Re: [Samba] Samba PDC - Kerberised CIFS access

2009-03-13 Thread Eduardo Sachs
Shahid,

Did you use the command 'net join' to join M3 to the Samba PDC domain?

My problem is that after I join M3 to the Samba PDC (M1) domain with the
command 'net join', I cannot access M3 using Kerberos
authentication.

Other description,

Your error is [1]:
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Decrypt integrity check failed
ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

My error is [23]:
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab
principals
ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)

When I delete the file /var/lib/samba/secrets.tdb on M3 and restart
the Samba client on M3, Kerberos authentication to M3 works again
for my CIFS client M4, but M3 is then out of the Samba PDC domain.

But, the problem may be related.

My English is terrible, sorry...

Thanks!


2009/3/12 Eduardo Sachs edu.sa...@gmail.com:
 Shahid,

 I have same problem, but, I use Domain Heimdal Kerberos, look this bug ticket:

 https://bugzilla.samba.org/show_bug.cgi?id=5810

 The developers have not yet responded.

 Thanks!

 2009/3/11 Shahid M Shaikh shahid.sha...@in.ibm.com:
 Hi All,

 I have machine M1 hosting Samba PDC. It stores only user information.
 I have machine M2 acting as KDC server.
 I have machine M3 hosting CIFS shares and it joins into the domain hosted
 by PDC M1.
 I have machine M4 used as CIFS client.

 On M2, I have added users and cifs/host service principals for M3. Also
 added service principal in keytab file.
 I have added all the user and service principals using des-cbc-crc
 encryption triplet.

 M3 and M4 are KDC clients. I have scped the keytab file on M3 from M2.

 I have configured M3's smb.conf file to accept kerberos keytab and also for
 the kerberos realm.

       realm = SONAS.COM
       use kerberos keytab = yes
       client use spnego = yes


 From M4, I do kinit user and then try to see exported shares from M3.

 [r...@sofsedun3 ~]# kinit domuser
 Password for domu...@sonas.com:
 [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
 [r...@sofsedun3 ~]# klist -e
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: domu...@sonas.com

 Valid starting     Expires            Service principal
 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas@sonas.com
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with
 CRC-32, DES cbc mode with CRC-32


 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached
 [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
 Enter domuser's password:
 Anonymous login successful
 Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]

        Sharename       Type      Comment
        ---------       ----      -------
        share           Disk      test share
        IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
 Anonymous login successful
 Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

 It works with anonymous login. But when i try to use -k it fails. I tried
 smbclient with -k and debug level 3. I get these on console.

 [r...@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
 lp_load_ex: refreshing parameters
 Initialising global parameters
 params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
 Processing section [global]
 added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
 added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
 added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
 Client started (version 3.2.8-ctdb-55).
 Connecting to 10.0.0.24 at port 445
 Doing spnego session setup (blob length=111)
 got OID=1 2 840 113554 1 2 2
 got OID=1 2 840 48018 1 2 2
 got OID=1 3 6 1 4 1 311 2 2 10
 got principal=cifs/sofsedun4.vsofs1@sonas.com
 Doing kerberos session setup
 ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
 Thu, 12 Mar 2009 21:36:54 TLT
 cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
 SPNEGO login failed: Logon failure
 session setup failed: NT_STATUS_LOGON_FAILURE
 [r...@sofsedun3 ~]# klist -e
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: domu...@sonas.com

 Valid starting     Expires            Service principal
 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas@sonas.com
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with
 CRC-32, DES cbc mode with CRC-32
 03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1@sonas.com
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with
 CRC-32, DES cbc mode with CRC-32

 Kerberos 4 ticket cache: /tmp/tkt0
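
Added example (not part of the original thread and not Samba code): a small Python parser for the three ads_*_verify_ticket messages compared in the message above, so the two failures can be lined up field by field even when the log has been wrapped by a mail client. The encryption type names come from the IANA Kerberos registry rather than from the thread, and the function names parse_attempts and summarize are made up for this illustration.

```python
"""Summarise Samba ads_*_verify_ticket failures from smbd debug output."""
import re

# Kerberos encryption type numbers from the IANA registry (common ones only).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# Deprecated for Kerberos by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
DEPRECATED_ETYPES = {1, 2, 3, 16, 23}

# One alternative per log message quoted in the thread.
EVENT_RE = re.compile(
    r"ads_secrets_verify_ticket: enc type \[(?P<etype>\d+)\] failed to decrypt"
    r" with error (?P<serr>.+?)(?=\s\[\d{4}/\d\d/\d\d|\sads_\w+:|$)"
    r"|ads_keytab_verify_ticket: krb5_rd_req failed for all (?P<n>\d+)"
    r" matched keytab principals"
    r"|ads_verify_ticket: krb5_rd_req with auth failed \((?P<final>[^)]*)\)"
)

# Error text copied from the thread, including the mail line wrapping.
SHAHID_ERR = """\
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Decrypt integrity check failed
ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""
EDUARDO_ERR = """\
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab
principals
ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
"""
# smbd debug excerpt as quoted in the thread; it is cut off mid-message there.
SMBD_EXCERPT = """\
[2009/03/11 21:58:54,  3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Decrypt integrity check failed
[2009/03/11 21:58:54,  3]
libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
  ads_keytab_verify_ticket:
"""


def parse_attempts(log_text):
    """Group verify_ticket messages into one dict per ticket verification."""
    # Collapse all whitespace so wrapped log lines match as one message.
    flat = " ".join(log_text.split())
    attempts, cur = [], None
    for m in EVENT_RE.finditer(flat):
        # A message seen after a final error belongs to the next attempt.
        if cur is None or cur["final_error"] is not None:
            cur = {"secrets_failures": [], "keytab_principals_tried": None,
                   "final_error": None}
            attempts.append(cur)
        if m.group("etype") is not None:
            cur["secrets_failures"].append(
                (int(m.group("etype")), m.group("serr").strip()))
        elif m.group("n") is not None:
            cur["keytab_principals_tried"] = int(m.group("n"))
        else:
            cur["final_error"] = m.group("final")
    return attempts


def summarize(attempt):
    """Turn one parsed attempt into a comparable summary."""
    etypes = sorted({e for e, _ in attempt["secrets_failures"]})
    return {
        "etypes_tried": [ETYPE_NAMES.get(e, "etype-%d" % e) for e in etypes],
        "deprecated_etypes": [e for e in etypes if e in DEPRECATED_ETYPES],
        "keytab_principals_tried": attempt["keytab_principals_tried"],
        "final_error": attempt["final_error"],
        # False when the excerpt ends before the ads_verify_ticket verdict.
        "complete": attempt["final_error"] is not None,
    }


if __name__ == "__main__":
    for label, text in (("Shahid", SHAHID_ERR), ("Eduardo", EDUARDO_ERR),
                        ("smbd excerpt", SMBD_EXCERPT)):
        for attempt in parse_attempts(text):
            print(label, summarize(attempt))
```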
 

Re: [Samba] Samba PDC - Kerberised CIFS access

2009-03-13 Thread Eduardo Sachs
I am so sorry for the many emails, but it is necessary:

In my case, Samba 3.0.x does not cause this problem; it occurs only in Samba
3.2.x and 3.3.X.

Thanks!

 

Re: [Samba] Samba PDC - Kerberised CIFS access

2009-03-13 Thread Eduardo Sachs
More information...

Example of procedure:

1 - M4 accesses M3 with Kerberos authentication:
M4# smbclient //M3/publico -k
OS=[Unix] Server=[Samba 3.2.5]
smb: \> ls
  .                                   D        0  Wed Mar 11 21:04:19 2009
  ..                                  D        0  Wed Mar 11 21:04:19 2009

                48444 blocks of size 262144. 36638 blocks available
smb: \> quit

2 - M3 joins the Samba PDC:
M3# net join -U root
Enter root's password:
Joined domain _LOCAL_.

3 - M4 access to M3 with Kerberos authentication fails:
M4# smbclient //M3/publico -k
cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
session setup failed: NT_STATUS_LOGON_FAILURE

4 - On M3, delete /var/lib/samba/secrets.tdb and restart the Samba client;
M3 is out of the Samba PDC domain because secrets.tdb was deleted:
M3# rm /var/lib/samba/secrets.tdb && /etc/init.d/samba restart

5 - M4 can access M3 with Kerberos authentication again:
M4# smbclient //M3/publico -k
OS=[Unix] Server=[Samba 3.2.5]
smb: \> ls
  .                                   D        0  Wed Mar 11 21:04:19 2009
  ..                                  D        0  Wed Mar 11 21:04:19 2009

                48444 blocks of size 262144. 36638 blocks available
smb: \> quit

Thanks!


Re: [Samba] Samba PDC - Kerberised CIFS access

2009-03-13 Thread Shahid M Shaikh
Hi Eduardo,

Thanks much for all the information you have shared with us regarding the
samba issue.

I used the net rpc join command to join into the domain hosted by M1.

I was able to join to the domain successfully.

Regards,
Shahid Shaikh.



   

Re: [Samba] Samba PDC - Kerberised CIFS access

2009-03-13 Thread Helmut Hullen
Hello, Shahid,

You wrote on 13.03.09:

 Thanks much for all the information you have shared with us regarding
 the samba issue.

 I used net rpc join command to join into the domain hosted by M1.

 I was able to join to the domain successfully.

And for these kind words you push again 17 kByte through the net -  
that's very nasty.

Please don't full quote,
please don't top post.

And please leave the traffic in the mailing list, don't send individual  
mail.

Best regards!
Helmut


Re: [Samba] Samba PDC - Kerberised CIFS access

2009-03-13 Thread Eduardo Sachs
Hi Shahid,

I am so sorry, but I don't understand your collocation about your answer.

You managed to join M3 to the Samba PDC and at the same time access it
through Kerberos authentication? Was that it?

Helmut, I am so sorry!

Thanks!


Re: [Samba] Samba PDC - Kerberised CIFS access

2009-03-13 Thread Shahid M Shaikh
Hi Eduardo,

M1 is Samba PDC. It is hosting a domain. It also stores domain users.
Though the Samba passwords for all the users are invalid in smbpasswd.

M3 is CIFS Server and is part of the domain of Samba PDC. Hence I join M3
into M1 using net rpc join.
For that I have created a machine user account on Samba PDC.

On M3, I have configured smb.conf to accept kerberos tickets. So a client
who wants to access the CIFS shares needs to have valid kerberos tickets
(user tgt and CIFS service principal tgs).

Is that clear to you now?

Regards,
Shahid Shaikh.



   

Re: [Samba] Samba PDC - Kerberised CIFS access

2009-03-12 Thread Eduardo Sachs
Shahid,

I have the same problem, but I use a Heimdal Kerberos domain; look at this bug ticket:

https://bugzilla.samba.org/show_bug.cgi?id=5810

The developers have not yet responded.

Thanks!

2009/3/11 Shahid M Shaikh shahid.sha...@in.ibm.com:
 Hi All,

 I have machine M1 hosting Samba PDC. It stores only user information.
 I have machine M2 acting as KDC server.
 I have machine M3 hosting CIFS shares and it joins into the domain hosted
 by PDC M1.
 I have machine M4 used as CIFS client.

 On M2, I have added users and cifs/host service principals for M3. Also
 added service principal in keytab file.
 I have added all the user and service principals using des-cbc-crc
 encryption triplet.

 M3 and M4 are KDC clients. I have scped the keytab file on M3 from M2.

 I have configured M3's smb.conf file to accept kerberos keytab and also for
 the kerberos realm.

       realm = SONAS.COM
       use kerberos keytab = yes
       client use spnego = yes


 From M4, I do kinit user and then try to see exported shares from M3.

 [r...@sofsedun3 ~]# kinit domuser
 Password for domu...@sonas.com:
 [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
 [r...@sofsedun3 ~]# klist -e
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: domu...@sonas.com

 Valid starting     Expires            Service principal
 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas@sonas.com
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with
 CRC-32, DES cbc mode with CRC-32


 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached
 [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
 Enter domuser's password:
 Anonymous login successful
 Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]

        Sharename       Type      Comment
        ---------       ----      -------
        share           Disk      test share
        IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
 Anonymous login successful
 Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

 It works with anonymous login. But when i try to use -k it fails. I tried
 smbclient with -k and debug level 3. I get these on console.

 [r...@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
 lp_load_ex: refreshing parameters
 Initialising global parameters
 params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
 Processing section [global]
 added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
 added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
 added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
 Client started (version 3.2.8-ctdb-55).
 Connecting to 10.0.0.24 at port 445
 Doing spnego session setup (blob length=111)
 got OID=1 2 840 113554 1 2 2
 got OID=1 2 840 48018 1 2 2
 got OID=1 3 6 1 4 1 311 2 2 10
 got principal=cifs/sofsedun4.vsofs1@sonas.com
 Doing kerberos session setup
 ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
 Thu, 12 Mar 2009 21:36:54 TLT
 cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
 SPNEGO login failed: Logon failure
 session setup failed: NT_STATUS_LOGON_FAILURE
 [r...@sofsedun3 ~]# klist -e
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: domu...@sonas.com

 Valid starting     Expires            Service principal
 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas@sonas.com
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with
 CRC-32, DES cbc mode with CRC-32
 03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1@sonas.com
        renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with
 CRC-32, DES cbc mode with CRC-32

 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached


 On M3, I have enabled smbd logs with debug level 10. The corresponding
 errors for the above behavior are:

 [2009/03/11 21:58:54,  3] smbd/process.c:switch_message(1361)
  switch message SMBsesssetupX (pid 26858) conn 0x0
 [2009/03/11 21:58:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=12 flg2=0xc801
 [2009/03/11 21:58:54,  3]
 smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
 [2009/03/11 21:58:54,  3]
 smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
 [2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 466
 [2009/03/11 21:58:54,  3]
 libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
 Decrypt integrity check failed
 [2009/03/11 21:58:54,  3]
 libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
  ads_keytab_verify_ticket: 
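
A triage aid for smbd logs like the excerpts quoted in this thread, as an added example (not part of any poster's message and not Samba code): it rejoins the wrapped log records, extracts each ticket-verification failure, and marks deprecated Kerberos encryption types. The names `records`, `triage` and `ETYPES` are hypothetical, and the third sample record carries a constructed timestamp.

```python
import re

# Kerberos enctype numbers from the IANA registry. True marks types that are
# deprecated: single DES by RFC 6649, RC4-HMAC by RFC 8429.
ETYPES = {1: ("des-cbc-crc", True), 3: ("des-cbc-md5", True),
          17: ("aes128-cts-hmac-sha1-96", False),
          18: ("aes256-cts-hmac-sha1-96", False), 23: ("rc4-hmac", True)}

# smbd record header: "[date time,  level]", possibly indented by mail quoting.
HEADER = re.compile(r"^[ \t]*\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]", re.M)
DECRYPT = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")
RD_REQ = re.compile(r"krb5_rd_req with auth failed \((.+?)\)")

# First two records are copied from the smbd log in the thread; the third is
# constructed (timestamp invented) from the enc type [23] error quoted there.
SAMPLE = """\
[2009/03/11 21:58:54,  3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Decrypt integrity check failed
[2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_verify_ticket(458)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2009/03/13 00:00:00,  3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
"""

def records(text):
    """Yield (timestamp, body) with wrapped lines rejoined into one string."""
    chunks = HEADER.split(text)[1:]  # [stamp, body, stamp, body, ...]
    for stamp, body in zip(chunks[::2], chunks[1::2]):
        yield stamp, " ".join(body.split())

def triage(text):
    """Return one finding per ticket-decrypt or krb5_rd_req failure."""
    findings = []
    for stamp, body in records(text):
        if m := DECRYPT.search(body):
            name, deprecated = ETYPES.get(int(m.group(1)), ("unknown", False))
            findings.append({"time": stamp, "etype": int(m.group(1)), "name": name,
                             "deprecated": deprecated, "error": m.group(2)})
        if m := RD_REQ.search(body):
            findings.append({"time": stamp, "krb5_error": m.group(1)})
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A finding with `deprecated` set means the service key or ticket uses an encryption type that current Kerberos guidance retires, which is worth resolving alongside the decrypt failure itself.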

[Samba] Samba PDC - Kerberised CIFS access

2009-03-11 Thread Shahid M Shaikh
Hi All,

I have machine M1 hosting Samba PDC. It stores only user information.
I have machine M2 acting as KDC server.
I have machine M3 hosting CIFS shares and it joins into the domain hosted
by PDC M1.
I have machine M4 used as CIFS client.

On M2, I have added users and cifs/host service principals for M3. Also
added service principal in keytab file.
I have added all the user and service principals using des-cbc-crc
encryption triplet.

M3 and M4 are KDC clients. I have scped the keytab file on M3 from M2.

I have configured M3's smb.conf file to accept kerberos keytab and also for
the kerberos realm.

   realm = SONAS.COM
   use kerberos keytab = yes
   client use spnego = yes


From M4, I do kinit user and then try to see exported shares from M3.

[r...@sofsedun3 ~]# kinit domuser
Password for domu...@sonas.com:
[r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
[r...@sofsedun3 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domu...@sonas.com

Valid starting     Expires            Service principal
03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas@sonas.com
renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with
CRC-32, DES cbc mode with CRC-32


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
Enter domuser's password:
Anonymous login successful
Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]

        Sharename       Type      Comment
        ---------       ----      -------
        share           Disk      test share
        IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
Anonymous login successful
Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

It works with anonymous login. But when I try to use -k it fails. I tried
smbclient with -k and debug level 3. I get these on console.

[r...@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
Processing section [global]
added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
Client started (version 3.2.8-ctdb-55).
Connecting to 10.0.0.24 at port 445
Doing spnego session setup (blob length=111)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/sofsedun4.vsofs1@sonas.com
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
Thu, 12 Mar 2009 21:36:54 TLT
cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
[r...@sofsedun3 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domu...@sonas.com

Valid starting     Expires            Service principal
03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/sonas@sonas.com
renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with
CRC-32, DES cbc mode with CRC-32
03/11/09 21:39:15  03/12/09 21:36:54  cifs/sofsedun4.vsofs1@sonas.com
renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with
CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


On M3, I have enabled smbd logs with debug level 10. The corresponding
errors for the above behavior are:

[2009/03/11 21:58:54,  3] smbd/process.c:switch_message(1361)
  switch message SMBsesssetupX (pid 26858) conn 0x0
[2009/03/11 21:58:54,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=12 flg2=0xc801
[2009/03/11 21:58:54,  3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/03/11 21:58:54,  3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2009/03/11 21:58:54,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 466
[2009/03/11 21:58:54,  3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Decrypt integrity check failed
[2009/03/11 21:58:54,  3]
libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab
principals
[2009/03/11 21:58:54,  3] libads/kerberos_verify.c:ads_verify_ticket(458)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2009/03/11 21:58:54,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error