Shahid, I have the same problem, but I use a Heimdal Kerberos domain; look at this bug ticket:
https://bugzilla.samba.org/show_bug.cgi?id=5810
The developers have not yet responded. Thanks!

2009/3/11 Shahid M Shaikh <[email protected]>:
> Hi All,
>
> I have machine M1 hosting a Samba PDC. It stores only user information.
> I have machine M2 acting as the KDC server.
> I have machine M3 hosting CIFS shares; it has joined the domain hosted by PDC M1.
> I have machine M4 used as a CIFS client.
>
> On M2, I have added users and cifs/host service principals for M3. I also
> added the service principals to a keytab file.
> I have added all the user and service principals using the des-cbc-crc
> encryption triplet.
>
> M3 and M4 are KDC clients. I have scp'd the keytab file from M2 to M3.
>
> I have configured M3's smb.conf file to accept the Kerberos keytab and also
> set the Kerberos realm:
>
>         realm = SONAS.COM
>         use kerberos keytab = yes
>         client use spnego = yes
>
> From M4, I do kinit <user> and then try to see the exported shares from M3.
>
> [r...@sofsedun3 ~]# kinit domuser
> Password for [email protected]:
> [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
> [r...@sofsedun3 ~]# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/[email protected]
>         renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
> Enter domuser's password:
> Anonymous login successful
> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         share           Disk      test share
>         IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
> Anonymous login successful
> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>
> It works with anonymous login. But when I try to use -k it fails.
> I tried smbclient with -k and debug level 3. I get these on the console.
>
> [r...@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
> lp_load_ex: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
> added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
> added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
> Client started (version 3.2.8-ctdb-55).
> Connecting to 10.0.0.24 at port 445
> Doing spnego session setup (blob length=111)
> got OID=1 2 840 113554 1 2 2
> got OID=1 2 840 48018 1 2 2
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=cifs/[email protected]
> Doing kerberos session setup
> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Thu, 12 Mar 2009 21:36:54 TLT
> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE
> [r...@sofsedun3 ~]# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/[email protected]
>         renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> 03/11/09 21:39:15  03/12/09 21:36:54  cifs/[email protected]
>         renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> On M3, I have enabled smbd logs with debug level 10. The corresponding
> errors for the above behavior are:
>
> [2009/03/11 21:58:54, 3] smbd/process.c:switch_message(1361)
>   switch message SMBsesssetupX (pid 26858) conn 0x0
> [2009/03/11 21:58:54, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
>   wct=12 flg2=0xc801
> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
>   Doing spnego session setup
> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
>   NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
>   reply_spnego_negotiate: Got secblob of size 466
> [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
>   ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
> [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
>   ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
> [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> [2009/03/11 21:58:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2009/03/11 21:58:54, 3] smbd/error.c:error_packet_set(61)
>   error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> [2009/03/11 21:58:54, 3] smbd/process.c:smbd_process(2036)
>   receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
> [2009/03/11 21:58:54, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2009/03/11 21:58:54, 3] smbd/connection.c:yield_connection(31)
>   Yielding connection to
> [2009/03/11 21:58:54, 3] smbd/server.c:exit_server_common(958)
>   Server exit (normal exit)
>
> In the above scenario, M1 and M2 are not aware of each other. That is,
> M1 is not a Kerberos client.
> I tried setting M1 up as a Kerberos client as well, but the result was the same.
>
> Samba installed on M1, M3 and M4 is samba-3.2.8_ctdb_55-1.
> I am using MIT Kerberos version 1.6.1-25.el5 on the KDC and the Kerberos clients.
>
> My queries are:
> 1. Is it a known issue with Samba or Kerberos?
> 2. Am I missing anything in the configuration?
> 3. What should I do to make the above setup work?
>
> Please feel free to ask for more information if what I have provided is not
> sufficient.
>
> P.S.: I am copying my configuration files here for reference.
>
> [r...@sofsedun2 ~]# cat /etc/samba/smb.conf
> # Samba Configuration file.
> #
> # ****************** WARNING ********************************
> # The contents of this file should not be modified directly !
> #
> # The samba options are stored in the registry.
