RE: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi Jochen,

on another security issue, how do your samba servers authenticate to your idmap ldap backend server? Do you have to allow anonymous write access? I certainly would feel this was poor if that's the case. And you have listed only one LDAP server as your backend, will this not cause a big problem if it falls over? Can you specify more than one LDAP backend server?

thanks
Andy Smith.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jochen Schmidt
Posted At: 31 October 2003 11:59
Posted To: Samba
Conversation: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Subject: Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)

Hi Christoph

On 31 Oct 2003, Andrew Bartlett wrote:
> On Fri, 2003-10-31 at 21:41, [EMAIL PROTECTED] wrote:
> > Hi Jochen et al,
> >
> > that worked fine, though if I get it right everyone can now read the
> > active directory structure (?)
>
> No, you still need to authenticate, but nothing stops an attacker from
> 'stealing' the TCP/IP connection, if they control the network.

If you want to see what *everybody* can see try an
"ldapsearch -x -b "dc=MYDOMAIN,dc=DE" -h adscontroller -p 389" on a UNIX-Box.

> > Connecting to the samba machine results still in errors, but that may be
> > something stupid on my behalf too...
> >
> > thanks for helping
> > ~christoph
> >
> >
> > connect_to_domain_password_server: unable to setup the NETLOGON
> > credentials to machine ADC1. Error was : NT_STATUS_UNSUCCESSFUL.
>
> You will need to turn up the debug level - it will probably be something
> simple...

I've attached my own configuration I use on an ADS Domain Member. The Winbind-Stuff comes from another LDAP server and has no relation to the ADS-LDAP. If you don't use winbind you won't need the winbind section.

You should first do the "kinit [EMAIL PROTECTED]" and then a "net ads join".

Greetings
Jochen

--
Jochen Schmidt             [EMAIL PROTECTED]
Mi||enux GmbH              mobile: +49.175.5752483
Lilienthalstraße 2         phone:  +49.711.88770.300
70825 Stuttgart-Korntal    fax:    +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
PGP Fingerprint: 6F9A 85CE 78EA 7EF1 B2BA 3559 8FA1 2B13 098D 20B5

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this.

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi Christoph

On 31 Oct 2003, Andrew Bartlett wrote:
> On Fri, 2003-10-31 at 21:41, [EMAIL PROTECTED] wrote:
> > Hi Jochen et al,
> >
> > that worked fine, though if I get it right everyone can now read the
> > active directory structure (?)
>
> No, you still need to authenticate, but nothing stops an attacker from
> 'stealing' the TCP/IP connection, if they control the network.

If you want to see what *everybody* can see try an
"ldapsearch -x -b "dc=MYDOMAIN,dc=DE" -h adscontroller -p 389" on a UNIX-Box.

> > Connecting to the samba machine results still in errors, but that may be
> > something stupid on my behalf too...
> >
> > thanks for helping
> > ~christoph
> >
> >
> > connect_to_domain_password_server: unable to setup the NETLOGON
> > credentials to machine ADC1. Error was : NT_STATUS_UNSUCCESSFUL.
>
> You will need to turn up the debug level - it will probably be something
> simple...

I've attached my own configuration I use on an ADS Domain Member. The Winbind-Stuff comes from another LDAP server and has no relation to the ADS-LDAP. If you don't use winbind you won't need the winbind section.

You should first do the "kinit [EMAIL PROTECTED]" and then a "net ads join".

Greetings
Jochen

--
Jochen Schmidt             [EMAIL PROTECTED]
Mi||enux GmbH              mobile: +49.175.5752483
Lilienthalstraße 2         phone:  +49.711.88770.300
70825 Stuttgart-Korntal    fax:    +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
PGP Fingerprint: 6F9A 85CE 78EA 7EF1 B2BA 3559 8FA1 2B13 098D 20B5

# smb.conf
#
# Samba ADS member configuration
#
#
# (C) 2003 Thinking Objects Software GmbH
# Lilienthalstrasse 2/1
# 70825 Stuttgart-Korntal
# DE
# Web:     http://www.to.com/
# Email :  [EMAIL PROTECTED]
# Phone :  +49.711.88770.400
# Fax:     +49.711.88770.449
# Hotline: +49.711.88770.444 [EMAIL PROTECTED]
#
# Author: Jochen Schmidt
# $Id: smb.conf,v 1.3 2003/10/16 15:54:38 root Exp $
#

# Global parameters
[global]
        # General
        workgroup = TOPALIS-GROUP
        realm = TOPALIS-GROUP.TO.COM
        netbios name = saaac000
        server string = Thinking Primary Domain Server
        comment = by Thinking Objects Hotline
        debuglevel = 3
        unix charset = "CP850"
        load printers = no
        disable spoolss = no

        # Paths/Interfaces
        lock directory = /var/cache/samba/saaac000
        pid directory = /var/cache/samba/saaac000
        private dir = /var/cache/samba/saaac000/private
        log file = /var/log/samba/%m.c000
        log level = 1
        bind interfaces only = yes
        interfaces = 3.8.8.107/255.255.255.0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        wins support = No
        name resolve order = host lmhosts

        # Winbind
        idmap backend = ldap:ldap://3.8.8.103/
        idmap uid = 4-5
        idmap gid = 4-5
        ldap idmap suffix = ou=idmap,o=topalis-group
        ldap admin dn = cn=admin,o=topalis-group
        winbind use default domain = no

        # Security
        security = ADS
        use spnego = Yes
        client signing = Yes
        client use spnego = Yes
        encrypt passwords = Yes
        guest account = nobody

        # Domain stuff
        domain master = no
        domain logons = no
        preferred master = no
# EOF
Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
On Fri, 2003-10-31 at 21:41, [EMAIL PROTECTED] wrote:
> Hi Jochen et al,
>
> that worked fine, though if I get it right everyone can now read the
> active directory structure (?)

No, you still need to authenticate, but nothing stops an attacker from
'stealing' the TCP/IP connection, if they control the network.

> Connecting to the samba machine results still in errors, but that may be
> something stupid on my behalf too...
>
> thanks for helping
> ~christoph
>
>
> connect_to_domain_password_server: unable to setup the NETLOGON
> credentials to machine ADC1. Error was : NT_STATUS_UNSUCCESSFUL.

You will need to turn up the debug level - it will probably be something
simple...

Andrew Bartlett

> best regards
> ~christoph

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi Jochen et al,

that worked fine, though if I get it right everyone can now read the
active directory structure (?)

Connecting to the samba machine results still in errors, but that may be
something stupid on my behalf too...

thanks for helping
~christoph


connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine ADC1. Error was : NT_STATUS_UNSUCCESSFUL.

best regards
~christoph

--
/* Christoph Beyer  | Office: Building 2b / 23  *\
 * DESY             | Phone:  040-8998-2317     *
 *  - IT -          | Fax:    040-8998-4060     *
\* 22603 Hamburg    | http://www.desy.de        */

On Thu, 30 Oct 2003, Jochen Schmidt wrote:

> Hi Christoph,
>
> please try the following:
>
> - Open "dsa.msc" as Domain Administrator.
> - Right-Click your AD-Domain and select "properties"
> - Select the "Group Policy" Tab and "Edit" your Policy (or the "Default Domain
>   Policy")
> - Select "Computer Configuration\Windows Settings\Security Settings\Local
>   Policies\Security Options"
> - Define the policy "Network security: LDAP client signing requirements" to "none"
>
> Please respond if this helps or not!
>
> Jochen
>
>
> On Thu, 30 Oct 2003, Christoph Beyer wrote:
>
> > Hi Andrew et al,
> >
> > thank you for the tip, is there any way to get around this, my windows
> > admins don't know how to disable this feature. Is it possible to set it on
> > a 'per host base' on the windows side, if yes: where ?
> >
> > Are there plans to realize the feature in an upcoming release in the near
> > future ?
> >
> > thanks again for any advice !
> > ~christoph
> >
> >
>
> --
> Kind regards
>
> Jochen Schmidt
>
>
> Jochen Schmidt             [EMAIL PROTECTED]
> Mi||enux GmbH              mobile: +49.175.5752483
> Lilienthalstraße 2         phone:  +49.711.88770.300
> 70825 Stuttgart-Korntal    fax:    +49.711.88770.349
> -= linux without limits -=- http://linux.zSeries.org/ =-
> PGP Fingerprint: 6F9A 85CE 78EA 7EF1 B2BA 3559 8FA1 2B13 098D 20B5
>
Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi Christoph,

please try the following:

- Open "dsa.msc" as Domain Administrator.
- Right-Click your AD-Domain and select "properties"
- Select the "Group Policy" Tab and "Edit" your Policy (or the "Default Domain
  Policy")
- Select "Computer Configuration\Windows Settings\Security Settings\Local
  Policies\Security Options"
- Define the policy "Network security: LDAP client signing requirements" to "none"

Please respond if this helps or not!

Jochen


On Thu, 30 Oct 2003, Christoph Beyer wrote:

> Hi Andrew et al,
>
> thank you for the tip, is there any way to get around this, my windows
> admins don't know how to disable this feature. Is it possible to set it on
> a 'per host base' on the windows side, if yes: where ?
>
> Are there plans to realize the feature in an upcoming release in the near
> future ?
>
> thanks again for any advice !
> ~christoph
>
>

--
Kind regards

Jochen Schmidt


Jochen Schmidt             [EMAIL PROTECTED]
Mi||enux GmbH              mobile: +49.175.5752483
Lilienthalstraße 2         phone:  +49.711.88770.300
70825 Stuttgart-Korntal    fax:    +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
PGP Fingerprint: 6F9A 85CE 78EA 7EF1 B2BA 3559 8FA1 2B13 098D 20B5
Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi Andrew et al,

thank you for the tip, is there any way to get around this, my windows
admins don't know how to disable this feature. Is it possible to set it on
a 'per host base' on the windows side, if yes: where ?

Are there plans to realize the feature in an upcoming release in the near
future ?

thanks again for any advice !
~christoph

--
/* Christoph Beyer  | Office: Building 2b / 23  *\
 * DESY             | Phone:  040-8998-2317     *
 *  - IT -          | Fax:    040-8998-4060     *
\* 22603 Hamburg    | http://www.desy.de        */

On 30 Oct 2003, Andrew Bartlett wrote:

> On Thu, 2003-10-30 at 20:34, Jochen Schmidt wrote:
> > Hi Christoph,
> >
> > On Wed, 29 Oct 2003 [EMAIL PROTECTED] wrote:
> > > I'm using the production release of 3.0.0 and can not join a W2003 domain:
> > >
> > > [printsrv4] /spool/samba-3.0.0/bin $ ./net -d 10 ads join -Uhumpty_dumpty
> > > [2003/10/29 15:35:39, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
> > >   got [EMAIL PROTECTED]
> > > [2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
> > >   krb5_cc_get_principal failed (No credentials cache found)
> > > [2003/10/29 15:35:40, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
> > >   Got KRB5 session key of length 16
> > > [2003/10/29 15:35:40, 1] utils/net_ads.c:ads_startup(181)
> > >   ads_connect: Strong authentication required
> >
> > Maybe your Domain only allows NTLMv2. See smb.conf Manpage about "client
> > ntlmv2 auth" (and maybe also about "client schannel", "client signing",
> > "client use spnego")
>
> No, it's not related to NTLMv2. The issue is that we do not support AD
> servers that require signing of the LDAP connection. I'm not sure if
> mkaplan has logged it in bugzilla yet, but we have seen it.
>
> (We also know how to fix it, it's mainly a matter of implementation).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                 [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
> Student Network Administrator, Hawker College   [EMAIL PROTECTED]
> http://samba.org     http://build.samba.org     http://hawkerc.net
>
Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
On Thu, 2003-10-30 at 20:34, Jochen Schmidt wrote:
> Hi Christoph,
>
> On Wed, 29 Oct 2003 [EMAIL PROTECTED] wrote:
> > I'm using the production release of 3.0.0 and can not join a W2003 domain:
> >
> > [printsrv4] /spool/samba-3.0.0/bin $ ./net -d 10 ads join -Uhumpty_dumpty
> > [2003/10/29 15:35:39, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
> >   got [EMAIL PROTECTED]
> > [2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
> >   krb5_cc_get_principal failed (No credentials cache found)
> > [2003/10/29 15:35:40, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
> >   Got KRB5 session key of length 16
> > [2003/10/29 15:35:40, 1] utils/net_ads.c:ads_startup(181)
> >   ads_connect: Strong authentication required
>
> Maybe your Domain only allows NTLMv2. See smb.conf Manpage about "client
> ntlmv2 auth" (and maybe also about "client schannel", "client signing",
> "client use spnego")

No, it's not related to NTLMv2. The issue is that we do not support AD
servers that require signing of the LDAP connection. I'm not sure if
mkaplan has logged it in bugzilla yet, but we have seen it.

(We also know how to fix it, it's mainly a matter of implementation).

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi Christoph,

On Wed, 29 Oct 2003 [EMAIL PROTECTED] wrote:
> I'm using the production release of 3.0.0 and can not join a W2003 domain:
>
> [printsrv4] /spool/samba-3.0.0/bin $ ./net -d 10 ads join -Uhumpty_dumpty
> [2003/10/29 15:35:39, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
>   got [EMAIL PROTECTED]
> [2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
>   krb5_cc_get_principal failed (No credentials cache found)
> [2003/10/29 15:35:40, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
>   Got KRB5 session key of length 16
> [2003/10/29 15:35:40, 1] utils/net_ads.c:ads_startup(181)
>   ads_connect: Strong authentication required

Maybe your Domain only allows NTLMv2. See smb.conf Manpage about "client
ntlmv2 auth" (and maybe also about "client schannel", "client signing",
"client use spnego")

Greetings
Jochen

> [2003/10/29 15:35:40, 2] utils/net.c:main(758)
>   return code = -1
>
> The krb5 token looks OK:
>
> [printsrv4] /spool/samba-3.0.0/bin $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 10/29/03 13:48:09  10/29/03 23:48:18  krbtgt/[EMAIL PROTECTED]
>         renew until 10/30/03 13:48:09
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> Principal: [EMAIL PROTECTED]
>
> Issued             Expires            Principal
> 10/21/03 15:42:14  10/22/03 17:08:35  [EMAIL PROTECTED]
> 10/21/03 15:42:14  10/22/03 17:08:35  [EMAIL PROTECTED]
> 10/22/03 15:18:13  10/22/03 17:13:13  [EMAIL PROTECTED]

--
Jochen Schmidt             [EMAIL PROTECTED]
Mi||enux GmbH              mobile: +49.175.5752483
Lilienthalstraße 2         phone:  +49.711.88770.300
70825 Stuttgart-Korntal    fax:    +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
PGP Fingerprint: 6F9A 85CE 78EA 7EF1 B2BA 3559 8FA1 2B13 098D 20B5
[Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi everyone,

I'm using the production release of 3.0.0 and can not join a W2003 domain:

[printsrv4] /spool/samba-3.0.0/bin $ ./net -d 10 ads join -Uhumpty_dumpty
[2003/10/29 15:35:39, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
  got [EMAIL PROTECTED]
[2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/10/29 15:35:40, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
  Got KRB5 session key of length 16
[2003/10/29 15:35:40, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Strong authentication required
[2003/10/29 15:35:40, 2] utils/net.c:main(758)
  return code = -1

The krb5 token looks OK:

[printsrv4] /spool/samba-3.0.0/bin $ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/29/03 13:48:09  10/29/03 23:48:18  krbtgt/[EMAIL PROTECTED]
        renew until 10/30/03 13:48:09


Kerberos 4 ticket cache: /tmp/tkt0
Principal: [EMAIL PROTECTED]

Issued             Expires            Principal
10/21/03 15:42:14  10/22/03 17:08:35  [EMAIL PROTECTED]
10/21/03 15:42:14  10/22/03 17:08:35  [EMAIL PROTECTED]
10/22/03 15:18:13  10/22/03 17:13:13  [EMAIL PROTECTED]

any hints anyone ???

~christoph

--
/* Christoph Beyer  | Office: Building 2b / 23  *\
 * DESY             | Phone:  040-8998-2317     *
 *  - IT -          | Fax:    040-8998-4060     *
\* 22603 Hamburg    | http://www.desy.de        */
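Added example, not part of the thread or of Samba itself: a small Python triage script that parses the "[date time, level] file:function(line)" debug output of "net -d 10 ads join" and maps the failure signatures this thread discusses (missing Kerberos credentials cache, the DC's LDAP signing requirement, the NETLOGON NT_STATUS_UNSUCCESSFUL) to the diagnosis the replies give. The sample log is constructed from the lines in the original post; the finding codes and advice strings are the script's own.

```python
import re
# Constructed sample: the relevant debug lines from the original post.
SAMPLE_LOG = """\
[2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/10/29 15:35:40, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
  Got KRB5 session key of length 16
[2003/10/29 15:35:40, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Strong authentication required
[2003/10/29 15:35:40, 2] utils/net.c:main(758)
  return code = -1
"""
# "[date time, level] file:function(line)" as printed by Samba's DEBUG() macro.
HEADER = re.compile(r"^\[(\S+ \S+), (\d+)\] (\S+):(\w+)\((\d+)\)$")
# Message fragment -> (finding code, what the thread says it means).
SIGNATURES = {
    "No credentials cache found": ("no_krb5_ccache",
        "no Kerberos ticket cache: kinit as the joining account first, "
        "then run net ads join"),
    "Strong authentication required": ("ldap_signing_required",
        "the DC insists on a signed LDAP connection (LDAP result "
        "strongerAuthRequired); Samba 3.0.0 cannot sign LDAP, so the DC's "
        "'LDAP client signing requirements' policy is what stops the join"),
    "NT_STATUS_UNSUCCESSFUL": ("netlogon_failed",
        "NETLOGON credential setup failed: raise the debug level to see why"),
}

def parse_debug_log(text):
    """Pair each DEBUG header with the indented message line(s) below it."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            ts, level, src, func, srcline = m.groups()
            current = {"ts": ts, "level": int(level), "src": src,
                       "func": func, "line": int(srcline), "msg": ""}
            records.append(current)
            continue
        if current is None:  # bare line with no DEBUG header, e.g. a pasted excerpt
            current = {"ts": "", "level": None, "src": "?", "func": "?", "line": 0, "msg": ""}
            records.append(current)
        current["msg"] = (current["msg"] + " " + line).strip()
    return records

def diagnose(text):
    # One finding per matched signature, in the order the log reports them.
    findings = []
    for rec in parse_debug_log(text):
        for needle, (code, advice) in SIGNATURES.items():
            if needle in rec["msg"]:
                findings.append({"code": code, "advice": advice, "where": f'{rec["src"]}:{rec["func"]}'})
    return findings
```

Pasted excerpts without a DEBUG header (like the NETLOGON line Christoph quoted later in the thread) are collected into one headerless record so they still get classified.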