Well, I think I have already solved my problem. I've changed the Administrator password (as it says in the samba howto page 84, 7.4.6. Notes) and now it works great :-D
However, I have a doubt. After mapping from a Win2k client using:

    net use * \\MySambaServer\share

the share is mapped properly, but on my samba server I don't have a ticket for this Win2k client:

[EMAIL PROTECTED] samba]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
12/15/03 10:57:13  12/15/03 20:57:14  krbtgt/[EMAIL PROTECTED]
        renew until 12/16/03 10:57:13, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
12/15/03 10:57:49  12/15/03 20:57:14  [EMAIL PROTECTED]
        renew until 12/16/03 10:57:13, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
12/15/03 10:57:49  12/15/03 20:57:14  kadmin/[EMAIL PROTECTED]
        renew until 12/16/03 10:57:13, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Should I have got one ticket for each Win2k or XP client connected? Is this correct?

Thanks in advance,
Fernando.

On Mon, 2003-12-15 at 10:57, Fernando Ruza wrote:
> Hi,
>
> I did what you advised. I still have the same problem. I can see the shares
> from Win2k and XP but cannot browse the shares that need authentication
> (valid users). I can map them with the IP address but not with the netbios name.
> I don't get any ticket from the Win2k and XP clients.
>
> All of the following work right: net ads leave, net ads join, wbinfo
> -u, wbinfo -g, getent passwd, getent group, smbclient
> //win2k_server/share -k
>
> Could you see something wrong in my conf files? Any more things to try?
>
> My krb5.conf file is the following:
>
> ======================= krb5.conf ==========================
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = HGUV.LOCAL
>  default_etypes = des-cbc-crc des-cbc-md5
>  default_etypes_des = des-cbc-crc des-cbc-md5
>  default_tgs_enctypes = des-cbc-crc des-cbc-md5
>  default_tkt_enctypes = des-cbc-crc des-cbc-md5
>  # permitted_enctypes = des-cbc-md5 des-cbc-crc
>  kdc_req_checksum_type = 2
>  clockskew = 600
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  forwardable = true
>  proxiable = true
>  checksum_type = 2
>  ccache_type = 1
>
> [realms]
>  HGUV.LOCAL = {
>   kdc = 10.36.192.24:88
>   admin_server = 10.36.192.24:749
>   default_domain = hguv.local
>  }
>
> [domain_realm]
>  .hguv.local = HGUV.LOCAL
>  hguv.local = HGUV.LOCAL
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
>
> [login]
>  krb4_convert = false
>  krb4_get_tickets = false
>
> ================================================================
>
> The tickets I get are:
>
> [EMAIL PROTECTED] etc]# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 12/15/03 09:34:53  12/15/03 19:34:54  krbtgt/[EMAIL PROTECTED]
>         renew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> 12/15/03 09:35:09  12/15/03 19:34:54  [EMAIL PROTECTED]
>         renew until 12/16/03 09:34:53, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> 12/15/03 09:35:09  12/15/03 19:34:54  kadmin/[EMAIL PROTECTED]
>         renew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
>
> =================================================================
>
> I don't get a ticket for Win2k and XP clients.
> More interesting info:
>
> ================ libs used by winbindd and smbd ================
> [EMAIL PROTECTED] sbin]# ldd winbindd
>         libcrypt.so.1 => /lib/libcrypt.so.1 (0x4002c000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x4005a000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x4006c000)
>         libdl.so.2 => /lib/libdl.so.2 (0x40081000)
>         libpopt.so.0 => /usr/lib/libpopt.so.0 (0x40084000)
>         libcrypto.so.2 => /lib/libcrypto.so.2 (0x4008c000)
>         libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x40160000)
>         libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x40172000)
>         libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x401d0000)
>         libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x401f0000)
>         libldap.so.2 => /usr/lib/libldap.so.2 (0x401f2000)
>         liblber.so.2 => /usr/lib/liblber.so.2 (0x4021c000)
>         libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
>         libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40228000)
>         libssl.so.2 => /lib/libssl.so.2 (0x40233000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>         libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40263000)
>         libpam.so.0 => /lib/libpam.so.0 (0x4026a000)
>
> [EMAIL PROTECTED] sbin]# ldd smbd
>         libldap.so.2 => /usr/lib/libldap.so.2 (0x4002c000)
>         liblber.so.2 => /usr/lib/liblber.so.2 (0x40057000)
>         libcrypto.so.2 => /lib/libcrypto.so.2 (0x40062000)
>         libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x40136000)
>         libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x40147000)
>         libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x401a5000)
>         libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x401c5000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x401c8000)
>         libcups.so.2 => /usr/lib/libcups.so.2 (0x401da000)
>         libssl.so.2 => /lib/libssl.so.2 (0x401f4000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x40224000)
>         libcrypt.so.1 => /lib/libcrypt.so.1 (0x40239000)
>         libpam.so.0 => /lib/libpam.so.0 (0x40266000)
>         libattr.so.1 => /lib/libattr.so.1 (0x4026f000)
>         libacl.so.1 => /lib/libacl.so.1 (0x40273000)
>         libdl.so.2 => /lib/libdl.so.2 (0x4027b000)
>         libpopt.so.0 => /usr/lib/libpopt.so.0 (0x4027e000)
>         libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
>         libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40286000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>         libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40292000)
>
> ======================== kerberos version ===============
>
> [EMAIL PROTECTED] sbin]# strings /usr/local/lib/libkrb5.so.3.2 | grep BRAND
> KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
>
> ======================== ld.so.conf =====================
>
> /usr/local/lib
> /usr/X11R6/lib
> /usr/lib/mysql
> /usr/lib/qt-3.0.5/lib
> /usr/lib/sane
> /usr/lib/qt2/lib
> /usr/lib/wine
>
> ================= smb.conf ========================
> [global]
>         workgroup = HGUV
>         realm = HGUV.LOCAL
>         server string = %h server (Samba %v)
>         security = ADS
>         password server = 10.36.192.24
>         log level = 2 winbind:5
>         log file = /var/log/samba/%m.log
>         max log size = 0
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         dns proxy = No
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         template shell = /bin/bash
>         winbind separator = +
>         printing = lprng
>
> [homes]
>         comment = Home Directories
>         path = /home/%U
>         valid users = %D+%U
>         read only = No
>         create mask = 0664
>         directory mask = 0775
>         browseable = No
>
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         browseable = No
>
> [tmp]
>         comment = Temporary file space
>         path = /tmp
>         force user = inform
>         force group = inform
>         read only = No
>         guest ok = Yes
>
> [Intranet]
>         comment = DocumentRoot del servidor web de la intranet del HGUV
>         path = /var/www
>         valid users = root, HGUV+Administrador, HGUV+fruza, HGUV+bperez
>         force user = inform
>         force group = inform
>         read only = No
>         create mask = 0777
>         directory mask = 0777
>
> [mysql]
>         comment = Base de datos mysql
>         path = /var/lib/mysql
>         force user = inform
>         force group = inform
>         read only = No
>         guest ok = Yes
>
> =========================================================
>
> Thanks in advance for any reply,
>
> Fernando.
>
>
> On Fri, 2003-12-12 at 21:56, Tim Jordan wrote:
> > Browsing is working from my W2K and XP clients to the samba server
> > using kerberos.
> > Samba Server is joined to Active Directory as a Domain Member server.
> >
> > I commented out the following line of my krb5.conf:
> >
> > #permitted_enctypes = des-cbc-crc des-cbc-md5
> >
> > Make sure these lines are correct:
> > default_tgs_enctypes = des-cbc-crc des-cbc-md5
> > default_tkt_enctypes = des-cbc-crc des-cbc-md5
> >
> > *Make sure to stop and restart smbd, nmbd, and winbindd. These
> > changes did nothing for me until I restarted at least winbindd.
> >
> >
> > I set this up with Mandrake 9.2 using samba3.0.1-0.pre3.2mdk.i586
> > rpm's from:
> > http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/
> >
> >
> > I'm working on a final write-up of my configuration if anyone is
> > interested in creating an Active Directory member server running Samba
> > 3.
> >
> > Thanks to Jeff Jordan with the State of Alaska, Dept. of Labor for
> > lending his Windows expertise!
> >
> > Tim
> >
> >
> > On Fri, 2003-12-12 at 08:07, Tom Dickson wrote:
> > > You can try running the
> > >
> > > strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> > >
> > > command and looking at what you get. 1-3-1 or something is MIT.
> > >
> > > Also, I'm wondering if the fact that you can connect by IP and not by
> > > name indicates that the 2000 server is looking up the name in, say, DNS
> > > only and ignoring WINS. Perhaps my WINS server is misconfigured.
> > >
> > > Well, I have to run Netbench tests, so I just dropped back to NT4 style
> > > auth, which works fine for me.
> > >
> > > -Tom
> > >
> > > Tim Jordan wrote:
> > >
> > > | Perhaps we can work together.
> > > | Jerry mentioned in previous posts about
> > > | the encryption options in the krb5.conf.
> > > | The Official Samba How To states: "On a Windows 2000 client, try net
> > > | use * \\server\share. You should be logged in with Kerberos without
> > > | needing to know a password. If this fails then run klist tickets.
> > > | Did you get a ticket for the server? Does it have an encryption type of
> > > | DES-CBC-MD5?"
> > > |
> > > | "Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
> > > | encoding."
> > > |
> > > | I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
> > > | Jerry suggested:
> > > |
> > > | /etc/krb5.conf:
> > > |
> > > |>[EMAIL PROTECTED] samba3]# cat /etc/krb5.conf
> > > |>[logging]
> > > |> default = FILE:/var/log/kerberos/krb5libs.log
> > > |> kdc = FILE:/var/log/kerberos/krb5kdc.log
> > > |> admin_server = FILE:/var/log/kerberos/kadmind.log
> > > |>
> > > |>[libdefaults]
> > > |> ticket_lifetime = 24000
> > > |> default_realm = LABOR.AK
> > > |> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> > > |> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > > |> permitted_enctypes = des-cbc-md5 des-cbc-crc
> > > |> dns_lookup_realm = false
> > > |> dns_lookup_kdc = false
> > > |> kdc_req_checksum_type = 2
> > > |> checksum_type = 2
> > > |> ccache_type = 1
> > > |> forwardable = true
> > > |> proxiable = true
> > > |>
> > > |>[realms]
> > > |> LABOR.AK = {
> > > |>  kdc = MY-KDC.LABOR.AK:88
> > > |>  admin_server = MY-KDC.LABOR.AK:749
> > > |>  default_domain = LABOR.AK
> > > |> }
> > > |>
> > > |>[domain_realm]
> > > |> .LABOR.AK = LABOR.AK
> > > |>
> > > |>[kdc]
> > > |> profile = /etc/kerberos/krb5kdc/kdc.conf
> > > |>
> > > |>[pam]
> > > |> debug = false
> > > |> ticket_lifetime = 36000
> > > |> renew_lifetime = 36000
> > > |> forwardable = true
> > > |> krb4_convert = false
> > > |>
> > > |> [login]
> > > |> krb4_convert = false
> > > |> krb4_get_tickets = fals
> > > |>
> > > | It did change the encryption ticket I'm getting when I kinit as my
> > > | username.
> > > |
> > > |>Valid starting     Expires            Service principal
> > > |>12/11/03 16:00:49  12/12/03 02:01:00  krbtgt/[EMAIL PROTECTED]
> > > |>        renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
> > > |>
> > > |>
> > > |>Kerberos 4 ticket cache: /tmp/tkt0
> > > |>
> > > | Notice I'm getting "DES cbc mode with RSA-MD5".
> > > |
> > > | This did not solve the underlying problem of being able to view the
> > > | samba shares from a w2k or xp client.
> > > |
> > > | How would I be able to tell if I'm using MIT or Heimdal kerberos?
> > > |
> > > | I did get this working on a Gentoo system, so I know it works.
> > > |
> > > | Who knows encryption on the list that can advise....anyone?
> > > |
> > > | Tim
> > > |
> > > | On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:
> > > |
> > > |>Same problem. I have been with it for weeks. I can connect using the IP
> > > |>address from the Win2k clients, however with the netbios name I get the
> > > |>error.
> > > |>
> > > |>Someone has told me today that this was solved in the new release
> > > |>samba-3.0.1rc2-1, however I've already tested it and I still have the
> > > |>same problem.
> > > |>
> > > |>Please, any more clues.
> > > |>
> > > |>Thanks,
> > > |>
> > > |>Fernando.
> > > |>
> > > |>
> > > |>On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
> > > |>> I'm getting the same error about encryption ...
> > > |>>
> > > |>> I have taken Tom's lead and have provided the output below. Is there a
> > > |>> certain version of krb5 that we should be running?
> > > |>>
> > > |>>
> > > |>> [EMAIL PROTECTED] tim]# smbd3 --version
> > > |>> Version 3.0.1pre3
> > > |>>
> > > |>> [EMAIL PROTECTED] tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> > > |>> KRB5_BRAND: krb5-1-3-final 1.3 20030708
> > > |>>
> > > |>> I'm running Mandrake 9.2
> > > |>>
> > > |>> Thank You Samba Team!
> > > |>> Tim
> > > |>>
> > > |>> On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
> > > |>>
> > > |>> > OK. I've done some more research, and here's what I get.
> > > |>> >
> > > |>> > smbd --version
> > > |>> > Version 3.0.0
> > > |>> >
> > > |>> > strings libkrb5.so.3.2 | grep BRAND
> > > |>> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
> > > |>> >
> > > |>> > Everything seems to work, but trying to access the Samba server
> > > |>> > results in:
> > > |>> >
> > > |>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
> > > |>> >   ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
> > > |>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
> > > |>> >   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> > > |>> > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > > |>> >   Failed to verify incoming ticket!
> > > |>> > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
> > > |>> >   error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> > > |>> >
> > > |>> > This is the same error you get if you're running the wrong KRB5 libs,
> > > |>> > but I've the right ones. The Windows 2000 machine is 5.00.2195.
> > > |>> >
> > > |>> > Windows 2000 clients connect to the ADS server fine, and will
> > > |>> > connect to the Samba server if you enter Username/Password. The 2000 server
> > > |>> > cannot connect to the Samba machine at all, even with the right
> > > |>> > username/pass.
> > > |>> >
> > > |>> > Is there a magic registry setting I'm missing? I've changed the
> > > |>> > Administrator password at least once.
> > > |>> >
> > > |>> > -Tom
> > > |>
> > >

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
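Editor's note with an added example (not code from the thread, from Samba or from MIT Kerberos): the `klist -e` output Fernando quotes is the server's own credential cache, i.e. the tickets the Samba host obtained as a Kerberos client for its default principal. Tickets that Windows clients present to smbd are verified by smbd against the machine account's keys and are never written into that cache, so its contents say nothing about incoming client tickets. What does say something is the smbd log Tom quotes, where `enc type [23]` names the enctype of the ticket the client sent. The script below parses both artefacts: it lists each cached ticket with its enctypes and flags the single-DES ones, and it extracts the enctype number and error text from `ads_verify_ticket` failure lines, resolving the number through the standard Kerberos enctype registry (1 = des-cbc-crc, 3 = des-cbc-md5, 23 = arcfour-hmac-md5, 17/18 = AES). The sample `klist` listing and log excerpt are constructed to match the thread's format; the principal names in them are placeholders, and `enctypes_not_permitted` is a hypothetical helper that compares the enctypes seen in the log against an enctype list like the des-only ones in the quoted krb5.conf files.

```python
import re

# Kerberos enctype numbers from the RFC 3961 / RFC 4757 registry; these are
# the values smbd prints in its "enc type [N]" messages.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

# Constructed sample of MIT `klist -e` output, modelled on the listings in the
# thread; the principal names are placeholders, not values from the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@HGUV.LOCAL

Valid starting     Expires            Service principal
12/15/03 10:57:13  12/15/03 20:57:14  krbtgt/HGUV.LOCAL@HGUV.LOCAL
        renew until 12/16/03 10:57:13, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
12/15/03 10:57:49  12/15/03 20:57:14  ldap/dc.hguv.local@HGUV.LOCAL
        renew until 12/16/03 10:57:13, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""

# Constructed smbd log excerpt, modelled on the ads_verify_ticket lines quoted in the thread.
SAMPLE_SMBD_LOG = """\
[2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
"""

# One klist ticket line: start, expiry, service principal.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
# The continuation line klist -e prints with the session-key and ticket enctypes.
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+)$")
# smbd's per-enctype decryption failure message.
ENC_FAIL_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)$")


def parse_klist(text):
    """Return one dict per ticket in a `klist -e` listing: service principal,
    validity window and the session-key / ticket enctypes."""
    tickets = []
    current = None
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            current = {"start": m.group(1), "expires": m.group(2),
                       "service": m.group(3), "skey": None, "tkt": None}
            tickets.append(current)
            continue
        m = ETYPE_RE.search(line)
        if m and current is not None:
            current["skey"], current["tkt"] = m.group(1).strip(), m.group(2).strip()
    return tickets


def des_tickets(tickets):
    """Service principals whose ticket is protected with single DES, the
    enctype family the krb5.conf files in this thread pin themselves to."""
    return [t["service"] for t in tickets if t["tkt"] and t["tkt"].startswith("DES")]


def ticket_failures(log_text):
    """Pull the enctype number and error text out of smbd's ads_verify_ticket
    'failed to decrypt' lines and resolve the number to a registry name."""
    failures = []
    for line in log_text.splitlines():
        m = ENC_FAIL_RE.search(line)
        if m:
            num = int(m.group(1))
            failures.append({"enctype": num,
                             "name": ENCTYPE_NAMES.get(num, "unknown(%d)" % num),
                             "error": m.group(2).strip()})
    return failures


def enctypes_not_permitted(failures, permitted):
    """Hypothetical helper: enctype numbers clients presented that are absent
    from a configured enctype list such as 'des-cbc-crc des-cbc-md5'."""
    return sorted({f["enctype"] for f in failures if f["name"] not in permitted})


if __name__ == "__main__":
    cached = parse_klist(SAMPLE_KLIST)
    for t in cached:
        print("%-32s tkt enctype: %s" % (t["service"], t["tkt"]))
    print("single-DES tickets:", des_tickets(cached))
    seen = ticket_failures(SAMPLE_SMBD_LOG)
    for f in seen:
        print("client ticket enctype %d (%s): %s" % (f["enctype"], f["name"], f["error"]))
    print("not in des-only list:", enctypes_not_permitted(seen, ["des-cbc-crc", "des-cbc-md5"]))
```

Run against the constructed samples, the cache shows one DES-protected TGT and one ArcFour service ticket, while the log shows the client presenting enctype 23 (arcfour-hmac-md5), which is not in a des-only enctype list; that is the kind of mismatch a reader should look for before, as Tim advises, editing the enctype lines and restarting winbindd and smbd.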