Re: [Samba] PAM_WINBIND problem with sambaPwdMustChange
Hi friends,

Now it is working. When I use the command

  smbldap-usermod sachs -B 1

smbldap-tools changes only sambaPwdMustChange to 0. I will report this to IDEALX and to the Debian group.

Thanks!

2009/3/13 David Markey <dmar...@comp.dit.ie>:
> sambaPwdMustChange is deprecated. It is now calculated dynamically:
>
>   sambaPwdLastSet + sambaMaxPwdAge
>
> If you want to force a password change, set sambaPwdLastSet to 0.
>
> Eduardo Sachs wrote:
>> Hi people! I use pam_winbind for authentication on my workstation running Debian Lenny 5.0 (stable). I configured my user with the option sambaPwdMustChange: 0, and I log on in GDM without being asked to change the password. Who knows what this can be?
>>
>> I use a Samba PDC with Heimdal Kerberos, but I configured PAM with only pam_winbind for the tests...
>>
>> [...]

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
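The rule David Markey states above, written out as a small Python model. This is an added example, not code from the thread or from Samba: sambaPwdMustChange is ignored, the must-change time is sambaPwdLastSet + sambaMaxPwdAge (sambaMaxPwdAge lives on the sambaDomain object, in seconds), and sambaPwdLastSet = 0 forces a change at the next logon. The order of the checks, treating a missing, 0 or -1 sambaMaxPwdAge and the X flag in sambaAcctFlags as "never expires", follows Samba 3.x's pdb_get_pass_must_change_time() as I recall it and is an assumption; the user and domain dicts are constructed sample data.

```python
import time

NEVER = 2**63 - 1  # "never expires" sentinel (Samba returns get_time_t_max() here)


def pass_must_change_time(user: dict, domain: dict) -> int:
    """Unix time at which the password must be changed, computed from the LDAP entries.

    Order of checks (assumption: follows Samba 3.x pdb_get_pass_must_change_time):
      1. sambaPwdLastSet == 0                                  -> must change at next logon (0)
      2. 'X' in sambaAcctFlags (password never expires)        -> NEVER
      3. sambaMaxPwdAge absent, 0 or -1 on the sambaDomain obj -> NEVER
      4. otherwise sambaPwdLastSet + sambaMaxPwdAge
    sambaPwdMustChange is deliberately never read.
    """
    last_set = int(user.get("sambaPwdLastSet", 0))
    if last_set == 0:
        return 0
    flags = str(user.get("sambaAcctFlags", "[U          ]")).strip("[] ")
    if "X" in flags:
        return NEVER
    max_age = domain.get("sambaMaxPwdAge")
    if max_age is None or int(max_age) in (0, -1, 0xFFFFFFFF):
        return NEVER
    return last_set + int(max_age)


def password_expired(user: dict, domain: dict, now=None) -> bool:
    """True when a logon at time `now` should be forced to change the password."""
    now = int(time.time()) if now is None else int(now)
    return pass_must_change_time(user, domain) <= now


def force_change_ldif(dn: str) -> str:
    """LDIF for ldapmodify that forces a change at next logon (sambaPwdLastSet = 0)."""
    return f"dn: {dn}\nchangetype: modify\nreplace: sambaPwdLastSet\nsambaPwdLastSet: 0\n"


if __name__ == "__main__":
    # Constructed sample entries, not taken from the thread.
    domain = {"sambaDomainName": "_LOCAL_", "sambaMaxPwdAge": 90 * 86400}
    now = 1236988800  # 2009-03-14 00:00 UTC
    user = {"uid": "sachs", "sambaPwdLastSet": now - 100 * 86400,
            "sambaAcctFlags": "[U          ]", "sambaPwdMustChange": 0}
    print("expired:", password_expired(user, domain, now))  # older than 90 days
    print(force_change_ldif("uid=sachs,ou=Users,dc=example,dc=com"))
```

The model makes the original symptom visible: with sambaPwdMustChange: 0 but a fresh sambaPwdLastSet, nothing expires, which is what the GDM logon showed.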
Re: [Samba] Samba PDC - Kerberised CIFS access
Shahid,

Did you use the command 'net join' to join M3 to the Samba PDC domain? My problem is that when I join M3 to the Samba PDC (M1) domain with the command 'net join', after this I cannot access M3 using Kerberos authentication.

Another description: your error is [1]:

  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
  ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

My error is [23]:

  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
  ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
  ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)

When I delete the file /var/lib/samba/secrets.tdb on M3 and restart the Samba client on M3, Kerberos authentication on M3 works again for my CIFS client M4, but M3 is then out of the Samba PDC domain. But the problem may be related.

My English is terrible, sorry...

Thanks!

2009/3/12 Eduardo Sachs <edu.sa...@gmail.com>:
> [...]
Re: [Samba] Samba PDC - Kerberised CIFS access
I am so sorry for so many e-mails, but it is necessary: in my case, Samba 3.0.x does not cause this problem, only Samba 3.2.x and 3.3.x.

Thanks!

2009/3/13 Eduardo Sachs <edu.sa...@gmail.com>:
> [...]
Re: [Samba] Samba PDC - Kerberised CIFS access
More information... Example of the procedure:

1 - M4 accesses M3 with Kerberos auth:

  M4# smbclient //M3/publico -k
  OS=[Unix] Server=[Samba 3.2.5]
  smb: \> ls
    .                                   D        0  Wed Mar 11 21:04:19 2009
    ..                                  D        0  Wed Mar 11 21:04:19 2009

                48444 blocks of size 262144. 36638 blocks available
  smb: \> quit

2 - M3 joins the Samba PDC:

  M3# net join -U root
  Enter root's password:
  Joined domain _LOCAL_.

3 - M4 accessing M3 with Kerberos auth fails:

  M4# smbclient //M3/publico -k
  cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
  session setup failed: NT_STATUS_LOGON_FAILURE

4 - On M3, delete /var/lib/samba/secrets.tdb and restart the Samba client; M3 is out of the Samba PDC domain because secrets.tdb was deleted:

  M3# rm /var/lib/samba/secrets.tdb
  M3# /etc/init.d/samba restart

5 - M4 can access M3 with Kerberos auth again:

  M4# smbclient //M3/publico -k
  OS=[Unix] Server=[Samba 3.2.5]
  smb: \> ls
    .                                   D        0  Wed Mar 11 21:04:19 2009
    ..                                  D        0  Wed Mar 11 21:04:19 2009

                48444 blocks of size 262144. 36638 blocks available
  smb: \> quit

Thanks!

2009/3/13 Eduardo Sachs <edu.sa...@gmail.com>:
> [...]
Re: [Samba] Samba PDC - Kerberised CIFS access
Hi Shahid,

I am so sorry, but I don't understand your answer. You managed to join M3 to the Samba PDC and, at the same time, access it through Kerberos authentication? Was that it?

Helmut, I am so sorry!

Thanks!

2009/3/13 Shahid M Shaikh <shahid.sha...@in.ibm.com>:
> Hi Eduardo,
>
> Thanks much for all the information you have shared with us regarding the samba issue.
>
> I used the net rpc join command to join into the domain hosted by M1. I was able to join to the domain successfully.
>
> Regards,
> Shahid Shaikh.
>
> Eduardo Sachs <edu.sa...@gmail.com> wrote on 13-03-09 07:19 PM
> (cc: samba@lists.samba.org, Christian M Ambach <christian.amb...@de.ibm.com>, volker.lende...@sernet.de, Mathias Dietz <mdi...@de.ibm.com>, Ujjwal Lanjewar, Michael Diederich <dieder...@de.ibm.com>, Pankaj S Zanwar),
> subject "Re: [Samba] Samba PDC - Kerberised CIFS access":
>> [...]
Re: [Samba] Samba PDC - Kerberised CIFS access
Shahid,

I have the same problem, but I use a Heimdal Kerberos domain. Look at this bug ticket: https://bugzilla.samba.org/show_bug.cgi?id=5810

The developers have not yet responded.

Thanks!

2009/3/11 Shahid M Shaikh <shahid.sha...@in.ibm.com>:
> Hi All,
>
> I have machine M1 hosting Samba PDC. It stores only user information. I have machine M2 acting as KDC server. I have machine M3 hosting CIFS shares and it joins into the domain hosted by PDC M1. I have machine M4 used as CIFS client.
>
> On M2, I have added users and cifs/host service principals for M3. Also added service principal in keytab file. I have added all the user and service principals using des-cbc-crc encryption triplet. M3 and M4 are KDC clients. I have scped the keytab file on M3 from M2. I have configured M3's smb.conf file to accept kerberos keytab and also for the kerberos realm.
>
>   realm = SONAS.COM
>   use kerberos keytab = yes
>   client use spnego = yes
>
> From M4, I do kinit user and then try to see exported shares from M3.
>
>   [r...@sofsedun3 ~]# kinit domuser
>   Password for domu...@sonas.com:
>   [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>   [r...@sofsedun3 ~]# klist -e
>   Ticket cache: FILE:/tmp/krb5cc_0
>   Default principal: domu...@sonas.com
>
>   Valid starting     Expires            Service principal
>   03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas@sonas.com
>           renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
>   Kerberos 4 ticket cache: /tmp/tkt0
>   klist: You have no tickets cached
>
>   [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>   Enter domuser's password:
>   Anonymous login successful
>   Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>
>       Sharename       Type      Comment
>       ---------       ----      -------
>       share           Disk      test share
>       IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
>   Anonymous login successful
>   Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>
>       Server               Comment
>       ---------            -------
>
>       Workgroup            Master
>       ---------            -------
>
> It works with anonymous login. But when I try to use -k it fails. I tried smbclient with -k and debug level 3. I get this on the console.
>
>   [r...@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
>   lp_load_ex: refreshing parameters
>   Initialising global parameters
>   params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
>   Processing section [global]
>   added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
>   added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
>   added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
>   Client started (version 3.2.8-ctdb-55).
>   Connecting to 10.0.0.24 at port 445
>   Doing spnego session setup (blob length=111)
>   got OID=1 2 840 113554 1 2 2
>   got OID=1 2 840 48018 1 2 2
>   got OID=1 3 6 1 4 1 311 2 2 10
>   got principal=cifs/sofsedun4.vsofs1@sonas.com
>   Doing kerberos session setup
>   ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Thu, 12 Mar 2009 21:36:54 TLT
>   cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>   SPNEGO login failed: Logon failure
>   session setup failed: NT_STATUS_LOGON_FAILURE
>
>   [r...@sofsedun3 ~]# klist -e
>   Ticket cache: FILE:/tmp/krb5cc_0
>   Default principal: domu...@sonas.com
>
>   Valid starting     Expires            Service principal
>   03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas@sonas.com
>           renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>   03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1@sonas.com
>           renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
>   Kerberos 4 ticket cache: /tmp/tkt0
>   klist: You have no tickets cached
>
> On M3, I have enabled smbd logs with debug level 10. The corresponding errors for the above behavior are:
>
>   [2009/03/11 21:58:54, 3] smbd/process.c:switch_message(1361)
>     switch message SMBsesssetupX (pid 26858) conn 0x0
>   [2009/03/11 21:58:54, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>     setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>   [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
>     wct=12 flg2=0xc801
>   [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
>     Doing spnego session setup
>   [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
>     NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>   [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
>     reply_spnego_negotiate: Got secblob of size 466
>   [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
>     ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
>   [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
>     ads_keytab_verify_ticket:
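The two failing cases in this thread (Shahid's "enc type [1] ... Bad encryption type" with 2 matched keytab principals, Eduardo's "enc type [23] ... Wrong principal in request" with 36) differ in a way that is easy to miss when reading raw smbd logs against `klist -e` output by eye. As an added example that is not part of the thread, the script below parses both: the etype of the service ticket the client holds (from `klist -e`) and the two verification paths smbd names in the log, ads_secrets_verify_ticket (keys derived from the machine-account password kept in secrets.tdb after `net join`) and ads_keytab_verify_ticket (the keytab). It then states what the numbers allow one to conclude: a secrets.tdb attempt with a different etype than the ticket can never succeed, and an attempt with the same etype that still reports "Decrypt integrity check failed" means the key material differs from what the KDC used. The sample log and klist texts are constructed from lines quoted in this thread; the etype name tables are the standard Kerberos numbers.

```python
import re

# Kerberos encryption type numbers (RFC 3961/3962/4757) for the names that appear in such logs
ETYPE_NAME = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5",
}
# Long names as printed by MIT 'klist -e'
KLIST_ETYPE = {
    "DES cbc mode with CRC-32": 1, "DES cbc mode with RSA-MD5": 3,
    "Triple DES cbc mode with HMAC/sha1": 16,
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": 17,
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": 18,
    "ArcFour with HMAC/md5": 23,
}

_TICKET = re.compile(r"^\s*\S+ \S+\s+\S+ \S+\s+(\S+@\S+)\s*$")
_ETYPE = re.compile(r"Etype \(skey, tkt\): ([^,]+), (.+?)\s*$")
_SECRETS = re.compile(r"ads_secrets_verify_ticket: enc type \[(\d+)\] failed to decrypt with error (.+)")
_KEYTAB = re.compile(r"krb5_rd_req failed for all (\d+) matched keytab principals")
_FINAL = re.compile(r"ads_verify_ticket: krb5_rd_req with auth failed \(([^)]+)\)")


def parse_klist(text):
    """Map service principal -> (session-key etype, ticket etype) from 'klist -e' output."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = _TICKET.match(line)
        if m:
            current = m.group(1)
            continue
        m = _ETYPE.search(line)
        if m and current:
            tickets[current] = (KLIST_ETYPE.get(m.group(1).strip()), KLIST_ETYPE.get(m.group(2).strip()))
            current = None
    return tickets


def diagnose(smbd_log, klist_text="", service=None):
    """Correlate smbd's ticket-verification lines with the etype of the client's service ticket."""
    tried, keytab_matches, reason = [], None, None
    for line in smbd_log.splitlines():
        m = _SECRETS.search(line)
        if m:
            tried.append((int(m.group(1)), m.group(2).strip()))
            continue
        m = _KEYTAB.search(line)
        if m:
            keytab_matches = int(m.group(1))
            continue
        m = _FINAL.search(line)
        if m:
            reason = m.group(1)
    tkt_etype = parse_klist(klist_text).get(service, (None, None))[1]
    findings = []
    for etype, err in tried:
        name = ETYPE_NAME.get(etype, "?")
        if tkt_etype is None:
            findings.append(f"secrets.tdb (machine account) key tried with etype {etype} ({name}); "
                            "no klist -e output to compare against")
        elif etype != tkt_etype:
            findings.append(f"secrets.tdb key tried with etype {etype} ({name}) but the ticket for {service} "
                            f"is etype {tkt_etype} ({ETYPE_NAME.get(tkt_etype)}): it can never decrypt it")
        elif "integrity check failed" in err:
            findings.append(f"secrets.tdb key has the ticket's etype {etype} ({name}) "
                            f"but is not the key the KDC used for {service}")
    if keytab_matches is not None:
        findings.append(f"{keytab_matches} keytab entries matched by name, none decrypted the ticket; "
                        f"final error: {reason}")
    return {"ticket_etype": tkt_etype, "secrets_tried": [e for e, _ in tried],
            "keytab_matches": keytab_matches, "reason": reason, "findings": findings}


# Constructed sample input, assembled from lines quoted in the thread.
SHAHID_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domuser@sonas.com

Valid starting     Expires            Service principal
03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas@sonas.com
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1@sonas.com
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""
SHAHID_SMBD_LOG = """\
[2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
  ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""
EDUARDO_SMBD_LOG = """\
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
  ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
  ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
"""

if __name__ == "__main__":
    for label, args in (("Shahid", (SHAHID_SMBD_LOG, SHAHID_KLIST, "cifs/sofsedun4.vsofs1@sonas.com")),
                        ("Eduardo", (EDUARDO_SMBD_LOG,))):
        print(label)
        for f in diagnose(*args)["findings"]:
            print("  -", f)
```

Run it against your own `klist -e` and a log level 3 smbd log; the "service" argument is the principal smbclient prints as "got principal=".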
[Samba] PAM_WINBIND problem with sambaPwdMustChange
Hi people!

I use pam_winbind for authentication on my workstation running Debian Lenny 5.0 (stable). I configured my user with the option sambaPwdMustChange: 0, and I log on in GDM without being asked to change the password. Who knows what this can be?

I use a Samba PDC with Heimdal Kerberos, but I configured PAM with only pam_winbind for the tests...

Client versions:

  ii  libwbclient0  2:3.2.5-4  client library for interfacing with winbind service
  ii  samba         2:3.2.5-4  a LanManager-like file and printer server for Unix
  ii  samba-common  2:3.2.5-4  Samba common files used by both the server and the client
  ii  winbind       2:3.2.5-4  service to resolve user and group information from Windows NT

Server versions:

  ii  samba         2:3.2.5-4  a LanManager-like file and printer server for Unix

My PAM configuration is simple:

  auth      sufficient  pam_winbind.so debug
  auth      required    pam_unix.so nullok_secure use_first_pass
  account   sufficient  pam_unix.so
  account   sufficient  pam_winbind.so
  account   required    pam_deny.so
  password  sufficient  pam_unix.so nullok obscure md5
  password  required    pam_winbind.so
  session   optional    pam_unix.so
  session   optional    pam_winbind.so
  session   optional    pam_mkhomedir.so skel=/etc/skel/ umask=077

PAM debug output:

  pam_winbind(gdm:auth): [pamh: 0x88bcf70] ENTER: pam_sm_authenticate (flags: 0x)
  pam_winbind(gdm:auth): getting password (0x0181)
  pam_winbind(gdm:auth): Verify user 'sachs'
  pam_winbind(gdm:auth): CONFIG file: krb5_ccache_type 'FILE'
  pam_winbind(gdm:auth): enabling krb5 login flag
  pam_winbind(gdm:auth): enabling request for a FILE krb5 ccache
  pam_winbind(gdm:auth): user 'sachs' granted access
  pam_winbind(gdm:auth): Returned user was 'sachs'
  pam_winbind(gdm:auth): [pamh: 0x88bcf70] LEAVE: pam_sm_authenticate returning 0
  pam_winbind(gdm:account): user 'sachs' OK
  pam_winbind(gdm:account): user 'sachs' granted access
  pam_winbind(gdm:setcred): [pamh: 0x88bcf70] ENTER: pam_sm_setcred (flags: 0x0002)
  pam_winbind(gdm:setcred): PAM_ESTABLISH_CRED not implemented
  pam_winbind(gdm:setcred): [pamh: 0x88bcf70] LEAVE: pam_sm_setcred returning 0

Some configurations:

1 - nsswitch is configured with LDAP; it works fine.

2 - smb.conf

  [global]
  workgroup = _LOCAL_
  netbios name = debian-x11
  realm = LOCAL.INT.BR
  security = domain
  wins server = 10.111.222.100
  use kerberos keytab = yes
  client use spnego = yes
  client NTLMv2 auth = yes
  bind interfaces only = yes
  interfaces = eth0 10.111.222.103, lo 127.0.0.1
  hosts allow = 10.111.222.0/24, 127.0.0.1
  debug level = 2
  log file = /var/log/samba/%m.log
  max log size = 50
  log level = 1
  syslog = 0
  utmp = Yes
  idmap uid = 1-15000
  idmap gid = 1-15000
  template shell = /bin/bash
  template homedir = /home/users/%U
  winbind separator = +
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes
  encrypt passwords = yes
  invalid users = root
  socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  local master = no
  domain master = no
  dns proxy = no
  preserve case = yes
  short preserve case = no
  default case = lower
  case sensitive = no
  dos charset = cp850
  unix charset = iso8859-1
  display charset = LOCALE
  restrict anonymous = 0

Thanks!
Re: [Samba] Kerberos authentication for non-windows KDCs
Asier,

It's only for Linux clients (smb clients), but Windows can join the Kerberos domain. Look at this page on how to configure your Windows to join the Kerberos domain: http://www.h5l.org/manual/heimdal-0-7-branch/info/heimdal.html#Windows-2000-compatability

In this configuration your Windows will be out of the Samba domain, but you can authenticate your access to Samba shares (\\server\share) via Kerberos.

My English is very terrible, I am so sorry!

Thanks!

Asier Baranguán wrote:
> Eduardo Sachs wrote:
>> Hi Wes!
>>
>> Look at this howto about Kerberized OpenLDAP, Samba PDC and Squid: http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Etch
>>
>> But it's only in Portuguese :(
>
> Hmmm... AFAIK this setup serves well with samba clients connecting to samba servers. Windows clients joined to the domain don't seem to benefit from this kind of setup. Am I ok?
>
> Thanks

--
Eduardo Sachs
(51) 9262-3803
Re: [Samba] Kerberos authentication for non-windows KDCs
Hi Wes!

Look at this howto about Kerberized OpenLDAP, Samba PDC and Squid: http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Etch

But it's only in Portuguese :(

Regards,

Wes Modes wrote:
> I was told recently that Kerberos authentication won't work against a non-windows KDC. Is that accurate? So for instance, it is not possible for Samba running on say RHEL, to authenticate against a Linux server running MIT Kerberos?
>
> Additionally, many people said that setting this up was well-documented. Any suggestions of particularly good docs / how-to's?
>
> And lastly, is there anyone here currently who's set up both Kerberos authentication AND an OpenLDAP user/group data repository for their Samba server?
>
> W.
Re: [Samba] Samba to Kerberos via OpenLDAP
Wes Modes,

Look at this howto about Kerberized OpenLDAP, Samba PDC and Squid: http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Etch

But it's only in Portuguese :(

Regards,

Wes Modes wrote:
> First, I'll just say this is a question principally about the arcane mysteries of Samba to OpenLDAP authentication.
>
> I've had Samba to OpenLDAP authentication running for a while now using the samba.schema and the ldapsam module. Now I'd like to understand a bit more about how that works in order to take it a step further and get openLDAP to bind against a Kerberos database via SASL.
>
> An aside; yes, I'd heard that Samba can be configured to authenticate against Kerberos directly, but for my own reasons, I'd prefer that Samba talk only to OpenLDAP, and OpenLDAP can do the authentication. I'll fall back on the Samba to Kerberos direct route if I can't find a way to do what I want.
>
> I've noted that the Samba schema and smbldap-tools add to the user record two Samba specific password fields, sambaNTPassword and sambaLMPassword. If I have the ldapsam module specified as the passdb backend in smb.conf, is OpenLDAP merely storing the samba passwords while Samba does the password comparisons? Or does OpenLDAP do the authentication and return a yes or no?
>
> Is it possible to have Samba defer authentication to OpenLDAP? If so, I can have OpenLDAP use the {SASL} method to do authentication via kerberos.
>
> Wes
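On Wes's question of who does the comparison: with passdb backend = ldapsam the directory only stores sambaNTPassword; smbd fetches that value over LDAP and performs the NTLM challenge/response computation itself, so the directory never sees a password and has nothing it could verify via SASL. The stored value is the unsalted NT hash, MD4 over the UTF-16LE password, and in NTLMv2 it is the key of an HMAC-MD5 chain, which is why the server needs the raw hash rather than a yes/no from the directory. The following is an added example, not code from the thread or from Samba: it implements MD4 in pure Python (hashlib's md4 is often disabled under OpenSSL 3), derives the sambaNTPassword value, and shows the NTLMv2 proof as computed on both sides. The challenge, client blob, user name and domain are constructed sample values.

```python
import hashlib
import hmac
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = h[:]
        for func, order, shifts, k in rounds:
            for i, xi in enumerate(order):
                j = (-i) % 4  # register updated this step: a, d, c, b, a, ...
                a, b, c, d = s[j], s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]
                s[j] = _rotl((a + func(b, c, d) + x[xi] + k) & 0xFFFFFFFF, shifts[i % 4])
        h = [(h[i] + s[i]) & 0xFFFFFFFF for i in range(4)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))


def samba_nt_password(password: str) -> str:
    """The value smbldap-tools writes into sambaNTPassword (upper-case hex)."""
    return nt_hash(password).hex().upper()


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain in UTF-16LE."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr: computed by the client from its password, and by smbd from sambaNTPassword."""
    return hmac.new(ntowf_v2(nt, user, domain), server_challenge + client_blob, hashlib.md5).digest()


def smbd_side_check(samba_nt_password_hex: str, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes, client_proof: bytes) -> bool:
    """What smbd does with an ldapsam entry: recompute the proof from the stored hash and compare."""
    nt = bytes.fromhex(samba_nt_password_hex)
    expected = ntlmv2_proof(nt, user, domain, server_challenge, client_blob)
    return hmac.compare_digest(expected, client_proof)


# Constructed sample values (not from the thread).
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_BLOB = bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("aaaaaaaaaaaaaaaa") + bytes(4)

if __name__ == "__main__":
    stored = samba_nt_password("password")           # what sits in LDAP
    proof = ntlmv2_proof(nt_hash("password"), "sachs", "_LOCAL_", SERVER_CHALLENGE, CLIENT_BLOB)
    print("sambaNTPassword:", stored)
    print("smbd accepts:", smbd_side_check(stored, "sachs", "_LOCAL_", SERVER_CHALLENGE, CLIENT_BLOB, proof))
```

Because the directory holds the equivalent of the password (an unsalted hash that can be replayed in NTLM), read access to sambaNTPassword has to be restricted in the OpenLDAP ACLs to the DN smbd binds with.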
Re: [Samba] Missing Heimdal, Kerberos, Samba and OpenLdap how-to
Hi,

I made this script for the integration of Samba + Heimdal + SASL + OpenLDAP, for Debian Etch 4 ONLY. I edited smbldap-useradd and smbldap-passwd for the password, to fix [EMAIL PROTECTED]. I tested this script more than 50 times; it's perfect. The script is attached.

I'm so sorry for my terrible English. Please let me know your suggestions.

Andrew Bartlett wrote:
> On Fri, 2007-08-03 at 22:29 +0200, Marcello De Geronimo wrote:
> > Hi, I'm looking for this how-to, often referenced but no longer available:
> > https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
> > Is there anywhere a how-to about integrating Heimdal, Kerberos, Samba and OpenLDAP?
>
> In short, see smbk5pwd if you want to have the LDAP server update the passwords, and Heimdal 1.0 (0.8 and above) will read Samba password entries as Kerberos keys.
>
> I know the howto did get reposted somewhere, but I never kept enough track of it, but can help you through the setup (as can the heimdal mailing list).
>
> Andrew Bartlett
[Samba] Kerberizing Samba PDC
Hi!

I used Heimdal Kerberos + LDAP, but I want to add a Samba PDC to my Kerberos. My system: Debian Sarge; I used apt-get backports to upgrade Samba to 3.0.23c.

I made principals and keytabs for my Samba PDC. On the Kerberos server:

    kadmin add -random-key cifs/sambapdc
    Max ticket life [1 day]:
    Max renewable life [1 week]:
    Principal expiration time [never]:
    Password expiration time [never]:
    Attributes []:
    kadmin ext_key cifs/sambapdc

I transferred the keytab to my Samba PDC. On the Kerberos server:

    # ktutil -k krb5.keytab get cifs/sambapdc
    # scp krb5.keytab sambapdc:/etc/

On the client:

    # smbclient //sambapdc/homes -k

(note, I used -k)

I receive this error:

    session setup failed: Call returned zero bytes (EOF)

And my Samba logs:

    [2007/02/24 12:06:03, 0] lib/fault.c:fault_report(41)
      ===
    [2007/02/24 12:06:03, 0] lib/fault.c:fault_report(42)
      INTERNAL ERROR: Signal 11 in pid 1901 (3.0.23c)
      Please read the Trouble-Shooting section of the Samba3-HOWTO
    [2007/02/24 12:06:03, 0] lib/fault.c:fault_report(44)
      From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
    [2007/02/24 12:06:03, 0] lib/fault.c:fault_report(45)
      ===
    [2007/02/24 12:06:03, 0] lib/util.c:smb_panic(1592)
      PANIC (pid 1901): internal error
    [2007/02/24 12:06:03, 0] lib/util.c:log_stack_trace(1699)
      BACKTRACE: 20 stack frames:
       #0 /usr/sbin/smbd(log_stack_trace+0x23) [0x822ce53]
       #1 /usr/sbin/smbd(smb_panic+0x48) [0x822ccd8]
       #2 /usr/sbin/smbd [0x821a9fc]
       #3 /lib/libpthread.so.0 [0x4035c825]
       #4 /lib/libc.so.6 [0x401ca678]
       #5 /usr/lib/libkrb5.so.3(krb5_ktfile_get_next+0x3c) [0x400aa2cc]
       #6 /usr/lib/libkrb5.so.3(krb5_kt_next_entry+0x3c) [0x400a9d4c]
       #7 /usr/sbin/smbd [0x82ad876]
       #8 /usr/sbin/smbd(ads_verify_ticket+0x81d) [0x82ae67d]
       #9 /usr/sbin/smbd [0x80be6b3]
       #10 /usr/sbin/smbd [0x80bf805]
       #11 /usr/sbin/smbd [0x80bff34]
       #12 /usr/sbin/smbd(reply_sesssetup_and_X+0xfb7) [0x80c1247]
       #13 /usr/sbin/smbd [0x80e985f]
       #14 /usr/sbin/smbd [0x80e9a84]
       #15 /usr/sbin/smbd [0x80e9ca2]
       #16 /usr/sbin/smbd(smbd_process+0x155) [0x80eab85]
       #17 /usr/sbin/smbd(main+0x92e) [0x82c221e]
       #18 /lib/libc.so.6(__libc_start_main+0xc6) [0x401b6e36]
       #19 /usr/sbin/smbd [0x80829d1]
    [2007/02/24 12:06:03, 0] lib/fault.c:dump_core(173)
      dumping core in /var/log/samba/cores/smbd

Sorry, my English sucks, but I need help! Thanks for all.
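The backtrace above places smbd inside krb5_kt_next_entry / krb5_ktfile_get_next, called from ads_verify_ticket: that is the Heimdal library walking the file keytab that was copied to /etc/krb5.keytab while smbd looks for a key to decrypt the client's CIFS service ticket. The example below is added for this page and is not code from the poster, Samba or Heimdal, and it does not say why this particular smbd crashed; it shows the check a practitioner would make before going further, namely reading the keytab file format that both MIT and Heimdal write (version 0x0502) and listing which principals, encryption types and key version numbers the file actually contains. The sample keytab is constructed in the block (the realm EXAMPLE.ORG, the timestamps and the key bytes are made up); the encryption type numbers are the standard RFC 3961/4757 assignments, not values from the page. On a real host the equivalent is `ktutil -k /etc/krb5.keytab list` with Heimdal's ktutil, and the things to confirm are that a cifs/sambapdc entry exists for the realm the KDC issued the ticket in, and that the kvno in the keytab matches the key the KDC currently holds for that principal.

```python
import struct
from dataclasses import dataclass
from typing import List

# Standard encryption type numbers (RFC 3961, RFC 4757); not taken from the page.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5",
}


@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM"
    name_type: int      # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the 0x0502 file keytab format (big-endian fields).
    Used here only to construct sample input for the parser below."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)              # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk every entry the way a keytab iterator does; raise on truncation
    rather than reading past the end of an entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []

    def take(n: int) -> bytes:
        nonlocal pos
        chunk = data[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keytab entry at offset %d" % pos)
        pos += n
        return chunk

    def counted() -> bytes:
        (n,) = struct.unpack(">H", take(2))
        return take(n)

    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", take(4))
        if size < 0:                                   # negative size = deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", take(2))
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack(">IIB", take(9))
        (enctype,) = struct.unpack(">H", take(2))
        key = counted()
        kvno = vno8
        if end - pos >= 4:                             # 32-bit kvno present after the key
            (kvno32,) = struct.unpack(">I", take(4))
            if kvno32:
                kvno = kvno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, timestamp, kvno, enctype, key))
        pos = end
    return entries


def service_keys(data: bytes, service: str, host: str) -> List[str]:
    """'enctype kvno=N' for each key of service/host: what smbd can try when
    verifying a ticket for that principal."""
    want = service + "/" + host + "@"
    return ["%s kvno=%d" % (ENCTYPE_NAMES.get(e.enctype, str(e.enctype)), e.kvno)
            for e in parse_keytab(data) if e.principal.startswith(want)]


def sample_keytab() -> bytes:
    # Constructed sample: realm, timestamps and key material are made up.
    ts = 1172318000
    return build_keytab([
        KeytabEntry("cifs/sambapdc@EXAMPLE.ORG", 1, ts, 1, 18, bytes(range(32))),
        KeytabEntry("cifs/sambapdc@EXAMPLE.ORG", 1, ts, 1, 23, bytes(16)),
        KeytabEntry("host/sambapdc@EXAMPLE.ORG", 1, ts, 2, 18, bytes(32)),
    ])


if __name__ == "__main__":
    for e in parse_keytab(sample_keytab()):
        print(e.principal, ENCTYPE_NAMES.get(e.enctype, e.enctype), "kvno", e.kvno)
```

A keytab with the principal under the wrong realm, a stale kvno after the key was regenerated on the KDC, or only enctypes the client never requests will all make ads_verify_ticket fail before any bytes are returned to the client, so listing the file is the cheapest first check; the crash itself still needs the core file and a Heimdal build with symbols.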