[cifs-protocol] RE: [Pfif] Other types of Kerberos messages on SamLogon Generic

2008-09-10 Thread Hongwei Sun
Andrew,

  We still have a problem with the test. The following is what we did during our test. 
 Please give us some advice.

  Here's the output:

[EMAIL PROTECTED] source]# bin/smbtorture -k yes --realm=test.net 
//W2K3SRV.test.net/public RPC-PAC -UTESTDOM/[EMAIL PROTECTED]
Using seed 1221036728
Running PAC
Domain join failed - Connection to SAMR pipe of DC W2K3SRV.test.net failed:
Connection to DC W2K3SRV.test.net failed: NT_STATUS_INVALID_PARAMETER
Setup failed: torture/rpc/rpc.c:144: Failed to join as BDC
PAC took 0.194445 secs

 This is my krb5.conf file:
[EMAIL PROTECTED] source]# cat /etc/krb5.conf
[libdefaults]
default_realm = TEST.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
TEST.NET = {
kdc = W2K3SRV.test.net:88
admin_server = W2K3SRV.test.net:749
default_domain = test.net
}

[domain_realm]
.test.net = TEST.NET
test.net = TEST.NET

Note: A netstat -an does not show any processes listening on port 749 on the 
W2K3SRV machine.

Also, as a reference, here are the steps I followed on the Linux side:
1. Pulled down the current Samba source tree using rsync
2. ./configure
3. make
4. make install
5. setup/provision --realm=test.net --domain=TESTDOM [EMAIL PROTECTED] 
--server-role=dc
6. Copied /usr/local/samba/private/krb5.conf to /etc/
7. Edited /etc/krb5.conf to look as shown above.
  Changed the following entries:
  dns_lookup_realm
  dns_lookup_kdc
  kdc
  admin_server
8. Run smbtorture

Linux is configured to use W2K3SRV as its DNS server.

Thanks !

Hongwei

-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 09, 2008 8:37 PM
To: Hongwei Sun
Cc: Stefan (metze) Metzmacher; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Pfif] Other types of Kerberos messages on SamLogon Generic

On Tue, 2008-09-09 at 07:46 -0700, Hongwei Sun wrote:
 Metze,

  After we set the time correctly, we got the following output. The error
 doesn't look related to the verify PAC message. Maybe we didn't go
 far enough. Any suggestions?

 Thanks!

 Hongwei

 --- After setting time

 [EMAIL PROTECTED] source]# bin/smbtorture //VM-W2K8.test.net/public RPC-PAC
 -UTESTDOM/[EMAIL PROTECTED]

Add -k yes --realm=test.net

 TEST verify FAILED! - torture/rpc/remote_pac.c:101: status was
 NT_STATUS_INVALID_PARAMETER, expected NT_STATUS_OK:

It failed to connect using kerberos (which was strictly required for this test) 
because it did not find the KDC (or some other pre-requisite).

Also ensure your krb5.conf points the kerberos libs to your KDC with:
[libdefaults]
 default_realm = S4.NAOMI.ABARTLET.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.
___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
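
An added example, not part of the original thread and not Samba code: a small Python check of the prerequisite Andrew describes, namely that krb5.conf lets the Kerberos libraries map the server's host name to a realm and find a KDC for it. The function names are hypothetical, the parser handles only the simple section and brace layout shown in the message above, and an unset dns_lookup_kdc is treated as off.

```python
import re
# Constructed sample, abridged from the krb5.conf quoted in the message above.
SAMPLE = """[libdefaults]
default_realm = TEST.NET
dns_lookup_kdc = true
[realms]
TEST.NET = {
kdc = W2K3SRV.test.net:88
}
[domain_realm]
.test.net = TEST.NET
test.net = TEST.NET
"""

def parse_krb5(text):
    """Parse the simple layout above: [section], key = value, NAME = { ... }."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = block if block is not None else section
                target.setdefault(key, []).append(value)
    return conf

def realm_for_host(conf, host):
    """[domain_realm] lookup: exact host name first, then each parent '.domain'."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    labels = host.lower().split(".")
    names = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[n] for n in names if n in mapping), None)

def check(conf, host):
    """Problems locating a KDC for host; unset dns_lookup_kdc counts as off (assumption)."""
    lib = {k: v[0] for k, v in conf.get("libdefaults", {}).items()}
    realm = realm_for_host(conf, host) or lib.get("default_realm")
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if realm and (kdcs or lib.get("dns_lookup_kdc", "false").lower() == "true"):
        return []
    return ["no KDC source for host %s (realm %s)" % (host, realm)]
```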


[cifs-protocol] RE: [Pfif] Other types of Kerberos messages on SamLogon Generic

2008-09-10 Thread Andrew Bartlett
On Wed, 2008-09-10 at 15:00 -0700, Hongwei Sun wrote:
 Andrew,
 
   We still have a problem with the test. The following is what we did during our 
 test.  Please give us some advice.

Turn up the debug level (-d10 for example to the command line) and see
what the underlying error is.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.




[cifs-protocol] Re: [Pfif] Other types of Kerberos messages on SamLogon Generic

2008-09-09 Thread Stefan (metze) Metzmacher
Hongwei Sun wrote:
 Andrew,

   We ran smbtorture RPC-PAC testing on a Windows 2008 DC and got the following
 output.

 [EMAIL PROTECTED] source]# bin/smbtorture -k yes //VM-W2K8.nick.com/public RPC-PAC
 Using seed 1220896649
 Running PAC
 Password for [NICKDOM\root]:
 Domain join failed - Connection to SAMR pipe of DC VM-W2K8.nick.com failed:
 Connection to DC VM-W2K8.nick.com failed: NT_STATUS_UNSUCCESSFUL
 Setup failed: torture/rpc/rpc.c:144: Failed to join as BDC
 PAC took 11.264 sec

I assume you're getting a clock skew error.
Make sure the clock is in sync.

We have a hacked patch to handle clock skew error more nicely,
but it's not in our upstream code yet...

metze





[cifs-protocol] RE: [Pfif] Other types of Kerberos messages on SamLogon Generic

2008-09-09 Thread Andrew Bartlett
On Tue, 2008-09-09 at 07:46 -0700, Hongwei Sun wrote:
 Metze,

  After we set the time correctly, we got the following output. The error
 doesn't look related to the verify PAC message. Maybe we didn't go
 far enough. Any suggestions?

 Thanks!

 Hongwei

 --- After setting time

 [EMAIL PROTECTED] source]# bin/smbtorture //VM-W2K8.test.net/public RPC-PAC
 -UTESTDOM/[EMAIL PROTECTED]

Add -k yes --realm=test.net

 TEST verify FAILED! - torture/rpc/remote_pac.c:101: status was
 NT_STATUS_INVALID_PARAMETER, expected NT_STATUS_OK:

It failed to connect using kerberos (which was strictly required for
this test) because it did not find the KDC (or some other
pre-requisite). 

Also ensure your krb5.conf points the kerberos libs to your KDC with:
[libdefaults]
 default_realm = S4.NAOMI.ABARTLET.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.