> # Use the "net conf" command to add/modify samba options in the registry
> # ***************************************************************
> [global]
>         workgroup = VSOFS1.COM
>         server string = Samba/NT PDC
>         netbios name = sofsedun2
>         passdb backend = tdbsam
>         log level = 3
>         log file = /var/log/samba/%m.log
>         max log size = 50
>         delete user script = /usr/sbin/userdel "%u"
>         add group script = /usr/sbin/groupadd "%g"
>         delete group script = /usr/sbin/groupdel "%g"
>         delete user from group script = /usr/sbin/userdel "%u" "%g"
>         add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>         add user script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>         domain logons = Yes
>         os level = 64
>         preferred master = Yes
>         domain master = Yes
>         local master = Yes
>         wins support = Yes
>         cups options = raw
>         security = user
>         encrypt passwords = Yes
> [netlogon]
>         path = /etc/samba/netlogon
>         writeable = no
>         write list = ntadmin
>         guest ok = no
> [profiles]
>         path = /usr/smb/ntprofile
>         writeable = yes
>         create mask = 0600
>         directory mask = 0700
>
> 2. CIFS server smb.conf
> [r...@sofsedun4 ~]# cat /etc/samba/smb.conf
> # Samba Configuration file.
> #
> # ****************** WARNING ********************************
> # The contents of this file should not be modified directly !
> #
> # The samba options are stored in the registry.
> # Use the "net conf" command to add/modify samba options in the registry
> # ***************************************************************
> [global]
>         workgroup = VSOFS1.COM
>         password server = sofsedun2
>         security = domain
>         idmap uid = 16777216-33554431
>         idmap gid = 16777216-33554431
>         template shell = /bin/sh
>         winbind use default domain = false
>         winbind offline logon = false
>         realm = SONAS.COM
>         use kerberos keytab = yes
>         client use spnego = yes
>         wins support = Yes
>         cups options = raw
>         log level = 3
>         log file = /var/log/samba/%m.log
> [share]
>         comment = test share
>         path = /home/share
>         read only = no
>         public = yes
>         valid users = 'VSOFS1.COM\domuser' 'VSOFS1.COM\domadmin' 'VSOFS1.COM\domguest'
>
> [r...@sofsedutsm ~]# cat /var/kerberos/krb5kdc/kdc.conf
> [kdcdefaults]
>         v4_mode = nopreauth
>         kdc_tcp_ports = 88
>
> [realms]
>         SONAS.COM = {
>                 #master_key_type = des3-hmac-sha1
>                 acl_file = /var/kerberos/krb5kdc/kadm5.acl
>                 dict_file = /usr/share/dict/words
>                 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>                 supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>         }
>
> [r...@sofsedun3 ~]# cat /etc/krb5.conf
> [logging]
>         default = FILE:/var/log/krb5libs.log
>         kdc = FILE:/var/log/krb5kdc.log
>         admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>         default_realm = SONAS.COM
>         dns_lookup_realm = true
>         dns_lookup_kdc = true
>         ticket_lifetime = 24h
>         forwardable = yes
>         default_tkt_enctypes = des-cbc-crc des-cbc-md5
>         default_tgs_enctypes = des-cbc-crc des-cbc-md5
>
> [realms]
>         VSOFS1.COM = {
>                 kdc = sofsedutsm.VSOFS1.COM
>         }
>         SONAS.COM = {
>                 kdc = sofsedutsm.VSOFS1.COM:88
>                 admin_server = sofsedutsm.VSOFS1.COM:749
>                 default_domain = VSOFS1.COM
>         }
>
> [domain_realm]
>         .VSOFS1.COM = SONAS.COM
>         VSOFS1.COM = SONAS.COM
>
> [appdefaults]
>         pam = {
>                 debug = false
>                 ticket_lifetime = 36000
>                 renew_lifetime = 36000
>                 forwardable = true
>                 krb4_convert = false
>         }
>
> 5. /etc/nsswitch.conf and /etc/pam.d/system-auth have been configured to
> use winbind for auth, account and passwords.
>
> [r...@sofsedun4 ~]# klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 03/11/09 20:24:49 cifs/[email protected] (DES cbc mode with CRC-32)
>    3 03/11/09 20:25:05 host/[email protected] (DES cbc mode with CRC-32)
>    3 03/11/09 20:25:19 host/[email protected] (DES cbc mode with CRC-32)
>    3 03/11/09 20:25:36 cifs/[email protected] (DES cbc mode with CRC-32)
> [r...@sofsedun4 ~]#
>
> Regards,
> Shahid Shaikh.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
