linux workstations. The problem is that, as soon as I try to join the PDC to its own domain (with "net join"), so I can use winbind on the PDC, then I cannot use kerberos tickets anymore to connect to the shares, neither from the PDC nor from the workstations. Is it a bug, or is it normal?

This is the relevant section of my smb.conf:

    workgroup = CFS
    realm = CFS.ISST
    netbios name = sanmiguel
    server string = Servidor principal
    use kerberos keytab = yes
    use spnego = yes
    client ntlmv2 auth = yes
    username map = /etc/samba/usermap
    security = user
    encrypt passwords = yes
    os level = 255
    local master = yes
    domain master = yes
    preferred master = yes
    domain logons = yes
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldapsam:trusted = yes
    ldap admin dn = krb5PrincipalName=ldapmaster/admin@CFS.ISST,ou=KerberosPrincipals,dc=cfs,dc=isst
    ldap suffix = dc=cfs,dc=isst
    ldap group suffix = ou=Grupos
    ldap user suffix = ou=KerberosPrincipals
    ldap machine suffix = ou=Computadores
    ldap idmap suffix = ou=Idmap
    ldap ssl = On
    ldap delete dn = Yes
    idmap backend = ldap:ldap://127.0.0.1/
    idmap uid = 10000-15000
    idmap gid = 10000-15000

Here are the relevant logs for a successful kerberos connect (i.e., without joining the domain) from the server itself:

    [2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
      reply_spnego_negotiate: Got secblob of size 528
    [2008/10/04 12:44:33, 1] libads/kerberos_verify.c:ads_secrets_verify_ticket(240)
      ads_secrets_verify_ticket: failed to fetch machine password
    [2008/10/04 12:44:33, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(143)
      ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal cifs/sanmiguel.cfs.isst@CFS.ISST
    [2008/10/04 12:44:33, 3] libads/kerberos_verify.c:ads_verify_ticket(500)
      ads_verify_ticket: did not retrieve auth data. continuing without PAC
    [2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_kerberos(356)
      Ticket name is [root@CFS.ISST]
    [2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_kerberos(430)
      Could not find short name: WBC_ERR_WINBIND_NOT_AVAILABLE
    [2008/10/04 12:44:33, 2] lib/smbldap.c:smbldap_open_connection(796)
      smbldap_open_connection: connection opened
    [2008/10/04 12:44:33, 3] lib/smbldap.c:smbldap_connect_system(1007)
      ldap_connect_system: successful connection to the LDAP server

And, lastly, here is the log of a failed connect attempt (i.e., once joined to the domain):

    [2008/10/04 12:45:43, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
      reply_spnego_negotiate: Got secblob of size 527
    [2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
      ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
    [2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
      ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
    [2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
      ads_verify_ticket: krb5_rd_req with auth failed (Conseguido)
    [2008/10/04 12:45:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
    [2008/10/04 12:45:43, 3] smbd/error.c:error_packet_set(61)
      error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2008/10/04 12:45:43, 3] smbd/process.c:smbd_process(2035)
      receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
    [2008/10/04 12:45:43, 3] smbd/sec_ctx.c:set_sec_ctx(324)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2008/10/04 12:45:43, 3] smbd/connection.c:yield_connection(31)
      Yielding connection to
    [2008/10/04 12:45:43, 3] smbd/server.c:exit_server_common(949)
      Server exit (normal exit)

Thank you very much
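As an added example (not from the post, nor part of Samba itself), here is a small Python triage script that parses smbd debug entries in the format shown in the two logs above and reports which ticket verification path smbd took: whether the machine password stored by "net join" was present and able to decrypt the ticket (and the enc type when it was not), whether the keytab fallback found a matching principal, and the final outcome of the session setup. The sample entries are copied from the post's logs; the function names, the RULES table and the report keys are my own.

```python
import re

# smbd debug format: "[date time, level] file:function(line)" on one line, message on the next.
HEADER = re.compile(r"^\[(\S+ \S+), (\d+)\] (\S+?):(\w+)\((\d+)\)\s*$")

def parse_smbd_log(text):
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:  # new entry: remember the function that logged it
            entries.append({"level": int(m.group(2)), "func": m.group(4), "msg": ""})
        elif entries:  # continuation line: belongs to the last header seen
            entries[-1]["msg"] += line.strip() + " "
    return entries

RULES = [  # (logging function, pattern, report key, value prefix)
    ("ads_secrets_verify_ticket", r"failed to fetch machine password", "secrets", "missing"),
    ("ads_secrets_verify_ticket", r"enc type \[(\d+)\] failed to decrypt", "secrets", "decrypt-failed-enctype-"),
    ("ads_keytab_verify_ticket", r"succeeded for principal (\S+)", "keytab", "ok:"),
    ("ads_keytab_verify_ticket", r"failed for all (\d+) matched keytab principals", "keytab", "failed-all:"),
    ("reply_spnego_kerberos", r"Ticket name is \[([^\]]+)\]", "result", "accepted:"),
    ("reply_spnego_kerberos", r"error (NT_STATUS_\w+)", "result", "rejected:"),
]

def triage_kerberos(text):
    report = {}
    for e in parse_smbd_log(text):
        for func, pat, key, prefix in RULES:
            m = re.search(pat, e["msg"])
            if e["func"] == func and m:
                report[key] = prefix + (m.group(1) if m.groups() else "")
    return report

# Sample input: the relevant entries from the two logs in the post (before and after the join).
OK_LOG = """[2008/10/04 12:44:33, 1] libads/kerberos_verify.c:ads_secrets_verify_ticket(240)
  ads_secrets_verify_ticket: failed to fetch machine password
[2008/10/04 12:44:33, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(143)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal cifs/sanmiguel.cfs.isst@CFS.ISST
[2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_kerberos(356)
  Ticket name is [root@CFS.ISST]
[2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_kerberos(430)
  Could not find short name: WBC_ERR_WINBIND_NOT_AVAILABLE
"""
FAIL_LOG = """[2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
[2008/10/04 12:45:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
"""
```

Run `triage_kerberos(OK_LOG)` and `triage_kerberos(FAIL_LOG)` to compare the two paths: before the join the machine password is absent and the keytab verifies the service ticket, after the join the stored machine password is tried first and the ticket fails the integrity check under enc type 23.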