Hello. I have a 3.2.3 Samba-LDAP PDC which shares the database with heimdal (so samba passwords are also kerberos passwords). I am able to use kerberos credentials to connect to the PDC shares with "smbclient -k", both on the server and linux workstations. The problem is that, as soon as I try to join the PDC to its own domain (with "net join"), in order to be able to use winbind on the PDC, then I cannot use kerberos tickets anymore to connect to the PDC's shares, nor from the PDC nor from the workstations. But if I don't join the PDC to the domain, I can join workstations to the domain, and still use kerberos tickets with "smbclient -k" on them, either these shares are on the PDC or on the workstation itself. Is it a bug, or is it normal? This is the [global] section of my smb.conf on the PDC: workgroup = CFS realm = CFS.ISST netbios name = sanmiguel server string = Servidor principal use kerberos keytab = yes use spnego = yes client ntlmv2 auth = yes username map = /etc/samba/usermap debug level = 0 log file = /var/log/samba/%m.log max log size = 5000 syslog = 0 log level = 0 utmp = Yes guest account = nobody map to guest = Never admin users = root addmachine @"Domain Admins" enable privileges = yes security = user encrypt passwords = yes os level = 255 local master = yes domain master = yes preferred master = yes domain logons = yes keepalive = 20 time server = yes preserve case = yes short preserve case = yes case sensitive = no null passwords = no bind interfaces only = yes interfaces = eth0, lo hosts allow = 10. 127. wins support = yes dns proxy = yes passdb backend = ldapsam:ldap://127.0.0.1/ ldapsam:trusted = yes ldap admin dn = krb5PrincipalName=ldapmaster/admin@CFS.ISST,ou=KerberosPrincipals,dc=cfs,dc=isst ldap suffix = dc=cfs,dc=isst ldap group suffix = ou=Grupos ldap user suffix = ou=KerberosPrincipals ldap machine suffix = ou=Computadores ldap idmap suffix = ou=Idmap ldap ssl = On ldap delete dn = Yes idmap backend = ldap:ldap://127.0.0.1/ idmap uid = 10000-15000 idmap gid = 10000-15000 winbind enum users = yes winbind enum groups = yes winbind use default domain = yes client use spnego = yes wins server = 10.1.1.100 unix password sync = yes passwd program = /usr/sbin/smbldap-passwd -u %u passwd chat = "Changing*for*\nNew password*" %n\n "*Retype new password*" %n\n" socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192 add machine script = /usr/sbin/smbldap-useradd -w "%u" add user script = /usr/sbin/smbldap-useradd -m -a "%u" delete user script = /usr/sbin/smbldap-userdel "%u" add group script = /usr/sbin/smbldap-groupadd -p "%g" delete group script = /usr/sbin/smbldap-groupdel "%g" add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" dos charset = cp850 unix charset = UTF8 display charset = LOCALE restrict anonymous = 0 Here are the relevant logs for a succesful kerberos connect (i.e., without joining the domain) from the PDC itself: [2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_negotiate(800) reply_spnego_negotiate: Got secblob of size 528 [2008/10/04 12:44:33, 1] libads/kerberos_verify.c:ads_secrets_verify_ticket(240) ads_secrets_verify_ticket: failed to fetch machine password [2008/10/04 12:44:33, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(143) ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for principal cifs/sanmiguel.cfs.isst@CFS.ISST [2008/10/04 12:44:33, 3] libads/kerberos_verify.c:ads_verify_ticket(500) ads_verify_ticket: did not retrieve auth data. continuing without PAC [2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_kerberos(356) Ticket name is [root@CFS.ISST] [2008/10/04 12:44:33, 3] smbd/sesssetup.c:reply_spnego_kerberos(430) Could not find short name: WBC_ERR_WINBIND_NOT_AVAILABLE [2008/10/04 12:44:33, 2] lib/smbldap.c:smbldap_open_connection(796) smbldap_open_connection: connection opened [2008/10/04 12:44:33, 3] lib/smbldap.c:smbldap_connect_system(1007) ldap_connect_system: successful connection to the LDAP server And, for last, here is the log of a failed connect attempt (i.e., once the PDC has joined the domain): [2008/10/04 12:45:43, 3] smbd/sesssetup.c:reply_spnego_negotiate(800) reply_spnego_negotiate: Got secblob of size 527 [2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(282) ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed [2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(171) ads_keytab_verify_ticket: krb5_rd_req failed for all 36 matched keytab principals [2008/10/04 12:45:43, 3] libads/kerberos_verify.c:ads_verify_ticket(458) ads_verify_ticket: krb5_rd_req with auth failed (Conseguido) [2008/10/04 12:45:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(350) Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE! [2008/10/04 12:45:43, 3] smbd/error.c:error_packet_set(61) error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE [2008/10/04 12:45:43, 3] smbd/process.c:smbd_process(2035) receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting [2008/10/04 12:45:43, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2008/10/04 12:45:43, 3] smbd/connection.c:yield_connection(31) Yielding connection to [2008/10/04 12:45:43, 3] smbd/server.c:exit_server_common(949) Server exit (normal exit) Thank you very much.
I think the problem is the following: It loks like when the machine has not joined the domain as a DC, then the requested encryption type is des-cbc-md5, which is supported by the Heimdal KDC. But when it has joined the domain, then it requests rc4-hmac, which is not supported. But, why this difference?
I have the same problem, anybody know what might be happening? Thank you!
It has been SOLVED on 3.4.2. The only thing you need is setting the parameter "kerberos method = system keytab" on smb.conf. It looks like samba versions 3.2 and 3.3 were trying to verify the ticket against secrets database, instead of using the keytab first, and found wrong data. But 3.4 allows you to restrict the verification to the system keytab, so it finds the correct key. Thank you very much. Best regards, Juan.