Bug 600 - Samba 3.0.0 Cannot authenticate against 2003 ADS server under redhat linux.
Status: RESOLVED DUPLICATE of bug 433
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Build environment
Version: 3.0.0preX
Hardware: All other
: P3 major
Target Milestone: none
Assignee: Tim Potter
Reported: 2003-10-10 05:42 UTC by Gavin Davenport
Modified: 2005-11-14 09:28 UTC
Description Gavin Davenport 2003-10-10 05:43:00 UTC
Using the Samba 3.0.0 SRPM.

Samba 3.0.0 requires the heimdal 0.6 libraries to talk to a 2003 ADS server.
Heimdal 0.6 is bundled in the rawhide krb5-1.3.1 SRPM.

Redhat distros (at this date) appear to ship with kerberos5 1.2.x packages.

I built and installed the MIT krb5 libraries to /usr/local/kerberos from:
http://www.crypto-publish.org/dist/mit-kerberos5/krb5-1.3.1.tar.gz

I then installed the samba 3 SRPM, and edited 
the /usr/src/redhat/SPECs/samba3.spec file to contain:
        --with-krb5=/usr/local/kerberos \

This was ignored during the build process. The samba SRPM build appears to 
search the path and find the system provided krb5 libraries, in /usr/kerberos.

When these 1.2.x libraries are linked during the build, the resultant binary 
cannot talk to a 2003 ADS server with a 'SMB packet signing' problem:
Winbindd -i -vv shows:

client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] 08 CE A3 BF F9 D5 1E 09                           .Σ¿ùÕ..
client_check_incoming_message: BAD SIG: got SMB signature of
[000] 91 F7 B2 53 5B CA EB 3F                           .÷²S[Êë?
signing_good: SMB signature check failed on seq 1!
SMB Signature verification failed on incoming packet!
failed kerberos session setup with NT_STATUS_OK
anonymous connection attempt to BASHFUL from POTATO
failed anonymous session setup with NT_STATUS_OK
trusted_domains: Could not open a connection to MYNETWORK.ISP.CO.UK for 
PIPE_NETLOGON (NT_STATUS_UNSUCCESSFUL)
convert_string_allocate: Conversion error: Illegal multibyte sequence(ˆÌ)
convert_string_allocate: Conversion error: Illegal multibyte sequence(ˆÌ)
rescan_trusted_domains: Can't find my own domain!

I know samba 3.0.0 works, I've got it working on a FreeBSD box.

I guess there are 2 problems.
1. It doesn't work on redhat (yet) because they ship 1.2.x krb5 libraries.
2. The SRPM build process doesn't honour the contents of the spec file when you 
do supply the preferred libraries elsewhere.

Hope that helps
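
One way to confirm the linkage problem described in the report above, as an added example that is not part of the original bug report or of Samba's own code: a check that reads `ldd` output and flags any Kerberos library resolved outside the prefix the build was supposed to use. The function and sample names are hypothetical, and the `ldd` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper): verify which Kerberos libraries a built
# binary resolves to. Reads `ldd` output on stdin; $1 is the intended prefix.
# Status: 0 = all krb5 libs under the prefix, 1 = at least one elsewhere
# (or "not found"), 2 = no Kerberos libraries linked at all.
krb5_link_check() {
    prefix=${1%/}
    awk -v prefix="$prefix" '
        # Select the MIT Kerberos shared objects by soname.
        $1 ~ /^lib(krb5|k5crypto|gssapi_krb5)\.so/ && $2 == "=>" {
            seen++
            # The resolved path must start with "<prefix>/", so that
            # /usr/kerberos is not mistaken for /usr/local/kerberos.
            if (index($3, prefix "/") != 1) {
                bad++
                printf "WRONG PREFIX: %s -> %s\n", $1, $3
            }
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: a binary that picked up the system libraries.
sample_system_ldd() {
    printf '\tlibgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x40020000)\n'
    printf '\tlibkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x40034000)\n'
    printf '\tlibk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x4008f000)\n'
    printf '\tlibc.so.6 => /lib/libc.so.6 (0x40100000)\n'
}

# Constructed sample: a binary linked against the locally built libraries.
sample_local_ldd() {
    printf '\tlibgssapi_krb5.so.2 => /usr/local/kerberos/lib/libgssapi_krb5.so.2 (0x40020000)\n'
    printf '\tlibkrb5.so.3 => /usr/local/kerberos/lib/libkrb5.so.3 (0x40034000)\n'
    printf '\tlibk5crypto.so.3 => /usr/local/kerberos/lib/libk5crypto.so.3 (0x4008f000)\n'
    printf '\tlibc.so.6 => /lib/libc.so.6 (0x40100000)\n'
}

# On a real system: ldd /path/to/winbindd | krb5_link_check /usr/local/kerberos
if sample_system_ldd | krb5_link_check /usr/local/kerberos; then
    echo "Kerberos libraries come from /usr/local/kerberos"
else
    echo "Kerberos libraries do not come from /usr/local/kerberos (status $?)"
fi
```
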
Comment 1 Gavin Davenport 2003-10-11 03:00:04 UTC
Seems it's already been lodged.

https://bugzilla.samba.org/show_bug.cgi?id=433
Comment 2 Gavin Davenport 2003-10-11 03:00:23 UTC
Seems it's already been lodged.

https://bugzilla.samba.org/show_bug.cgi?id=433
Comment 3 Tim Potter 2003-10-11 17:28:52 UTC

*** This bug has been marked as a duplicate of 433 ***
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:05:45 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:28:41 UTC
database cleanup