Hi, I did what you advised. I still have the same problem. I can see the shares from Win2k and XP but cannot browse the shares that need authentication (valid users). I can map them with the IP address but not with the netbios name. I don't get any ticket from Win2k and XP clients.

All of the following work right: net ads leave, net ads join, wbinfo -u, wbinfo -g, getent passwd, getent group, smbclient //win2k_server/share -k

Can you see anything wrong in my conf files? Anything more to try?

My krb5.conf file is the following:

======================= krb5.conf ==========================
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = HGUV.LOCAL
 default_etypes = des-cbc-crc des-cbc-md5
 default_etypes_des = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 # permitted_enctypes = des-cbc-md5 des-cbc-crc
 kdc_req_checksum_type = 2
 clockskew = 600
 dns_lookup_realm = false
 dns_lookup_kdc = true
 forwardable = true
 proxiable = true
 checksum_type = 2
 ccache_type = 1

[realms]
 HGUV.LOCAL = {
  kdc = 10.36.192.24:88
  admin_server = 10.36.192.24:749
  default_domain = hguv.local
 }

[domain_realm]
 .hguv.local = HGUV.LOCAL
 hguv.local = HGUV.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

[login]
 krb4_convert = false
 krb4_get_tickets = false
================================================================

The tickets I get are:

[EMAIL PROTECTED] etc]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
12/15/03 09:34:53  12/15/03 19:34:54  krbtgt/[EMAIL PROTECTED]
        renew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
12/15/03 09:35:09  12/15/03 19:34:54  [EMAIL PROTECTED]
        renew until 12/16/03 09:34:53, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
12/15/03 09:35:09  12/15/03 19:34:54  kadmin/[EMAIL PROTECTED]
        renew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
=================================================================

I don't get a ticket for Win2k and XP clients.

More interesting info:

================ libs used by winbindd and smbd ================
[EMAIL PROTECTED] sbin]# ldd winbindd
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4002c000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4005a000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4006c000)
        libdl.so.2 => /lib/libdl.so.2 (0x40081000)
        libpopt.so.0 => /usr/lib/libpopt.so.0 (0x40084000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x4008c000)
        libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x40160000)
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x40172000)
        libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x401d0000)
        libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x401f0000)
        libldap.so.2 => /usr/lib/libldap.so.2 (0x401f2000)
        liblber.so.2 => /usr/lib/liblber.so.2 (0x4021c000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40228000)
        libssl.so.2 => /lib/libssl.so.2 (0x40233000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
        libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40263000)
        libpam.so.0 => /lib/libpam.so.0 (0x4026a000)

[EMAIL PROTECTED] sbin]# ldd smbd
        libldap.so.2 => /usr/lib/libldap.so.2 (0x4002c000)
        liblber.so.2 => /usr/lib/liblber.so.2 (0x40057000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x40062000)
        libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x40136000)
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x40147000)
        libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x401a5000)
        libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x401c5000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x401c8000)
        libcups.so.2 => /usr/lib/libcups.so.2 (0x401da000)
        libssl.so.2 => /lib/libssl.so.2 (0x401f4000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40224000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40239000)
        libpam.so.0 => /lib/libpam.so.0 (0x40266000)
        libattr.so.1 => /lib/libattr.so.1 (0x4026f000)
        libacl.so.1 => /lib/libacl.so.1 (0x40273000)
        libdl.so.2 => /lib/libdl.so.2 (0x4027b000)
        libpopt.so.0 => /usr/lib/libpopt.so.0 (0x4027e000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40286000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
        libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40292000)

======================== kerberos version ===============
[EMAIL PROTECTED] sbin]# strings /usr/local/lib/libkrb5.so.3.2 | grep BRAND
KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730

======================== ld.so.conf =====================
/usr/local/lib
/usr/X11R6/lib
/usr/lib/mysql
/usr/lib/qt-3.0.5/lib
/usr/lib/sane
/usr/lib/qt2/lib
/usr/lib/wine

================= smb.conf ========================
[global]
 workgroup = HGUV
 realm = HGUV.LOCAL
 server string = %h server (Samba %v)
 security = ADS
 password server = 10.36.192.24
 log level = 2 winbind:5
 log file = /var/log/samba/%m.log
 max log size = 0
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 dns proxy = No
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 template shell = /bin/bash
 winbind separator = +
 printing = lprng

[homes]
 comment = Home Directories
 path = /home/%U
 valid users = %D+%U
 read only = No
 create mask = 0664
 directory mask = 0775
 browseable = No

[printers]
 comment = All Printers
 path = /var/spool/samba
 printable = Yes
 browseable = No

[tmp]
 comment = Temporary file space
 path = /tmp
 force user = inform
 force group = inform
 read only = No
 guest ok = Yes

[Intranet]
 comment = DocumentRoot of the HGUV intranet web server
 path = /var/www
 valid users = root, HGUV+Administrador, HGUV+fruza, HGUV+bperez
 force user = inform
 force group = inform
 read only = No
 create mask = 0777
 directory mask = 0777

[mysql]
 comment = mysql database
 path = /var/lib/mysql
 force user = inform
 force group = inform
 read only = No
 guest ok = Yes
=========================================================

Thanks in advance for any reply,

Fernando.
On Fri, 2003-12-12 at 21:56, Tim Jordan wrote:
> Browsing is working from my W2K and XP clients to the samba server
> using kerberos.
> Samba Server is joined to Active Directory as a Domain Member server.
>
> I commented out the following line of my krb5.conf:
>
> #permitted_enctypes = des-cbc-crc des-cbc-md5
>
> Make sure these lines are correct:
> default_tgs_enctypes = des-cbc-crc des-cbc-md5
> default_tkt_enctypes = des-cbc-crc des-cbc-md5
>
> *Make sure to stop and restart smbd, nmbd, and winbindd. These
> changes did nothing for me until I restarted at least winbindd.
>
> I set this up with Mandrake 9.2 using samba3.0.1-0.pre3.2mdk.i586
> rpm's from:
> http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/
>
> I'm working on a final write up of my configuration if anyone is
> interested in creating an Active Directory member server running Samba
> 3.
>
> Thanks to Jeff Jordan with the State of Alaska, Dept. of Labor for
> lending his Windows expertise!
>
> Tim
>
> On Fri, 2003-12-12 at 08:07, Tom Dickson wrote:
> > You can try running the
> >
> > strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> >
> > command and looking at what you get. 1-3-1 or something is MIT.
> >
> > Also, I'm wondering if the fact that you can connect by IP and not by
> > name indicates that the 2000 server is looking up the name in, say, DNS
> > only and ignoring WINS. Perhaps my WINS server is misconfigured.
> >
> > Well, I have to run Netbench tests, so I just dropped back to NT4 style
> > auth, which works fine for me.
> >
> > -Tom
> >
> > Tim Jordan wrote:
> >
> > | Perhaps we can work together. Jerry mentioned in previous posts about
> > | the encryption options in the krb5.conf.
> > | The Official Samba How To states: "On a Windows 2000 client, try net
> > | use * \\server\share. You should be logged in with Kerberos without
> > | needing to know a password. If this fails then run klist tickets.
> > | Did you get a ticket for the server? Does it have an encryption type of
> > | DES-CBC-MD5?"
> > |
> > | "Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
> > | encoding."
> > |
> > | I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
> > | Jerry suggested:
> > |
> > | /etc/krb5.conf:
> > |
> > |>[EMAIL PROTECTED] samba3]# cat /etc/krb5.conf
> > |>[logging]
> > |> default = FILE:/var/log/kerberos/krb5libs.log
> > |> kdc = FILE:/var/log/kerberos/krb5kdc.log
> > |> admin_server = FILE:/var/log/kerberos/kadmind.log
> > |>
> > |>[libdefaults]
> > |> ticket_lifetime = 24000
> > |> default_realm = LABOR.AK
> > |> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> > |> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > |> permitted_enctypes = des-cbc-md5 des-cbc-crc
> > |> dns_lookup_realm = false
> > |> dns_lookup_kdc = false
> > |> kdc_req_checksum_type = 2
> > |> checksum_type = 2
> > |> ccache_type = 1
> > |> forwardable = true
> > |> proxiable = true
> > |>
> > |>[realms]
> > |> LABOR.AK = {
> > |>  kdc = MY-KDC.LABOR.AK:88
> > |>  admin_server = MY-KDC.LABOR.AK:749
> > |>  default_domain = LABOR.AK
> > |> }
> > |>
> > |>[domain_realm]
> > |> .LABOR.AK = LABOR.AK
> > |>
> > |>[kdc]
> > |> profile = /etc/kerberos/krb5kdc/kdc.conf
> > |>
> > |>[pam]
> > |> debug = false
> > |> ticket_lifetime = 36000
> > |> renew_lifetime = 36000
> > |> forwardable = true
> > |> krb4_convert = false
> > |>
> > |> [login]
> > |> krb4_convert = false
> > |> krb4_get_tickets = false
> > |>
> > | It did change the encryption of the ticket I'm getting when I kinit as my
> > | username.
> > |
> > |>Valid starting     Expires            Service principal
> > |>12/11/03 16:00:49  12/12/03 02:01:00  krbtgt/[EMAIL PROTECTED]
> > |>        renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
> > |>
> > |>
> > |>Kerberos 4 ticket cache: /tmp/tkt0
> > |>
> > | Notice I'm getting "DES cbc mode with RSA-MD5".
> > |
> > | This did not solve the underlying problem of being able to view the
> > | samba shares from a w2k or xp client.
> > |
> > | How would I be able to tell if I'm using MIT or Heimdal kerberos?
> > |
> > | I did get this working on a Gentoo system, so I know it works.
> > |
> > | Who knows encryption on the list that can advise....anyone?
> > |
> > | Tim
> > |
> > | On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:
> > |
> > |> Same problem. I have been with it for weeks. I can connect using IP
> > |> address from the Win2k clients, however with the netbios name I get the
> > |> error.
> > |>
> > |> Someone has told me today that this was solved in the new release
> > |> samba-3.0.1rc2-1, however I've already tested it and I still have the
> > |> same problem.
> > |>
> > |> Please, any more clues?
> > |>
> > |> Thanks,
> > |>
> > |> Fernando.
> > |>
> > |>
> > |> On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
> > |>> I'm getting the same error about encryption ...
> > |>>
> > |>> I have taken Tom's lead and have provided the output below. Is there a
> > |>> certain version of krb5 that we should be running?
> > |>>
> > |>>
> > |>> [EMAIL PROTECTED] tim]# smbd3 --version
> > |>> Version 3.0.1pre3
> > |>>
> > |>> [EMAIL PROTECTED] tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> > |>> KRB5_BRAND: krb5-1-3-final 1.3 20030708
> > |>>
> > |>> I'm running Mandrake 9.2
> > |>>
> > |>> Thank You Samba Team!
> > |>> Tim
> > |>>
> > |>> On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
> > |>> >
> > |>> > OK. I've done some more research, and here's what I get.
> > |>> >
> > |>> > smbd --version
> > |>> > Version 3.0.0
> > |>> >
> > |>> > strings libkrb5.so.3.2 | grep BRAND
> > |>> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
> > |>> >
> > |>> > Everything seems to work, but trying to access the Samba server results in:
> > |>> >
> > |>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
> > |>> >   ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt
> > |>> >   integrity check failed
> > |>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
> > |>> >   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> > |>> > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > |>> >   Failed to verify incoming ticket!
> > |>> > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
> > |>> >   error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> > |>> >
> > |>> > This is the same error you get if you're running the wrong KRB5 libs,
> > |>> > but I've got the right ones. The windows 2000 machine is 5.00.2195
> > |>> >
> > |>> > Windows 2000 clients connect to the ADS server fine, and will connect to
> > |>> > the Samba server if you enter Username/Password. The 2000 server cannot
> > |>> > connect to the Samba machine at all, even with the right username/pass.
> > |>> >
> > |>> > Is there a magic registry setting I'm missing? I've changed the
> > |>> > Administrator password at least once.
> > |>> >
> > |>> > -Tom
> > |>
> >

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
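The whole thread turns on one mismatch: the Windows 2000/XP clients present a ticket with enctype 23 (ARCFOUR-HMAC, which klist -e prints as "ArcFour with HMAC/md5"), while the krb5.conf files posted restrict the enctype lists to DES only, and Tim's fix was to drop the permitted_enctypes line and restart winbindd. The script below is an added example written for this page, not code from the Samba project or from anyone on the list. It parses the [libdefaults] section of a krb5.conf and the "enc type [N] failed to decrypt" lines smbd logs at log level 3, then reports every restricting key that excludes an enctype a client actually used. The sample krb5.conf and log line are constructed from the fragments quoted in the thread; the enctype numbers are the RFC 3961 / RFC 4757 assignments and the names are the spellings MIT krb5.conf accepts.

```python
"""Cross-check the enctype a client presented (per smbd's ads_verify_ticket
log lines) against the enctype restrictions in krb5.conf [libdefaults].
Example added for this page; not Samba project code.  Enctype numbers are
the RFC 3961 / RFC 4757 assignments, names are the MIT krb5.conf spellings."""
import re

# name -> enctype number (MIT spellings plus common aliases)
ENCTYPE_IDS = {
    "des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3,
    "des3-cbc-sha1": 16, "des3-hmac-sha1": 16, "des3-cbc-sha1-kd": 16,
    "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17,
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18,
    "arcfour-hmac": 23, "rc4-hmac": 23, "arcfour-hmac-md5": 23,
}
# number -> canonical name (the first spelling listed above wins)
ENCTYPE_NAMES = {}
for _name, _id in ENCTYPE_IDS.items():
    ENCTYPE_NAMES.setdefault(_id, _name)

# [libdefaults] keys that narrow the enctypes MIT krb5 will request or accept
RESTRICTING_KEYS = ("permitted_enctypes", "default_tgs_enctypes",
                    "default_tkt_enctypes")
# the smbd 3.0 message quoted in the thread (only logged at log level >= 3)
LOG_RE = re.compile(r"ads_verify_ticket: enc type \[(\d+)\] failed to decrypt")


def parse_libdefaults(conf_text):
    """Key/value pairs of [libdefaults].  Lines starting with '#' or ';' are
    comments, so a commented-out permitted_enctypes line is reported as absent,
    which is also how the library sees it."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def enctype_set(value):
    """Map a space-separated enctype list to numbers.  Unknown names are
    returned separately: a misspelt name silently shrinks the allowed set."""
    ids, unknown = set(), []
    for token in value.split():
        et = ENCTYPE_IDS.get(token.lower())
        if et is None:
            unknown.append(token)
        else:
            ids.add(et)
    return ids, unknown


def presented_enctypes(log_text):
    """Enctype numbers smbd logged as failing to decrypt (sorted, unique)."""
    return sorted({int(m.group(1)) for m in LOG_RE.finditer(log_text)})


def check(conf_text, log_text):
    """List every restricting key that excludes an enctype a client used."""
    libdefaults = parse_libdefaults(conf_text)
    presented = presented_enctypes(log_text)
    findings = []
    for key in RESTRICTING_KEYS:
        if key not in libdefaults:
            continue
        allowed, unknown = enctype_set(libdefaults[key])
        for name in unknown:
            findings.append(f"{key}: unrecognised enctype name {name!r}")
        for et in presented:
            if et not in allowed:
                findings.append(
                    f"{key} = {libdefaults[key]} excludes enctype {et} "
                    f"({ENCTYPE_NAMES.get(et, 'unknown')}) that a client presented")
    return {"presented": presented, "findings": findings}


# Constructed sample input: the enctype lines from Fernando's krb5.conf (with
# permitted_enctypes commented out) and the decrypt failure from Tom's log.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = HGUV.LOCAL
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 # permitted_enctypes = des-cbc-md5 des-cbc-crc

[realms]
 HGUV.LOCAL = {
  kdc = 10.36.192.24:88
 }
"""
SAMPLE_SMBD_LOG = """\
[2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
"""

if __name__ == "__main__":
    result = check(SAMPLE_KRB5_CONF, SAMPLE_SMBD_LOG)
    print("enctypes clients presented:", result["presented"])
    for finding in result["findings"]:
        print("WARNING:", finding)
```

Point it at the real files with check(open("/etc/krb5.conf").read(), open("/var/log/samba/<client>.log").read()); the "enc type [N]" line only appears at log level 3 or higher, as in Tom's trace. In MIT's documentation the two default_*_enctypes keys govern what this host's own kinit asks for and permitted_enctypes what the library will accept for session keys, so all three are checked. Note that the check confirms a configuration that cannot accept the client's enctype; a ticket can still fail to decrypt with the lists wide open if the service key Samba holds does not match the machine account in AD, which the log line alone does not distinguish.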