Hi Shahid, I'm so sorry, but I don't understand your collocation about your answer.

You managed to join M3 to the Samba PDC and at the same time access it through Kerberos authentication? Was that it?

Helmut, I'm so sorry!

Thanks!

2009/3/13 Shahid M Shaikh <[email protected]>:
> Hi Eduardo,
>
> Thanks much for all the information you have shared with us regarding the samba issue.
>
> I used the net rpc join command to join the domain hosted by M1.
>
> I was able to join the domain successfully.
>
> Regards,
> Shahid Shaikh.
>
>
> Eduardo Sachs <edu.sa...@gmail.com>
> 13-03-09 07:19 PM
> To: Shahid M Shaikh/India/i...@ibmin
> cc: [email protected], Christian M Ambach <[email protected]>, [email protected], Mathias Dietz <[email protected]>, Ujjwal Lanjewar/India/i...@ibmin, Michael Diederich <[email protected]>, Pankaj S Zanwar/India/i...@ibmin
> Subject: Re: [Samba] Samba PDC - Kerberised CIFS access
>
>
> I'm so sorry for so many emails, but it is necessary:
>
> In my case, Samba 3.0.x does not cause this problem, only Samba 3.2.x and 3.3.x.
>
> Thanks!
>
> 2009/3/13 Eduardo Sachs <[email protected]>:
>> More information...
>>
>> Example of procedure:
>>
>> 1 - M4 accesses M3 with Kerberos auth:
>> M4# smbclient //M3/publico -k
>> OS=[Unix] Server=[Samba 3.2.5]
>> smb: \> ls
>>   .                                   D        0  Wed Mar 11 21:04:19 2009
>>   ..                                  D        0  Wed Mar 11 21:04:19 2009
>>
>>               48444 blocks of size 262144. 36638 blocks available
>> smb: \> quit
>>
>> 2 - M3 joins the Samba PDC:
>> M3# net join -U root
>> Enter root's password:
>> Joined domain _LOCAL_.
>>
>> 3 - M4 access to M3 with Kerberos auth fails:
>> M4# smbclient //M3/publico -k
>> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> 4 - On M3, delete /var/lib/samba/secrets.tdb and restart the Samba client; M3 is now out of the Samba PDC domain because secrets.tdb was deleted:
>> M3# rm /var/lib/samba/secrets.tdb && /etc/init.d/samba restart
>>
>> 5 - M4 accesses M3 again with Kerberos auth:
>> M4# smbclient //M3/publico -k
>> OS=[Unix] Server=[Samba 3.2.5]
>> smb: \> ls
>>   .                                   D        0  Wed Mar 11 21:04:19 2009
>>   ..                                  D        0  Wed Mar 11 21:04:19 2009
>>
>>               48444 blocks of size 262144. 36638 blocks available
>> smb: \> quit
>>
>> Thanks!
>>
>> 2009/3/13 Eduardo Sachs <[email protected]>:
>>> Shahid,
>>>
>>> You used the command 'net join' to join M3 to the Samba PDC domain?
>>>
>>> My problem is that when I join M3 to the Samba PDC domain (M1) with the command 'net join', after this I cannot access M3 using Kerberos authentication.
>>>
>>> Another description:
>>>
>>> Your error is [1]:
>>> ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
>>> ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
>>> ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>>>
>>> My error is [23]:
>>> ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
>>> ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
>>> ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
>>>
>>> When I delete the file /var/lib/samba/secrets.tdb on M3 and restart the Samba client on M3, Kerberos authentication on M3 works again for my CIFS client M4, but M3 is out of the Samba PDC domain.
>>>
>>> But the problems may be related.
>>>
>>> My English is terrible, sorry...
>>>
>>> Thanks!
>>>
>>> 2009/3/12 Eduardo Sachs <[email protected]>:
>>>> Shahid,
>>>>
>>>> I have the same problem, but I use a Heimdal Kerberos domain; look at this bug ticket:
>>>>
>>>> https://bugzilla.samba.org/show_bug.cgi?id=5810
>>>>
>>>> The developers have not yet responded.
>>>>
>>>> Thanks!
>>>>
>>>> 2009/3/11 Shahid M Shaikh <[email protected]>:
>>>>> Hi All,
>>>>>
>>>>> I have machine M1 hosting Samba PDC. It stores only user information.
