Re: [Samba] Can't maintain a connection to the Server 2003 ADS on a subdomain

Mon, 13 Jun 2005 09:24:45 -0700 

Daniel Kvitko wrote:


Hello to every Samba expert out there,

We've been having a hard time figuring out a particular problem with Samba.
After joining the Server 2003 ADS, which is on a different subnet - just
going through a router, the membership would drop all of a sudden.
Everything works great when the Samba server is on the same subnet as the
Server 2003 ADS. I have posted some details on forums, here is a link if you
need to see the configuration:
http://www.learninglinux.com/modules.php?name=Forums&file=viewtopic&t=474

I have been struggling for weeks and really need some insight from some
experts. The purpose of the Samba servers is just for file sharing and we
really do not want to install Microsoft Servers. If there is no one here
that can offer any assistance, then I guess there isn't anyone out there
that can.

Hi Dan,
While processing a TGS request for the target server host/uni-samba.rhb.local, the account [EMAIL PROTECTED] did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 16. The accounts available etypes were 23 -133 -128 3 1. 

The requested enctype of 16 corresponds to DES3_CBC_SHA1.
The encryption types the 2003 server knows how to decode are
23 ARCFOUR_HMAC
3   DES_CBC_MD5
1   DES_CBC_CRC
I don't know what encryption types -133 & -128 are.
If you do a
   klist -ke
on the samba machine, it will list the keys in /etc/krb5.keytab and what encryption types they are. With your version of kerberos and samba, you should be joined normally without the flag for DES_CBC_MD5 encryption required. As fas as I know, this implies the samba server will be using ARCFOUR_HMAC which is the native encryption type of windows 2003. 
Would you mind verifying your keytab on the samba host still has a
   host/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
entry and that you ran the ktpass.exe on the windows 2003 server to generate the host entry for the samba machine? 

Regards, Doug

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Reply via email to