Hi Tim,

I'm still with the krb5_tickets+AD problem. It worked for me once and I still don't know what I did. I thought it was the Administrator password change; however, I've done a clean installation on another server (RH8 again, with krb5 1.3.1 and samba_3.0.1rc2) and I have the same problem again.
Could you give me your "klist -e" output for your KDC server ticket? I'd like to compare it with mine. I still have the encryption set to ARCFOUR-HMAC-MD5 for my KDC server and I cannot change it to DES-CBC-MD5, although I have the following lines in my /etc/krb5.conf file:

default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
# Commented out the following line.
# permitted_enctypes = des-cbc-md5 des-cbc-crc

How can I change it to DES-CBC-MD5 ??

The ticket for my kdc server is:

12/18/03 11:15:22  12/18/03 21:03:19  [EMAIL PROTECTED]
        renew until 12/19/03 10:14:31, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Thanks and regards,

Fernando.

On Fri, 2003-12-12 at 21:56, Tim Jordan wrote:
> Browsing is working from my W2K and XP clients to the samba server
> using kerberos.
> Samba Server is joined to Active Directory as a Domain Member server.
>
> I commented out the following line of my krb5.conf:
>
> #permitted_enctypes = des-cbc-crc des-cbc-md5
>
> Make sure these lines are correct:
> default_tgs_enctypes = des-cbc-crc des-cbc-md5
> default_tkt_enctypes = des-cbc-crc des-cbc-md5
>
> *Make sure to stop and restart smbd, nmbd, and winbindd. These
> changes did nothing for me until I restarted at least winbindd.
>
>
> I set this up with Mandrake 9.2 using samba3.0.1-0.pre3.2mdk.i586
> rpm's from:
> http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/
>
>
> I'm working on a final write up of my configuration if anyone is
> interested in creating an Active Directory member server running Samba
> 3.
>
> Thanks to Jeff Jordan with the State of Alaska, Dept. of Labor for
> lending his Windows expertise!
>
> Tim
>
>
> On Fri, 2003-12-12 at 08:07, Tom Dickson wrote:
> > You can try running the
> >
> > strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> >
> > command and looking at what you get. 1-3-1 or something is MIT.
> >
> > Also, I'm wondering if the fact that you can connect by IP and not by
> > name indicates that the 2000 server is looking up the name in, say, DNS
> > only and ignoring WINS. Perhaps my WINS server is misconfigured.
> >
> > Well, I have to run Netbench tests, so I just dropped back to NT4 style
> > auth, which works fine for me.
> >
> > - -Tom
> >
> > Tim Jordan wrote:
> >
> > | Perhaps we can work together. Jerry mentioned in previous posts about
> > | the encryption options in the krb5.conf.
> > | The Official Samba How To states: "On a Windows 2000 client, try net
> > | use * \\server\share. You should be logged in with Kerberos without
> > | needing to know a password. If this fails then run klist tickets.
> > | Did you get a ticket for the server? Does it have an encryption type of
> > | DES-CBC-MD5?"
> > |
> > | "Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
> > | encoding."
> > |
> > | I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
> > | Jerry suggested:
> > |
> > | /etc/krb5.conf:
> > |
> > |> [EMAIL PROTECTED] samba3]# cat /etc/krb5.conf
> > |> [logging]
> > |>  default = FILE:/var/log/kerberos/krb5libs.log
> > |>  kdc = FILE:/var/log/kerberos/krb5kdc.log
> > |>  admin_server = FILE:/var/log/kerberos/kadmind.log
> > |>
> > |> [libdefaults]
> > |>  ticket_lifetime = 24000
> > |>  default_realm = LABOR.AK
> > |>  default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> > |>  default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > |>  permitted_enctypes = des-cbc-md5 des-cbc-crc
> > |>  dns_lookup_realm = false
> > |>  dns_lookup_kdc = false
> > |>  kdc_req_checksum_type = 2
> > |>  checksum_type = 2
> > |>  ccache_type = 1
> > |>  forwardable = true
> > |>  proxiable = true
> > |>
> > |> [realms]
> > |>  LABOR.AK = {
> > |>   kdc = MY-KDC.LABOR.AK:88
> > |>   admin_server = MY-KDC.LABOR.AK:749
> > |>   default_domain = LABOR.AK
> > |>  }
> > |>
> > |> [domain_realm]
> > |>  .LABOR.AK = LABOR.AK
> > |>
> > |> [kdc]
> > |>  profile = /etc/kerberos/krb5kdc/kdc.conf
> > |>
> > |> [pam]
> > |>  debug = false
> > |>  ticket_lifetime = 36000
> > |>  renew_lifetime = 36000
> > |>  forwardable = true
> > |>  krb4_convert = false
> > |>
> > |> [login]
> > |>  krb4_convert = false
> > |>  krb4_get_tickets = false
> > |>
> > | It did change the encryption ticket I'm getting when I kinit as my
> > | username.
> > |
> > |> Valid starting     Expires            Service principal
> > |> 12/11/03 16:00:49  12/12/03 02:01:00  krbtgt/[EMAIL PROTECTED]
> > |>         renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode
> > |> with RSA-MD5, DES cbc mode with RSA-MD5
> > |>
> > |>
> > |> Kerberos 4 ticket cache: /tmp/tkt0
> > |>
> > | Notice I'm getting "DES cbc mode with RSA-MD5".
> > |
> > | This did not solve the underlying problem of being able to view the
> > | samba shares from a w2k or xp client.
> > |
> > | How would I be able to tell if I'm using MIT or Heimdal kerberos?
> > |
> > | I did get this working on a Gentoo system, so I know it works.
> > |
> > | Who knows encryption on the list that can advise....anyone?
> > |
> > | Tim
> > |
> > | On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:
> > |
> > |> Same problem. I have been with it for weeks. I can connect using IP
> > |> address from the Win2k clients; however, with the netbios name I get the
> > |> error.
> > |>
> > |> Someone has told me today that this was solved in the new release
> > |> samba-3.0.1rc2-1; however, I've already tested it and I still have the
> > |> same problem.
> > |>
> > |> Please, any more clues?
> > |>
> > |> Thanks,
> > |>
> > |> Fernando.
> > |>
> > |>
> > |> On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
> > |>> I'm getting the same error about encryption ...
> > |>>
> > |>> I have taken Tom's lead and have provided the output below. Is there a
> > |>> certain version of krb5 that we should be running?
> > |>>
> > |>>
> > |>> [EMAIL PROTECTED] tim]# smbd3 --version
> > |>> Version 3.0.1pre3
> > |>>
> > |>> [EMAIL PROTECTED] tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> > |>> KRB5_BRAND: krb5-1-3-final 1.3 20030708
> > |>>
> > |>> I'm running Mandrake 9.2
> > |>>
> > |>> Thank You Samba Team!
> > |>> Tim
> > |>>
> > |>> On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
> > |>>
> > |>> > OK. I've done some more research, and here's what I get.
> > |>> >
> > |>> > smbd --version
> > |>> > Version 3.0.0
> > |>> >
> > |>> > strings libkrb5.so.3.2 | grep BRAND
> > |>> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
> > |>> >
> > |>> > Everything seems to work, but trying to access the Samba server
> > |>> > results in:
> > |>> >
> > |>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
> > |>> > ~ ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt
> > |>> > integrity check failed
> > |>> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
> > |>> > ~ ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> > |>> > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > |>> > ~ Failed to verify incoming ticket!
> > |>> > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
> > |>> > ~ error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
> > |>> > NT_STATUS_LOGON_FAILURE
> > |>> >
> > |>> > This is the same error you get if you're running the wrong KRB5 libs,
> > |>> > but I've got the right ones. The windows 2000 machine is 5.00.2195
> > |>> >
> > |>> > Windows 2000 clients connect to the ADS server fine, and will connect to
> > |>> > the Samba server if you enter Username/Password. The 2000 server cannot
> > |>> > connect to the Samba machine at all, even with the right username/pass.
> > |>> >
> > |>> > Is there a magic registry setting I'm missing?
> > |>> > I've changed the
> > |>> > Administrator password at least once.
> > |>> >
> > |>> > - -Tom
> > |>
> >

-- 
Fernando Ruza ([EMAIL PROTECTED])
Tfl: 949 209 215 661 123 845
Linux user: #273644 (http://counter.li.org)
Debian Sid (Kernel 2.4.20 & ext3)
-------------------------------------------------------------------
Please do NOT use proprietary file formats such as DOC and XLS for exchanging documents; use HTML, RTF, TXT, CSV or any other format that does not force you to use one particular vendor's program. Thank you.
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
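A small parser for the two things this thread keeps comparing, the "klist -e" ticket listing and the enctype lists in krb5.conf [libdefaults]; this is an added example, not code from the thread or from Samba or MIT krb5. It maps the enctype names klist prints to their krb5.conf identifiers and numeric ids (the "enc type [23]" in Tom's smbd log is arcfour-hmac-md5) and reports which service tickets were issued in an enctype outside default_tgs_enctypes; the sample ticket cache, principals and realm below are constructed.

```python
import re
# MIT "klist -e" enctype names -> (krb5.conf identifier, numeric enctype id).
# Samba logs the number, so "enc type [23]" in the smbd log is arcfour-hmac-md5.
KLIST_NAME_TO_ENCTYPE = {
    "DES cbc mode with CRC-32": ("des-cbc-crc", 1),
    "DES cbc mode with RSA-MD5": ("des-cbc-md5", 3),
    "ArcFour with HMAC/md5": ("arcfour-hmac-md5", 23),
}
CONF_ALIASES = {"rc4-hmac": "arcfour-hmac-md5", "arcfour-hmac": "arcfour-hmac-md5"}
TICKET_RE = re.compile(r"^\s*\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)\s*$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([^,]+),\s*(.+?)\s*$")

def parse_klist(text):
    """Return [{principal, skey, tkt}] for each ticket in 'klist -e' output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"principal": m.group(1), "skey": None, "tkt": None})
        else:
            m = ETYPE_RE.search(line)  # continuation: "renew until ..., Etype (skey, tkt): X, Y"
            if m and tickets:
                tickets[-1]["skey"], tickets[-1]["tkt"] = m.group(1).strip(), m.group(2).strip()
    return tickets

def configured_enctypes(krb5_conf, key="default_tgs_enctypes"):
    """Enctype list for one [libdefaults] key, aliases normalised; [] if the key is absent."""
    m = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % re.escape(key), krb5_conf, re.M)
    return [CONF_ALIASES.get(e, e) for e in m.group(1).split()] if m else []

def check_service_tickets(klist_text, krb5_conf):
    """Per non-TGT ticket: (principal, tkt enctype name, numeric id, listed in default_tgs_enctypes).
    The KDC encrypts the ticket with whatever key the service principal has, so the client list
    only governs what is asked for; a tkt enctype outside it points at the service account's keys."""
    wanted = set(configured_enctypes(krb5_conf))
    out = []
    for t in parse_klist(klist_text):
        if not t["principal"].startswith("krbtgt/"):
            name, num = KLIST_NAME_TO_ENCTYPE.get(t["tkt"], (t["tkt"], None))
            out.append((t["principal"], name, num, name in wanted))
    return out

# Constructed sample input in the format quoted in the thread; principals and realm are placeholders.
SAMPLE_KLIST = """Valid starting     Expires            Service principal
12/18/03 10:14:31  12/18/03 20:14:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/19/03 10:14:31, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
12/18/03 11:15:22  12/18/03 21:03:19  cifs/samba.example.com@EXAMPLE.COM
        renew until 12/19/03 10:14:31, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""
SAMPLE_CONF = "[libdefaults]\n default_tgs_enctypes = des-cbc-crc des-cbc-md5\n"
```

Run check_service_tickets(SAMPLE_KLIST, SAMPLE_CONF) to see the cifs ticket flagged as arcfour-hmac-md5 (id 23) outside the configured list, which is the situation both Fernando's klist output and Tom's smbd log describe.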
