[Samba] Samba PDC and Kerberos
Hi,

This is with reference to the kerberos mailing list thread (http://mailman.mit.edu/pipermail/kerberos/2004-December/006868.html) on the Samba PDC and Kerberos. I am trying to make a Samba PDC in an AD (LDAP + KRB) domain. Could you please answer a few of my queries on the same issue?

1. What's the problem with Samba 3 working as a PDC in an AD domain?
2. What has been fixed to make Samba 4 work as a PDC in an AD domain?
3. When would Samba 4 be available? Also, it would be really helpful if you could direct me to the release notes of Samba 4.

Thanks!

Regards,
Shahid Shaikh.
[Samba] Bugzilla Bug 5810
Hi,

Does anyone know if bug #5810 is fixed or not? Or is there any known workaround?

Regards,
Shahid Shaikh.
Re: [Samba] Samba PDC - Kerberised CIFS access
Hi Eduardo,

M1 is the Samba PDC. It is hosting a domain. It also stores the domain users, though the Samba passwords for all the users are invalid in smbpasswd.

M3 is the CIFS server and is part of the domain of the Samba PDC. Hence I join M3 into M1 using net rpc join. For that I have created a machine user account on the Samba PDC.

On M3, I have configured smb.conf to accept Kerberos tickets. So a client who wants to access the CIFS shares needs to have valid Kerberos tickets (user TGT and CIFS service principal TGS).

Is that clear to you now?

Regards,
Shahid Shaikh.

Eduardo Sachs wrote on 13-03-09 10:23 PM (to samba@lists.samba.org, cc Shahid M Shaikh):

Hi Shahid,

I'm so sorry, but I don't understand your collocation about your answer. You managed to join M3 to the Samba PDC and, at the same time, access it through Kerberos authentication? Was that it?

Helmut, I'm so sorry!

Thanks!
Re: [Samba] Samba PDC - Kerberised CIFS access
Hi Eduardo,

Thanks much for all the information you have shared with us regarding the Samba issue.

I used the net rpc join command to join the domain hosted by M1. I was able to join the domain successfully.

Regards,
Shahid Shaikh.

Eduardo Sachs wrote on 13-03-09 07:19 PM (cc samba@lists.samba.org, Christian M Ambach, volker.lende...@sernet.de, Mathias Dietz, Ujjwal Lanjewar, Michael Diederich, Pankaj S Zanwar):

I'm so sorry for the many emails, but it is necessary:

In my case, Samba 3.0.x does not cause this problem, only Samba 3.2.x and 3.3.x.

Thanks!

2009/3/13 Eduardo Sachs:
> More information...
>
> Example of procedure:
>
> 1 - M4 accesses M3 with Kerberos auth:
>     M4# smbclient //M3/publico -k
>     OS=[Unix] Server=[Samba 3.2.5]
>     smb: \> ls
>       .                              D        0  Wed Mar 11 21:04:19 2009
>       ..                             D        0  Wed Mar 11 21:04:19 2009
>
>             48444 blocks of size 262144. 36638 blocks available
>     smb: \> quit
>
> 2 - M3 joins the Samba PDC:
>     M3# net join -U root
>     Enter root's password:
>     Joined domain _LOCAL_.
>
> 3 - M4 accessing M3 with Kerberos auth fails:
>     M4# smbclient //M3/publico -k
>     cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>     session setup failed: NT_STATUS_LOGON_FAILURE
>
> 4 - On M3, delete /var/lib/samba/secrets.tdb and restart the Samba client; M3 is out of the Samba PDC domain because secrets.tdb was deleted:
>     M3# rm /var/lib/samba/secrets.tdb && /etc/init.d/samba restart
>
> 5 - M4 can access M3 with Kerberos auth again:
>     M4# smbclient //M3/publico -k
>     OS=[Unix] Server=[Samba 3.2.5]
>     smb: \> ls
>       .                              D        0  Wed Mar 11 21:04:19 2009
>       ..                             D        0  Wed Mar 11 21:04:19 2009
>
>             48444 blocks of size 262144. 36638 blocks available
>     smb: \> quit
>
> Thanks!
>
> 2009/3/13 Eduardo Sachs:
>> Shahid,
>>
>> You used the command 'net join' to join M3 to the Samba PDC domain?
>>
>> My problem is that when I join M3 to the Samba PDC (M1) domain with the command 'net join', after this I cannot access M3 using Kerberos authentication.
>>
>> Other description,
>>
>> Your error is [1]:
>>     ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
>>     ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
>>     ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>>
>> My error is [23]:
>>     ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
>>     ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
>>     ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
>>
>> When I delete the file /var/lib/samba/secrets.tdb on M3 and restart the Samba client on M3, Kerberos authentication on M3 works again for my CIFS client M4, but it is out of the Samba PDC domain.
>>
>> But the problem may be related.
>>
>> My English is terrible, sorry...
>>
>> Thanks!
>>
>> 2009/3/12 Eduardo Sachs:
>>> Shahid,
>>>
>>> I have the same problem, but I use a Heimdal Kerberos domain; look at this bug ticket:
>>>
>>> https://bugzilla.sa
[Samba] Samba PDC - Kerberised CIFS access
Hi All,

I have machine M1 hosting the Samba PDC. It stores only user information. I have machine M2 acting as the KDC server. I have machine M3 hosting CIFS shares, and it joins the domain hosted by PDC M1. I have machine M4 used as the CIFS client.

On M2, I have added users and cifs/host service principals for M3. I also added the service principal to the keytab file. I have added all the user and service principals using the des-cbc-crc encryption triplet. M3 and M4 are KDC clients. I have copied the keytab file from M2 to M3 with scp. I have configured M3's smb.conf file to accept the Kerberos keytab and also for the Kerberos realm:

    realm = SONAS.COM
    use kerberos keytab = yes
    client use spnego = yes

From M4, I do kinit and then try to see the exported shares from M3.

    [r...@sofsedun3 ~]# kinit domuser
    Password for domu...@sonas.com:
    [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
    [r...@sofsedun3 ~]# klist -e
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: domu...@sonas.com

    Valid starting     Expires            Service principal
    03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas@sonas.com
            renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
    [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
    Enter domuser's password:
    Anonymous login successful
    Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]

            Sharename       Type      Comment
            ---------       ----      -------
            share           Disk      test share
            IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
    Anonymous login successful
    Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]

            Server               Comment
            ---------            -------

            Workgroup            Master
            ---------            -------

It works with anonymous login. But when I try to use -k, it fails. I tried smbclient with -k and debug level 3. I get this on the console.
    [r...@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
    lp_load_ex: refreshing parameters
    Initialising global parameters
    params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
    Processing section "[global]"
    added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
    added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
    added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
    Client started (version 3.2.8-ctdb-55).
    Connecting to 10.0.0.24 at port 445
    Doing spnego session setup (blob length=111)
    got OID=1 2 840 113554 1 2 2
    got OID=1 2 840 48018 1 2 2
    got OID=1 3 6 1 4 1 311 2 2 10
    got principal=cifs/sofsedun4.vsofs1@sonas.com
    Doing kerberos session setup
    ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Thu, 12 Mar 2009 21:36:54 TLT
    cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
    SPNEGO login failed: Logon failure
    session setup failed: NT_STATUS_LOGON_FAILURE
    [r...@sofsedun3 ~]# klist -e
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: domu...@sonas.com

    Valid starting     Expires            Service principal
    03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas@sonas.com
            renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
    03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1@sonas.com
            renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

On M3, I have enabled smbd logs with debug level 10.
The corresponding errors for the above behaviour are:

    [2009/03/11 21:58:54, 3] smbd/process.c:switch_message(1361)
      switch message SMBsesssetupX (pid 26858) conn 0x0
    [2009/03/11 21:58:54, 3] smbd/sec_ctx.c:set_sec_ctx(324)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
      wct=12 flg2=0xc801
    [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
      Doing spnego session setup
    [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
      NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
    [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
      reply_spnego_negotiate: Got secblob of size 466
    [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
      ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
    [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
      ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
    [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
      ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
    [2009/03/11 21:58:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
      Failed to verify incoming ticket with error NT_
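One way to narrow down a "failed to decrypt" / "matched keytab principals" failure like the one above is to compare the service ticket the client holds (from `klist -e` on M4) with the entries in the server's keytab (from `klist -kte` on M3) by principal name and ticket enctype. This is an added example, not code from the thread or from Samba; the two listings it parses are constructed samples in MIT klist format that mirror the des-cbc-crc setup described above.

```python
import re
# `klist -e` (client): "start  expiry  principal" line, then "renew until ..., Etype (skey, tkt): <session>, <ticket>".
TICKET_LINE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)\s*$")
ETYPE_LINE = re.compile(r"Etype \(skey, tkt\):\s*[^,]+,\s*(.+?)\s*$")
# `klist -kte` (server): "KVNO  date  time  principal (enctype)" lines.
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
def parse_tickets(klist_out):
    """[(service principal, ticket enctype)] from `klist -e` output."""
    tickets, princ = [], None
    for line in klist_out.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            princ = m.group(1)
        elif princ and (m := ETYPE_LINE.search(line)):
            tickets.append((princ, m.group(1)))  # tkt enctype: the key the CIFS server must hold
            princ = None
    return tickets

def parse_keytab(klist_kte_out):
    """[(kvno, principal, enctype)] from `klist -kte` output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(KEYTAB_LINE.match, klist_kte_out.splitlines()) if m]

def check_tickets(client_klist, server_keytab):
    """Per service ticket, report whether the server keytab can decrypt it."""
    keytab, findings = parse_keytab(server_keytab), []
    for princ, tkt_etype in parse_tickets(client_klist):
        if princ.startswith("krbtgt/"):
            continue  # the TGT is decrypted by the KDC, not by the CIFS server
        exact = [e for e in keytab if e[1] == princ]
        if not exact:  # principal names are case-sensitive in Kerberos
            folded = any(e[1].lower() == princ.lower() for e in keytab)
            findings.append((princ, "principal-case-mismatch" if folded else "missing-principal"))
        elif not any(e[2] == tkt_etype for e in exact):
            findings.append((princ, "missing-enctype"))
        else:  # name and enctype match; a decrypt failure now points at a stale key (kvno)
            findings.append((princ, "ok"))
    return findings

# Constructed sample listings modelled on the thread's des-cbc-crc setup (not real captures).
CLIENT_KLIST = """\
03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/SONAS.COM@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1@SONAS.COM
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""
SERVER_KEYTAB = """\
KVNO Timestamp         Principal
   2 03/11/09 20:58:01 cifs/sofsedun4.vsofs1@SONAS.COM (ArcFour with HMAC/md5)
"""
```

If the check reports "ok" for the cifs/ principal yet smbd still logs "Decrypt integrity check failed", the key bytes themselves differ (for example a keytab copied before the principal's key was regenerated on the KDC), so the keytab needs to be re-exported rather than the enctype changed.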