FW: [Samba] Samba requesting nonexistent keytab type?

2004-01-07 Thread Brian Spiegel
Hi all,

I've downloaded and installed the 3.0.2pre1 package.  However, I've not
managed to get winbindd working.  I've run into a credentials cache problem
(so I haven't been able to even get to the point I was at before).

My krb5.conf and pam settings haven't changed and I'm using the same
smb.conf as before.  I'm using MIT Kerberos 1.3.1 (in /usr/kerberos/).  Here
are some excerpts from the winbindd log file (at debug level 10).


[2004/01/07 16:15:34, 3] libsmb/cliconnect.c:cli_session_setup_spnego(705)
  got [EMAIL PROTECTED]
[2004/01/07 16:15:34, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(509)
  Doing kerberos session setup
[2004/01/07 16:15:34, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/01/07 16:15:34, 4] nsswitch/winbindd_cm.c:cm_open_connection(186)
  failed kerberos session setup with NT_STATUS_UNSUCCESSFUL
[2004/01/07 16:15:34, 5] nsswitch/winbindd_cm.c:cm_open_connection(218)
  anonymous connection attempt to DC01 from SOME-SERVER

... a bunch of data for pipe/connection (I think)...

[2004/01/07 16:15:34, 3] nsswitch/winbindd_util.c:add_trusted_domain(142)
  add_trusted_domain: DOMAIN is a native mode domain
[2004/01/07 16:15:34, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
  Added domain DOMAIN DOMAIN.COM
[2004/01/07 16:15:34, 10] nsswitch/winbindd_cache.c:wcache_flush_cache(66)
  wcache_flush_cache success
[2004/01/07 16:15:34, 10] nsswitch/winbindd_cache.c:alternate_name(1306)
  alternate_name: [Cached] - doing backend query for info for domain DOMAIN
[2004/01/07 16:15:34, 3] nsswitch/winbindd_ads.c:alternate_name(952)
  ads: alternate_name
[2004/01/07 16:15:34, 6] libads/ldap.c:ads_find_dc(147)
  ads_find_dc: looking for realm 'DOMAIN.COM'
[2004/01/07 16:15:34, 8] libsmb/namequery.c:get_sorted_dc_list(1215)
  get_sorted_dc_list: attempting lookup using [hosts]
[2004/01/07 16:15:34, 10] libsmb/namequery.c:remove_duplicate_addrs2(312)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2004/01/07 16:15:34, 4] libsmb/namequery.c:get_dc_list(1350)
  get_dc_list: returning 1 ip addresses in an ordered list
[2004/01/07 16:15:34, 4] libsmb/namequery.c:get_dc_list(1351)
  get_dc_list: 192.168.3.2:389
[2004/01/07 16:15:34, 5] libads/ldap.c:ads_try_connect(56)
  ads_try_connect: trying ldap server '192.168.3.2' port 389
[2004/01/07 16:15:34, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 192.168.3.2
[2004/01/07 16:15:34, 3] libads/ldap.c:ads_server_info(2030)
  got ldap server name [EMAIL PROTECTED], using bind path: dc=DOMAIN,dc=COM

... some more junk...

[2004/01/07 16:15:34, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
  got [EMAIL PROTECTED]
[2004/01/07 16:15:34, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/01/07 16:15:34, 1] nsswitch/winbindd_ads.c:ads_cached_connection(65)
  ads_connect for domain DOMAIN failed: Operations error
[2004/01/07 16:15:34, 1] nsswitch/winbindd_util.c:init_domain_list(284)
  Could not fetch sid for our domain DOMAIN
[2004/01/07 16:15:34, 0] nsswitch/winbindd_util.c:rescan_trusted_domains(170)
  rescan_trusted_domains: Can't find my own domain!

The machine had been joined to the AD domain some time back (IP share access
was working yesterday) and a kinit gets my principal.

  $ klist -e
  Ticket cache: FILE:/tmp/krb5cc_501
  Default principal: [EMAIL PROTECTED]

  Valid starting     Expires            Service principal
  01/07/04 15:47:17  01/08/04 01:45:18  krbtgt/[EMAIL PROTECTED]
          renew until 01/08/04 15:47:17, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
  01/07/04 15:50:02  01/08/04 01:45:18  [EMAIL PROTECTED]
          renew until 01/08/04 15:47:17, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5


Is there something I'm missing with my setup?  Where does winbindd look for
the credentials cache by default?  

Below is my smb.conf.  The pam settings for samba and login are identical to
that in the HOW-TO at samba.org.  Same with the krb5.conf file.

Any ideas?  I've got a deadline approaching and I'm really in a crunch.  Any
help is appreciated.

Thanks,
Brian


smb.conf:
[global]
; smbd settings
log level = 3
log file = /var/log/samba/log.%m
server string = %u [Samba Server %v]
; Active Directory settings
workgroup = DOMAIN
security = ADS
realm = DOMAIN.COM
client use spnego = yes
use spnego = yes
local master = no
domain master = no
preferred master = no
domain logons = no
os level = 0
; winbind stuff
winbind separator = +
allow trusted domains = no
obey pam restrictions = yes
winbind enum users = yes
idmap uid = 1-2
winbind enum groups = yes
idmap gid = 1-2
password server = 192.168.3.2
encrypt passwords = yes
template homedir = /home/%D/%U
template shell = /bin/bash

Re: [Samba] Samba requesting nonexistent keytab type?

2004-01-06 Thread Gerald (Jerry) Carter
On Mon, 5 Jan 2004, Justin Baugh wrote:

> Hello,
>
> I have been working diligently since my last post to solve the error
> I've been receiving. I did manage to fix the credentials problem, but
> now I am at the same point where many others are, mainly, when doing
> hostname mapping (net use X: \\foo\bar), Samba prompts for a username
> and password and does not use Kerberos.
>
> In my error logs:
>
> [2004/01/05 15:51:59, 10] libads/kerberos_verify.c:create_keytab(56)
>   creating keytab: MEMORY:
> [2004/01/05 15:51:59, 10] libads/kerberos_verify.c:create_keytab(59)
>   going to krb5_kt_resolveunable to create MEMORY: keytab (Unknown Key table type)

This should be fixed in the latest Samba 3.0 cvs tree.  Please test
the 3.0.2pre1 release which is due out tomorrow.



cheers, jerry
 --
 Hewlett-Packard- http://www.hp.com
 SAMBA Team -- http://www.samba.org
 GnuPG Key   http://www.plainjoe.org/gpg_public.asc
 If we're adding to the noise, turn off this song --Switchfoot (2003)

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Samba requesting nonexistent keytab type?

2004-01-05 Thread Justin Baugh
Hello,

I have been working diligently since my last post to solve the error 
I've been receiving. I did manage to fix the credentials problem, but 
now I am at the same point where many others are, mainly, when doing 
hostname mapping (net use X: \\foo\bar), Samba prompts for a username 
and password and does not use Kerberos.

In my error logs:

[2004/01/05 15:51:59, 10] libads/kerberos_verify.c:create_keytab(56)
  creating keytab: MEMORY:
[2004/01/05 15:51:59, 10] libads/kerberos_verify.c:create_keytab(59)
  going to krb5_kt_resolveunable to create MEMORY: keytab (Unknown Key table type)
[2004/01/05 15:51:59, 3] libads/kerberos_verify.c:ads_verify_ticket(283)
  ads_verify_ticket: unable to setup keytab
[2004/01/05 15:51:59, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2004/01/05 15:51:59, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

After looking at kerberos_verify.c and doing some debugging, I found 
exactly where the problem is occurring (I think).  The krb5_kt_resolve 
immediately before is returning KRB5_KT_UNKNOWN_TYPE. Doing some looking 
at the source for MIT krb5, and a bit of reading, it looks like there 
are two key table types defined: FILE and WRFILE. Specifically, in 
lib/krb5/keytab/ktbase.c:krb5_kt_resolve(112), it cycles through a list 
of registered key table types, and MEMORY is definitely not one of them. 
It has no associated krb5_kt_ops struct, at least not one that I can 
locate.

However, this definition _does_ exist in Heimdal Kerberos 0.6 
(keytab_memory.c), along with a corresponding krb5_kt_ops struct.

What gives? Am I just making this up, or does this seem slightly 
reasonable?

I'm using FreeBSD 5.1; when I compiled Samba 3.0 with Heimdal (the 
system krb5 libs) I couldn't even get Samba to join a Windows 2003 
domain, no matter what the krb5.conf said. Only after I went to MIT and 
recompiled was I able to join and do queries on the domain.

Does anyone have Samba 3.0 + FreeBSD 5 + Heimdal working? If so, please 
let me know? :)

Thoughts, questions, flames? Any errors are a result of my ignorance.

-Justin
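
Added example, not part of the original posts and not Samba code: a small triage script for the log format quoted in this thread. It pairs each level 0/1 error with the nearest Kerberos library error in parentheses, which for the smbd failure above is only logged at level 10. The names `parse_records` and `explain_errors` and the five-record look-back window are assumptions made for illustration.

```python
import re

# Every Samba debug record opens with "[date time, level] source.c:function(line)".
HEADER = re.compile(r"^\[[\d/]+ [\d:]+,\s*(\d+)\]\s*\S+?:(\w+)\(\d+\)$")
BARE = re.compile(r"^\[[\d/]+ [\d:]+,\s*\d+\]$")  # header cut in two by mail wrapping
CAUSE = re.compile(r"\(([^()]+)\)$")               # trailing "(library error text)"

def parse_records(text):
    """Split a log excerpt into records, rejoining mail-wrapped lines."""
    records, pending = [], ""
    for line in filter(None, map(str.strip, text.splitlines())):
        line, pending = (pending + " " + line).strip(), ""
        if BARE.match(line):
            pending = line
        elif (m := HEADER.match(line)):
            records.append({"level": int(m[1]), "function": m[2], "message": ""})
        elif records:
            records[-1]["message"] = (records[-1]["message"] + " " + line).strip()
    return records

def explain_errors(records, max_level=1, window=5):
    """Pair each error record with the nearest "(library error)" at or before it."""
    findings = []
    for i, rec in enumerate(records):
        if rec["level"] > max_level:
            continue
        for prev in reversed(records[max(0, i - window):i + 1]):
            if (m := CAUSE.search(prev["message"])):
                findings.append((rec["function"], m[1], prev["function"], prev["level"]))
                break
    return findings

# Lines copied from the two posts in this thread (each excerpt shortened).
LOG = """\
[2004/01/05 15:51:59, 10] libads/kerberos_verify.c:create_keytab(59)
  going to krb5_kt_resolveunable to create MEMORY: keytab (Unknown Key
table type)
[2004/01/05 15:51:59, 3] libads/kerberos_verify.c:ads_verify_ticket(283)
  ads_verify_ticket: unable to setup keytab
[2004/01/05 15:51:59, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2004/01/07 16:15:34, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/01/07 16:15:34, 0]
nsswitch/winbindd_util.c:rescan_trusted_domains(170)
  rescan_trusted_domains: Can't find my own domain!
"""

for finding in explain_errors(parse_records(LOG)):
    print(finding)
```

Each tuple is (function that logged the error, library error text, function that logged that text, its debug level).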
