From: Rob Townley on 14 Dec 2009 12:20 i am in a mixed win2000 and win2003 R1 ActiveDirectory environment. Have always had ntlmv2 server and client required. LM and NTLM have always been rejected. That is how it has been for 10 years. Mounting from CentOS 5 to the windows servers has not been an issue for years. However, using ADS credentials for Linux workstation logons has always been a issue. If using ADS credentials to logon to a Linux workstation worked once, it would stop working for no apparent reason very quickly. The problem seems to be that samba kerberos wants to revert to using very old encryption technology that is probably on par with plain LM. How can i force samba to use and _KEEP_USING_ the better security enctypes? i am no expert, but you don't have to be an expert to know that aes is better than des-cbc-crc . des was broken in 1998, why is samba kerberos trying to use it? Win 95 LM uses DES -- look at lmHash() documented at http://davenport.sourceforge.net/ntlm.html. We have been using our CentOS clients to mount with ntlmv2i so why would attempts at joining the ADS domain fail with "stronger authentication required"? mount -t cifs //ADScontroller/share /mnt/ntlmv2iprotected --verbose -o username=user(a)dnsdomainname.com,sec=ntlmv2i Success with "kinit admin(a)dnsdomainname.com" But then "net -d 10 ads join -U admin(a)dnsdomainname.com" would fail with "stronger authentication required." I wondering why stronger auth would be needed by ADS when i am already mounting a file share on the ADS domain controller using ntlmv2i? The answer is in "klist -e" and /var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME: default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5 Deleted the samba cache and added the following to /etc/krb5.conf and it worked once to join the domain and logon a CentOS box with ADS credentials. i could even map a drive letter from our Win2003 box to the CentOS share using ADS credentials. default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5 permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5 The samba cached krb5.conf.NETBIOSDOMAINNAME would come back populated with weak and incompatible encryption types while /etc/krb5.conf would still have decent enctypes. Then my account is locked out in ADS. So how can i permanently force samba to use the better enctypes? Disable it from ever using weak encryption such as DES? Triple DES des3-hmac-sha1 would be ok. How does one find the exact enctypes ADS will accept? There must be a command or ldap location but i had many problems finding it. The following are all previously documented problems related to this. Symptoms left here for when others search. kinit succeeded but ads_sasl_spnego_krb5_bind failed [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS http://lists.samba.org/archive/samba/2009-October/150849.html From a debug level 10 using smbclient, lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or directory tree connect failed: NT_STATUS_ACCESS_DENIED CentOS 5 samba-common 3.0.33-3.15.el5_4 A HPUX guy reverted his net binary to an older version. Sorry for the long post, but blogger is giving me some issues and i will need this as reference material. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
|
Pages: 1 Prev: Vista clients having Issues Copying files from Samba Server Next: [Samba] Samba for iPhone |