Oups, I made a mistake : the samba server communicates through kerberos with the W2K3 server. I attached the ethereal log which shows all the kerberos packages going to or from the W2K3 server.
Thanks, Christian Haessig Software engineer/Administrator IRCAD/EITS Phone : +33. (0)3.88.11.90.76 Fax : +33. (0)3.88.11.90.99 mailto:[EMAIL PROTECTED] > -----Message d'origine----- > De : [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > rg]De la part de Christian HAESSIG > Envoy� : mardi 4 mai 2004 09:08 > � : [EMAIL PROTECTED] > Objet : [Samba] samba 3.0.2a & Win2003 AD controler > > > Hello samba experts ! > > I have a big problem with my samba 3.0.2a on debian. I use winbindd, which > seems to work (getent passwd/group and wbinfo -u works), and the net ads > join worked too, but the authentication with the AD controler, hosted on > Win2003 Server, fails. > > Sample of the level 3 log file : > > ... > [2004/05/04 08:47:20, 3] smbd/process.c:switch_message(685) > switch message SMBsesssetupX (pid 1210) > [2004/05/04 08:47:20, 3] smbd/sec_ctx.c:set_sec_ctx(288) > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 > [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638) > wct=12 flg2=0xc807 > [2004/05/04 08:47:20, 2] smbd/sesssetup.c:setup_new_vc_session(591) > setup_new_vc_session: New VC == 0, if NT4.x compatible we would > close all > old resources. > [2004/05/04 08:47:20, 3] > smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518) > Doing spnego session setup > [2004/05/04 08:47:20, 3] > smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549) > NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] > PrimaryDomain=[] > [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427) > Got OID 1 2 840 48018 1 2 2 > [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427) > Got OID 1 2 840 113554 1 2 2 > [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427) > Got OID 1 3 6 1 4 1 311 2 2 10 > [2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(430) > Got secblob of size 1263 > [2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323) > ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt > integrity check failed > [2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330) > ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type) > [2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) > Failed to verify incoming ticket! > ... > > So, it seems there is a kerberos problem. I use MIT krb5 1.3.3. I found a > technet article talking from a krb problem on win2003, and registry > modifications to apply. I did so, but nothing changed. > > Another point : I did a tcpdump between the samba server and the 2003 > server. When I do a kinit, there is communication between the servers. But > when I try to connect to the samba server from a W2K client, there is no > communication between the samba and the W2K server ! > > So, do you have an explanation ? > > Here is my krb5.conf file : > > [logging] > default = FILE:/var/log/krb5/libs.log > kdc = FILE:/var/log/krb5/kdc.log > admin_server = FILE:/var/log/krb5/admin.log > > [libdefaults] > ticket_lifetime = 24000 > default_realm = IRCADSTAGE.FR > > [realms] > IRCADSTAGE.FR = { > kdc = stageadmin11.ircadstage.fr:88 > default_domain = ircadstage.fr > } > > [domain_realm] > .ircadstage.fr = IRCADSTAGE.FR > ircadstage.fr = IRCADSTAGE.FR > > Thanks ! > > Christian Haessig > Software engineer/Administrator > IRCAD/EITS > Phone : +33. (0)3.88.11.90.76 > Fax : +33. (0)3.88.11.90.99 > mailto:[EMAIL PROTECTED] > > -- > To unsubscribe from this list go to the following URL and read the > instructions: http://lists.samba.org/mailman/listinfo/samba
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
