Sorry Christian!

Let me explain:

nss_ldap.so is a lib used by the nss switch (winbind) to look where to use authentication.
In order to have some response from the 2k AD domain, I think, and it's purely theoretical because I'm right now doing tests about it, you'll then need to install the 'Microsoft Windows Services For Unix', which provides the LDAP and NIS communication protocols to your Windows 2k AD controller.


As for the others, if someone knows something about all of this, such as a configuration which works (!), please tell us !

Thanks for reading

Bertram

From: "Christian HAESSIG" <[EMAIL PROTECTED]>
To: "Yohann Ferreira" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
Date: Tue, 4 May 2004 10:21:18 +0200

Hi Bertram, hi the list,

I added the samba list, so that they all get our mails :)

No, I don't use the nss_ldap.so library. What does it do?
You mentioned a tool set to install on the W2K3 server. What is this tool?
I found on the Microsoft knowledge base a registry modification concerning
Kerberos. I applied it, without any result.


By the way, I sent an ethereal log showing the communication between the W2K
client (192.168.2.33), the samba server (192.168.0.31) and the W2K3 server
(192.168.9.211). Did you get it ?
This log indicates the problem :
- there are first some krb5 exchanges between the W2K client and the W2K3
server
- then, the samba server sends a krb5 request using the encryptions 0x12
(unknown), 0x11 (unknown), des3-cbc-sha1, rc4-hmac, des-cbc-crc, des-cbc-md5
and des-cbc-md4
- the W2K3 server responds : error_code: KRB5KDC_ERR_PREAUTH_REQUIRED


Are there any krb5 experts in this list who could help us ? We would surely
appreciate !

Christian Haessig
Software engineer/Administrator
IRCAD/EITS
Phone : +33. (0)3.88.11.90.76
Fax   : +33. (0)3.88.11.90.99
mailto:[EMAIL PROTECTED]

> -----Original Message-----
> From: Yohann Ferreira [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 4 May 2004 10:06
> To: [EMAIL PROTECTED]
> Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
>
>
> I've got EXACTLY the same problem ! Exactly !
>
> Do you use the nss_ldap.so tool from PADL ?
>
> Cause I've that you have install a tool set on the w2k AD server...
>
> Is that right samba Team ?
>
> Thanks for reading !
>
> Bertram
>
>
> >From: "Christian HAESSIG" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Subject: [Samba] samba 3.0.2a & Win2003 AD controler
> >Date: Tue, 4 May 2004 09:07:35 +0200
> >
> >Hello samba experts !
> >
> >I have a big problem with my samba 3.0.2a on debian. I use winbindd, which
> >seems to work (getent passwd/group and wbinfo -u work), and the net ads
> >join worked too, but the authentication with the AD controller, hosted on
> >Win2003 Server, fails.
> >
> >Sample of the level 3 log file :
> >
> >...
> >[2004/05/04 08:47:20, 3] smbd/process.c:switch_message(685)
> > switch message SMBsesssetupX (pid 1210)
> >[2004/05/04 08:47:20, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638)
> > wct=12 flg2=0xc807
> >[2004/05/04 08:47:20, 2] smbd/sesssetup.c:setup_new_vc_session(591)
> > setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
> > Doing spnego session setup
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
> > NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> > Got OID 1 2 840 48018 1 2 2
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> > Got OID 1 2 840 113554 1 2 2
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> > Got OID 1 3 6 1 4 1 311 2 2 10
> >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(430)
> > Got secblob of size 1263
> >[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
> > ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
> >[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
> > ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> >[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> > Failed to verify incoming ticket!
> >...
> >
> >So, it seems there is a Kerberos problem. I use MIT krb5 1.3.3. I found a
> >technet article talking about a krb problem on win2003, and registry
> >modifications to apply. I did so, but nothing changed.
> >
> >Another point : I did a tcpdump between the samba server and the 2003
> >server. When I do a kinit, there is communication between the servers. But
> >when I try to connect to the samba server from a W2K client, there is no
> >communication between the samba and the W2K server !
> >
> >So, do you have an explanation ?
> >
> >Here is my krb5.conf file :
> >
> >[logging]
> > default = FILE:/var/log/krb5/libs.log
> > kdc = FILE:/var/log/krb5/kdc.log
> > admin_server = FILE:/var/log/krb5/admin.log
> >
> >[libdefaults]
> > ticket_lifetime = 24000
> > default_realm = IRCADSTAGE.FR
> >
> >[realms]
> > IRCADSTAGE.FR = {
> > kdc = stageadmin11.ircadstage.fr:88
> > default_domain = ircadstage.fr
> > }
> >
> >[domain_realm]
> > .ircadstage.fr = IRCADSTAGE.FR
> > ircadstage.fr = IRCADSTAGE.FR
> >
> >Thanks !
> >
> >Christian Haessig
> >Software engineer/Administrator
> >IRCAD/EITS
> >Phone : +33. (0)3.88.11.90.76
> >Fax : +33. (0)3.88.11.90.99
> >mailto:[EMAIL PROTECTED]
> >
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions: http://lists.samba.org/mailman/listinfo/samba
>
>
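
An added example, not part of the original thread and not Samba code: a small Python parser that pulls the ads_verify_ticket decrypt failures out of the level 3 log quoted above and names the Kerberos encryption type numbers, including the 0x12 and 0x11 values the capture listed as unknown. The function names are hypothetical; the etype numbers are the IANA-registered ones, named as they appear in the thread.

```python
import re

# Kerberos encryption type numbers (IANA registry), named as in the thread.
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
SINGLE_DES = {1, 2, 3}  # weak single-DES types

# Excerpt of the log from the thread, quote prefixes stripped, mail wrapping kept.
SAMPLE_LOG = """\
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
 ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
 ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
 Failed to verify incoming ticket!
"""

HEADER = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)")
DECRYPT_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

def parse_records(text):
    """Group the log into records: a header line plus its message lines."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def ticket_failures(records):
    """Return (timestamp, etype, name, error, is_single_des) per decrypt failure."""
    failures = []
    for rec in records:
        m = DECRYPT_FAIL.search(rec["msg"])
        if rec["func"] == "ads_verify_ticket" and m:
            n = int(m.group(1))
            failures.append((rec["ts"], n, ETYPES.get(n, "unknown"), m.group(2), n in SINGLE_DES))
    return failures

def name_etypes(numbers):
    """Name etype numbers taken from a packet capture, e.g. 0x12 and 0x11."""
    return [ETYPES.get(n, f"unknown({n})") for n in numbers]
```

Calling `ticket_failures(parse_records(SAMPLE_LOG))` reports the single failing ticket as etype 3, and `name_etypes([0x12, 0x11])` resolves the two values the capture could not name.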


