RE: Unable to authenticate with security=ADS

2002-11-14 Thread ZINKEVICIUS,MATT (HP-Loveland,ex1)
Starting up winbindd allows me to login!! I need to make sure that this
isn't just letting samba fall back to the old passthru style authentication.
Is there a quick way to tell which way it authenticated? Probably I can find
it in a debug level 10 log.

> [global]
> realm = CONSUMOMS.ARANEA.COM.MX
> ads server = MSKDC1.CONSUMOMS.ARANEA.COM.MX
> security = ads
> workgroup = CONSUMOMS
> 
> [personal]
> path = %H
> writable = yes
> 
> but I didn't see any info for realm and ads server in your smb.conf

Look again ;-) I have security = ads, ads server = IP address, and realm =
"" (samba autodetects).

Thanks for all your help Alberto!
--Matt



RE: Unable to authenticate with security=ADS

2002-11-14 Thread José Alberto Patiño Limón
On Thu, 2002-11-14 at 16:26, ZINKEVICIUS,MATT (HP-Loveland,ex1) wrote:
> > -Original Message-
> > From: José Alberto Patiño Limón [mailto:jalbertop@;aranea.com.mx]
> > Sent: Wednesday, November 13, 2002 6:43 PM
> > To: ZINKEVICIUS,MATT " "(HP-Loveland,ex1)
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: Unable to authenticate with security=ADS
> > 
> > 
> > Ok. Well I had the same problem when I was starting to setup SAMBA 3.0.
> > But I don't remember what I did to fix it.
> > 
> > I remember that the main problem that I had was with the nss_ldap module,
> > remember that you need to have the passwd and group info available to
> > the samba daemon. I have 2 setups to get this info from Active Directory
> > and OpenLDAP. But you must be certain at least that you have an entry in
> > the /etc/passwd to get the uid data for the W2K user that you are using
> > to share the storage in Samba.
> 
> I need a local unix account for every user that can authenticate via ADS? I
> want to use ADS for authentication, not local unix accounts. That's the
> whole point.
> 
> The error looks like a problem in ticket handling anyway, so I don't think
> this has to do with not being able to find a local account to verify
> against. sigh... I guess I'll go read the active directory code now.
> 
Well I think you are right. You are having problems in this section of
code:

    /* Verify the client's AP-REQ (the SPNEGO secblob) against the host key
     * held in our keytab; any krb5 error here becomes a logon failure. */
    if ((ret = krb5_rd_req(context, &auth_context, &packet,
                           NULL, keytab, NULL, &tkt))) {
        DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
                 error_message(ret)));
        return NT_STATUS_LOGON_FAILURE;
    }

So the origin of the problem is in the MIT krb5_rd_req function
call.

My smb.conf file is:

bash-2.05$ cat /usr/local/samba-3.0alpha20/lib/smb.conf 
[global]
realm = CONSUMOMS.ARANEA.COM.MX
ads server = MSKDC1.CONSUMOMS.ARANEA.COM.MX
security = ads
workgroup = CONSUMOMS

[personal]
path = %H
writable = yes

but I didn't see any info for realm and ads server in your smb.conf
 
my /etc/krb5.conf is:

[libdefaults]
default_realm = CONSUMOMS.ARANEA.COM.MX
egd_socket=/dev/egd-pool
clockskew = 300
#   default_etypes_des = des-cbc-crc arcfour-hmac-md5
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc

default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

[realms]

CONSUMOMS.ARANEA.COM.MX = {
kdc = MSKDC1.CONSUMOMS.ARANEA.COM.MX
kpasswd_server = MSKDC1.CONSUMOMS.ARANEA.COM.MX
admin_server = MSKDC1.CONSUMOMS.ARANEA.COM.MX
default_domain = CONSUMOMS.ARANEA.COM.MX
}

[domain_realm]
.consumoms.aranea.com.mx = CONSUMOMS.ARANEA.COM.MX
.CONSUMOMS.ARANEA.COM.MX = CONSUMOMS.ARANEA.COM.MX


Hope this helps you!

> > Just to be sure, I assume that you /etc/krb5.conf is configured to see
> > the kerberos "realm" for Active Directory.
> 
> Yep. My krb5.conf is attached to the original email if you want to look at
> it.
> 
> > I think that the klist tickets command is supposed to be tested in the
> > W2K machine and noy in the unix box.
> 
> My W2K box doesn't seem to have klist installed (At least not in my path)

You need to download the klist command from the MS Site. Search for the
free W2K Resource Kit utilities.

Alberto




RE: Unable to authenticate with security=ADS

2002-11-14 Thread ZINKEVICIUS,MATT (HP-Loveland,ex1)
> -Original Message-
> From: José Alberto Patiño Limón [mailto:jalbertop@;aranea.com.mx]
> Sent: Wednesday, November 13, 2002 6:43 PM
> To: ZINKEVICIUS,MATT " "(HP-Loveland,ex1)
> Cc: [EMAIL PROTECTED]
> Subject: RE: Unable to authenticate with security=ADS
> 
> 
> Ok. Well I had the same problem when I was starting to setup SAMBA 3.0.
> But I don't remember what I did to fix it.
> 
> I remember that the main problem that I had was with the nss_ldap module,
> remember that you need to have the passwd and group info available to
> the samba daemon. I have 2 setups to get this info from Active Directory
> and OpenLDAP. But you must be certain at least that you have an entry in
> the /etc/passwd to get the uid data for the W2K user that you are using
> to share the storage in Samba.

I need a local unix account for every user that can authenticate via ADS? I
want to use ADS for authentication, not local unix accounts. That's the
whole point.

The error looks like a problem in ticket handling anyway, so I don't think
this has to do with not being able to find a local account to verify
against. sigh... I guess I'll go read the active directory code now.

> Just to be sure, I assume that your /etc/krb5.conf is configured to see
> the kerberos "realm" for Active Directory.

Yep. My krb5.conf is attached to the original email if you want to look at
it.

> I think that the klist tickets command is supposed to be tested in the
> W2K machine and not in the unix box.

My W2K box doesn't seem to have klist installed (At least not in my path)

--Matt



RE: Unable to authenticate with security=ADS

2002-11-13 Thread José Alberto Patiño Limón
Ok. Well I had the same problem when I was starting to setup SAMBA 3.0.
But I don't remember what I did to fix it.

I remember that the main problem that I had was with the nss_ldap module,
remember that you need to have the passwd and group info available to
the samba daemon. I have 2 setups to get this info from Active Directory
and OpenLDAP. But you must be certain at least that you have an entry in
the /etc/passwd to get the uid data for the W2K user that you are using
to share the storage in Samba.

Just to be sure, I assume that your /etc/krb5.conf is configured to see
the kerberos "realm" for Active Directory.

I think that the klist tickets command is supposed to be tested in the
W2K machine and not in the unix box.



On Wed, 2002-11-13 at 14:50, ZINKEVICIUS,MATT (HP-Loveland,ex1) wrote:
> > -Original Message-
> > From: José Alberto Patiño Limón [mailto:jalbertop@;aranea.com.mx]
> > Sent: Wednesday, November 13, 2002 12:05 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: Re: Unable to authenticate with security=ADS
> >
> > Did you try to run net ads join first and after run the smbd and nmbd
> > daemons later?
> > 
> > Try it. But now use net ads leave first to delete the computer account
> > in AD.
> 
> Thanks. I tried that and it didn't help.
> 
> Also, another oddity is that if I try to access the share using the IP
> address as the server name it fails slightly differently:
> 
> [2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(551)
>   Doing spnego session setup
> [2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
>   Got OID 1 2 840 48018 1 2 2
> [2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
>   Got OID 1 3 6 1 4 1 311 2 2 10
> [2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(266)
>   Got secblob of size 1179
> [2002/11/13 13:30:54, 1] libads/kerberos_verify.c:ads_verify_ticket(91)
>   krb5_parse_name(HOST/charlie@) failed (Malformed representation of
> principal)
> [2002/11/13 13:30:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(134)
>   Failed to verify incoming ticket!
> 
> Anybody?? :-)
> 
> --Matt





RE: Unable to authenticate with security=ADS

2002-11-13 Thread ZINKEVICIUS,MATT (HP-Loveland,ex1)
> -Original Message-
> From: José Alberto Patiño Limón [mailto:jalbertop@;aranea.com.mx]
> Sent: Wednesday, November 13, 2002 12:05 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: Unable to authenticate with security=ADS
>
> Did you try to run net ads join first and after run the smbd and nmbd
> daemons later?
> 
> Try it. But now use net ads leave first to delete the computer account
> in AD.

Thanks. I tried that and it didn't help.

Also, another oddity is that if I try to access the share using the IP
address as the server name it fails slightly differently:

[2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(551)
  Doing spnego session setup
[2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
  Got OID 1 2 840 48018 1 2 2
[2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2002/11/13 13:30:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(266)
  Got secblob of size 1179
[2002/11/13 13:30:54, 1] libads/kerberos_verify.c:ads_verify_ticket(91)
  krb5_parse_name(HOST/charlie@) failed (Malformed representation of
principal)
[2002/11/13 13:30:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(134)
  Failed to verify incoming ticket!

Anybody?? :-)

--Matt



Re: Unable to authenticate with security=ADS

2002-11-13 Thread José Alberto Patiño Limón
On Tue, 2002-11-12 at 23:59, ZINKEVICIUS,MATT (HP-Loveland,ex1) wrote:
> Howdy gang,
> I am trying to use samba 3.0 to authenticate using kerberos/ldap to my ADS
> server. It's not working. I am mostly going by tridge's ADS-HOWTO.
> 
> My Setup:
> - Win2k ADS server (dc-native.home.sln)
> - Realm name is HOME.SLN
> - Linux running samba 3.0alpha21cvs from a couple days ago
> (charlie.home.sln)
>   - MIT kerberos5 1.2.6
>   - OpenLDAP 2.1.5
> - krb5.conf and smb.conf are attached
> 
> Here is what I am doing:
> 
> 1. Start smbd/nmbd
> 2. Run "kdestroy" to empty the ticket cache
> 3. Run "net ads join -UAdministrator". It says it joined the realm
> successfully.
> 4. Run "klist" (not "klist tickets" as mentioned in the HOWTO which errors
> out)
> 
Did you try to run net ads join first and after run the smbd and nmbd
daemons later?

Try it. But now use net ads leave first to delete the computer account
in AD.
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
> 
> Valid starting      Expires             Service principal
> 11/12/02 21:49:53  11/13/02 07:49:53  [EMAIL PROTECTED]
> 11/12/02 21:49:53  11/13/02 07:49:53  dc-native$@HOME.SLN
> 11/12/02 21:49:55  11/13/02 07:49:53  [EMAIL PROTECTED]
> 
> 5. Attempt to connect to a share from the dc-native box, which requests a
> password :-(
> 
> The interesting (at least to me) part of log.smbd is:
> 
> [2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(551)
>   Doing spnego session setup
> [2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
>   Got OID 1 2 840 48018 1 2 2
> [2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(259)
>   Got OID 1 3 6 1 4 1 311 2 2 10
> [2002/11/12 21:50:38, 3] smbd/sesssetup.c:reply_spnego_negotiate(266)
>   Got secblob of size 1339
> [2002/11/12 21:50:38, 3] libads/kerberos_verify.c:ads_verify_ticket(125)
>   krb5_rd_req with auth failed (Decrypt integrity check failed)
> [2002/11/12 21:50:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(134)
>   Failed to verify incoming ticket!
> [2002/11/12 21:50:38, 3] smbd/error.c:error_packet(94)
>   error string = No such file or directory
> [2002/11/12 21:50:38, 3] smbd/error.c:error_packet(113)
>   error packet at smbd/sesssetup.c(136) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> 
> Anybody have any idea what I am doing wrong? Full level 10 log available if
> that helps.
> 
> Matt Zinkevicius
> Software Engineer
> Network Storage Array Solutions
> Hewlett-Packard
> 
>
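As an added example (not part of this thread or of Samba), a small checker that parses smbd log records like the two excerpts quoted above and maps the krb5 failure strings to a likely cause; the sample text is constructed from the excerpts, and the diagnosis wording is the author's own.

```python
import re

# A Samba log record is a "[date time, level] file.c:function(line)" header
# line followed by one or more indented (possibly wrapped) message lines.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
RD_REQ_RE = re.compile(r"krb5_rd_req with auth failed \((.*)\)")
PARSE_NAME_RE = re.compile(r"krb5_parse_name\(([^)]*)\) failed")

def parse_samba_log(text):
    # Group each header with its continuation lines into one record.
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"ts": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "message": ""})
        elif records and line.strip():
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + line.strip()).strip()
    return records

def diagnose(message):
    # Map the krb5 failure strings quoted in this thread to a defender's reading.
    m = RD_REQ_RE.search(message)
    if m and "integrity" in m.group(1).lower():
        # The AP-REQ ticket did not decrypt with the keytab entry: the key in
        # the keytab differs from the one the KDC used to issue the ticket.
        return "keytab key mismatch for the service principal"
    m = PARSE_NAME_RE.search(message)
    if m and m.group(1).endswith("@"):
        # Nothing after '@': the service principal was built with an empty
        # realm (in this thread, when the client addressed the server by IP).
        return "empty realm in service principal"
    return None

def kerberos_failures(text):
    # Return (timestamp, diagnosis) for every record matching a known failure.
    out = []
    for rec in parse_samba_log(text):
        d = diagnose(rec["message"])
        if d:
            out.append((rec["ts"], d))
    return out

# Constructed sample made from the two failure excerpts quoted in this thread.
SAMPLE = """\
[2002/11/12 21:50:38, 3] libads/kerberos_verify.c:ads_verify_ticket(125)
  krb5_rd_req with auth failed (Decrypt integrity check failed)
[2002/11/13 13:30:54, 1] libads/kerberos_verify.c:ads_verify_ticket(91)
  krb5_parse_name(HOST/charlie@) failed (Malformed representation of
principal)
"""
```

Run `kerberos_failures(open("log.smbd").read())` against a real log.smbd to list only the records that explain a rejected SPNEGO Kerberos login.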