I am so sorry for the many emails, but it is necessary: in my case, Samba 3.0.x does not cause this problem, only Samba 3.2.x and 3.3.x.
Thanks!

2009/3/13 Eduardo Sachs <[email protected]>:
> More information...
>
> Example of procedure:
>
> 1 - M4 accesses M3 with Kerberos auth:
> M4# smbclient //M3/publico -k
> OS=[Unix] Server=[Samba 3.2.5]
> smb: \> ls
>   .                                   D        0  Wed Mar 11 21:04:19 2009
>   ..                                  D        0  Wed Mar 11 21:04:19 2009
>
>                 48444 blocks of size 262144. 36638 blocks available
> smb: \> quit
>
> 2 - M3 joins the Samba PDC:
> M3# net join -U root
> Enter root's password:
> Joined domain _LOCAL_.
>
> 3 - M4 access to M3 with Kerberos auth fails:
> M4# smbclient //M3/publico -k
> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> 4 - On M3, delete /var/lib/samba/secrets.tdb and restart the Samba client;
> M3 is out of the Samba PDC domain because secrets.tdb was deleted:
> M3# /var/lib/samba/secrets.tdb && /etc/init.d/samba restart
>
> 5 - M4 can access M3 with Kerberos auth again:
> M4# smbclient //M3/publico -k
> OS=[Unix] Server=[Samba 3.2.5]
> smb: \> ls
>   .                                   D        0  Wed Mar 11 21:04:19 2009
>   ..                                  D        0  Wed Mar 11 21:04:19 2009
>
>                 48444 blocks of size 262144. 36638 blocks available
> smb: \> quit
>
> Thanks!
>
> 2009/3/13 Eduardo Sachs <[email protected]>:
>> Shahid,
>>
>> Did you use the command 'net join' to join M3 to the Samba PDC domain?
>>
>> My problem is when I join M3 to the Samba PDC domain (M1) with the command 'net join'; after this, I can not access M3 using Kerberos authentication.
>>
>> Other description,
>>
>> Your error is [1]:
>> ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
>> ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
>> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>>
>> My error is [23]:
>> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
>> ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
>> ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
>>
>> When I delete the file /var/lib/samba/secrets.tdb on M3 and restart the Samba client on M3, Kerberos authentication on M3 works again for my CIFS client M4, but M3 is out of the Samba PDC domain.
>>
>> But the problem may be related.
>>
>> My English is terrible, sorry...
>>
>> Thanks!
>>
>>
>> 2009/3/12 Eduardo Sachs <[email protected]>:
>>> Shahid,
>>>
>>> I have the same problem, but I use a Heimdal Kerberos domain; look at this bug ticket:
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=5810
>>>
>>> The developers have not yet responded.
>>>
>>> Thanks!
>>>
>>> 2009/3/11 Shahid M Shaikh <[email protected]>:
>>>> Hi All,
>>>>
>>>> I have machine M1 hosting a Samba PDC. It stores only user information.
>>>> I have machine M2 acting as KDC server.
>>>> I have machine M3 hosting CIFS shares, and it joins the domain hosted by PDC M1.
>>>> I have machine M4 used as CIFS client.
>>>>
>>>> On M2, I have added users and cifs/host service principals for M3. I also added the service principals to the keytab file.
>>>> I have added all the user and service principals using the des-cbc-crc encryption triplet.
>>>>
>>>> M3 and M4 are KDC clients. I have scped the keytab file to M3 from M2.
>>>>
>>>> I have configured M3's smb.conf file to accept the kerberos keytab and also for the kerberos realm.
>>>>
>>>>     realm = SONAS.COM
>>>>     use kerberos keytab = yes
>>>>     client use spnego = yes
>>>>
>>>>
>>>> From M4, I do kinit <user> and then try to see exported shares from M3.
>>>>
>>>> [r...@sofsedun3 ~]# kinit domuser
>>>> Password for [email protected]:
>>>> [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>>>> [r...@sofsedun3 ~]# klist -e
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: [email protected]
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/[email protected]
>>>>         renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>>>
>>>>
>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>> klist: You have no tickets cached
>>>> [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>>>> Enter domuser's password:
>>>> Anonymous login successful
>>>> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>>>>
>>>>         Sharename       Type      Comment
>>>>         ---------       ----      -------
>>>>         share           Disk      test share
>>>>         IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
>>>> Anonymous login successful
>>>> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>>>>
>>>>         Server               Comment
>>>>         ---------            -------
>>>>
>>>>         Workgroup            Master
>>>>         ---------            -------
>>>>
>>>> It works with anonymous login. But when I try to use -k it fails. I tried smbclient with -k and debug level 3. I get these on the console.
>>>>
>>>> [r...@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
>>>> lp_load_ex: refreshing parameters
>>>> Initialising global parameters
>>>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>>>> Processing section "[global]"
>>>> added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
>>>> added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
>>>> added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
>>>> Client started (version 3.2.8-ctdb-55).
>>>> Connecting to 10.0.0.24 at port 445
>>>> Doing spnego session setup (blob length=111)
>>>> got OID=1 2 840 113554 1 2 2
>>>> got OID=1 2 840 48018 1 2 2
>>>> got OID=1 3 6 1 4 1 311 2 2 10
>>>> got principal=cifs/[email protected]
>>>> Doing kerberos session setup
>>>> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Thu, 12 Mar 2009 21:36:54 TLT
>>>> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>>>> SPNEGO login failed: Logon failure
>>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>>> [r...@sofsedun3 ~]# klist -e
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: [email protected]
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/[email protected]
>>>>         renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>>> 03/11/09 21:39:15  03/12/09 21:36:54  cifs/[email protected]
>>>>         renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>>>
>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>> klist: You have no tickets cached
>>>>
>>>>
>>>> On M3, I have enabled smbd logs with debug level 10.
>>>> The corresponding errors for the above behavior are:
>>>>
>>>> [2009/03/11 21:58:54, 3] smbd/process.c:switch_message(1361)
>>>>   switch message SMBsesssetupX (pid 26858) conn 0x0
>>>> [2009/03/11 21:58:54, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>>>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
>>>>   wct=12 flg2=0xc801
>>>> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
>>>>   Doing spnego session setup
>>>> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
>>>>   NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>>>> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
>>>>   reply_spnego_negotiate: Got secblob of size 466
>>>> [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
>>>>   ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
>>>> [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
>>>>   ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
>>>> [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
>>>>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>>>> [2009/03/11 21:58:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>>>>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>>>> [2009/03/11 21:58:54, 3] smbd/error.c:error_packet_set(61)
>>>>   error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>>>> [2009/03/11 21:58:54, 3] smbd/process.c:smbd_process(2036)
>>>>   receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
>>>> [2009/03/11 21:58:54, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>>>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>> [2009/03/11 21:58:54, 3] smbd/connection.c:yield_connection(31)
>>>>   Yielding connection to
>>>> [2009/03/11 21:58:54, 3] smbd/server.c:exit_server_common(958)
>>>>   Server exit (normal exit)
>>>>
>>>>
>>>>
>>>> In the above scenario, M1 and M2 are not aware of each other. That means M1 is not a kerberos client.
>>>> I tried setting M1 as a kerberos client as well. But the result was the same.
>>>>
>>>> Samba installed on M1, M3 and M4 is samba-3.2.8_ctdb_55-1.
>>>> I am using MIT Kerberos version 1.6.1-25.el5 on the KDC and kerberos clients.
>>>>
>>>>
>>>> My queries are:
>>>> 1. Is it a known issue with samba or kerberos?
>>>> 2. Am I missing anything in the configuration?
>>>> 3. What should I do to make the above setup work?
>>>>
>>>>
>>>> Please feel free to ask for more information if the provided one is not sufficient.
>>>>
>>>>
>>>> P.S.: I am copying my configuration files here for reference.
>>>>
>>>>
>>>>
>>>>
>>>> [r...@sofsedun2 ~]# cat /etc/samba/smb.conf
>>>> # Samba Configuration file.
>>>> #
>>>> # ****************** WARNING ********************************
>>>> # The contents of this file should not be modified directly !
>>>> #
>>>> # The samba options are stored in the registry.
>>>> # Use the "net conf" command to add/modify samba options in the registry
>>>> # ***************************************************************
>>>> [global]
>>>>     workgroup = VSOFS1.COM
>>>>     server string = Samba/NT PDC
>>>>     netbios name = sofsedun2
>>>>     passdb backend = tdbsam
>>>>     log level = 3
>>>>     log file = /var/log/samba/%m.log
>>>>     max log size = 50
>>>>     delete user script = /usr/sbin/userdel "%u"
>>>>     add group script = /usr/sbin/groupadd "%g"
>>>>     delete group script = /usr/sbin/groupdel "%g"
>>>>     delete user from group script = /usr/sbin/userdel "%u" "%g"
>>>>     add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>>>     add user script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>>>     domain logons = Yes
>>>>     os level = 64
>>>>     preferred master = Yes
>>>>     domain master = Yes
>>>>     local master = Yes
>>>>     wins support = Yes
>>>>     cups options = raw
>>>>     security = user
>>>>     encrypt passwords = Yes
>>>> [netlogon]
>>>>     path = /etc/samba/netlogon
>>>>     writeable = no
>>>>     write list = ntadmin
>>>>     guest ok = no
>>>> [profiles]
>>>>     path = /usr/smb/ntprofile
>>>>     writeable = yes
>>>>     create mask = 0600
>>>>     directory mask = 0700
>>>>
>>>>
>>>>
>>>> 2. CIFS server smb.conf
>>>> [r...@sofsedun4 ~]# cat /etc/samba/smb.conf
>>>> # Samba Configuration file.
>>>> #
>>>> # ****************** WARNING ********************************
>>>> # The contents of this file should not be modified directly !
>>>> #
>>>> # The samba options are stored in the registry.
>>>> # Use the "net conf" command to add/modify samba options in the registry
>>>> # ***************************************************************
>>>> [global]
>>>>     workgroup = VSOFS1.COM
>>>>     password server = sofsedun2
>>>>     security = domain
>>>>     idmap uid = 16777216-33554431
>>>>     idmap gid = 16777216-33554431
>>>>     template shell = /bin/sh
>>>>     winbind use default domain = false
>>>>     winbind offline logon = false
>>>>     realm = SONAS.COM
>>>>     use kerberos keytab = yes
>>>>     client use spnego = yes
>>>>     wins support = Yes
>>>>     cups options = raw
>>>>     log level = 3
>>>>     log file = /var/log/samba/%m.log
>>>> [share]
>>>>     comment = test share
>>>>     path = /home/share
>>>>     read only = no
>>>>     public = yes
>>>>     valid users = 'VSOFS1.COM\domuser' 'VSOFS1.COM\domadmin' 'VSOFS1.COM\domguest'
>>>>
>>>>
>>>>
>>>>
>>>> [r...@sofsedutsm ~]# cat /var/kerberos/krb5kdc/kdc.conf
>>>> [kdcdefaults]
>>>>     v4_mode = nopreauth
>>>>     kdc_tcp_ports = 88
>>>>
>>>> [realms]
>>>>     SONAS.COM = {
>>>>         #master_key_type = des3-hmac-sha1
>>>>         acl_file = /var/kerberos/krb5kdc/kadm5.acl
>>>>         dict_file = /usr/share/dict/words
>>>>         admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>>>         supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>>>>     }
>>>>
>>>>
>>>>
>>>> [r...@sofsedun3 ~]# cat /etc/krb5.conf
>>>> [logging]
>>>>     default = FILE:/var/log/krb5libs.log
>>>>     kdc = FILE:/var/log/krb5kdc.log
>>>>     admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>>     default_realm = SONAS.COM
>>>>     dns_lookup_realm = true
>>>>     dns_lookup_kdc = true
>>>>     ticket_lifetime = 24h
>>>>     forwardable = yes
>>>>     default_tkt_enctypes = des-cbc-crc des-cbc-md5
>>>>     default_tgs_enctypes = des-cbc-crc des-cbc-md5
>>>>
>>>> [realms]
>>>>     VSOFS1.COM = {
>>>>         kdc = sofsedutsm.VSOFS1.COM
>>>>     }
>>>>     SONAS.COM = {
>>>>         kdc = sofsedutsm.VSOFS1.COM:88
>>>>         admin_server = sofsedutsm.VSOFS1.COM:749
>>>>         default_domain = VSOFS1.COM
>>>>     }
>>>>
>>>> [domain_realm]
>>>>     .VSOFS1.COM = SONAS.COM
>>>>     VSOFS1.COM = SONAS.COM
>>>>
>>>> [appdefaults]
>>>>     pam = {
>>>>         debug = false
>>>>         ticket_lifetime = 36000
>>>>         renew_lifetime = 36000
>>>>         forwardable = true
>>>>         krb4_convert = false
>>>>     }
>>>>
>>>>
>>>> 5. /etc/nsswitch.conf and /etc/pam.d/system-auth have been configured to use winbind for auth, account and passwords.
>>>>
>>>>
>>>>
>>>> [r...@sofsedun4 ~]# klist -kte
>>>> Keytab name: FILE:/etc/krb5.keytab
>>>> KVNO Timestamp         Principal
>>>> ---- ----------------- --------------------------------------------------------
>>>>    3 03/11/09 20:24:49 cifs/[email protected] (DES cbc mode with CRC-32)
>>>>    3 03/11/09 20:25:05 host/[email protected] (DES cbc mode with CRC-32)
>>>>    3 03/11/09 20:25:19 host/[email protected] (DES cbc mode with CRC-32)
>>>>    3 03/11/09 20:25:36 cifs/[email protected] (DES cbc mode with CRC-32)
>>>> [r...@sofsedun4 ~]#
>>>>
>>>>
>>>> Regards,
>>>> Shahid Shaikh.
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>
>>
>
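An added triage example, not code from this thread or from the Samba project: the script below parses the `ads_*_verify_ticket` lines that smbd writes at debug level 3 (the ones both posters quote) together with a `klist -kte` listing, and classifies the failure as a principal the keytab never had, a ticket encryption type the keytab lacks, or a key that is present with the right type yet no longer matches the KDC's copy (the symptom both posters see after `net join`). The enctype numbers come from the IANA Kerberos registry; the DES display name is the one quoted in the thread, while the other `klist` display names are assumed MIT spellings, and the sample log and keytab lines are constructed with placeholder principals.

```python
"""Triage smbd Kerberos ticket-verification failures against a keytab listing.

Constructed example: parses smbd 'ads_*_verify_ticket' log lines and
'klist -kte' output, then reports enctype, deprecation status and a verdict.
"""
import re

# Kerberos enctype numbers from the IANA registry (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# DES was retired by RFC 6649 and RC4 deprecated by RFC 8429.
DEPRECATED = {1, 2, 3, 23}

# klist -kte prints a human-readable enctype name in parentheses. The DES name
# is the one quoted in the thread; the others are MIT's spellings (assumption).
KLIST_NAMES = {
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD5": 3,
    "ArcFour with HMAC/md5": 23,
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": 17,
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": 18,
}

LOG_ENCTYPE = re.compile(r"enc type \[(\d+)\] failed to decrypt")
LOG_MATCHED = re.compile(r"krb5_rd_req failed for all (\d+) matched keytab")
LOG_REASON = re.compile(r"krb5_rd_req with auth failed \((.+)\)")
# "   3 03/11/09 20:24:49 cifs/host@REALM (DES cbc mode with CRC-32)"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")


def parse_keytab(text):
    """Map principal -> set of (kvno, enctype number) from `klist -kte` output."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if not m:
            continue  # header, separator and prompt lines
        kvno, principal, ename = int(m.group(1)), m.group(2), m.group(3)
        keys.setdefault(principal, set()).add((kvno, KLIST_NAMES.get(ename)))
    return keys


def parse_smbd_log(text):
    """Pull ticket enctype, matched-principal count and krb5_rd_req reason from smbd lines."""
    info = {"enctype": None, "matched": None, "reason": None}
    for line in text.splitlines():
        m = LOG_ENCTYPE.search(line)
        if m:
            info["enctype"] = int(m.group(1))
            continue
        m = LOG_MATCHED.search(line)
        if m:
            info["matched"] = int(m.group(1))
            continue
        m = LOG_REASON.search(line)
        if m:
            info["reason"] = m.group(1)
    return info


def triage(log_text, keytab_text, service_principal):
    """Combine the log and keytab views into a verdict a defender can act on."""
    log = parse_smbd_log(log_text)
    entries = parse_keytab(keytab_text).get(service_principal, set())
    et = log["enctype"]
    if et is None:
        verdict = "no-verify-failure-logged"
    elif not entries:
        verdict = "no-key-for-principal"      # keytab never held this service
    elif not any(e == et for _, e in entries):
        verdict = "enctype-not-in-keytab"     # ticket uses a type the keytab lacks
    else:
        # Right principal and type, yet decryption fails: the stored key differs
        # from the KDC's copy (stale KVNO, or, as the thread observed, the machine
        # secret in secrets.tdb changing after `net join`).
        verdict = "key-mismatch"
    return {
        "enctype": et,
        "enctype_name": ENCTYPE_NAMES.get(et, "unknown"),
        "deprecated": et in DEPRECATED,
        "matched_principals": log["matched"],
        "reason": log["reason"],
        "keytab_kvnos": sorted({k for k, _ in entries}),
        "verdict": verdict,
    }


# Constructed sample: the three verify lines quoted in the thread, unwrapped,
# plus a keytab listing with placeholder principals.
SAMPLE_LOG = """\
[2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
[2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
[2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 03/11/09 20:24:49 cifs/fileserver.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   3 03/11/09 20:25:05 host/fileserver.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
"""
SERVICE = "cifs/fileserver.example.test@EXAMPLE.TEST"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, SAMPLE_KEYTAB, SERVICE).items():
        print(f"{key:>18}: {value}")
```

On the thread's own data the verdict is `key-mismatch`: the keytab does hold a DES key for the cifs principal and the ticket is DES, so the key bytes themselves differ, which is consistent with secrets.tdb being the variable. A `deprecated` flag of `True` is a separate finding: every key in this setup is single DES, which a current KDC should not be issuing at all.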
