[Samba] Different kerberos build than listed in Samba-3 By Example, p. 225
Although I have the correct krb5 (1.3.1 running on a Red Hat Linux 9 system), I get the following result:

[EMAIL PROTECTED] root]# smbd -b | grep KRB
   HAVE_KRB5_H
   HAVE_ADDRTYPE_IN_KRB5_ADDRESS
   HAVE_KRB5
   HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
   HAVE_KRB5_ENCRYPT_DATA
   HAVE_KRB5_FREE_DATA_CONTENTS
   HAVE_KRB5_FREE_KTYPES
   HAVE_KRB5_GET_PERMITTED_ENCTYPES
   HAVE_KRB5_KEYTAB_ENTRY_KEY
   HAVE_KRB5_LOCATE_KDC
   HAVE_KRB5_MK_REQ_EXTENDED
   HAVE_KRB5_PRINCIPAL2SALT
   HAVE_KRB5_PRINC_COMPONENT
   HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
   HAVE_KRB5_SET_REAL_TIME
   HAVE_KRB5_STRING_TO_KEY
   HAVE_KRB5_TKT_ENC_PART2
   HAVE_KRB5_USE_ENCTYPE
   HAVE_LIBGSSAPI_KRB5
   HAVE_LIBKRB5

Which may explain this:

[EMAIL PROTECTED] root]# net ads join -U root
root password:
[2004/04/27 20:43:14, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password [EMAIL PROTECTED] failed: ASN.1 failed call to system time library
[EMAIL PROTECTED] root]# kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
kinit(v5): ASN.1 failed call to system time library while getting initial credentials

Does anyone know how to rectify this?

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 7:40 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Anyone know where I can get Kerberos 1.3.1 RPMs???

Edward W. Ray wrote:
> From what I have read, the default kerberos (v1.2.7) in Red Hat Linux 9 will not work for Windows 2003 AD authentication/Samba. I have looked and searched and googled for the RPMs. I would even settle for Fedora builds, but I cannot even find those. If anyone has a clue as to where I could find them, it would be appreciated.

These were built from the Fedora SRPMS and are what I use for testing (they've been built to support DNS SRV lookups for KDC's as well).

http://samba.org/~jerry/RPMS/rh9/

cheers, jerry
--
Hewlett-Packard - http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key http://www.plainjoe.org/gpg_public.asc

...a hundred billion castaways looking for a home. --- Sting

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Anyone know where I can get Kerberos 1.3.1 RPMs???
From what I have read, the default kerberos (v1.2.7) in Red Hat Linux 9 will not work for Windows 2003 AD authentication/Samba. I have looked and searched and googled for the RPMs. I would even settle for Fedora builds, but I cannot even find those. If anyone has a clue as to where I could find them, it would be appreciated.

Thanks in advance
RE: [Samba] Help for the Kerberos challenged in the audience, config files
Nsswitch.conf now reads:

[EMAIL PROTECTED] root]# more /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#
# To use db, put the db in front of files for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files ldap winbind
shadow:     files ldap
group:      files ldap winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap

netgroup:   files ldap

publickey:  files

automount:  files ldap
aliases:    files

However

[2004/04/14 21:30:10, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password [EMAIL PROTECTED] failed: ASN.1 failed call to system time library
[EMAIL PROTECTED] root]# kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
kinit(v5): ASN.1 failed call to system time library while getting initial credentials
[EMAIL PROTECTED] root]#

-----Original Message-----
From: Brett Stevens [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 13, 2004 7:57 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Samba] Help for the Kerberos challenged in the audience,config files

Nsswitch set properly? Check it and make sure there is a

passwd files winbind

and a

group files winbind

Also check that your time is synced correctly.

> From: Edward W. Ray [EMAIL PROTECTED]
> Organization: MMICMAN, LLC
> Reply-To: [EMAIL PROTECTED]
> Date: Tue, 13 Apr 2004 19:27:14 -0700
> To: 'Brett Stevens' [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: RE: [Samba] Help for the Kerberos challenged in the audience, config files
>
> The error has changed since the previous e-mail:
>
> [EMAIL PROTECTED] root]# net ads join -U root
> root password:
> [2004/04/13 19:23:05, 0] libads/kerberos.c:ads_kinit_password(133)
>   kerberos_kinit_password [EMAIL PROTECTED] failed: ASN.1 failed call to system time library
> [EMAIL PROTECTED] root]#
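Brett's nsswitch check, together with a realm consistency check between smb.conf and krb5.conf, as an added offline example that is not code from the thread or from Samba. The config excerpts are constructed from the poster's files; the check names and the realm comparison are my own.

```python
# Added example, not from the thread: offline checks for the three files the
# replies ask about. The excerpts are constructed from the poster's configs.

NSSWITCH = "passwd: files ldap winbind\nshadow: files ldap\ngroup: files ldap winbind\n"
SMB_CONF = "[global]\nworkgroup = mmicmanhomenet\nrealm = mmicmanhomenet.local\nsecurity = ADS\n"
KRB5_CONF = "[libdefaults]\ndefault_realm = MMICMANHOMENET.LOCAL\n"


def parse_ini(text):
    """Minimal [section] / key = value parser; '#' and ';' lines are comments."""
    conf, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def nsswitch_sources(text):
    """Map each nsswitch database (passwd, group, ...) to its ordered source list."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        if ":" in line:
            db, _, sources = line.partition(":")
            dbs[db.strip()] = sources.split()
    return dbs


def check_ads_member(nsswitch, smb_conf, krb5_conf):
    """Return the list of problems found; an empty list means all checks passed."""
    problems = []
    dbs = nsswitch_sources(nsswitch)
    for db in ("passwd", "group"):  # Brett's check: winbind must be a source
        if "winbind" not in dbs.get(db, []):
            problems.append(f"nsswitch.conf: {db} does not list winbind")
    smb = parse_ini(smb_conf).get("global", {})
    krb = parse_ini(krb5_conf).get("libdefaults", {})
    if smb.get("security", "").upper() != "ADS":
        problems.append("smb.conf: security = ADS is required for net ads join")
    realm = smb.get("realm", "").upper()  # Samba treats the realm as upper case
    if not realm:
        problems.append("smb.conf: realm is not set (required for an ADS member)")
    elif realm != krb.get("default_realm", "").upper():
        problems.append(f"realm mismatch: smb.conf {realm} vs krb5.conf {krb.get('default_realm')}")
    return problems
```

Run `check_ads_member` on the real files by reading them from /etc instead of the constructed strings; it does not cover Brett's other point, clock skew against the KDC.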
RE: [Samba] Help for the Kerberos challenged in the audience, config files
The error has changed since the previous e-mail:

[EMAIL PROTECTED] root]# net ads join -U root
root password:
[2004/04/13 19:23:05, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password [EMAIL PROTECTED] failed: ASN.1 failed call to system time library
[EMAIL PROTECTED] root]#

Below is my smb.conf:

[EMAIL PROTECTED] root]# more /etc/samba/smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command testparm
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
        dns proxy = no
        log file = /var/log/samba/log.%m
        server string = mail
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        password server = 192.168.1.100 192.168.1.102
        winbind gid = 1-2
        workgroup = mmicmanhomenet
        username map = /etc/samba/user.map
        use spnego = yes
        ldap ssl = yes
        hosts allow = 192.168.1.
        encrypt passwords = yes
        realm = mmicmanhomenet.local
        security = ADS
        winbind uid = 1-2
        max log size = 50

[netlogon]
        comment = Network Logon Service
        path = /home/netlogon
        read only = yes
;       guest ok = yes
;       writable = no
;       share modes = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
;    path = /home/profiles
;    browseable = no
;    guest ok = yes

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
;   [printers]
;   comment = All Printers
;   path = /var/spool/samba
;   browseable = no
# Set public = yes to allow user 'guest account' to print
;   guest ok = no
;   writable = no
;   printable = yes

# This one is useful for people to share files
;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

# A publicly accessible directory, but read only, except for people in
# the staff group
;[public]
;   comment = Public Stuff
;   path = /home/samba
;   public = yes
;   read only = yes
;   write list = @staff

# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
;   comment = Fred's Printer
;   valid users = fred
;   path = /homes/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes

# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
;   comment = Fred's Service
;   path = /usr/somewhere/private
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no

# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
;  comment = PC Directories
;  path = /usr/pc/%m
;  public = no
;  writable = yes

# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no

# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765
[EMAIL PROTECTED] root]#

Below is my krb5.conf:

[EMAIL PROTECTED] root]# more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MMICMANHOMENET.LOCAL

[realms]
 MMICMANHOMENET.LOCAL = {
  kdc
[Samba] Help for the Kerberos challenged in the audience
I am running Samba v3.0.2a on a fully patched Red Hat Linux 9 machine. Nmbd, smbd and winbindd are all running. I am trying to authenticate to a Windows 2003 native AD domain. I received the following error:

net ads join -U root%password
[2004/04/06 15:11:10, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Decrypt integrity check failed

If someone could point me to the solution to this problem, it would be appreciated.

Thanks in advance.

Edward W. Ray
[Samba] Strange syslog error when trying to add Red Hat Linux 9 machine to Windows 2003 native AD
Kerberos authentication seems to work fine; however when I try to initiate the following:

[EMAIL PROTECTED] root]# net ads join -U root Linux Mail Server
root password:
[EMAIL PROTECTED] root]#

The machine is not added to the AD. In /var/log/syslog I get the following error:

Feb 22 22:21:01 ns2 net: unable to dlopen /usr/lib/sasl/libgssapiv2.so: /usr/lib/sasl/libgssapiv2.so: file too short

Not sure what that refers to, but my ethereal logs show something related to authentication. They are enclosed with this e-mail. If anyone can provide some help and/or words of wisdom, I would appreciate it.

Regards,

Edward W. Ray
[Samba] Authenticating a Red Hat Linux 9 machine to a Windows 2003 native AD Domain
The article at http://windows.ittoolbox.com/documents/document.asp?i=1893 is a little dated. Digital signing is also required in my AD, something this article said was not available at time of writing (06/13/03) but would be incorporated into the final release of Samba v3.

My machine is a mail server, so the file/print sharing will not be used initially. I would just like to have a way to authenticate this Linux machine into a Windows 2003 native AD. Pointers to documentation and/or steps would be helpful, as I am sure this question has been asked and answered many times before.

Regards,

Edward W. Ray