From: Bogdan Taru on


Hello everyone,

I'm trying to make Samba authenticate clients against an Active
Directory Server running on W2k3 R2. Samba is running on a Debian Linux:

virtual-101:~# dpkg -l | egrep -i '(samba|kerb)'
ii krb5-config 1.17 Configuration files for Kerberos Version 5
ii krb5-user 1.6.dfsg.3~beta1-2 Basic programs to authenticate using MIT Kerberos
ii libkadm55 1.6.dfsg.3~beta1-2 MIT Kerberos administration runtime libraries
ii libkrb53 1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries
ii samba 3.0.28-1 a LanManager-like file and printer server for Unix
ii samba-common 3.0.28-1 Samba common files used by both the server and the client

This is the Samba and Kerberos configuration:

virtual-101:~# egrep -v '^(#|;|$)' /etc/samba/smb.conf
[global]
workgroup = INTERNAL
realm = INTERNAL.TESTLABOR.XX.COM
preferred master = no
server string = Samba Public Server
include = /etc/samba/dhcp.conf
dns proxy = no
log file = /var/log/samba/log.%m
log level = 5
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ADS
encrypt passwords = yes
passdb backend = tdbsam
obey pam restrictions = yes
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
printcap name = cups
printing = cups
socket options = TCP_NODELAY
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
public = no
writable = no
create mode = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
[ftp]
comment = Public FTP Resource
writable = no
locking = no
path = /home/ftp
public = yes
guest ok = no


virtual-101:~# egrep -v '^$' /etc/krb5.conf
[libdefaults]
default_realm = INTERNAL.TESTLABOR.XX.COM
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
permitted_enctypes = des-cbc-crc des-cbc-md5
[realms]
INTERNAL.TESTLABOR.XX.COM = {
kdc = virtual-100.internal.testlabor.xx.com
#admin_server = virtual-100.internal.testlabor.xx.com
}
[domain_realms]
.kerberos.server = INTERNAL.TESTLABOR.XX.COM


From the Samba Server, I was able to get a Kerberos ticket from the
AD:
virtual-101:~# kinit Administrator@INTERNAL.TESTLABOR.XX.COM
Password for Administrator@INTERNAL.TESTLABOR.XX.COM:
virtual-101:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@INTERNAL.TESTLABOR.XX.COM

Valid starting Expires Service principal
01/07/08 17:06:58 01/08/08 03:07:00 krbtgt/INTERNAL.TESTLABOR.XX.COM@INTERNAL.TESTLABOR.XX.COM
renew until 01/08/08 17:06:58, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

From the Samba Server I am able to mount a local resource, either by
using the Kerberos ticket or by authentication with a Domain User:
virtual-101:~# smbclient -k //virtual-101/ftp
OS=[Unix] Server=[Samba 3.0.28]
smb: \>
virtual-101:~# smbclient -U INTERNAL+test1 //virtual-101/ftp
Password:
Domain=[INTERNAL] OS=[Unix] Server=[Samba 3.0.28]
smb: \>

The problem is that from a Windows 2k workstation (also part of the
Domain), the mapping of the Samba resource is possible only when using
the IP address of the Samba server ("net use y: \\10.10.0.101\ftp /
USER:INTERNAL\test1") but not when using the Hostname of the Samba
server ("net use y: \\virtual-101\ftp /USER:INTERNAL\test1"). When
using the Hostname of the Samba server, this is what Samba is logging:

...................
[2008/01/07 17:46:37, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/01/07 17:46:37, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
Doing spnego session setup
[2008/01/07 17:46:37, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2008/01/07 17:46:37, 5] smbd/sesssetup.c:parse_spnego_mechanisms(667)
parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2008/01/07 17:46:37, 5] smbd/sesssetup.c:parse_spnego_mechanisms(667)
parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2008/01/07 17:46:37, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
reply_spnego_negotiate: Got secblob of size 1236
[2008/01/07 17:46:37, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Encryption type not permitted
[2008/01/07 17:46:37, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
ads_verify_ticket: krb5_rd_req with auth failed (Encryption type not permitted)
[2008/01/07 17:46:37, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/01/07 17:46:37, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/01/07 17:46:37, 5] lib/util.c:show_msg(484)
[2008/01/07 17:46:37, 5] lib/util.c:show_msg(494)
...................
[2008/01/07 17:46:42, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
Doing spnego session setup
[2008/01/07 17:46:42, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2008/01/07 17:46:42, 5] smbd/sesssetup.c:parse_spnego_mechanisms(667)
parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2008/01/07 17:46:42, 5] smbd/sesssetup.c:parse_spnego_mechanisms(667)
parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2008/01/07 17:46:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
reply_spnego_negotiate: Got secblob of size 1206
[2008/01/07 17:46:42, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Encryption type not permitted
[2008/01/07 17:46:42, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
ads_verify_ticket: krb5_rd_req with auth failed (Encryption type not permitted)
[2008/01/07 17:46:42, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/01/07 17:46:42, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/01/07 17:46:42, 5] lib/util.c:show_msg(484)
[2008/01/07 17:46:42, 5] lib/util.c:show_msg(494)
...................


What could be the problem? I have tried more Kerberos settings
(playing with default_tgs_enctypes/default_tkt_enctypes in /etc/
krb5.conf, trying to comment them, etc.), but nothing seems to work --
and the error messages in Samba are the same.

Any ideas would be appreciated!

Thank you,
Bogdan
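The "enc type [23] failed to decrypt ... Encryption type not permitted" lines above say that the Windows client's service ticket is encrypted with Kerberos enctype 23 (RC4-HMAC, MIT name arcfour-hmac), while the krb5.conf in the post restricts permitted_enctypes to the two DES types, so krb5_rd_req refuses the ticket before Samba can check the user. The following Python is an added example, not part of the original post: it parses constructed copies of those log lines and of the [libdefaults] block and reports which enctype the server would need to permit; ENCTYPE_NAMES, the sample inputs and the function names are the example's own.

```python
import re

# Kerberos enctype numbers (RFC 3961 registry) with their MIT krb5 names.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # RC4-HMAC: the "enc type [23]" in the Windows 2000 client's ticket
}
ENC_FAIL_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt")
# Constructed inputs modelled on the post: two smbd log lines and the krb5.conf [libdefaults].
SAMBA_LOG = """[2008/01/07 17:46:37, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Encryption type not permitted
[2008/01/07 17:46:37, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
  ads_verify_ticket: krb5_rd_req with auth failed (Encryption type not permitted)
"""
KRB5_CONF = """[libdefaults]
default_realm = INTERNAL.TESTLABOR.XX.COM
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
permitted_enctypes = des-cbc-crc des-cbc-md5
"""

def permitted_enctypes(conf_text):
    """Enctype names listed under permitted_enctypes; an empty list means no restriction."""
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "permitted_enctypes":
            return value.split()
    return []

def failed_enctypes(log_text):
    """Enctype numbers smbd reported it could not decrypt, deduplicated, in log order."""
    seen = []
    for match in ENC_FAIL_RE.finditer(log_text):
        enctype = int(match.group(1))
        if enctype not in seen:
            seen.append(enctype)
    return seen

def diagnose(log_text, conf_text):
    """Names of enctypes the client's ticket used but permitted_enctypes excludes, plus findings."""
    allowed = permitted_enctypes(conf_text)
    missing, findings = [], []
    for enctype in failed_enctypes(log_text):
        name = ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}")
        if allowed and name not in allowed:
            missing.append(name)
            findings.append(f"ticket uses {name} ({enctype}); permitted_enctypes = {' '.join(allowed)}")
    return missing, findings
```

Mapping by IP address succeeds because the Windows client cannot build a Kerberos SPN for a bare address and falls back to NTLM, which is why the enctype restriction only bites when the hostname is used.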



--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba