OK, thanks Bertram ! I do not use nss_ldap ; I don't know if it's really necessary (my nss_winbind works pretty well). But I will check it out ! Anyway, I need winbind authentication (so the use of nss_winbind). I think you use nss_ldap because you don't have winbind ? (so your /etc/nsswitch.conf doesn't have any reference to winbind).
Tell me if your try with SFU worked ! And, if somebody has any idea about this kerberos problem, don't hesitate :) I still have my ethereal log file, if someone wants it !

Thanks,

Christian Haessig
Software engineer/Administrator
IRCAD/EITS
Phone : +33. (0)3.88.11.90.76
Fax : +33. (0)3.88.11.90.99
mailto:[EMAIL PROTECTED]

> -----Original Message-----
> From: Yohann Ferreira [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 4 May 2004 11:52
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
>
>
> Sorry Christian !
>
> I explain :
>
> nss_ldap.so is a lib used by the nss switch (winbind) to look where to use
> authentication.
> In order to have some response from the 2k AD domain, I think, and it's
> purely theoretical because I'm right now doing tests about it, you'll need
> then to install the 'Microsoft Windows Services For Unix' which provides the
> LDAP and NIS communication protocol to your windows 2k AD controller.
>
> As for the others, if someone knows something about all of this, such as a
> configuration which works (!), please tell us !
>
> Thanks for reading
>
> Bertram
>
>
> >From: "Christian HAESSIG" <[EMAIL PROTECTED]>
> >To: "Yohann Ferreira" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> >Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
> >Date: Tue, 4 May 2004 10:21:18 +0200
> >
> >Hi Bertram, hi the list,
> >
> >I added the samba list, so that they all get our mails :)
> >
> >No, I don't use the nss_ldap.so library. What does it do ?
> >You told about a tool set to install on the W2K3 server. What is this tool ?
> >I found on the Microsoft knowledge base a registry modification concerning
> >kerberos. I applied it, without any result.
> >
> >By the way, I sent an ethereal log showing the communication between the W2K
> >client (192.168.2.33), the samba server (192.168.0.31) and the W2K3 server
> >(192.168.9.211). Did you get it ?
> >This log indicates the problem :
> >- there are first some krb5 exchanges between the W2K client and the W2K3
> >server
> >- then, the samba server sends a krb5 request using the encryptions 0x12
> >(unknown), 0x11 (unknown), des3-cbc-sha1, rc4-hmac, des-cbc-crc, des-cbc-md5
> >and des-cbc-md4
> >- the W2K3 server responds : error_code: KRB5KDC_ERR_PREAUTH_REQUIRED
> >
> >Are there any krb5 experts in this list who could help us ? We would surely
> >appreciate !
> >
> >Christian Haessig
> >Software engineer/Administrator
> >IRCAD/EITS
> >Phone : +33. (0)3.88.11.90.76
> >Fax : +33. (0)3.88.11.90.99
> >mailto:[EMAIL PROTECTED]
> >
> > > -----Original Message-----
> > > From: Yohann Ferreira [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, 4 May 2004 10:06
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [Samba] samba 3.0.2a & Win2003 AD controler
> > >
> > >
> > > I've got EXACTLY the same problem ! Exactly !
> > >
> > > Do you use the nss_ldap.so tool from PADL ?
> > >
> > > Cause I've that you have install a tool set on the w2k AD server...
> > >
> > > Is that right samba Team ?
> > >
> > > Thanks for reading !
> > >
> > > Bertram
> > >
> > >
> > > >From: "Christian HAESSIG" <[EMAIL PROTECTED]>
> > > >To: <[EMAIL PROTECTED]>
> > > >Subject: [Samba] samba 3.0.2a & Win2003 AD controler
> > > >Date: Tue, 4 May 2004 09:07:35 +0200
> > > >
> > > >Hello samba experts !
> > > >
> > > >I have a big problem with my samba 3.0.2a on debian. I use winbindd, which
> > > >seems to work (getent passwd/group and wbinfo -u works), and the net ads
> > > >join worked too, but the authentication with the AD controller, hosted on
> > > >Win2003 Server, fails.
> > > >
> > > >Sample of the level 3 log file :
> > > >
> > > >...
> > > >[2004/05/04 08:47:20, 3] smbd/process.c:switch_message(685)
> > > >  switch message SMBsesssetupX (pid 1210)
> > > >[2004/05/04 08:47:20, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> > > >  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638)
> > > >  wct=12 flg2=0xc807
> > > >[2004/05/04 08:47:20, 2] smbd/sesssetup.c:setup_new_vc_session(591)
> > > >  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
> > > >  Doing spnego session setup
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
> > > >  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> > > >  Got OID 1 2 840 48018 1 2 2
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> > > >  Got OID 1 2 840 113554 1 2 2
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
> > > >  Got OID 1 3 6 1 4 1 311 2 2 10
> > > >[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(430)
> > > >  Got secblob of size 1263
> > > >[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
> > > >  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
> > > >[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
> > > >  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> > > >[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> > > >  Failed to verify incoming ticket!
> > > >...
> > > >
> > > >So, it seems there is a kerberos problem. I use MIT krb5 1.3.3. I found a
> > > >technet article talking from a krb problem on win2003, and registry
> > > >modifications to apply.
> > > >I did so, but nothing changed.
> > > >
> > > >Another point : I did a tcpdump between the samba server and the 2003
> > > >server. When I do a kinit, there is communication between the servers. But
> > > >when I try to connect to the samba server from a W2K client, there is no
> > > >communication between the samba and the W2K server !
> > > >
> > > >So, do you have an explanation ?
> > > >
> > > >Here is my krb5.conf file :
> > > >
> > > >[logging]
> > > >  default = FILE:/var/log/krb5/libs.log
> > > >  kdc = FILE:/var/log/krb5/kdc.log
> > > >  admin_server = FILE:/var/log/krb5/admin.log
> > > >
> > > >[libdefaults]
> > > >  ticket_lifetime = 24000
> > > >  default_realm = IRCADSTAGE.FR
> > > >
> > > >[realms]
> > > >  IRCADSTAGE.FR = {
> > > >    kdc = stageadmin11.ircadstage.fr:88
> > > >    default_domain = ircadstage.fr
> > > >  }
> > > >
> > > >[domain_realm]
> > > >  .ircadstage.fr = IRCADSTAGE.FR
> > > >  ircadstage.fr = IRCADSTAGE.FR
> > > >
> > > >Thanks !
> > > >
> > > >Christian Haessig
> > > >Software engineer/Administrator
> > > >IRCAD/EITS
> > > >Phone : +33. (0)3.88.11.90.76
> > > >Fax : +33. (0)3.88.11.90.99
> > > >mailto:[EMAIL PROTECTED]
> > > >
> > > >--
> > > >To unsubscribe from this list go to the following URL and read the
> > > >instructions: http://lists.samba.org/mailman/listinfo/samba
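
Added example (not part of the original thread and not Samba's own code): a small Python reader for the level 3 log quoted above that names the SPNEGO mechanism OIDs and the Kerberos enctype numbers, including the 0x12 and 0x11 values the packet capture listed as unknown. The function names and the sample string are this example's own; the enctype numbers are those assigned in RFC 3961, RFC 3962 and RFC 4757.

```python
import re

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Mechanism OIDs a client can offer in SPNEGO.
MECHS = {"1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft legacy OID)",
         "1.2.840.113554.1.2.2": "Kerberos 5",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
# Sample input: lines from the log quoted in the thread, mail wraps rejoined.
SAMPLE_LOG = """\
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 48018 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 113554 1 2 2
[2004/05/04 08:47:20, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/05/04 08:47:20, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/05/04 08:47:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
"""

OID_RE = re.compile(r"Got OID ([\d ]+)")
ENC_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

def enctype_name(text):
    """Name an enctype written as '3' (Samba log) or '0x12' (packet capture)."""
    number = int(text, 0)
    return ENCTYPES.get(number, f"unknown({number})")

def summarise(log):
    """Return offered mechanisms, per-enctype decrypt failures and the verdict."""
    report = {"mechs": [], "decrypt_failures": [], "ticket_rejected": False}
    for line in log.splitlines():
        if m := OID_RE.search(line):
            oid = ".".join(m.group(1).split())
            report["mechs"].append(MECHS.get(oid, oid))
        elif m := ENC_RE.search(line):
            failure = (enctype_name(m.group(1)), m.group(2).strip())
            report["decrypt_failures"].append(failure)
        elif "Failed to verify incoming ticket" in line:
            report["ticket_rejected"] = True
    return report

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
    print([enctype_name(v) for v in ("0x12", "0x11")])  # "unknown" in the capture
```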
