Hello everyone,

I'm trying to make Samba authenticate clients against an Active Directory Server running on W2k3 R2. Samba is running on a Debian Linux:

virtual-101:~# dpkg -l | egrep -i '(samba|kerb)'
ii  krb5-config    1.17                  Configuration files for Kerberos Version 5
ii  krb5-user      1.6.dfsg.3~beta1-2    Basic programs to authenticate using MIT Kerberos
ii  libkadm55      1.6.dfsg.3~beta1-2    MIT Kerberos administration runtime libraries
ii  libkrb53       1.6.dfsg.3~beta1-2    MIT Kerberos runtime libraries
ii  samba          3.0.28-1              a LanManager-like file and printer server for Unix
ii  samba-common   3.0.28-1              Samba common files used by both the server and the client

This is the Samba and Kerberos configuration:

virtual-101:~# egrep -v '^(#|;|$)' /etc/samba/smb.conf
[global]
   workgroup = INTERNAL
   realm = INTERNAL.TESTLABOR.XX.COM
   preferred master = no
   server string = Samba Public Server
   include = /etc/samba/dhcp.conf
   dns proxy = no
   log file = /var/log/samba/log.%m
   log level = 5
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   encrypt passwords = yes
   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
   printcap name = cups
   printing = cups
   socket options = TCP_NODELAY
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum groups = yes
   winbind enum users = yes
   winbind separator = +
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   public = no
   writable = no
   create mode = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
[ftp]
   comment = Public FTP Resource
   writable = no
   locking = no
   path = /home/ftp
   public = yes
   guest ok = no


virtual-101:~# egrep -v '^$' /etc/krb5.conf
[libdefaults]
        default_realm = INTERNAL.TESTLABOR.XX.COM
        default_tgs_enctypes = des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        permitted_enctypes = des-cbc-crc des-cbc-md5
[realms]
        INTERNAL.TESTLABOR.XX.COM = {
                kdc = virtual-100.internal.testlabor.xx.com
                #admin_server = virtual-100.internal.testlabor.xx.com
        }
[domain_realms]
        .kerberos.server = INTERNAL.TESTLABOR.XX.COM


From the Samba Server, I was able to get a Kerberos ticket from the AD:
virtual-101:~# kinit  [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
virtual-101:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
01/07/08 17:06:58  01/08/08 03:07:00  krbtgt/[EMAIL PROTECTED]
renew until 01/08/08 17:06:58, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

From the Samba Server I am able to mount a local resource, either by using the Kerberos ticket or by authentication with a Domain User:
virtual-101:~# smbclient -k //virtual-101/ftp
OS=[Unix] Server=[Samba 3.0.28]
smb: \>
virtual-101:~# smbclient  -U INTERNAL+test1 //virtual-101/ftp
Password:
Domain=[INTERNAL] OS=[Unix] Server=[Samba 3.0.28]
smb: \>

The problem is that from a Windows 2k workstation (also part of the Domain), the mapping of the Samba resource is possible only when using the IP address of the Samba server ("net use y: \\10.10.0.101\ftp /USER:INTERNAL\test1") but not when using the Hostname of the Samba server ("net use y: \\virtual-101\ftp /USER:INTERNAL\test1"). When using the Hostname of the Samba server, this is what Samba is logging:

..................
[2008/01/07 17:46:37, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/01/07 17:46:37, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2008/01/07 17:46:37, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2008/01/07 17:46:37, 5] smbd/sesssetup.c:parse_spnego_mechanisms(667)
  parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2008/01/07 17:46:37, 5] smbd/sesssetup.c:parse_spnego_mechanisms(667)
  parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2008/01/07 17:46:37, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1236
[2008/01/07 17:46:37, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Encryption type not permitted
[2008/01/07 17:46:37, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
ads_verify_ticket: krb5_rd_req with auth failed (Encryption type not permitted)
[2008/01/07 17:46:37, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/01/07 17:46:37, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/01/07 17:46:37, 5] lib/util.c:show_msg(484)
[2008/01/07 17:46:37, 5] lib/util.c:show_msg(494)
..................
[2008/01/07 17:46:42, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2008/01/07 17:46:42, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2008/01/07 17:46:42, 5] smbd/sesssetup.c:parse_spnego_mechanisms(667)
  parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2008/01/07 17:46:42, 5] smbd/sesssetup.c:parse_spnego_mechanisms(667)
  parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2008/01/07 17:46:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1206
[2008/01/07 17:46:42, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Encryption type not permitted
[2008/01/07 17:46:42, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
ads_verify_ticket: krb5_rd_req with auth failed (Encryption type not permitted)
[2008/01/07 17:46:42, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/01/07 17:46:42, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/01/07 17:46:42, 5] lib/util.c:show_msg(484)
[2008/01/07 17:46:42, 5] lib/util.c:show_msg(494)
..................


What could be the problem? I have tried more Kerberos settings (playing with default_tgs_enctypes/default_tkt_enctypes in /etc/krb5.conf, trying to comment them, etc.), but nothing seems to work -- and the error messages in Samba are the same.

Any ideas would be appreciated!

Thank you,
Bogdan



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
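As an added diagnostic example (not code from the post, the Samba project or MIT Kerberos), the script below reads Samba log lines of the kind quoted above together with the [libdefaults] section of krb5.conf and reports whether the enctype that Samba failed to decrypt is listed in permitted_enctypes. The enctype numbers and names are the RFC 3961 / RFC 4757 assignments (23 is rc4-hmac, which MIT krb5 also accepts under the aliases arcfour-hmac and arcfour-hmac-md5); the sample log and config embedded in the script are constructed from the output quoted in the post; treating a missing permitted_enctypes key as "all supported enctypes allowed" follows MIT krb5's documented default and is an assumption of this example.

```python
"""Cross-check Samba 'enc type [N] failed to decrypt' log lines against the
enctypes permitted in krb5.conf.  Added diagnostic example; the sample log
and krb5.conf below are constructed from the post's quoted output."""
import re

# Kerberos enctype numbers (RFC 3961 / RFC 4757) and the names, with the
# aliases MIT krb5 accepts in krb5.conf, that each number corresponds to.
ENCTYPE_NAMES = {
    1: ("des-cbc-crc",),
    3: ("des-cbc-md5",),
    16: ("des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"),
    17: ("aes128-cts-hmac-sha1-96", "aes128-cts"),
    18: ("aes256-cts-hmac-sha1-96", "aes256-cts"),
    23: ("rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"),
}

# Matches the Samba libads message that names the enctype of the rejected ticket.
LOG_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)$")

# Constructed sample: the two relevant lines from the post's Samba log.
SAMPLE_LOG = """\
[2008/01/07 17:46:37, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Encryption type not permitted
[2008/01/07 17:46:37, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
  ads_verify_ticket: krb5_rd_req with auth failed (Encryption type not permitted)
"""

# Constructed sample: the [libdefaults] and [realms] sections from the post's krb5.conf.
SAMPLE_KRB5 = """\
[libdefaults]
        default_realm = INTERNAL.TESTLABOR.XX.COM
        default_tgs_enctypes = des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        permitted_enctypes = des-cbc-crc des-cbc-md5
[realms]
        INTERNAL.TESTLABOR.XX.COM = {
                kdc = virtual-100.internal.testlabor.xx.com
                #admin_server = virtual-100.internal.testlabor.xx.com
        }
"""


def failed_enctypes(log_text):
    """Return a sorted list of (enctype number, error text) pairs found in the log."""
    found = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            found.add((int(m.group(1)), m.group(2).strip()))
    return sorted(found)


def parse_libdefaults(krb5_conf):
    """Return the key = value settings of the [libdefaults] section as a dict."""
    section, out = None, {}
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key.lower()] = value
    return out


def enctype_is_permitted(etype, libdefaults):
    """True if the enctype number is covered by permitted_enctypes.

    Assumption (MIT krb5 default): when the key is absent every enctype the
    library supports is permitted."""
    permitted = libdefaults.get("permitted_enctypes")
    if permitted is None:
        return True
    names = {n.lower() for n in permitted.split()}
    return any(alias in names for alias in ENCTYPE_NAMES.get(etype, ()))


def diagnose(log_text, krb5_conf):
    """Return one finding per distinct rejected enctype seen in the log."""
    libdefaults = parse_libdefaults(krb5_conf)
    findings = []
    for etype, err in failed_enctypes(log_text):
        label = ENCTYPE_NAMES.get(etype, ("unknown enctype",))[0]
        if enctype_is_permitted(etype, libdefaults):
            findings.append(f"enctype {etype} ({label}): '{err}' although it is permitted "
                            f"by krb5.conf; the rejection does not come from permitted_enctypes")
        else:
            findings.append(f"enctype {etype} ({label}): '{err}'; it is NOT in "
                            f"permitted_enctypes = {libdefaults.get('permitted_enctypes')!r}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_KRB5):
        print(finding)
```

On the sample data the script reports that enctype 23 (rc4-hmac) is not in permitted_enctypes = des-cbc-crc des-cbc-md5, which is consistent with the "Encryption type not permitted" text in the log; if the permitted list had covered the enctype, the same message would instead point the investigation at the key material Samba holds for the host rather than at krb5.conf.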
