Blindauer Emmanuel wrote:

On Saturday 11 September 2004 00:17, Blindauer Emmanuel wrote:

attached are logs from smbd, krb5.conf and smb.conf

[global]
    workgroup = DPTINFO
    server string = %h server (Samba %v)

    security = ads
    realm = DPTINFO.URS.LOCAL


[libdefaults]
    default_realm = DPTINFO.URS.LOCAL
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }

[realms]
    DPTINFO.URS.LOCAL = {
        kdc = canard.u-strasbg.fr
        admin_server = canard.u-strasbg.fr
    }

[domain_realm]
    .u-strasbg.fr = DPTINFO.URS.LOCAL
    u-strasbg.fr = DPTINFO.URS.LOCAL

Hi,
Your situation looks a lot like mine.
Your realm and DNS names are not equivalent.
See https://bugzilla.samba.org/show_bug.cgi?id=1651
You'll find a workaround in there.

For you and your domain_realm mapping,
it looks like a client machine called hypothetically poem.u-strasbg.fr
in the realm DPTINFO.URS.LOCAL ought to have
a servicePrincipalName of HOST/[EMAIL PROTECTED]
That would comply with your domain_realm mapping.

But if you checked the AD, it would probably have been created by samba
as HOST/[EMAIL PROTECTED]
Attempts to communicate by constructing the long form servicePrincipalName
using the HOST/[EMAIL PROTECTED] will fail.
Although samba mostly works OK because it mostly seems to use the short form
of the service name HOST/[EMAIL PROTECTED] when it builds
servicePrincipalName or CIFS/[EMAIL PROTECTED]

The hardest part of Kerberos AD integration is trying to talk sensibly about
HOST/[EMAIL PROTECTED] and HOST/[EMAIL PROTECTED]
in an environment where REALM and DOMAIN get used interchangeably.

Also, I found I had to explicitly state my default enctypes to include rc4-hmac
or apply the hotfix from MS to allow des-cbc-crc enctypes.


Also, if I want to make these log entries go away

[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
 ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type

I have to explicitly set the order of the permitted enctypes so the common case is the first in the list.
During debugging, I just listed every possible enctype in the permitted list and just haven't cleaned it up.


MS AD uses rc4-hmac (arcfour-hmac-md5). If it's first in the default list, the first attempt will succeed.

This krb5.conf works with MIT kerberos 3.1.4.
Oh, and you have to add the real dns names in MS AD servicePrincipalName as HOST and CIFS


[libdefaults]
    default_realm = NT.LDXNET.COM
    default_keytab_name = FILE:/etc/krb5.keytab
    default_keytab_name = /etc/krb5.keytab
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-cbc-sha1 des-cbc-md4 ...

[realms]
    NT.LDXNET.COM = {
        kdc = ranger1.nt.ldxnet.com:88
        admin_server = ranger1.nt.ldxnet.com:749
        default_domain = nt.ldxnet.com
    }

[domain_realm]
    .nt.ldxnet.com = NT.LDXNET.COM
    nt.ldxnet.com = NT.LDXNET.COM
    gate.ldxnet.com = NT.LDXNET.COM
    ldxnet.com = NT.LDXNET.COM
    .ldxnet.com = NT.LDXNET.COM

Hope it helps.

Regards, Doug
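Two points in Doug's reply lend themselves to a mechanical check: which realm a given host name lands in under the [domain_realm] mapping (and therefore which HOST/... principal the client and AD must agree on), and whether the enctype lists put rc4-hmac first so that the "Bad encryption type" decrypt attempts are not logged before the one that works. The script below is an added example written for this thread, not code from either poster or from Samba or MIT Kerberos. It assumes MIT's documented [domain_realm] lookup order (exact host entry, then the longest matching ".parent.domain" entry, then default_realm) and assumes the long and short principal spellings are HOST/fqdn@REALM and HOST/NETBIOS@REALM; the sample krb5.conf is constructed from the fragments quoted above, with a deliberately wrong enctype order so the check has something to report.

```python
"""Added example (not part of the original thread): parse a krb5.conf-style file,
resolve the realm a hostname maps to via [domain_realm], derive the principal
spellings Samba and AD have to agree on, and flag enctype lists whose first
entry is not the one AD prefers (rc4-hmac)."""
import re

# Constructed sample, modelled on the krb5.conf quoted in the thread. The
# enctype lines are an assumption chosen to put des-cbc-crc first on purpose.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = DPTINFO.URS.LOCAL
    default_tgs_enctypes = des-cbc-crc rc4-hmac
    default_tkt_enctypes = rc4-hmac des-cbc-crc
    permitted_enctypes = des-cbc-crc des-cbc-md5 rc4-hmac

[realms]
    DPTINFO.URS.LOCAL = {
        kdc = canard.u-strasbg.fr
        admin_server = canard.u-strasbg.fr
    }

[domain_realm]
    .u-strasbg.fr = DPTINFO.URS.LOCAL
    u-strasbg.fr = DPTINFO.URS.LOCAL
"""

# Spellings MIT accepts for the enctype AD uses; the set is an assumption.
RC4_ALIASES = {"rc4-hmac", "arcfour-hmac-md5", "arcfour-hmac"}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: one dict per [section], `name = { ... }` blocks
    become nested dicts, and a repeated key keeps its first value (MIT semantics).
    Lines starting with # or ; are comments."""
    conf = {}
    section = None
    stack = []  # nested dicts currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header and not stack:
            section = conf.setdefault(header.group(1), {})
            continue
        if section is None:
            continue  # key outside any section: ignore, as MIT does
        if line == "}":
            if stack:
                stack.pop()
            continue
        target = stack[-1] if stack else section
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(target.setdefault(key, {}))
        elif key not in target:
            target[key] = value
    return conf


def realm_for_host(conf, hostname):
    """Apply [domain_realm] in MIT's order: exact host entry, then the longest
    matching '.parent.domain' entry, then libdefaults default_realm.
    Returns (realm, which_rule_matched)."""
    host = hostname.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host], "exact"
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate], candidate
    return conf.get("libdefaults", {}).get("default_realm"), "default_realm"


def expected_principals(hostname, realm, service="HOST"):
    """The two spellings the thread contrasts: long form on the DNS name and
    short form on the NetBIOS-style host label (assumed formats)."""
    fqdn = hostname.lower().rstrip(".")
    short = fqdn.split(".")[0].upper()
    return {"long": f"{service}/{fqdn}@{realm}",
            "short": f"{service}/{short}@{realm}"}


def enctype_warnings(conf):
    """List (setting, first_enctype) for every enctype list in [libdefaults]
    whose first entry is not rc4-hmac; each such list means a failed decrypt
    attempt is logged before the matching enctype is tried."""
    libdefaults = conf.get("libdefaults", {})
    warnings = []
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        value = libdefaults.get(key)
        if value is None:
            continue
        first = value.replace(",", " ").split()[0].lower()
        if first not in RC4_ALIASES:
            warnings.append((key, first))
    return warnings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    realm, rule = realm_for_host(conf, "poem.u-strasbg.fr")
    print(f"poem.u-strasbg.fr -> {realm} (matched by {rule})")
    print(expected_principals("poem.u-strasbg.fr", realm))
    for key, first in enctype_warnings(conf):
        print(f"{key}: first enctype is {first}; AD prefers rc4-hmac")
```

Run against the sample, the script reports that poem.u-strasbg.fr maps to DPTINFO.URS.LOCAL through the ".u-strasbg.fr" entry, prints both HOST/ principal spellings to compare against the servicePrincipalName actually stored in AD, and lists default_tgs_enctypes and permitted_enctypes as the two settings where des-cbc-crc would be tried first.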
