Re: [Samba] Samba 3.020 and Win2K with Kerberos 5

2002-11-01 Thread Donald Saltarelli
Igor- 

I have tried this type of setup and it does not work. 

If the user logs in to the REALMNAME (Kerberos Realm) on the Windows
2000 workstation, the kerberos tickets he has are slightly different
from the ones he gets when he logs into the Windows 2000 domain. These
tickets aren't authenticated by the Samba server and the user gets
prompted for a password (which would then be compared against the one in
the Windows 2000 domain and unless it matches the one in your UNIX
kerberos, it'll fail.). Apparently this isn't a popular architecture yet
and so it's not being worked on currently.

I haven't had time to get more information to the developers that would
help in solving the problem.

Donald

On Thu, 2002-10-17 at 02:00, Igor Korzinek wrote:
 Hi,
 I've posted this one also to comp.protocols.smb, but the list seems to be
 more hacky :-)
 
 I have M$ Win2K PDC with Kerberos authentication system.
 
 PDC
 Win2K--SAMBA-3.020-LINUX
 Kerberos5
 
 It was somewhere told (Samba 3.0 prealpha guide to Kerberos
 authentication) that this should work.
 I'm using RedHat 7.2 with latest patches (obtained via net from redhat
 site).
 Kerberos is 1.2.2-14
 klist shows after kinit:
 ---
 [root@pan log]# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: [EMAIL PROTECTED]
 
 Valid starting       Expires              Service principal
 10/16/02 17:58:48  10/17/02 03:58:48
 [EMAIL PROTECTED]
 CROTEC.COM
 
 
 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached
 
 So I assume that the kerberos client is running fine. I've tried with a wrong
 passwd, and it complains, so this should be fine.
 
 I did change execution path so that the Samba 3.0.20 is started and log
 files said that everything is fine.
 
 When I did net ads join, then I've got Segmentation fault
 Any hint? (oh, yes, gcc is 2.96)
 
 If someone has succeeded with such a connection, please let me know.
 
 Yes, there is additional info...
 instead of  net ads join,
 I should use
 
 net ads join -Uadministrator
 
 because the default is the logged-in user, which is almost never administrator on
 UNIXes, but can be root or some local user... (I've discovered that with
 kdbg and a 1 hour session :-)).
 
 And when I execute:
 
 [root@pan root]# net ads status -Uadministrator
 
 I've got the following:
 
 administrator password:
 accountExpires: 9223372036854775807
 badPasswordTime: 0
 badPwdCount: 0
 codePage: 0
 cn: pan
 countryCode: 0
 dNSHostName: pan
 instanceType: 4
 isCriticalSystemObject: FALSE
 lastLogoff: 0
 lastLogon: 0
 logonCount: 0
 -- Security Descriptor (revision: 1, type: 0x8c14)
 owner SID: S-1-5-21-353111985-644491385-32730383-512
 group SID: S-1-5-21-353111985-644491385-32730383-513
 --- (system) ACL (revision: 2, size: 28, number of ACEs: 1)
 --- ACE (type: 0x02, flags: 0xd2, size: 0x14, mask: 0xd016b)
 access SID:  S-1-1-0
 access type: SYSTEM AUDIT
 Permissions:
 [Create All Child Objects]
 [Delete All Child Objects]
 [All validate writes]
 [Write All Properties]
 [Delete Subtree]
 [Change Password]
 [Reset Password]
 [Delete]
 [Modify Permissions]
 [Modify Owner]
 --- (user) ACL (revision: 4, size: 1284, number of ACEs: 30)
 --- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
 access SID:  S-1-5-21-353111985-644491385-32730383-512
 access type: ALLOWED
 Permissions: [Full Control]
 --- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
 access SID:  S-1-5-32-548
 access type: ALLOWED
 Permissions: [Full Control]
 --- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0xf01ff)
 access SID:  S-1-5-18
 access type: ALLOWED
 Permissions: [Full Control]
 --- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0x301d4)
 access SID:  S-1-5-21-353111985-644491385-32730383-512
 access type: ALLOWED
 Permissions:
 [List Contents]
 [Read All Properties]
 [Delete Subtree]
 [List Object]
 [Change Password]
 [Reset Password]
 [Delete]
 [Read Permissions]
 --- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x20, object flags:
 0x1)
 access SID:  S-1-5-21-353111985-644491385-32730383-512
 access type: ALLOWED OBJECT
 Permissions:
 [Write All Properties]
 --- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x20094)
 access SID:  S-1-5-11
 access type: ALLOWED
 Permissions:
 [List Contents]
 [Read All Properties]
 [List Object]
 [Read Permissions]
 --- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x100, object flags:
 0x1)
 access SID:  S-1-1-0
 access type: ALLOWED OBJECT
 Permissions:
 [Change Password]
 [Reset Password]
 --- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x3)
 access SID:  S-1-5-10
 access type: ALLOWED
 Permissions:
 [Create All Child Objects]
 [Delete 

[Samba] Samba 3.020 and Win2K with Kerberos 5

2002-10-17 Thread Igor Korzinek

Hi,
I've posted this one also to comp.protocols.smb, but the list seems to be
more hacky :-)

I have M$ Win2K PDC with Kerberos authentication system.

PDC
Win2K--SAMBA-3.020-LINUX
Kerberos5

It was somewhere told (Samba 3.0 prealpha guide to Kerberos
authentication) that this should work.
I'm using RedHat 7.2 with latest patches (obtained via net from redhat
site).
Kerberos is 1.2.2-14
klist shows after kinit:
---
[root@pan log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting       Expires              Service principal
10/16/02 17:58:48  10/17/02 03:58:48
[EMAIL PROTECTED]
CROTEC.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

So I assume that the kerberos client is running fine. I've tried with a wrong
passwd, and it complains, so this should be fine.

I did change execution path so that the Samba 3.0.20 is started and log
files said that everything is fine.

When I did net ads join, then I've got Segmentation fault
Any hint? (oh, yes, gcc is 2.96)

If someone has succeeded with such a connection, please let me know.

Yes, there is additional info...
instead of  net ads join,
I should use

net ads join -Uadministrator

because the default is the logged-in user, which is almost never administrator on
UNIXes, but can be root or some local user... (I've discovered that with
kdbg and a 1 hour session :-)).

And when I execute:

[root@pan root]# net ads status -Uadministrator

I've got the following:

administrator password:
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: pan
countryCode: 0
dNSHostName: pan
instanceType: 4
isCriticalSystemObject: FALSE
lastLogoff: 0
lastLogon: 0
logonCount: 0
-- Security Descriptor (revision: 1, type: 0x8c14)
owner SID: S-1-5-21-353111985-644491385-32730383-512
group SID: S-1-5-21-353111985-644491385-32730383-513
--- (system) ACL (revision: 2, size: 28, number of ACEs: 1)
--- ACE (type: 0x02, flags: 0xd2, size: 0x14, mask: 0xd016b)
access SID:  S-1-1-0
access type: SYSTEM AUDIT
Permissions:
[Create All Child Objects]
[Delete All Child Objects]
[All validate writes]
[Write All Properties]
[Delete Subtree]
[Change Password]
[Reset Password]
[Delete]
[Modify Permissions]
[Modify Owner]
--- (user) ACL (revision: 4, size: 1284, number of ACEs: 30)
--- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
access SID:  S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED
Permissions: [Full Control]
--- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
access SID:  S-1-5-32-548
access type: ALLOWED
Permissions: [Full Control]
--- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0xf01ff)
access SID:  S-1-5-18
access type: ALLOWED
Permissions: [Full Control]
--- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0x301d4)
access SID:  S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED
Permissions:
[List Contents]
[Read All Properties]
[Delete Subtree]
[List Object]
[Change Password]
[Reset Password]
[Delete]
[Read Permissions]
--- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x20, object flags:
0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-512
access type: ALLOWED OBJECT
Permissions:
[Write All Properties]
--- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x20094)
access SID:  S-1-5-11
access type: ALLOWED
Permissions:
[List Contents]
[Read All Properties]
[List Object]
[Read Permissions]
--- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x100, object flags:
0x1)
access SID:  S-1-1-0
access type: ALLOWED OBJECT
Permissions:
[Change Password]
[Reset Password]
--- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x3)
access SID:  S-1-5-10
access type: ALLOWED
Permissions:
[Create All Child Objects]
[Delete All Child Objects]
--- ACE (type: 0x05, flags: 0x00, size: 0x2c, mask: 0x3, object flags:
0x1)
access SID:  S-1-5-32-550
access type: ALLOWED OBJECT
Permissions:
[Create All Child Objects]
[Delete All Child Objects]
--- ACE (type: 0x05, flags: 0x00, size: 0x38, mask: 0x30, object flags:
0x1)
access SID:  S-1-5-21-353111985-644491385-32730383-517
access type: ALLOWED OBJECT
Permissions:
[Read All Properties]
[Write All Properties]
--- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x8, object flags:
0x1)
access SID:  S-1-5-10
access type: ALLOWED OBJECT
Permissions:
[All validate writes]
--- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x30, object flags:
0x1)
access SID:  S-1-5-10
access type: ALLOWED OBJECT
Permissions:
[Read All Properties]
[Write All Properties]
--- ACE (type: 0x05, flags: 0x00, size: 0x28,
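The security descriptor that `net ads status` dumps above is the ACL of the freshly joined machine account, and the useful defensive question it answers is who can take that account over. As an added example (not Samba's code and not part of this thread), the following Python script parses a dump in that format, decodes each access mask into the same permission labels Samba prints (the mask bits are the standard Active Directory access-right bits; 0x100, the control-access bit, is printed under both password labels, as the post shows), and reports which principals hold rights that would let them change the account's permissions, owner or password. The well-known SID table and the "risky" set are this example's own audit policy, and `SAMPLE_DUMP` is a constructed excerpt modelled on the post's output, not the full dump.

```python
"""Audit an ACE dump in `net ads status` format (added example, not Samba code)."""
import re

# AD object rights (low 16 bits) plus the standard rights, labelled as Samba does.
# Bit 0x100 (control access) is listed twice because Samba prints both labels.
RIGHTS = [
    (0x00001, "Create All Child Objects"), (0x00002, "Delete All Child Objects"),
    (0x00004, "List Contents"),            (0x00008, "All validate writes"),
    (0x00010, "Read All Properties"),      (0x00020, "Write All Properties"),
    (0x00040, "Delete Subtree"),           (0x00080, "List Object"),
    (0x00100, "Change Password"),          (0x00100, "Reset Password"),
    (0x10000, "Delete"),                   (0x20000, "Read Permissions"),
    (0x40000, "Modify Permissions"),       (0x80000, "Modify Owner"),
]
FULL_CONTROL = 0xF01FF  # all of the above set: Samba prints "[Full Control]"

# Well-known SIDs and domain-relative RIDs (this example's own lookup table).
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-10": "Principal Self",
              "S-1-5-11": "Authenticated Users", "S-1-5-18": "Local System",
              "S-1-5-32-548": "Account Operators", "S-1-5-32-550": "Print Operators"}
DOMAIN_RIDS = {"512": "Domain Admins", "513": "Domain Users", "517": "Cert Publishers"}

# Rights that let the holder take over the account or change its credentials.
RISKY = {"Full Control", "Modify Permissions", "Modify Owner",
         "Reset Password", "Write All Properties"}

ACE_RE = re.compile(r"^--- ACE \(type: (0x[0-9a-f]+), .*mask: (0x[0-9a-f]+)")
SID_RE = re.compile(r"^access SID:\s+(S-[0-9-]+)")

# Constructed excerpt modelled on the post's dump (SIDs as printed there).
SAMPLE_DUMP = """\
-- Security Descriptor (revision: 1, type: 0x8c14)
--- (system) ACL (revision: 2, size: 28, number of ACEs: 1)
--- ACE (type: 0x02, flags: 0xd2, size: 0x14, mask: 0xd016b)
access SID:  S-1-1-0
--- (user) ACL (revision: 4, size: 1284, number of ACEs: 30)
--- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
access SID:  S-1-5-21-353111985-644491385-32730383-512
--- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
access SID:  S-1-5-32-548
--- ACE (type: 0x00, flags: 0x00, size: 0x14, mask: 0x20094)
access SID:  S-1-5-11
--- ACE (type: 0x05, flags: 0x00, size: 0x28, mask: 0x100, object flags:
0x1)
access SID:  S-1-1-0
"""


def decode_mask(mask):
    """Permission labels for an access mask, in the order Samba prints them."""
    if (mask & FULL_CONTROL) == FULL_CONTROL:
        return ["Full Control"]
    return [label for bit, label in RIGHTS if mask & bit]


def sid_name(sid):
    """Resolve well-known and domain-relative SIDs; unknown SIDs pass through."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    rid = sid.rsplit("-", 1)[-1]
    if sid.startswith("S-1-5-21-") and rid in DOMAIN_RIDS:
        return DOMAIN_RIDS[rid]
    return sid


def parse_aces(dump):
    """One {'type', 'mask', 'sid'} dict per '--- ACE' header; SID from the next line."""
    aces = []
    for raw in dump.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            aces.append({"type": int(m.group(1), 16), "mask": int(m.group(2), 16), "sid": None})
            continue
        m = SID_RE.match(line)
        if m and aces:
            aces[-1]["sid"] = m.group(1)
    return aces


def risky_holders(dump):
    """{principal: sorted risky rights} from plain ACCESS_ALLOWED ACEs (type 0x00).

    Audit ACEs (type 0x02) grant nothing. Object ACEs (type 0x05, 'object flags: 0x1')
    apply only to one attribute, property set or extended right whose GUID the dump
    does not print, so they cannot be judged here; see object_scoped_aces().
    """
    found = {}
    for ace in parse_aces(dump):
        if ace["type"] != 0x00 or ace["sid"] is None:
            continue
        hit = RISKY.intersection(decode_mask(ace["mask"]))
        if hit:
            found.setdefault(sid_name(ace["sid"]), set()).update(hit)
    return {who: sorted(rights) for who, rights in found.items()}


def object_scoped_aces(dump):
    """(principal, labels) for ALLOWED OBJECT ACEs, to be checked against their GUID."""
    return [(sid_name(a["sid"]), decode_mask(a["mask"]))
            for a in parse_aces(dump) if a["type"] == 0x05 and a["sid"]]


if __name__ == "__main__":
    for who, rights in sorted(risky_holders(SAMPLE_DUMP).items()):
        print(f"{who}: {', '.join(rights)}")
    for who, labels in object_scoped_aces(SAMPLE_DUMP):
        print(f"object-scoped (check GUID): {who}: {', '.join(labels)}")
```

Run against the sample it reports Domain Admins and Account Operators with Full Control, and lists the Everyone object ACE separately: without the object-type GUID, a 0x100 bit on an object ACE may be the self-service change-password right or the reset right, and the dump format above does not say which, so that line needs a look at the directory itself rather than a verdict from the mask alone. The same separation applies to the Write All Properties object ACEs in the post, which are scoped to a property set, not the whole object.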