Hi Bertram, hi the list, I added the samba list, so that they all get our mails :)
No, I don't use the nss_ldap.so library. What does it do ? You talked about a tool set to install on the W2K3 server. What is this tool ?

I found on the Microsoft knowledge base a registry modification concerning kerberos. I applied it, without any result.

By the way, I sent an ethereal log showing the communication between the W2K client (192.168.2.33), the samba server (192.168.0.31) and the W2K3 server (192.168.9.211). Did you get it ?

This log indicates the problem :
- there are first some krb5 exchanges between the W2K client and the W2K3 server
- then, the samba server sends a krb5 request using the encryptions 0x12 (unknown), 0x11 (unknown), des3-cbc-sha1, rc4-hmac, des-cbc-crc, des-cbc-md5 and des-cbc-md4
- the W2K3 server responds : error_code: KRB5KDC_ERR_PREAUTH_REQUIRED

Are there any krb5 experts in this list who could help us ? We would surely appreciate it !

Christian Haessig
Software engineer/Administrator
IRCAD/EITS
Phone : +33. (0)3.88.11.90.76
Fax : +33. (0)3.88.11.90.99
mailto:[EMAIL PROTECTED]

> -----Original Message-----
> From: Yohann Ferreira [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 4 May 2004 10:06
> To: [EMAIL PROTECTED]
> Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
>
>
> I've got EXACTLY the same problem ! Exactly !
>
> Do you use the nss_ldap.so tool from PADL ?
>
> Cause I've that you have install a tool set on the w2k AD server...
>
> Is that right samba Team ?
>
> Thanks for reading !
>
> Bertram
>
>
> >From: "Christian HAESSIG" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Subject: [Samba] samba 3.0.2a & Win2003 AD controler
> >Date: Tue, 4 May 2004 09:07:35 +0200
> >
> >Hello samba experts !
> >
> >I have a big problem with my samba 3.0.2a on debian. I use winbindd, which
> >seems to work (getent passwd/group and wbinfo -u works), and the net ads
> >join worked too, but the authentication with the AD controller, hosted on
> >Win2003 Server, fails.
> >
> >Sample of the level 3 log file :
> >
> >...
> >[2004/05/04 08:47:20, 3] smbd/process.c:switch_message(685)
> >  switch message SMBsesssetupX (pid 1210)
> >[2004/05/04 08:47:20, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> >  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638)
> >  wct=12 flg2=0xc807
> >[2004/05/04 08:47:20, 2] smbd/sesssetup.c:setup_new_vc_session(591)
> >  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
> >  Doing spnego session setup
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
> >  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> >  Got OID 1 2 840 48018 1 2 2
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> >  Got OID 1 2 840 113554 1 2 2
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> >  Got OID 1 3 6 1 4 1 311 2 2 10
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(430)
> >  Got secblob of size 1263
> >[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
> >  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
> >[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
> >  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> >[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> >  Failed to verify incoming ticket!
> >...
> >
> >So, it seems there is a kerberos problem. I use MIT krb5 1.3.3. I found a
> >technet article talking about a krb problem on win2003, and registry
> >modifications to apply. I did so, but nothing changed.
> >
> >Another point : I did a tcpdump between the samba server and the 2003
> >server. When I do a kinit, there is communication between the servers.
> >But when I try to connect to the samba server from a W2K client, there is no
> >communication between the samba and the W2K server !
> >
> >So, do you have an explanation ?
> >
> >Here is my krb5.conf file :
> >
> >[logging]
> > default = FILE:/var/log/krb5/libs.log
> > kdc = FILE:/var/log/krb5/kdc.log
> > admin_server = FILE:/var/log/krb5/admin.log
> >
> >[libdefaults]
> > ticket_lifetime = 24000
> > default_realm = IRCADSTAGE.FR
> >
> >[realms]
> > IRCADSTAGE.FR = {
> > kdc = stageadmin11.ircadstage.fr:88
> > default_domain = ircadstage.fr
> > }
> >
> >[domain_realm]
> > .ircadstage.fr = IRCADSTAGE.FR
> > ircadstage.fr = IRCADSTAGE.FR
> >
> >Thanks !
> >
> >Christian Haessig
> >Software engineer/Administrator
> >IRCAD/EITS
> >Phone : +33. (0)3.88.11.90.76
> >Fax : +33. (0)3.88.11.90.99
> >mailto:[EMAIL PROTECTED]
> >
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions: http://lists.samba.org/mailman/listinfo/samba
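
Added example, not part of the original messages and not Samba code: a small parser for the smbd level 3 log format quoted in this thread that extracts each `ads_verify_ticket` decryption failure and names the Kerberos encryption type number it reports, using the IANA-registered numbers (which also give names for the 0x12 and 0x11 values the capture listed as unknown). The sample log is copied from the thread, mail line wrap included; the function names and the `single_des` flag are hypothetical.

```python
import re

# Kerberos encryption type numbers from the IANA registry (types named in this thread).
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
SINGLE_DES = {1, 2, 3}  # single-DES types, worth flagging when they show up

# An smbd log record is a bracketed header line followed by message lines.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*\d+\]\s+\S+:(?P<fn>\w+)\(\d+\)")
ENC_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

# Sample input: two records copied from the thread, with the mail client's line wrap.
SAMPLE_LOG = """\
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""

def etype_name(number):
    return ETYPES.get(number, f"unknown({number})")

def parse_records(text):
    """Yield (timestamp, function, message), rejoining wrapped message lines."""
    current = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if current:
                yield tuple(current)
            current = [m["ts"], m["fn"], ""]
        elif current is not None and raw.strip():
            current[2] = f"{current[2]} {raw.strip()}".strip()
    if current:
        yield tuple(current)

def ticket_failures(text):
    failures = []
    for ts, fn, msg in parse_records(text):
        m = ENC_FAIL.search(msg)
        if fn == "ads_verify_ticket" and m:
            n = int(m.group(1))
            failures.append({"time": ts, "etype": n, "name": etype_name(n),
                             "single_des": n in SINGLE_DES, "error": m.group(2)})
    return failures
```

Calling `ticket_failures()` on a full smbd log gives one entry per failed ticket decryption, which can be compared against the encryption types seen in the capture.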
