Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
Finally SOLVED! It works with 3.4.2. The only thing you need is setting the parameter kerberos method = system keytab in smb.conf. It looks like samba versions 3.2 and 3.3 were trying to verify the ticket against the secrets database, instead of using the keytab first, and found wrong data. But 3.4 allows you to restrict the verification to the system keytab, so it finds the correct key. So now it is possible to make an SSO samba server on lenny, following Eduardo's howto. Great! Thank you very much.

Best regards, Juan.

[2009/10/21 12:44:32, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
  wct=12 flg2=0xc801
[2009/10/21 12:44:32, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2009/10/21 12:44:32, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2009/10/21 12:44:32, 10] smbd/password.c:172(register_initial_vuid)
  register_initial_vuid: allocated vuid = 100
[2009/10/21 12:44:32, 10] smbd/sesssetup.c:1106(check_spnego_blob_complete)
  check_spnego_blob_complete: needed_len = 604, pblob-length = 604
[2009/10/21 12:44:32, 5] smbd/sesssetup.c:735(parse_spnego_mechanisms)
  parse_spnego_mechanisms: Got OID 1.2.840.48018.1.2.2
[2009/10/21 12:44:32, 5] smbd/sesssetup.c:735(parse_spnego_mechanisms)
  parse_spnego_mechanisms: Got OID 1.2.840.113554.1.2.2
[2009/10/21 12:44:32, 5] smbd/sesssetup.c:735(parse_spnego_mechanisms)
  parse_spnego_mechanisms: Got OID 1.3.6.1.4.1.311.2.2.10
[2009/10/21 12:44:32, 3] smbd/sesssetup.c:786(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 538
[2009/10/21 12:44:32, 10] lib/util.c:2626(name_to_fqdn)
  name_to_fqdn: lookup for SANATANASIO - sanatanasio.cfs.isst.
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/sanatanasio.cfs.i...@cfs.isst) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/sanatanasio.cfs.i...@cfs.isst) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/sanatanasio.cfs.i...@cfs.isst) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/sanatanasio.cfs.i...@cfs.isst) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/sanatanasio.cfs.i...@cfs.isst) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/sanatanasio.cfs.i...@cfs.isst) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/sanatanasio.cfs.i...@cfs.isst) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/sanatanasio.cfs.i...@cfs.isst) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/sanatanasio.cfs.i...@cfs.isst) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/sanatanasio.cfs.i...@cfs.isst) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/sanatanasio.cfs.i...@cfs.isst) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/sanatanasio.cfs.i...@cfs.isst) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libsmb/clikrb5.c:1087(get_key_from_keytab)
  get_key_from_keytab: will look for kvno 2, enctype 23 and name: cifs/sanatanasio.cfs.i...@cfs.isst
[2009/10/21 12:44:32, 3] libads/kerberos_verify.c:238(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal cifs/sanatanasio.cfs.i...@cfs.isst
[2009/10/21 12:44:32, 10] libsmb/clikrb5.c:897(get_krb5_smb_session_key)
  Got KRB5 session key of length 16
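The debug output above tells the whole verification story: smbd walks the keytab, krb5_rd_req rejects each host/ entry with "Wrong principal in request" until the cifs/ entry at kvno 2, enctype 23 (arcfour-hmac-md5) verifies the AP-REQ, and a 16-byte session key comes out. As an added example (not Juan's code, nor Samba's), here is a small Python parser that reduces a level-10 smbd log to exactly that summary and says whether the ticket was verified from the keytab at all. The input is constructed in the shape of the log above, with a hypothetical file server fs1.example.test in realm EXAMPLE.TEST; the second sample, in which no keytab entry succeeds, is also constructed and is not the failing log attached to the thread.

```python
"""Summarise Samba 3.x level-10 debug output for Kerberos ticket verification.

Added example, not code from the bug thread or from Samba. It matches the
messages of libads/kerberos_verify.c (ads_keytab_verify_ticket) and
libsmb/clikrb5.c (get_key_from_keytab, get_krb5_smb_session_key) and works
whether the debug header and the message are on separate lines or have been
run together onto one line, as they are in mail archives.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Kerberos enctype numbers (RFC 3961 / RFC 4757); 23 is the one in the log above.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

# A keytab entry Samba tried and krb5_rd_req rejected. The error text runs to
# the end of the line or to the next "[timestamp" debug header.
RE_FAIL = re.compile(
    r"krb5_rd_req_return_keyblock_from_keytab\((?P<princ>[^()]+)\) failed: (?P<err>[^\n\[]+)")
RE_OK = re.compile(
    r"krb5_rd_req_return_keyblock_from_keytab succeeded for principal (?P<princ>\S+)")
RE_KEY = re.compile(
    r"get_key_from_keytab: will look for kvno (?P<kvno>\d+), enctype (?P<enctype>\d+) and name: (?P<princ>\S+)")
RE_SESSION = re.compile(r"Got KRB5 session key of length (?P<n>\d+)")


@dataclass
class KeytabVerifyReport:
    failures: List[Tuple[str, str]] = field(default_factory=list)  # (principal, error)
    succeeded: Optional[str] = None  # keytab principal whose key verified the AP-REQ
    kvno: Optional[int] = None
    enctype: Optional[int] = None
    session_key_len: Optional[int] = None

    @property
    def verified(self) -> bool:
        return self.succeeded is not None

    @property
    def enctype_name(self) -> Optional[str]:
        if self.enctype is None:
            return None
        return ENCTYPE_NAMES.get(self.enctype, f"unknown({self.enctype})")

    def verdict(self) -> str:
        if self.verified:
            return (f"OK: ticket verified with keytab entry {self.succeeded} "
                    f"(kvno {self.kvno}, enctype {self.enctype_name}) after "
                    f"{len(self.failures)} non-matching keytab entries")
        errors = Counter(err for _, err in self.failures)
        detail = ", ".join(f"'{e}' x{n}" for e, n in errors.items()) or "no attempts logged"
        return (f"FAIL: no keytab entry verified the ticket ({detail}); compare the "
                f"requested service principal, kvno and enctype with the keytab, and "
                f"check that smb.conf points smbd at that keytab (kerberos method)")


def parse_samba_log(text: str) -> KeytabVerifyReport:
    """Extract the keytab verification summary from a chunk of smbd debug log."""
    report = KeytabVerifyReport()
    for m in RE_FAIL.finditer(text):
        report.failures.append((m["princ"], m["err"].strip()))
    m = RE_OK.search(text)
    if m:
        report.succeeded = m["princ"]
    m = RE_KEY.search(text)
    if m:
        report.kvno, report.enctype = int(m["kvno"]), int(m["enctype"])
    m = RE_SESSION.search(text)
    if m:
        report.session_key_len = int(m["n"])
    return report


# Constructed sample in the shape of the log quoted above, for a hypothetical
# server fs1.example.test in realm EXAMPLE.TEST (not the reporter's hosts).
SAMPLE_OK = """\
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/fs1.example.test@EXAMPLE.TEST) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/fs1.example.test@EXAMPLE.TEST) failed: Wrong principal in request
[2009/10/21 12:44:32, 10] libsmb/clikrb5.c:1087(get_key_from_keytab)
  get_key_from_keytab: will look for kvno 2, enctype 23 and name: cifs/fs1.example.test@EXAMPLE.TEST
[2009/10/21 12:44:32, 3] libads/kerberos_verify.c:238(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal cifs/fs1.example.test@EXAMPLE.TEST
[2009/10/21 12:44:32, 10] libsmb/clikrb5.c:897(get_krb5_smb_session_key)
  Got KRB5 session key of length 16
"""

# Constructed failing case: every keytab entry is rejected and nothing succeeds.
SAMPLE_FAIL = """\
[2009/10/21 12:50:01, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/fs1.example.test@EXAMPLE.TEST) failed: Wrong principal in request
[2009/10/21 12:50:01, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(cifs/fs1.example.test@EXAMPLE.TEST) failed: Key version number for principal in key table is incorrect
"""

if __name__ == "__main__":
    for label, sample in (("successful login", SAMPLE_OK), ("failing login", SAMPLE_FAIL)):
        print(f"{label}: {parse_samba_log(sample).verdict()}")
```

When the verdict is FAIL, the useful comparison is between the service principal, kvno and enctype the client's ticket names and what the server's keytab actually holds (klist -k, or net ads keytab list on a joined Samba host), and then whether smbd is reading that keytab at all, which is what the kerberos method setting Juan reports controls on 3.4.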
Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
Hello. I have also tested the newest backports of 3.4.2, with the same results. I attach log files of a successful and a failing login, the former from a non-joined PDC running 3.2.5 and the latter from a joined file server running 3.4.2.

Best regards, Juan.

BTW, thanks for the great job you are doing with the backports.
Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
Quoting Eduardo Sachs (edu.sa...@terra.com.br):

> Package: samba
> Version: 2:3.2.5-4
> Severity: serious
>
> Hello. I have a 3.2.5 Samba-LDAP PDC which shares the database with heimdal (so samba passwords are also kerberos passwords). I am able to use kerberos credentials to connect to the PDC shares with smbclient -k, both on the server and on linux workstations. The problem is that, as soon as I try to join the PDC to its own domain (with net join), in order to be able to use winbind on the PDC, I cannot use kerberos tickets anymore to connect to the PDC's shares, neither from the PDC nor from the workstations. But if I don't join the PDC to the domain, I can join workstations to the domain and still use kerberos tickets with smbclient -k on them, whether the shares are on the PDC or on the workstation itself. Samba 3.0.x does not have this problem; it only appears in Samba 3.2.x and 3.3.x.

Hello Eduardo,

Since you reported that bug, we managed to publish backported packages of samba 3.3.6: http://packages.debian.org/lenny-backports/samba

To narrow this down, would it be possible for you to try these packages?
Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
Hello. I am using a setup as described in this bug report, and I am experiencing the bug Eduardo reported. The point is that a Samba 3.2/3.3 file server (no matter if it's a PDC, BDC or workstation acting as a file server) requests a different kerberos ticket from the KDC, depending on whether the PDC has joined the domain it itself serves, or not. Maybe the Samba developers have done it on purpose, or maybe it is a bug. The problem is that one enctype is supported by Heimdal, and the other is not. I tried to report this to the Samba team, but I got no reply, maybe because I was not able to explain the bug properly. If you are going to make a proper bug report, could you please post the link here, so we can follow it? Thank you very much.

Best regards, Juan.
Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
More generally speaking, about this bug, I think that our best option is reporting it upstream with all the information passed by Eduardo along his various exchanges with us. For such bugs, I think that having us (package maintainers in Debian) as proxies hasn't much added value... I will open a bug report in Bugzilla as soon as I have time for that (that needs time, as it needs collecting all we have in the Debian BTS plus sending pointers to the network capture made by Eduardo, etc.).
Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
unmerge 519570
thanks

Quoting Eduardo Sachs (edu.sa...@terra.com.br):

> > > Bug #5810 is a little confusing; the best guide is the Debian bug report #519570.
> >
> > By the way, isn't this bug the same as #515767?
>
> Christian, I am so sorry, but bug #515767 is not the same as #519570. When I said this, I was going to sleep and was tired. Thanks again, and sorry for the confusion...

OK...
Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
Quoting Steve Langasek (vor...@debian.org):

> > http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Lenny_(em_construção_-_NÃO_USAR_-_COM_BUG)#.2A.2A.2A_ATEN.C3.87.C3.83O.21.21.21_AVISO_IMPORTANTE.21.21.21_.2A.2A.2A
>
> I'll try to reproduce the bug based on this description.

It's good to have a polyglot in the package maintenance team..:-)

(Eduardo: I have less knowledge of pt_BR than Steve has, but the page you mention seems to point to upstream's bug #5810; however, I can't understand if what's described in upstream bug 5810 is also what you report in this Debian bug report #519570.)

...and congratulations for that nice documentation... from what I can understand, this is a very comprehensive description of your setup. I wish I could find the same in French..:)
Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
> It's good to have a polyglot in the package maintenance team..:-)
>
> (Eduardo: I have less knowledge of pt_BR than Steve has, but the page you mention seems to point to upstream's bug #5810; however, I can't understand if what's described in upstream bug 5810 is also what you report in this Debian bug report #519570.)

Bug #5810 is a little confusing; the best guide is the Debian bug report #519570.

> ...and congratulations for that nice documentation... from what I can understand, this is a very comprehensive description of your setup. I wish I could find the same in French..:)

My documentation for Debian Etch is ready, but for Debian Lenny it is still not complete. Indeed, there is no documentation about a Kerberized Samba PDC on the Internet, I think only mine, but for Active Directory there is a lot of documentation. Thanks!!
Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
Quoting Eduardo Sachs (edu.sa...@terra.com.br):

> > It's good to have a polyglot in the package maintenance team..:-)
> >
> > (Eduardo: I have less knowledge of pt_BR than Steve has, but the page you mention seems to point to upstream's bug #5810; however, I can't understand if what's described in upstream bug 5810 is also what you report in this Debian bug report #519570.)
>
> Bug #5810 is a little confusing; the best guide is the Debian bug report #519570.

By the way, isn't this bug the same as #515767?
Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
Christian Perrier wrote:

> > Bug #5810 is a little confusing; the best guide is the Debian bug report #519570.
>
> By the way, isn't this bug the same as #515767?

Yes, it is the same... but it is more detailed in #515767. Thanks!
Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
forcemerge 519570 515767
thanks

Quoting Eduardo Sachs (edu.sa...@terra.com.br):

> Christian Perrier wrote:
>
> > > Bug #5810 is a little confusing; the best guide is the Debian bug report #519570.
> >
> > By the way, isn't this bug the same as #515767?
>
> Yes, it is the same... but it is more detailed in #515767. Thanks!

OK, thanks for the followup.
Bug#519570: [Pkg-samba-maint] Bug#519570: Kerberos working on samba 3.2.5 PDC, but failing when joining the domain
> > Bug #5810 is a little confusing; the best guide is the Debian bug report #519570.
>
> By the way, isn't this bug the same as #515767?

Christian, I am so sorry, but bug #515767 is not the same as #519570. When I said this, I was going to sleep and was tired. Thanks again, and sorry for the confusion...