The Samba-Bugzilla – Bug 5810
Kerberos working on samba 3.2.3 PDC, but failing when joining the domain
Last modified: 2009-10-21 09:38:35 UTC
Hello. I have a 3.2.3 Samba-LDAP PDC which shares the database with heimdal (so samba passwords are also kerberos passwords). I am able to use kerberos credentials to connect to the PDC shares with "smbclient -k", both on the server and linux workstations.
The problem is that, as soon as I try to join the PDC to its own domain (with "net join"), in order to be able to use winbind on the PDC, then I cannot use kerberos tickets anymore to connect to the PDC's shares, nor from the PDC nor from the workstations.
But if I don't join the PDC to the domain, I can join workstations to the domain, and still use kerberos tickets with "smbclient -k" on them, either these shares are on the PDC or on the workstation itself.
Is it a bug, or is it normal?
This is the [global] section of my smb.conf on the PDC:
workgroup = CFS
realm = CFS.ISST
netbios name = sanmiguel
server string = Servidor principal
use kerberos keytab = yes
use spnego = yes
client ntlmv2 auth = yes
username map = /etc/samba/usermap
debug level = 0
log file = /var/log/samba/%m.log
max log size = 5000
syslog = 0
log level = 0
utmp = Yes
guest account = nobody
map to guest = Never
admin users = root addmachine @"Domain Admins"
enable privileges = yes
security = user
encrypt passwords = yes
os level = 255
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
keepalive = 20
time server = yes
preserve case = yes
short preserve case = yes
case sensitive = no
null passwords = no
bind interfaces only = yes
interfaces = eth0, lo
hosts allow = 10. 127.
wins support = yes
dns proxy = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldapsam:trusted = yes
ldap admin dn = krb5PrincipalName=ldapmaster/admin@CFS.ISST,ou=KerberosPrincipals,dc=cfs,dc=isst
ldap suffix = dc=cfs,dc=isst
ldap group suffix = ou=Grupos
ldap user suffix = ou=KerberosPrincipals
ldap machine suffix = ou=Computadores
ldap idmap suffix = ou=Idmap
ldap ssl = On
ldap delete dn = Yes
idmap backend = ldap:ldap://127.0.0.1/
idmap uid = 10000-15000
idmap gid = 10000-15000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
client use spnego = yes
wins server = 10.1.1.100
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing*for*\nNew password*" %n\n "*Retype new password*" %n\n"
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m -a "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
dos charset = cp850
unix charset = UTF8
display charset = LOCALE
restrict anonymous = 0
Here are the relevant logs for a succesful kerberos connect (i.e., without joining the domain) from the PDC itself:
[2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
reply_spnego_negotiate: Got secblob of size 528
[2008/10/04 12:44:33, 1] libads/kerberos_verify.c:ads_secrets_verify_ticket(240)
ads_secrets_verify_ticket: failed to fetch machine password
[2008/10/04 12:44:33, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(143)
ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal cifs/sanmiguel.cfs.isst@CFS.ISST
[2008/10/04 12:44:33, 3] libads/kerberos_verify.c:ads_verify_ticket(500)
ads_verify_ticket: did not retrieve auth data. continuing without PAC
[2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_kerberos(356)
Ticket name is [root@CFS.ISST]
[2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_kerberos(430)
Could not find short name: WBC_ERR_WINBIND_NOT_AVAILABLE
[2008/10/04 12:44:33, 2] lib/smbldap.c:smbldap_open_connection(796)
smbldap_open_connection: connection opened
[2008/10/04 12:44:33, 3] lib/smbldap.c:smbldap_connect_system(1007)
ldap_connect_system: successful connection to the LDAP server
And, for last, here is the log of a failed connect attempt (i.e., once the PDC has joined the domain):
[2008/10/04 12:45:43, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
reply_spnego_negotiate: Got secblob of size 527
[2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282)
ads_secrets_verify_ticket: enc type  failed to decrypt with error Decrypt integrity check failed
[2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171)
ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals
[2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_verify_ticket(458)
ads_verify_ticket: krb5_rd_req with auth failed (Conseguido)
[2008/10/04 12:45:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2008/10/04 12:45:43, 3] smbd/error.c:error_packet_set(61)
error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/10/04 12:45:43, 3] smbd/process.c:smbd_process(2035)
receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2008/10/04 12:45:43, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/10/04 12:45:43, 3] smbd/connection.c:yield_connection(31)
Yielding connection to
[2008/10/04 12:45:43, 3] smbd/server.c:exit_server_common(949)
Server exit (normal exit)
Thank you very much.
I think the problem is the following: It loks like when the machine has not joined the domain as a DC, then the requested encryption type is des-cbc-md5, which is supported by the Heimdal KDC. But when it has joined the domain, then it requests rc4-hmac, which is not supported.
But, why this difference?
I have the same problem, anybody know what might be happening?
It has been SOLVED on 3.4.2. The only thing you need is setting the parameter
"kerberos method = system keytab" on smb.conf.
It looks like samba versions 3.2 and 3.3 were trying to verify the
ticket against secrets database, instead of using the keytab first, and
found wrong data. But 3.4 allows you to restrict the verification to the
system keytab, so it finds the correct key.
Thank you very much. Best regards,