G.W. Haywood
2012-Oct-17 14:06 UTC
[Samba] Win2k auth on named share fails on mixed Windows network.
Hi there,

Background:

Samba 3.6.6 compiled from source on Debian Squeeze using the Debian-installed Kerberos (1.8.3) libraries. Running in an Active Directory domain with mixed Win2k Server and Win2k3 Server DCs. Yes, I've been trying to persuade them. Both WINS and DNS name resolution work on the system. Samba uses the DCs for WINS, and the DCs are also name servers with an additional forwarder (dnsmasq) running on a firewall. Under normal circumstances, Windows 7 Pro and XP Pro clients have no problems (although a power failure does generally throw a spanner in the works for several hours - may be the subject of another thread).

With the appropriate credentials, 'smbclient' running on the Linux server can connect to shares, but using the same credentials Windows 2000 Pro client workstations can access shares only by IP, not name. Searching the archives, this seems to be a very common problem which has sometimes been solved and sometimes not.

I've tried setting "kerberos method = secrets and keytab" in smb.conf and KB833708, both to no avail.

8<----------------------------------------------------------------------
c:\>net view palatine
System error 5 has occurred.

Access is denied.

c:\>net view 192.168.0.250
Shared resources at 192.168.0.250

Samba server

Share name ...
8<----------------------------------------------------------------------

Samba logs show in this case:

[2012/10/17 12:07:02.607012, 3] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Encryption type not permitted

which indicates that the Kerberos libraries are not permitting the encryption type, either because it is not available in the libraries or because it's restricted by the config. I believe the encryption type to be available in these libraries, so my guess is that it is not being permitted for some reason. I postulate that it's considered a weak type, so I propose to permit weak encryption types.

Questions:

1. If for example I were to make a change in /etc/krb5.conf to permit less secure encryption types by setting

[libdefaults]
allow_weak_crypto = 1

do I have to restart Samba for the change to take effect? The reason for the question is that restarting Samba in this situation causes a good deal of grief for the users, so I'd rather not have to do it.

2. Is there a way to ask Samba what encryption types will be allowed and what types will not be allowed?

3. Is there a definitive list of the encryption types and the integers used to refer to them in the Samba logs?

4. Is there some kind of 'graceful' Samba restart which users wouldn't dislike so much? :)

I've been R-ing the FM and searching archives for a couple of weeks solid now and it's starting to hurt, so any pointers to bits of the FM to R will be more than welcome.

--

73,
Ged.
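As an added example (not part of the thread), a small Python script that decodes the numeric enctype in Samba's "enc type [N] failed to decrypt" lines using the RFC enctype registry and marks the types that MIT krb5 filters out unless allow_weak_crypto is set; the weak set is taken from MIT's krb5.conf documentation, and the sample input is the two log lines from the post plus a constructed DES failure for contrast.

```python
import re

# Kerberos enctype numbers from RFC 3961, RFC 4757 (RC4) and RFC 8009 (AES-SHA2).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",  # RC4-HMAC, the type in the post's log line
    24: "arcfour-hmac-exp",
}
# Types MIT krb5 filters out unless allow_weak_crypto = true (per its krb5.conf
# documentation): the single-DES family and export-grade RC4. Plain arcfour-hmac
# (23) is not in this set, so a refusal of 23 is more likely to come from the
# permitted_enctypes / default_*_enctypes lists than from the weak-crypto filter.
WEAK_ENCTYPES = {1, 2, 3, 24}

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+),\s*(\d+)\]")
ENCTYPE_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+?)\s*$")


def describe_enctype(etype):
    """Return (name, is_weak) for a numeric Kerberos enctype."""
    return ENCTYPE_NAMES.get(etype, "unknown(%d)" % etype), etype in WEAK_ENCTYPES


def parse_samba_log(lines):
    """Collect every 'enc type [N] failed to decrypt' entry from Samba debug output.
    Samba writes a '[timestamp, level]' header line before each message, so the
    most recent header's timestamp is attached to the failure that follows it."""
    findings, timestamp = [], None
    for line in lines:
        header = HEADER_RE.match(line)
        if header:
            timestamp = header.group(1)
            continue
        m = ENCTYPE_RE.search(line)
        if m:
            etype = int(m.group(1))
            name, weak = describe_enctype(etype)
            findings.append({"timestamp": timestamp, "enctype": etype, "name": name,
                             "weak": weak, "error": m.group(2)})
    return findings


# Constructed sample: the two lines quoted in the post, plus a DES failure for contrast.
SAMPLE_LOG = """[2012/10/17 12:07:02.607012, 3] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Encryption type not permitted
[2012/10/17 12:07:02.607100, 3] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Encryption type not permitted
""".splitlines()
```

Feed it `log.smbd` (or any file at debug level 3 or higher) via `parse_samba_log(open(path))` to see which enctypes the library is refusing before touching krb5.conf.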
Dale Schroeder
2012-Oct-17 19:28 UTC
[Samba] Win2k auth on named share fails on mixed Windows network.
There was a problem with Debian Squeeze in early 2010 while still in testing, but it was fixed before being released as stable, so it may not be the exact same problem. The problem was related to libkrb5-3. For me, it affected both w2k and xp systems - there were no Vista/Win7 systems here at that time. Check to see if this is relevant to you:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977

'smbcontrol [all/smbd/nmbd/winbindd] reload-config' might be the graceful restart for which you are looking.

Dale

On 10/17/2012 9:06 AM, G.W. Haywood wrote: