I think it has something to do with the key type of the Kerberos tickets ( etype or enctype in krb5.conf ). Does Windows 2000 speak the same Kerberos 5 as Windows XP? Which key types are used by Windows? How do I know which enctype I need, and why doesn't the default enctype setting negotiate something that works?
It might also have something to do with trust relationships, since my samba machine is in domain D1.DOMAIN.COM, but my users are in domain D2.DOMAIN.COM. (And my client machine is in D3.DOMAIN.COM.) Each of these domains is an Active Directory tree, with trust relationships between them...
But it works with an XP client, so what's different between XP and Windows 2000?
Thanks,
Gordon
Configuration files follow.
-------------------------
# smb.conf:
[global]
workgroup = D1
realm = D1.DOMAIN.COM
security = ADS
password server = d1dc02.d1.domain.com
log file = /etc/samba/samba.log

[t]
comment = Test Share
path = /tmp
read only = No
guest ok = Yes
browseable = Yes
-------------------------
# krb5.conf:
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
default_realm = D1.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
# According to http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
# "the only supported encryption types are des3-hmac-sha1 and des-cbc-crc."
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# However, http://lists.samba.org/archive/samba/2004-October/093761.html suggests:
# default_tgs_enctypes = des-cbc-crc des-cbc-md5
# default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
D1.DOMAIN.COM = {
kdc = d1dc01.d1.domain.com
}
D2.DOMAIN.COM = {
kdc = d2dc01.d2.domain.com
}
------------------------------
# from an XP machine in the d2 Domain
C:\>net use * \\samba07\t
Drive Y: is now connected to \\samba07\t .
The command completed successfully.
-----------------------------
# from an XP machine NOT in the Domain
C:\>net use * \\samba07\t
The password or user name is invalid for \\samba07\t .
Enter the user name for 'samba07': d2\username
Enter the password for samba07:
Drive Z: is now connected to \\samba07\t .
The command completed successfully.
------------------------------ # from a Windows 2000 machine in the d2 Domain:
C:\>net use * \\samba07\t
The password or user name is invalid for \\samba07\t .
Type the password for \\samba07\t :
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
C:\>net use * \\samba07\t /USER:d2\username
The password or user name is invalid for \\samba07\t .
Type the password for \\samba07\t :
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
# I get this message in the samba.log:
[2004/10/13 17:44:51, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!
----------------------------
# List of relevant packages (These are the latest updates available for RHEL 3)
$ rpm -qa | egrep 'krb5|samba'
krb5-devel-1.2.7-28
krb5-libs-1.2.7-28
krb5-workstation-1.2.7-28
samba-3.0.7-1.3E
samba-client-3.0.7-1.3E
samba-common-3.0.7-1.3E
----------------------------
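Added example, not part of Gordon's post and not Samba or MIT krb5 code: a small Python script that parses the enctype settings of a krb5.conf like the one above into RFC 3961 etype numbers and reports which of the etypes the client requests for service tickets the service side could actually decrypt, given the etypes its own keys cover. The sample krb5.conf text and the service key sets are constructed for the example; a ticket whose etype the verifying side has no key (or library support) for cannot be decrypted, which is the situation "Failed to verify incoming ticket!" describes.

```python
import re
# RFC 3961 / RFC 4120 etype numbers for the enctype names krb5.conf accepts.
ETYPE_NUMBERS = {
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "des3-hmac-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "rc4-hmac": 23,
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
SETTING_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")

# Constructed sample that mirrors the [libdefaults] lines of the post above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = D1.DOMAIN.COM
# default_tgs_enctypes = des-cbc-crc des-cbc-md5   (commented out, must be ignored)
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
D1.DOMAIN.COM = { kdc = d1dc01.d1.domain.com }
"""
def parse_enctypes(conf_text):
    """Map each enctype setting in [libdefaults] to its etype numbers (in order),
    skipping comments and other sections; an unknown name raises ValueError."""
    result, section = {}, None
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = SETTING_RE.match(line)
        if section == "libdefaults" and m and m.group(1) in ENCTYPE_KEYS:
            names = m.group(2).split()
            unknown = [n for n in names if n not in ETYPE_NUMBERS]
            if unknown:
                raise ValueError(f"unknown enctype name(s) in {m.group(1)}: {unknown}")
            result[m.group(1)] = [ETYPE_NUMBERS[n] for n in names]
    return result

def common_etypes(conf, service_key_etypes):
    """Etypes the client requests for service tickets (default_tgs_enctypes, in
    preference order) that the service also holds a key for; empty means the
    service cannot decrypt, and so cannot verify, any ticket the client obtains."""
    return [e for e in conf.get("default_tgs_enctypes", []) if e in service_key_etypes]
```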
