[Samba] Different kerberos build than listed in Samba-3 By Example, p. 225

2004-04-27 Thread Edward W. Ray
 Although I have the correct krb5 (1.3.1 running on a Red Hat Linux 9
system), I get the following result:

[EMAIL PROTECTED] root]# smbd -b | grep KRB
   HAVE_KRB5_H
   HAVE_ADDRTYPE_IN_KRB5_ADDRESS
   HAVE_KRB5
   HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
   HAVE_KRB5_ENCRYPT_DATA
   HAVE_KRB5_FREE_DATA_CONTENTS
   HAVE_KRB5_FREE_KTYPES
   HAVE_KRB5_GET_PERMITTED_ENCTYPES
   HAVE_KRB5_KEYTAB_ENTRY_KEY
   HAVE_KRB5_LOCATE_KDC
   HAVE_KRB5_MK_REQ_EXTENDED
   HAVE_KRB5_PRINCIPAL2SALT
   HAVE_KRB5_PRINC_COMPONENT
   HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
   HAVE_KRB5_SET_REAL_TIME
   HAVE_KRB5_STRING_TO_KEY
   HAVE_KRB5_TKT_ENC_PART2
   HAVE_KRB5_USE_ENCTYPE
   HAVE_LIBGSSAPI_KRB5
   HAVE_LIBKRB5

Which may explain this:

[EMAIL PROTECTED] root]# net ads join -U root

root password: 
[2004/04/27 20:43:14, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password [EMAIL PROTECTED] failed: ASN.1 failed
call to system time library
[EMAIL PROTECTED] root]# kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]: 
kinit(v5): ASN.1 failed call to system time library while getting initial
credentials

Does anyone know how to rectify this?

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 27, 2004 7:40 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Anyone know where I can get Kerberos 1.3.1 RPMs???

Edward W. Ray wrote:

 From what I have read, the default kerberos (v1.2.7) in
  Red Hat Linux 9 will not work for Windows 2003 AD
  authentication/Samba.   I have looked and searched and
  googled for the RPMs.  I would even settle for Fedora builds,
 but I cannot even find those.  If anyone has a clue as to
  where I could find them, it would be appreciated.

These were built from the Fedora SRPMS and are what I
use for testing (they've been built to support DNS SRV
lookups for KDC's as well).

http://samba.org/~jerry/RPMS/rh9/



cheers, jerry
--
Hewlett-Packard- http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key   http://www.plainjoe.org/gpg_public.asc
...a hundred billion castaways looking for a home. --- Sting

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Anyone know where I can get Kerberos 1.3.1 RPMs???

2004-04-26 Thread Edward W. Ray
From what I have read, the default kerberos (v1.2.7) in Red Hat Linux 9 will
not work for Windows 2003 AD authentication/Samba.  I have looked and
searched and googled for the RPMs.  I would even settle for Fedora builds,
but I cannot even find those.  If anyone has a clue as to where I could find
them, it would be appreciated.

Thanks in advance 



RE: [Samba] Help for the Kerberos challenged in the audience, config files

2004-04-14 Thread Edward W. Ray
Nsswitch.conf now reads:

  [EMAIL PROTECTED] root]# more /etc/nsswitch.conf

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#   nisplus or nis+ Use NIS+ (NIS version 3)
#   nis or yp   Use NIS (NIS version 2), also called YP
#   dns Use DNS (Domain Name Service)
#   files   Use the local files
#   db  Use the local database (.db) files
#   compat  Use NIS on compat mode
#   hesiod  Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#

# To use db, put the db in front of files for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:db files nisplus nis
#shadow:db files nisplus nis
#group: db files nisplus nis

passwd: files ldap winbind
shadow: files ldap
group:  files ldap winbind

#hosts: db files nisplus nis dns
hosts:  files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files 

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:files
services:   files ldap

netgroup:   files ldap

publickey:  files

automount:  files ldap
aliases:files 


However 


[2004/04/14 21:30:10, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password [EMAIL PROTECTED] failed: ASN.1 failed
call to system time library
[EMAIL PROTECTED] root]# kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]: 
kinit(v5): ASN.1 failed call to system time library while getting initial
credentials
[EMAIL PROTECTED] root]# 
 

-Original Message-
From: Brett Stevens [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 13, 2004 7:57 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Samba] Help for the Kerberos challenged in the audience, config files

Nsswitch set properly?
Check it and make sure there is a passwd files winbind and a group files
winbind
Also check that your time is synced correctly.




From: Edward W. Ray [EMAIL PROTECTED]
Organization: MMICMAN, LLC
Reply-To: [EMAIL PROTECTED]
Date: Tue, 13 Apr 2004 19:27:14 -0700
To: 'Brett Stevens' [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: [Samba] Help for the Kerberos challenged in the audience,
config files

 The error has changed since the previous e-mail:

[EMAIL PROTECTED] root]# net ads join -U root

root password:
[2004/04/13 19:23:05, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password [EMAIL PROTECTED] failed: ASN.1 failed
call to system time library
[EMAIL PROTECTED] root]#


Below is my smb.conf:

 
[EMAIL PROTECTED] root]# more /etc/samba/smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command testparm
# to check that you have not made any basic syntactic errors.
#
#=== Global Settings ===
[global]
dns proxy = no 
log file = /var/log/samba/log.%m
server string = mail
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
password server = 192.168.1.100 192.168.1.102
winbind gid = 1-2
workgroup = mmicmanhomenet
username map = /etc/samba/user.map
use spnego = yes
ldap ssl = yes
hosts allow = 192.168.1.
encrypt passwords = yes
realm = mmicmanhomenet.local
security = ADS
winbind uid = 1-2
max log size = 50

[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   read only = yes
;   guest ok = yes
;   writable = no
;   share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
;path = /home/profiles
;browseable = no
;guest ok
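Brett's checklist above (winbind listed in nsswitch.conf, clocks in sync) plus the realm settings posted in this thread can be verified mechanically before attempting the join. The script below is an added example, not code from the thread or from Samba; the sample config files are constructed to mirror the posted ones, and the clock check takes two epoch timestamps as stand-ins for the local clock and the KDC's.

```shell
#!/bin/sh
# Added example: pre-join checks for the settings in this thread; sample configs are constructed.
TMP=$(mktemp -d)
cat > "$TMP/nsswitch.conf" <<'EOF'
passwd: files ldap winbind
shadow: files ldap
group:  files ldap winbind
hosts:  files dns
EOF
cat > "$TMP/smb.conf" <<'EOF'
[global]
realm = mmicmanhomenet.local
security = ADS
EOF
cat > "$TMP/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = MMICMANHOMENET.LOCAL
EOF

# 1. passwd and group must list winbind, or domain users will not resolve
#    on the box even after a successful join.
nss_has_winbind() {
    for db in passwd group; do
        grep -E "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|\$)" "$1" >/dev/null || return 1
    done
}

# 2. smb.conf 'realm' and krb5.conf 'default_realm' must name the same realm.
#    Samba upper-cases its realm parameter, so compare after folding case.
conf_value() {  # conf_value FILE KEY -> value of "KEY = value", trimmed
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1 | sed 's/[[:space:]]*$//'
}
realms_agree() {
    a=$(conf_value "$1" realm | tr '[:lower:]' '[:upper:]')
    b=$(conf_value "$2" default_realm | tr '[:lower:]' '[:upper:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 3. Kerberos rejects requests when client and KDC clocks differ by more than
#    the default 5-minute clockskew. Args: local and KDC time in epoch seconds.
clock_skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le 300 ]
}

nss_has_winbind "$TMP/nsswitch.conf" && echo "nsswitch.conf: winbind present for passwd and group"
realms_agree "$TMP/smb.conf" "$TMP/krb5.conf" && echo "realm: smb.conf and krb5.conf agree"
clock_skew_ok "$(date +%s)" "$(date +%s)" && echo "clock: within Kerberos skew tolerance"
```

On a real host, point the functions at /etc/nsswitch.conf, /etc/samba/smb.conf and /etc/krb5.conf, and feed clock_skew_ok the local time and the time reported by the domain controller (for example via ntpdate -q against it).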

RE: [Samba] Help for the Kerberos challenged in the audience, config files

2004-04-13 Thread Edward W. Ray
 The error has changed since the previous e-mail:

[EMAIL PROTECTED] root]# net ads join -U root

root password:
[2004/04/13 19:23:05, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password [EMAIL PROTECTED] failed: ASN.1 failed
call to system time library
[EMAIL PROTECTED] root]#


Below is my smb.conf:

 
[EMAIL PROTECTED] root]# more /etc/samba/smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash) 
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command testparm
# to check that you have not made any basic syntactic errors. 
#
#=== Global Settings ===
[global]
dns proxy = no 
log file = /var/log/samba/log.%m
server string = mail
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
password server = 192.168.1.100 192.168.1.102
winbind gid = 1-2
workgroup = mmicmanhomenet
username map = /etc/samba/user.map
use spnego = yes
ldap ssl = yes
hosts allow = 192.168.1.
encrypt passwords = yes
realm = mmicmanhomenet.local
security = ADS
winbind uid = 1-2
max log size = 50
 
 [netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   read only = yes
;   guest ok = yes
;   writable = no
;   share modes = no
 

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
;path = /home/profiles
;browseable = no
;guest ok = yes
 

# NOTE: If you have a BSD-style print system there is no need to 
# specifically define each individual printer
; [printers]
;   comment = All Printers
;   path = /var/spool/samba
;   browseable = no
# Set public = yes to allow user 'guest account' to print
;   guest ok = no
;   writable = no
;   printable = yes
 
# This one is useful for people to share files
;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes
 
# A publicly accessible directory, but read only, except for people in
# the staff group
;[public]
;   comment = Public Stuff
;   path = /home/samba
;   public = yes
;   read only = yes
;   write list = @staff
 
# Other examples. 
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
;   comment = Fred's Printer
;   valid users = fred
;   path = /homes/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes
 
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
;   comment = Fred's Service
;   path = /usr/somewhere/private
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no
 
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
;  comment = PC Directories
;  path = /usr/pc/%m
;  public = no
;  writable = yes
 
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no
 
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765
 

[EMAIL PROTECTED] root]# 

 
Below is my krb5.conf:
 
[EMAIL PROTECTED] root]# more /etc/krb5.conf 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = MMICMANHOMENET.LOCAL
 
[realms]
 MMICMANHOMENET.LOCAL = {
  kdc 

[Samba] Help for the Kerberos challenged in the audience

2004-04-06 Thread Edward W. Ray
 I am running Samba v3.0.2a on a fully patched Red Hat Linux 9 machine.
Nmbd, smbd and winbindd are all running.  I am trying to authenticate to a
Windows 2003 native AD domain.

I received the following error:

 net ads join -U root%password
[2004/04/06 15:11:10, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Decrypt
integrity check failed

If someone could point me to the solution to this problem, it would be
appreciated.

Thanks in advance.

Edward W. Ray



[Samba] Strange syslog error when trying to add Red Hat Linux 9 machine to Windows 2003 native AD

2004-02-22 Thread Edward W. Ray
Kerberos authentication seems to work fine; however when I try to initiate
the following:

[EMAIL PROTECTED] root]# net ads join -U root Linux Mail Server
root password: 
[EMAIL PROTECTED] root]# 


The machine is not added to the AD.  In /var/log/syslog I get the following
error:


Feb 22 22:21:01 ns2 net: unable to dlopen /usr/lib/sasl/libgssapiv2.so:
/usr/lib/sasl/libgssapiv2.so: file too short


Not sure what that refers to, but my ethereal logs show something related to
authentication.  They are enclosed with this e-mail.

If anyone can provide some help and/or words of wisdom, I would appreciate
it.

Regards,


Edward W. Ray

[Samba] Authenticating a Red Hat Linux 9 machine to a Windows 2003 native AD Domain

2004-02-20 Thread Edward W. Ray
The article at http://windows.ittoolbox.com/documents/document.asp?i=1893
 
is a little dated.
 
Digital signing is also required in my AD, something this article said was
not available at time of writing (06/13/03) but would be incorporated into
the final release of Samba v3.
 
My machine is a mail server, so the file/print sharing will not be used
initially.  Would just like to have a way to authenticate this Linux
machine into a Windows 2003 native AD.
 
Pointers to documentation and/or steps would be helpful, as I am sure this
question has been asked and answered many times before.
 
Regards,
 
Edward W. Ray
