Re: [Samba] Samba 3: is LDAP required?
On Tue, Oct 21, 2003 at 09:43:03PM +, John H Terpstra wrote:
> > Alright, does samba support joining a Samba Win2k3 domain in native 2003 mode? I have asked this before and not gotten a straight answer. The HOWTO does not cover this specific topic; I get Decrypt Integrity Failed errors for the Kerberos tickets from said domain. I see something about Heimdal less than version 0.6 not working with Win2k3 (no mention of native 2k3 or native or whatever).
>
> It will work if Samba-3 has been compiled with MIT Kerberos 1.3.x, not 1.2.x. Alternately, Samba-3 compiled with Heimdal 0.6.1 or later should work fine with Win2003 Native ADS.

Alright, background: Windows 2003 running in Native 2003 Mode (the highest one). Samba 3.0.1pre1, two versions compiled, one with MIT krb5 1.3.1 and one with the latest snapshot of Heimdal 0.6-20031022.

OK, I don't think that you are correct. With Heimdal (0.6 release 20031022, there is no 0.6.1 that I can find) I get this:

  [2003/10/22 15:22:45, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
    krb5_cc_get_principal failed (No such file or directory)
  [2003/10/22 15:22:46, 0] libads/kerberos.c:ads_kinit_password(133)
    kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown error -1765328332

The error is KRB5KRB_ERR_RESPONSE_TOO_BIG.

  [EMAIL PROTECTED] heimdal-0.6-20031022]# grep -r 1765328332 *
  include/krb5_err.h:     KRB5KRB_ERR_RESPONSE_TOO_BIG = -1765328332,
  lib/krb5/krb5_err.h:    KRB5KRB_ERR_RESPONSE_TOO_BIG = -1765328332,

This is when running `net ads join -U derek` and typing in my Windows administrator password.

I can get further with MIT krb5-1.3.1: I can do a net ads join and successfully join the domain, but then get the decrypt integrity failed error when a client tries to connect.

The log for Heimdal is attached; I will send the one for MIT krb5 after.

-- 
Derek T. Yarnell
University of Maryland Computer Science Department Unix Staff
[EMAIL PROTECTED]

[attachment: Heimdal log]

  [2003/10/22 15:31:49, 5] lib/debug.c:debug_dump_status(359)
    INFO: Current debug levels:
      all: True/10
      tdb: False/0
      printdrivers: False/0
      lanman: False/0
      smb: False/0
      rpc_parse: False/0
      rpc_srv: False/0
      rpc_cli: False/0
      passdb: False/0
      sam: False/0
      auth: False/0
      winbind: False/0
      vfs: False/0
      idmap: False/0
  [2003/10/22 15:31:49, 3] param/loadparm.c:lp_load(3914)
    lp_load: refreshing parameters
  [2003/10/22 15:31:49, 3] param/loadparm.c:init_globals(1301)
    Initialising global parameters
  [2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(87)
    Attempting to register new charset UCS-2LE
  [2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(95)
    Registered charset UCS-2LE
  [2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(87)
    Attempting to register new charset UTF8
  [2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(95)
    Registered charset UTF8
  [2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(87)
    Attempting to register new charset ASCII
  [2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(95)
    Registered charset ASCII
  [2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(87)
    Attempting to register new charset 646
  [2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(95)
    Registered charset 646
  [2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(87)
    Attempting to register new charset UCS2-HEX
  [2003/10/22 15:31:49, 5] lib/iconv.c:smb_register_charset(95)
    Registered charset UCS2-HEX
  [2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
    Substituting charset 'ISO-8859-1' for LOCALE
  [2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
    Substituting charset 'ISO-8859-1' for LOCALE
  [2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
    Substituting charset 'ISO-8859-1' for LOCALE
  [2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
    Substituting charset 'ISO-8859-1' for LOCALE
  [2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
    Substituting charset 'ISO-8859-1' for LOCALE
  [2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
    Substituting charset 'ISO-8859-1' for LOCALE
  [2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
    Substituting charset 'ISO-8859-1' for LOCALE
  [2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
    Substituting charset 'ISO-8859-1' for LOCALE
  [2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
    Substituting charset 'ISO-8859-1' for LOCALE
  [2003/10/22 15:31:49, 5] lib/charcnv.c:charset_name(74)
    Substituting charset 'ISO-8859-1' for LOCALE
  [2003/10/22 15:31:49, 3] param/params.c:pm_process(566)
    params.c:pm_process() - Processing configuration file /usr/local/samba-3.0.1pre1/lib/smb.conf
  [2003/10/22 15:31:49, 3] param/loadparm.c:do_section(3417)
    Processing section [global]
    doing parameter workgroup = UMD-CSD-NT
    doing parameter server string = printer
    doing parameter security = ads
    doing parameter realm = PC.CS.UMD.EDU
    doing parameter use spnego = yes
    doing parameter load printers = yes
    doing parameter printing = cups
Re: [Samba] Samba 3: is LDAP required?
OK, a little more on the MIT krb5 one:

  [EMAIL PROTECTED] ~]# smbclient //kenny.cs.umd.edu/c$ -k -U derek%passwd -d 10
  SNIP
  [2003/10/22 16:33:06, 2] libsmb/cliconnect.c:cli_session_setup_spnego(635)
    Doing spnego session setup (blob length=108)
  [2003/10/22 16:33:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
    got OID=1 2 840 48018 1 2 2
  [2003/10/22 16:33:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
    got OID=1 2 840 113554 1 2 2
  [2003/10/22 16:33:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
    got OID=1 2 840 113554 1 2 2 3
  [2003/10/22 16:33:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
    got OID=1 3 6 1 4 1 311 2 2 10
  [2003/10/22 16:33:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(667)
    got [EMAIL PROTECTED]
  [2003/10/22 16:33:06, 0] libsmb/cliconnect.c:cli_session_setup_spnego(683)
    Kinit failed: Decrypt integrity check failed
  [2003/10/22 16:33:06, 10] intl/lang_tdb.c:lang_tdb_init(135)
  session setup failed: NT_STATUS_OK

  [EMAIL PROTECTED] ~]# ldd `which smbclient`
          libreadline.so.4 => /usr/lib/libreadline.so.4 (0x40033000)
          libncurses.so.5 => /usr/lib/libncurses.so.5 (0x4006)
          libcrypt.so.1 => /lib/libcrypt.so.1 (0x4009f000)
          libresolv.so.2 => /lib/libresolv.so.2 (0x400cc000)
          libnsl.so.1 => /lib/libnsl.so.1 (0x400de000)
          libdl.so.2 => /lib/libdl.so.2 (0x400f4000)
          libpopt.so.0 => /usr/lib/libpopt.so.0 (0x400f7000)
          libcrypto.so.2 => /lib/libcrypto.so.2 (0x4010)
          libgssapi_krb5.so.2 => /usr/local/krb5-1.3.1/lib/libgssapi_krb5.so.2 (0x401d4000)
          libkrb5.so.3 => /usr/local/krb5-1.3.1/lib/libkrb5.so.3 (0x401e5000)
          libk5crypto.so.3 => /usr/local/krb5-1.3.1/lib/libk5crypto.so.3 (0x40243000)
          libcom_err.so.3 => /usr/local/krb5-1.3.1/lib/libcom_err.so.3 (0x40263000)
          libldap.so.2 => /usr/lib/libldap.so.2 (0x40265000)
          liblber.so.2 => /usr/lib/liblber.so.2 (0x4029)
          libc.so.6 => /lib/i686/libc.so.6 (0x4200)
          /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
          libsasl.so.7 => /usr/lib/libsasl.so.7 (0x4029b000)
          libssl.so.2 => /lib/libssl.so.2 (0x402a6000)
          libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x402d6000)
          libpam.so.0 => /lib/libpam.so.0 (0x402dd000)

Also attached is the smbd -d 10 log for a session running the MIT krb5 1.3.1 version.

On Wed, Oct 22, 2003 at 03:38:03PM -0400, Derek T. Yarnell wrote:
> On Tue, Oct 21, 2003 at 09:43:03PM +, John H Terpstra wrote:
> > > Alright, does samba support joining a Samba Win2k3 domain in native 2003 mode? I have asked this before and not gotten a straight answer. The HOWTO does not cover this specific topic; I get Decrypt Integrity Failed errors for the Kerberos tickets from said domain. I see something about Heimdal less than version 0.6 not working with Win2k3 (no mention of native 2k3 or native or whatever).
> >
> > It will work if Samba-3 has been compiled with MIT Kerberos 1.3.x, not 1.2.x. Alternately, Samba-3 compiled with Heimdal 0.6.1 or later should work fine with Win2003 Native ADS.
>
> Alright, background: Windows 2003 running in Native 2003 Mode (the highest one). Samba 3.0.1pre1, two versions compiled, one with MIT krb5 1.3.1 and one with the latest snapshot of Heimdal 0.6-20031022.
>
> OK, I don't think that you are correct. With Heimdal (0.6 release 20031022, there is no 0.6.1 that I can find) I get this:
>
>   [2003/10/22 15:22:45, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
>     krb5_cc_get_principal failed (No such file or directory)
>   [2003/10/22 15:22:46, 0] libads/kerberos.c:ads_kinit_password(133)
>     kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown error -1765328332
>
> The error is KRB5KRB_ERR_RESPONSE_TOO_BIG.
>
>   [EMAIL PROTECTED] heimdal-0.6-20031022]# grep -r 1765328332 *
>   include/krb5_err.h:     KRB5KRB_ERR_RESPONSE_TOO_BIG = -1765328332,
>   lib/krb5/krb5_err.h:    KRB5KRB_ERR_RESPONSE_TOO_BIG = -1765328332,
>
> This is when running `net ads join -U derek` and typing in my Windows administrator password.
>
> I can get further with MIT krb5-1.3.1: I can do a net ads join and successfully join the domain, but then get the decrypt integrity failed error when a client tries to connect.
>
> The log for Heimdal is attached; I will send the one for MIT krb5 after.
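An added example, not code from the thread or from Samba: a small Python decoder for the raw Kerberos codes Samba prints as "Unknown error -1765328332". libkrb5 error values are its com_err table base (-1765328384) plus the RFC 4120 error-code number, so the offset is the protocol code: 52 is KRB_ERR_RESPONSE_TOO_BIG, the code found above by grepping the Heimdal headers, and 31 is KRB_AP_ERR_BAD_INTEGRITY, whose MIT message text is the "Decrypt integrity check failed" seen in the smbclient run. The sample log, its realm and the numeric form of the second error are constructed.

```python
import re

# libkrb5 error values are ERROR_TABLE_BASE_krb5 plus the RFC 4120 (section
# 7.5.9) error-code number, so the offset from the base is the protocol code.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB_ERROR_NAMES = {  # subset of RFC 4120 KRB-ERROR codes seen during AD joins
    24: "KDC_ERR_PREAUTH_FAILED",
    31: "KRB_AP_ERR_BAD_INTEGRITY",  # MIT text: "Decrypt integrity check failed"
    52: "KRB_ERR_RESPONSE_TOO_BIG",  # KDC reply did not fit in a UDP datagram
}
# Samba header "[YYYY/MM/DD HH:MM:SS, level] file.c:func(line)", then indented text.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")

# Constructed sample: two entries mirror the Heimdal join failure quoted in the
# thread; the third is a made-up numeric form of the MIT-side error.
SAMPLE_LOG = """\
[2003/10/22 15:22:45, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No such file or directory)
[2003/10/22 15:22:46, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password derek@EXAMPLE.REALM failed: Unknown error -1765328332
[2003/10/22 16:33:06, 0] libsmb/cliconnect.c:cli_session_setup_spnego(683)
  Kinit failed: Unknown error -1765328353
"""

def parse_samba_log(text):
    """Group a Samba debug log into dicts with time, level, where and msg."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)), "where": m.group(3), "msg": ""}
            entries.append(current)
        elif current is not None and line.strip():
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return entries

def decode_krb5_code(code):
    """Return (rfc4120_code, name) for a raw libkrb5 com_err value, else None."""
    offset = code - KRB5_ERROR_TABLE_BASE
    if 0 <= offset < 128:  # a com_err table holds at most 128 messages
        return offset, KRB_ERROR_NAMES.get(offset, "UNLISTED_KRB_ERROR")
    return None

def kerberos_failures(text):
    """List (time, where, rfc4120_code, name) for entries carrying a krb5 code."""
    found = []
    for e in parse_samba_log(text):
        for num in re.findall(r"-\d{6,}", e["msg"]):
            decoded = decode_krb5_code(int(num))
            if decoded:
                found.append((e["time"], e["where"]) + decoded)
    return found
```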
Re: [Samba] Samba 3: is LDAP required?
On Fri, Oct 17, 2003 at 09:00:48PM +, John H Terpstra wrote:
> On Wed, 15 Oct 2003, tvsjr wrote:
> > > Yes or no - is OpenLDAP required to be on the SAMBA 3.0 server in order for Active Directory support to work?
> >
> > Active Directory support == security = ads. Are you trying to make Samba act as an Active Directory server? If so, then Samba won't do that, you're SOL.
> >
> > If you're trying to make your Samba machine join an Active Directory, no, OpenLDAP is not required. The Active Directory must be running in Mixed or Native mode, not in Native 2003 (2k3 Server only) mode.

Alright, does samba support joining a Samba Win2k3 domain in native 2003 mode? I have asked this before and not gotten a straight answer. The HOWTO does not cover this specific topic; I get Decrypt Integrity Failed errors for the Kerberos tickets from said domain. I see something about Heimdal less than version 0.6 not working with Win2k3 (no mention of native 2k3 or native or whatever). Am I screwed?

> Not quite! Samba-3.0.x can join a Win2K3 AD Domain that is in Native Mode. This is documented in the Samba-HOWTO-Collection.pdf available with Samba-3 in the chapter on Domain Membership.
>
> PS: You can obtain this document from: http://us1.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
>
> It is also available from Amazon.Com as The Official Samba-3 HOWTO and Reference Guide for those who want a hard copy. The book has more information in it than the HOWTO.
>
> - John T.
>
> -- 
> John H Terpstra
> Email: [EMAIL PROTECTED]
>
> -- 
> To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba

-- 
Derek T. Yarnell
University of Maryland Computer Science Department Unix Staff
[EMAIL PROTECTED]
Re: [Samba] Samba 3: is LDAP required?
On Wed, 15 Oct 2003, tvsjr wrote:
> > Yes or no - is OpenLDAP required to be on the SAMBA 3.0 server in order for Active Directory support to work?
>
> Active Directory support == security = ads. Are you trying to make Samba act as an Active Directory server? If so, then Samba won't do that, you're SOL.
>
> If you're trying to make your Samba machine join an Active Directory, no, OpenLDAP is not required. The Active Directory must be running in Mixed or Native mode, not in Native 2003 (2k3 Server only) mode.

Not quite! Samba-3.0.x can join a Win2K3 AD Domain that is in Native Mode. This is documented in the Samba-HOWTO-Collection.pdf available with Samba-3 in the chapter on Domain Membership.

PS: You can obtain this document from: http://us1.samba.org/samba/docs/Samba-HOWTO-Collection.pdf

It is also available from Amazon.Com as The Official Samba-3 HOWTO and Reference Guide for those who want a hard copy. The book has more information in it than the HOWTO.

- John T.

-- 
John H Terpstra
Email: [EMAIL PROTECTED]
RE: [Samba] Samba 3: is LDAP required?
I found when running configure that the OpenLDAP library files are required in order for --with-ads to work. Samba 3.0 will make LDAP calls to the AD, so this is logical; as a result I've had to install OpenLDAP with a null backend in order to get everything to work.

-----Original Message-----
From: tvsjr [mailto:[EMAIL PROTECTED]
Sent: 15 October 2003 23:31
To: Ron Gage; [EMAIL PROTECTED]
Subject: Re: [Samba] Samba 3: is LDAP required?

> > Yes or no - is OpenLDAP required to be on the SAMBA 3.0 server in order for Active Directory support to work?
>
> Active Directory support == security = ads. Are you trying to make Samba act as an Active Directory server? If so, then Samba won't do that, you're SOL.
>
> If you're trying to make your Samba machine join an Active Directory, no, OpenLDAP is not required. The Active Directory must be running in Mixed or Native mode, not in Native 2003 (2k3 Server only) mode.
>
> Terry
Re: [Samba] Samba 3: is LDAP required?
> Yes or no - is OpenLDAP required to be on the SAMBA 3.0 server in order for Active Directory support to work?

Active Directory support == security = ads. Are you trying to make Samba act as an Active Directory server? If so, then Samba won't do that, you're SOL.

If you're trying to make your Samba machine join an Active Directory, no, OpenLDAP is not required. The Active Directory must be running in Mixed or Native mode, not in Native 2003 (2k3 Server only) mode.

Terry