[cifs-protocol] RE: [Pfif] Other types of Kerberos messages on SamLogon Generic
Andrew,

We still have a problem with the test. The following is what we did during our test. Please give us some advice.

Here's the output:

[EMAIL PROTECTED] source]# bin/smbtorture -k yes --realm=test.net //W2K3SRV.test.net/public RPC-PAC -UTESTDOM/[EMAIL PROTECTED]
Using seed 1221036728
Running PAC
Domain join failed - Connection to SAMR pipe of DC W2K3SRV.test.net failed: Connection to DC W2K3SRV.test.net failed: NT_STATUS_INVALID_PARAMETER
Setup failed: torture/rpc/rpc.c:144: Failed to join as BDC
PAC took 0.194445 secs

This is my krb5.conf file:

[EMAIL PROTECTED] source]# cat /etc/krb5.conf
[libdefaults]
    default_realm = TEST.NET
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    TEST.NET = {
        kdc = W2K3SRV.test.net:88
        admin_server = W2K3SRV.test.net:749
        default_domain = test.net
    }

[domain_realm]
    .test.net = TEST.NET
    test.net = TEST.NET

Note: A netstat -an does not show any processes listening on port 749 on the W2K3SRV machine.

Also, as a reference, here are the steps I followed on the Linux side:

1. Pulled down the current Samba source tree using rsync
2. ./configure
3. make
4. make install
5. setup/provision --realm=test.net --domain=TESTDOM [EMAIL PROTECTED] --server-role=dc
6. Copied /usr/local/samba/private/krb5.conf to /etc/
7. Edited /etc/krb5.conf to look as shown above. Changed the following entries: dns_lookup_realm, dns_lookup_kdc, kdc, admin_server
8. Ran smbtorture

Linux is configured to use W2K3SRV as its DNS server.

Thanks!

Hongwei

-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 09, 2008 8:37 PM
To: Hongwei Sun
Cc: Stefan (metze) Metzmacher; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Pfif] Other types of Kerberos messages on SamLogon Generic

On Tue, 2008-09-09 at 07:46 -0700, Hongwei Sun wrote:
> Metze,
>
> After we set the time correctly, we got the following output. The error doesn't look related to the verify PAC message. Maybe we didn't go far enough. Any suggestions?
>
> Thanks!
>
> Hongwei
>
> --- After setting time
>
> [EMAIL PROTECTED] source]# bin/smbtorture //VM-W2K8.test.net/public RPC-PAC -UTESTDOM/[EMAIL PROTECTED]

Add -k yes --realm=test.net

> TEST verify FAILED! - torture/rpc/remote_pac.c:101: status was NT_STATUS_INVALID_PARAMETER, expected NT_STATUS_OK:

It failed to connect using kerberos (which was strictly required for this test) because it did not find the KDC (or some other pre-requisite).

Also ensure your krb5.conf points the kerberos libs to your KDC with:

[libdefaults]
    default_realm = S4.NAOMI.ABARTLET.NET
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.

___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
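Added example, not part of the thread and not Samba code: an offline check of the krb5.conf posted above against the prerequisites named in the replies (a default realm and a way to locate the KDC). The names parse_krb5_conf and preflight and the abridged sample are constructed for illustration; clock skew and live DNS are not checked.

```python
# Constructed sample: the krb5.conf posted above, abridged, one relation per line.
SAMPLE = """
[libdefaults]
    default_realm = TEST.NET
    dns_lookup_kdc = true
[realms]
    TEST.NET = {
        kdc = W2K3SRV.test.net:88
    }
[domain_realm]
    .test.net = TEST.NET
"""

def parse_krb5_conf(text):
    """Parse [sections], 'key = value' relations and one level of '{ }' nesting."""
    conf, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section, block = conf.setdefault(line.strip("[]"), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def preflight(conf, server_host):
    """List configuration problems that keep a client from locating the KDC."""
    lib, problems = conf.get("libdefaults", {}), []
    # Assumption: an unset dns_lookup_kdc is treated as off; library defaults differ.
    on = lambda key: lib.get(key, ["false"])[0].lower() in ("true", "yes", "on", "1")
    realm = lib.get("default_realm", [None])[0]
    if realm is None:
        return ["no default_realm in [libdefaults]"]
    if not conf.get("realms", {}).get(realm, {}).get("kdc") and not on("dns_lookup_kdc"):
        problems.append(f"no kdc listed for {realm} and dns_lookup_kdc is not true")
    # [domain_realm] lookup: exact host name, then each parent domain with a leading dot.
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    labels = server_host.lower().split(".")
    names = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    mapped = next((mapping[n] for n in names if n in mapping), None)
    if mapped not in (None, realm):
        problems.append(f"{server_host} maps to realm {mapped}, not {realm}")
    return problems
```

An empty list from preflight(parse_krb5_conf(SAMPLE), "W2K3SRV.test.net") means the file itself names a realm and a KDC, so the next place to look is the debug output of the failing connection.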
[cifs-protocol] RE: [Pfif] Other types of Kerberos messages on SamLogon Generic
On Wed, 2008-09-10 at 15:00 -0700, Hongwei Sun wrote:
> Andrew,
>
> We still have a problem with the test. The following is what we did during our test. Please give us some advice.

Turn up the debug level (-d10 for example to the command line) and see what the underlying error is.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
[cifs-protocol] Re: [Pfif] Other types of Kerberos messages on SamLogon Generic
Hongwei Sun wrote:
> Andrew,
>
> We ran Smbtorture RPC-PAC testing on Windows 2008 DC and got the following output.
>
> [EMAIL PROTECTED] source]# bin/smbtorture -k yes //VM-W2K8.nick.com/public RPC-PAC
> Using seed 1220896649
> Running PAC
> Password for [NICKDOM\root]:
> Domain join failed - Connection to SAMR pipe of DC VM-W2K8.nick.com failed: Connection to DC VM-W2K8.nick.com failed: NT_STATUS_UNSUCCESSFUL
> Setup failed: torture/rpc/rpc.c:144: Failed to join as BDC
> PAC took 11.264 sec

I assume you're getting a clock skew error. Make sure the clock is in sync.

We have a hacked patch to handle clock skew error more nicely, but it's not in our upstream code yet...

metze
[cifs-protocol] RE: [Pfif] Other types of Kerberos messages on SamLogon Generic
On Tue, 2008-09-09 at 07:46 -0700, Hongwei Sun wrote:
> Metze,
>
> After we set the time correctly, we got the following output. The error doesn't look related to the verify PAC message. Maybe we didn't go far enough. Any suggestions?
>
> Thanks!
>
> Hongwei
>
> --- After setting time
>
> [EMAIL PROTECTED] source]# bin/smbtorture //VM-W2K8.test.net/public RPC-PAC -UTESTDOM/[EMAIL PROTECTED]

Add -k yes --realm=test.net

> TEST verify FAILED! - torture/rpc/remote_pac.c:101: status was NT_STATUS_INVALID_PARAMETER, expected NT_STATUS_OK:

It failed to connect using kerberos (which was strictly required for this test) because it did not find the KDC (or some other pre-requisite).

Also ensure your krb5.conf points the kerberos libs to your KDC with:

[libdefaults]
    default_realm = S4.NAOMI.ABARTLET.NET
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.