>>>>> I have machine M2 acting as KDC server.
>>>>> I have machine M3 hosting CIFS shares and it joins into the domain hosted by PDC M1.
>>>>> I have machine M4 used as CIFS client.
>>>>>
>>>>> On M2, I have added users and cifs/host service principals for M3. Also added service principals in the keytab file.
>>>>> I have added all the user and service principals using the des-cbc-crc encryption triplet.
>>>>>
>>>>> M3 and M4 are KDC clients. I have scped the keytab file on M3 from M2.
>>>>>
>>>>> I have configured M3's smb.conf file to accept the kerberos keytab and also for the kerberos realm.
>>>>>
>>>>> realm = SONAS.COM
>>>>> use kerberos keytab = yes
>>>>> client use spnego = yes
>>>>>
>>>>> From M4, I do kinit <user> and then try to see exported shares from M3.
>>>>>
>>>>> [r...@sofsedun3 ~]# kinit domuser
>>>>> Password for [email protected]:
>>>>> [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>>>>> [r...@sofsedun3 ~]# klist -e
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>> Default principal: [email protected]
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/[email protected]
>>>>>         renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>>>>
>>>>>
>>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>>> klist: You have no tickets cached
>>>>> [r...@sofsedun3 ~]# smbclient -L sofsedun4 -U domuser
>>>>> Enter domuser's password:
>>>>> Anonymous login successful
>>>>> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>>>>>
>>>>>         Sharename       Type      Comment
>>>>>         ---------       ----      -------
>>>>>         share           Disk      test share
>>>>>         IPC$            IPC       IPC Service (Samba 3.2.8-ctdb-55)
>>>>> Anonymous login successful
>>>>> Domain=[VSOFS1.COM] OS=[Unix] Server=[Samba 3.2.8-ctdb-55]
>>>>>
>>>>>         Server               Comment
>>>>>         ---------            -------
>>>>>
>>>>>         Workgroup            Master
>>>>>         ---------            -------
>>>>>
>>>>> It works with anonymous login. But when I try to use -k it fails. I tried smbclient with -k and debug level 3. I get these on the console.
>>>>>
>>>>> [r...@sofsedun3 ~]# smbclient -d3 -L sofsedun4 -U domuser -k
>>>>> lp_load_ex: refreshing parameters
>>>>> Initialising global parameters
>>>>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>>>>> Processing section "[global]"
>>>>> added interface eth0 ip=10.0.0.23 bcast=10.0.0.255 netmask=255.255.255.0
>>>>> added interface eth1 ip=10.0.1.23 bcast=10.0.1.255 netmask=255.255.255.0
>>>>> added interface eth2 ip=10.0.2.23 bcast=10.0.2.255 netmask=255.255.255.0
>>>>> Client started (version 3.2.8-ctdb-55).
>>>>> Connecting to 10.0.0.24 at port 445
>>>>> Doing spnego session setup (blob length=111)
>>>>> got OID=1 2 840 113554 1 2 2
>>>>> got OID=1 2 840 48018 1 2 2
>>>>> got OID=1 3 6 1 4 1 311 2 2 10
>>>>> got principal=cifs/[email protected]
>>>>> Doing kerberos session setup
>>>>> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Thu, 12 Mar 2009 21:36:54 TLT
>>>>> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>>>>> SPNEGO login failed: Logon failure
>>>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>>>> [r...@sofsedun3 ~]# klist -e
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>> Default principal: [email protected]
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 03/11/09 21:36:54  03/12/09 21:36:54  krbtgt/[email protected]
>>>>>         renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>>>> 03/11/09 21:39:15  03/12/09 21:36:54  cifs/[email protected]
>>>>>         renew until 03/11/09 21:36:54, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>>>>>
>>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>>> klist: You have no tickets cached
>>>>>
>>>>>
>>>>> On M3, I have enabled smbd logs with debug level 10. The corresponding errors for the above behavior are:
>>>>>
>>>>> [2009/03/11 21:58:54, 3] smbd/process.c:switch_message(1361)
>>>>>   switch message SMBsesssetupX (pid 26858) conn 0x0
>>>>> [2009/03/11 21:58:54, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>>>>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
>>>>>   wct=12 flg2=0xc801
>>>>> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
>>>>>   Doing spnego session setup
>>>>> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
>>>>>   NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
>>>>> [2009/03/11 21:58:54, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
>>>>>   reply_spnego_negotiate: Got secblob of size 466
>>>>> [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
>>>>>   ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Decrypt integrity check failed
>>>>> [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
>>>>>   ads_keytab_verify_ticket: krb5_rd_req failed for all 2 matched keytab principals
>>>>> [2009/03/11 21:58:54, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
>>>>>   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
>>>>> [2009/03/11 21:58:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
>>>>>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>>>>> [2009/03/11 21:58:54, 3] smbd/error.c:error_packet_set(61)
>>>>>   error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>>>>> [2009/03/11 21:58:54, 3] smbd/process.c:smbd_process(2036)
>>>>>   receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
>>>>> [2009/03/11 21:58:54, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>>>>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>> [2009/03/11 21:58:54, 3] smbd/connection.c:yield_connection(31)
>>>>>   Yielding connection to
>>>>> [2009/03/11 21:58:54, 3] smbd/server.c:exit_server_common(958)
>>>>>   Server exit (normal exit)
>>>>>
>>>>>
>>>>> In the above scenario, M1 and M2 are not aware of each other. That means M1 is not a kerberos client.
>>>>> I tried setting M1 as a kerberos client as well. But the result was the same.
>>>>>
>>>>> Samba installed on M1, M3 and M4 is samba-3.2.8_ctdb_55-1.
>>>>> I am using MIT Kerberos version 1.6.1-25.el5 on the KDC and kerberos clients.
>>>>>
>>>>>
>>>>> My queries are:
>>>>> 1. Is it a known issue with samba or kerberos?
>>>>> 2. Am I missing anything in the configuration?
>>>>> 3. What should I do to make the above setup work?
>>>>>
>>>>>
>>>>> Please feel free to ask for more information if the provided one is not sufficient.
>>>>>
>>>>>
>>>>> P.S.: I am copying my configuration files here for reference.
>>>>>
>>>>>
>>>>> [r...@sofsedun2 ~]# cat /etc/samba/smb.conf
>>>>> # Samba Configuration file.
>>>>> #
>>>>> # ****************** WARNING ********************************
>>>>> # The contents of this file should not be modified directly !
>>>>> #
>>>>> # The samba options are stored in the registry.
>>>>> # Use the "net conf" command to add/modify samba options in the registry
>>>>> # ***************************************************************
>>>>> [global]
>>>>>         workgroup = VSOFS1.COM
>>>>>         server string = Samba/NT PDC
>>>>>         netbios name = sofsedun2
>>>>>         passdb backend = tdbsam
>>>>>         log level = 3
>>>>>         log file = /var/log/samba/%m.log
>>>>>         max log size = 50
>>>>>         delete user script = /usr/sbin/userdel "%u"
>>>>>         add group script = /usr/sbin/groupadd "%g"
>>>>>         delete group script = /usr/sbin/groupdel "%g"
>>>>>         delete user from group script = /usr/sbin/userdel "%u" "%g"
>>>>>         add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>>>>         add user script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>>>>>         domain logons = Yes
>>>>>         os level = 64
>>>>>         preferred master = Yes
>>>>>         domain master = Yes
>>>>>         local master = Yes
>>>>>         wins support = Yes
>>>>>         cups options = raw
>>>>>         security = user
>>>>>         encrypt passwords = Yes
>>>>> [netlogon]
>>>>>         path = /etc/samba/netlogon
>>>>>         writeable = no
>>>>>         write list = ntadmin
>>>>>         guest ok = no
>>>>> [profiles]
>>>>>         path = /usr/smb/ntprofile
>>>>>         writeable = yes
>>>>>         create mask = 0600
>>>>>         directory mask = 0700
>>>>>
>>>>>
>>>>> 2. CIFS server smb.conf
>>>>> [r...@sofsedun4 ~]# cat /etc/samba/smb.conf
>>>>> # Samba Configuration file.
>>>>> #
>>>>> # ****************** WARNING ********************************
>>>>> # The contents of this file should not be modified directly !
>>>>> #
>>>>> # The samba options are stored in the registry.
>>>>> # Use the "net conf" command to add/modify samba options in the registry
>>>>> # ***************************************************************
>>>>> [global]
>>>>>         workgroup = VSOFS1.COM
>>>>>         password server = sofsedun2
>>>>>         security = domain
>>>>>         idmap uid = 16777216-33554431
>>>>>         idmap gid = 16777216-33554431
>>>>>         template shell = /bin/sh
>>>>>         winbind use default domain = false
>>>>>         winbind offline logon = false
>>>>>         realm = SONAS.COM
>>>>>         use kerberos keytab = yes
>>>>>         client use spnego = yes
>>>>>         wins support = Yes
>>>>>         cups options = raw
>>>>>         log level = 3
>>>>>         log file = /var/log/samba/%m.log
>>>>> [share]
>>>>>         comment = test share
>>>>>         path = /home/share
>>>>>         read only = no
>>>>>         public = yes
>>>>>         valid users = 'VSOFS1.COM\domuser' 'VSOFS1.COM\domadmin' 'VSOFS1.COM\domguest'
>>>>>
>>>>>
>>>>> [r...@sofsedutsm ~]# cat /var/kerberos/krb5kdc/kdc.conf
>>>>> [kdcdefaults]
>>>>>  v4_mode = nopreauth
>>>>>  kdc_tcp_ports = 88
>>>>>
>>>>> [realms]
>>>>>  SONAS.COM = {
>>>>>   #master_key_type = des3-hmac-sha1
>>>>>   acl_file = /var/kerberos/krb5kdc/kadm5.acl
>>>>>   dict_file = /usr/share/dict/words
>>>>>   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>>>>   supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>>>>>  }
>>>>>
>>>>>
>>>>> [r...@sofsedun3 ~]# cat /etc/krb5.conf
>>>>> [logging]
>>>>>  default = FILE:/var/log/krb5libs.log
>>>>>  kdc = FILE:/var/log/krb5kdc.log
>>>>>  admin_server = FILE:/var/log/kadmind.log
>>>>>
>>>>> [libdefaults]
>>>>>  default_realm = SONAS.COM
>>>>>  dns_lookup_realm = true
>>>>>  dns_lookup_kdc = true
>>>>>  ticket_lifetime = 24h
>>>>>  forwardable = yes
>>>>>  default_tkt_enctypes = des-cbc-crc des-cbc-md5
>>>>>  default_tgs_enctypes = des-cbc-crc des-cbc-md5
>>>>>
>>>>> [realms]
>>>>>  VSOFS1.COM = {
>>>>>   kdc = sofsedutsm.VSOFS1.COM
>>>>>  }
>>>>>  SONAS.COM = {
>>>>>   kdc = sofsedutsm.VSOFS1.COM:88
>>>>>   admin_server = sofsedutsm.VSOFS1.COM:749
>>>>>   default_domain = VSOFS1.COM
>>>>>  }
>>>>>
>>>>> [domain_realm]
>>>>>  .VSOFS1.COM = SONAS.COM
>>>>>  VSOFS1.COM = SONAS.COM
>>>>>
>>>>> [appdefaults]
>>>>>  pam = {
>>>>>    debug = false
>>>>>    ticket_lifetime = 36000
>>>>>    renew_lifetime = 36000
>>>>>    forwardable = true
>>>>>    krb4_convert = false
>>>>>  }
>>>>>
>>>>>
>>>>> 5. /etc/nsswitch.conf and /etc/pam.d/system-auth have been configured to use winbind for auth, account and passwords.
>>>>>
>>>>>
>>>>> [r...@sofsedun4 ~]# klist -kte
>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>> KVNO Timestamp         Principal
>>>>> ---- ----------------- --------------------------------------------------------
>>>>>    3 03/11/09 20:24:49 cifs/[email protected] (DES cbc mode with CRC-32)
>>>>>    3 03/11/09 20:25:05 host/[email protected] (DES cbc mode with CRC-32)
>>>>>    3 03/11/09 20:25:19 host/[email protected] (DES cbc mode with CRC-32)
>>>>>    3 03/11/09 20:25:36 cifs/[email protected] (DES cbc mode with CRC-32)
>>>>> [r...@sofsedun4 ~]#
>>>>>
>>>>>
>>>>> Regards,
>>>>> Shahid Shaikh.
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
