On Fri Jul 30 17:10:45 2004
nuno.silva at novabase.pt (Nuno Silva) wrote:

> > I'm trying to get Samba 3.0.2 working against a Windows 2003 Active
> > Directory. I can join the Linux box (RedHat Advanced Server) to the
> > domain using "net ads join" and it appears in the Windows machine's
> > Users and Computers snap in but when trying to map a drive from
> > Windows you just get a continuous password dialog box and on the
> > Linux box Samba produces the following error in the Samba log:
> > 
> > Smbd/sesssetup.c:reply_spnego_kerberos(173)
> >   Failed to verify incoming ticket!
> 
> This is probably a problem with your kerberos version.

I have been having the very same problem and managed to solve this. I'm
posting an answer to this question so that others can find this if
needed. (I'm not subscribed to the list, so please CC follow-ups if
needed).

The problem is, as you said, with the Kerberos version. I first used
MIT's implementation of Kerberos. Samba clients could correctly access
my Samba server (and I could see the KRB requests going to and from the
Win2k AD server) but as soon as I tried and did the same with a
Windows-based client, nothing worked, the Windows box kept asking for a
valid user/pass whereas the given ones were correct, and I got the same
"failed tickets" entries in my smbd logs.

I solved the problem by compiling Samba (3.0.7) against Heimdal Kerberos
instead of MIT.

As far as I understand the problem, this is due to MIT not supporting
the kind of encryption the Windows client is using to get the
tickets (this explains the problem not occurring with Samba clients).

Here is my smb.conf, in case it's needed:
-----
password server = ADVSERV
security = ADS
realm = EXAMPLE.COM
encrypt passwords = yes
client use spnego = no
username map = /usr/local/samba-ads/lib/username_map
workgroup = EXAMPLE
auth methods = winbind
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000

[tmp]
        path = /tmp
        browsable = yes
        writeable = yes
        preserve case = yes

[homes]
        comment = Home Directories
        valid users = %S
        force user = %S
        writable = yes
        guest ok = no
        browseable = no
-----

And (roughly) the process I followed to register the machine was:
# kinit [EMAIL PROTECTED]
[EMAIL PROTECTED]'s Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: [EMAIL PROTECTED]
    Cache version: 4

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
End time:   Oct 29 00:38:00 2004
Renew till: Nov  4 13:38:00 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:172.20.0.133

# net ads join
Using short domain name -- EXAMPLE
Joined 'FOO' to realm 'EXAMPLE.COM'
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: [EMAIL PROTECTED]
    Cache version: 4

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
End time:   Oct 29 00:38:00 2004
Renew till: Nov  4 13:38:00 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:172.20.0.133

Server: [EMAIL PROTECTED]
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
Start time: Oct 28 14:40:10 2004
End time:   Oct 29 00:38:00 2004
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: IPv4:172.20.0.133

Server: kadmin/[EMAIL PROTECTED]
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
Start time: Oct 28 14:40:10 2004
End time:   Oct 29 00:38:00 2004
Ticket flags: pre-authenticated
Addresses: IPv4:172.20.0.133

At this point, I could have Windows-using users connect to the Samba
server and be mapped to Unix users thanks to the username map.

-- 
Olivier Mehani <[EMAIL PROTECTED]>
Free&ALter Soft/Linbox - Paris
http://www.linbox.com
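As an added illustration (not part of Olivier's message or of Samba itself), a small Python parser for the Heimdal `klist -v` block format shown above. It extracts the etype and flags of each service ticket so an admin can check which encryption type the AD KDC actually issued (all arcfour-hmac-md5 in the post) and confirm the Kerberos library Samba was built against supports it; RC4 and DES etypes are reported as legacy. The sample output and principal names are constructed placeholders.

```python
import re

# Constructed sample in the shape of the post's `klist -v` output; the
# principals are placeholders, not values from the message.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@EXAMPLE.COM
    Cache version: 4

Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Ticket etype: arcfour-hmac-md5
Auth time:  Oct 28 14:38:00 2004
End time:   Oct 29 00:38:00 2004
Renew till: Nov  4 13:38:00 2004
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:172.20.0.133

Server: host/foo.example.com@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96
Auth time:  Oct 28 14:38:00 2004
Start time: Oct 28 14:40:10 2004
End time:   Oct 29 00:38:00 2004
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: IPv4:172.20.0.133
"""

# Etypes that modern Kerberos deployments treat as legacy (RC4-HMAC, single DES).
LEGACY_ETYPES = {"arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}


def parse_klist(text):
    """Return one dict per 'Server:' block with its server, etype and flag list."""
    tickets = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            cur = {"server": line.split(":", 1)[1].strip(), "etype": None, "flags": []}
            tickets.append(cur)
        elif cur is not None and line.startswith("Ticket etype:"):
            cur["etype"] = line.split(":", 1)[1].strip()
        elif cur is not None and line.startswith("Ticket flags:"):
            cur["flags"] = [f.strip() for f in line.split(":", 1)[1].split(",") if f.strip()]
    return tickets


def legacy_tickets(tickets):
    """Servers whose ticket etype is RC4/DES based; these need an old-etype-capable library."""
    return [t["server"] for t in tickets if t["etype"] in LEGACY_ETYPES]


if __name__ == "__main__":
    for t in parse_klist(SAMPLE_KLIST):
        print(f"{t['server']}: {t['etype']} {t['flags']}")
    print("legacy etypes:", legacy_tickets(parse_klist(SAMPLE_KLIST)))
```

Run it against real output with `klist -v | python3 this_script.py` after replacing `SAMPLE_KLIST` with `sys.stdin.read()`.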


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba