We have been using Samba 3.4 on Solaris 10/x64, authenticated against Win2K3 R2, for more than a year. Ever since we upgraded all our AD servers from Win2K3 R2 to Win2K8 R2 and then restarted the samba daemon, share access from Windows clients started to prompt for a password, and all the krb5 settings stopped working. Eventually we found a temporary workaround: configure a Win2K3 R2 server as an AD replica server in our 2008 domain, and point `net ads join` at the Win2K3! Currently I am not using sunfreeware.org's 3.4.2 binary anymore; I compiled it myself from the stable 3.5.6 source tree.

1) krb5.conf

    -bash-3.00# cat /etc/krb5/krb5.conf
    [libdefaults]
            default_realm = GTISOFT.COM
            default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
            default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc

    [realms]
            GTISOFT.COM = {
                    kdc = gamma-master.gtisoft.com
                    admin_server = gamma-master.gtisoft.com
                    default_domain = gtisoft.com
            }

    [domain_realm]
            gtisoft.com = GTISOFT.COM
            .gtisoft.com = GTISOFT.COM

    [logging]
            default = FILE:/var/krb5/kdc.log
            kdc = FILE:/var/krb5/kdc.log
            kdc_rotate = {
    # How often to rotate kdc.log. Logs will get rotated no more
    # often than the period, and less often if the KDC is not used
    # frequently.
                    period = 1d
    # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
                    version = 10
            }

    [appdefaults]
            kinit = {
                    renewable = true
                    forwardable = true
            }
            gkadmin = {
                    help_url = http://docs.sun.com/app/docs/doc/816-4557/6maosrjk8?a=view
            }

2) Global settings of smb.conf

    -bash-3.00# cat /usr/local/samba/lib/smb.conf
    # Samba config file created using SWAT
    # from UNKNOWN (192.168.100.68)
    # Date: 2011/01/04 11:37:36

    [global]
            workgroup = GTISOFT
            realm = GTISOFT.COM
            server string = Gamma File Server
            security = ADS
            password server = wolfgang
            username map = /usr/local/samba/lib/smbusers
            kerberos method = system keytab
            wins server = wolfgang
            ldap ssl = no
            ldap debug level = 1
            create krb5 conf = No
            dos filemode = Yes

    [homes]
            comment = Home Directories
            valid users = %S
            read only = No
            create mask = 0644
            browseable = No

3) Using the krb5.keytab created by `net ads join`

* If `net ads join` targets the only W2K3 AD server, Samba functions OK.
* If `net ads join` targets any of the W2K8 AD server(s), the smbd restart shows the following in syslog:

    [2011/01/04 11:37:12, 0] smbd/server.c:1119(main)
      smbd version 3.5.6 started.
      Copyright Andrew Tridgell and the Samba Team 1992-2010
    [2011/01/04 11:37:12.271311, 0] libads/kerberos.c:333(ads_kinit_password)
      kerberos_kinit_password BERNSTEIN$@GTISOFT.COM failed: KDC has no support for encryption type
    [2011/01/04 11:37:12.271534, 0] printing/nt_printing.c:629(nt_printing_init)
      nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

  and browsing from a Windows client shows the following error:

    [2011/01/04 15:05:19.404262, 1] smbd/sesssetup.c:332(reply_spnego_kerberos)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

What is strange about this is: the Kerberos setup tests OK with kinit and klist.
Some other related observations:

1) Sun's own sshd depends on /etc/krb5/krb5.keytab for Kerberos 5 auth on Solaris 10, and Samba is using /etc/krb5.keytab (it is updated whenever `net ads join` is run, which resets the servicePrincipal's keys).

2) Every time `net ads join` is used, the krb5 keys are forced to change. This is different from the ktpass.exe behavior on Win2K8: ktpass.exe, when run multiple times, does not change keys. ktpass.exe will change keys only when and after `net ads join` is run. This seems to indicate some key compatibility issues (more on this later).

3) Right after `net ads join` is executed, user ssh access no longer works (obvious, because net changes the key on the server side).

4) If I use ktpass.exe to create keys for HOST/fqdn@GTISOFT.COM, HOST/hostname@GTISOFT.COM and hostname$@GTISOFT.COM (basically mimicking the key structure generated by `net ads join`) and then use ktutil to combine all the principal keys into a single krb5.keytab (keeping only the DES-CBC-CRC/DES-CBC-MD5 keys), ssh user access can be fixed, but the same krb5.keytab fails the Samba restart as reported earlier (KDC has no support for encryption type).

5) If I use `net ads join` to create /etc/krb5.keytab, it surely breaks Sun's sshd auth, but the smbd restart shows no error anymore, though the Windows client browse still prompts for a password (only if `net ads join` was run targeting a Win2K8 server).

I know all these reports are confusing, but am I missing something here?
The issue here is DES encryption in Kerberos. This old and insecure encryption type is being phased out. Is 'use DES key only' set on your machine account? A bug causing this to be set when not required was fixed for 3.6. Also, remove the default_tkt_enctypes line from your krb5.conf, as this is forcing you to use DES when Windows 2008 has banned its use as insecure.
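The two things the comment above asks the reporter to check can be verified offline. The script below is an added example, not part of the bug report or of Samba: it decodes the userAccountControl value of the machine account for the UF_USE_DES_KEY_ONLY bit (0x200000), lists the [libdefaults] lines in a krb5.conf that pin single DES for ticket or TGS requests, and lists keytab principals whose keys are all single DES. It assumes userAccountControl arrives as the decimal integer ldapsearch prints, that `klist -k -e` produces the short MIT-style "principal (enctype)" form, and that long LDIF or config lines are not folded; the sample inputs are constructed to mirror the reporter's configuration.

```shell
#!/bin/sh
# Added example (not from the bug report or Samba): offline checks for the
# DES problems described above. Sample inputs below are constructed.

UF_WORKSTATION_TRUST_ACCOUNT=4096      # 0x00001000, normal for a computer object
UF_USE_DES_KEY_ONLY=2097152            # 0x00200000, the bit the comment asks about

# des_key_only_set UAC -> prints "yes" if the 0x200000 bit is set, else "no".
# UAC is the decimal userAccountControl value as printed by ldapsearch.
des_key_only_set() {
    uac="$1"
    if [ $(( uac & UF_USE_DES_KEY_ONLY )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# krb5_des_pins < krb5.conf -> prints [libdefaults] lines that force single DES
# via default_tkt_enctypes / default_tgs_enctypes. Removing them lets the
# library negotiate enctypes the 2008 KDC still offers.
krb5_des_pins() {
    awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[^a-zA-Z_]/, "", sect) }
        sect == "libdefaults" && /^[ \t]*default_(tkt|tgs)_enctypes[ \t]*=/ && /des-cbc/ {
            line = $0; gsub(/^[ \t]+/, "", line); print line
        }'
}

# des_only_principals < "klist -k -e" output -> prints principals whose keys
# are all des-cbc-crc / des-cbc-md5; a KDC with DES disabled cannot issue
# tickets for them, which matches "KDC has no support for encryption type".
des_only_principals() {
    awk '
        $2 ~ /@/ {
            etype = $3; gsub(/[()]/, "", etype)
            seen[$2] = 1
            if (etype !~ /^des-cbc-/) strong[$2] = 1
        }
        END { for (p in seen) if (!(p in strong)) print p }' | LC_ALL=C sort
}

# Constructed sample: the reporter's krb5.conf head, pinned to single DES.
SAMPLE_KRB5CONF='[libdefaults]
        default_realm = GTISOFT.COM
        default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
[realms]
        GTISOFT.COM = {
                kdc = gamma-master.gtisoft.com
        }'

# Constructed sample: a keytab where the host/ principal has an RC4 key but the
# machine account principal carries DES keys only.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  15 host/bernstein.gtisoft.com@GTISOFT.COM (des-cbc-crc)
  15 host/bernstein.gtisoft.com@GTISOFT.COM (des-cbc-md5)
  15 host/bernstein.gtisoft.com@GTISOFT.COM (arcfour-hmac)
  15 BERNSTEIN$@GTISOFT.COM (des-cbc-crc)
  15 BERNSTEIN$@GTISOFT.COM (des-cbc-md5)'

# Stand-alone run against the constructed samples (0x201000 = workstation
# trust account with the use-DES-only bit set).
echo "machine account UAC 0x201000 -> use DES key only: $(des_key_only_set 2101248)"
echo "krb5.conf lines forcing single DES:"
printf '%s\n' "$SAMPLE_KRB5CONF" | krb5_des_pins
echo "keytab principals with only DES keys:"
printf '%s\n' "$SAMPLE_KLIST" | des_only_principals
```

Against a live domain, feed `des_key_only_set` the value from `ldapsearch -LLL -b DC=gtisoft,DC=com '(sAMAccountName=BERNSTEIN$)' userAccountControl`, and feed `des_only_principals` the output of `klist -k -e /etc/krb5.keytab`. If the bit is set, clearing it on the computer object and re-running `net ads join` gives the account fresh non-DES keys.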
Reducing severity as you have a workaround and this appears to be either a client configuration issue or an issue with the specific Kerberos libraries on this system.
Some progress: if I use

    -bash-3.00# cat /etc/krb5/krb5.conf
    [libdefaults]
            default_realm = GTISOFT.COM
            default_tgs_enctypes = aes256-hmac-md5
            default_tkt_enctypes = aes256-hmac-md5

the krb5/smbd auth against Windows 2008R2 is OK. As an alternative, the following also works:

    [libdefaults]
            default_realm = GTISOFT.COM
            default_tgs_enctypes = arcfour-hmac-md5
            default_tkt_enctypes = arcfour-hmac-md5

The following is the key content as created by `net ads join`:

    -bash-3.00# klist -k -t -K /etc/krb5.keytab
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
      15 07/13/11 07:05:43 host/bernstein.gtisoft.com@GTISOFT.COM (0x9dc4ce2c79917cc8)
      15 07/13/11 07:05:43 host/bernstein.gtisoft.com@GTISOFT.COM (0x9dc4ce2c79917cc8)
      15 07/13/11 07:05:43 host/bernstein.gtisoft.com@GTISOFT.COM (0x6f30d6e8c7ad797fa602178fb1eb7a38)
      15 07/13/11 07:05:43 host/BERNSTEIN@GTISOFT.COM (0x9dc4ce2c79917cc8)
      15 07/13/11 07:05:43 host/BERNSTEIN@GTISOFT.COM (0x9dc4ce2c79917cc8)
      15 07/13/11 07:05:43 host/BERNSTEIN@GTISOFT.COM (0x6f30d6e8c7ad797fa602178fb1eb7a38)
      15 07/13/11 07:05:43 BERNSTEIN$@GTISOFT.COM (0x9dc4ce2c79917cc8)
      15 07/13/11 07:05:43 BERNSTEIN$@GTISOFT.COM (0x9dc4ce2c79917cc8)
      15 07/13/11 07:05:43 BERNSTEIN$@GTISOFT.COM (0x6f30d6e8c7ad797fa602178fb1eb7a38)
We finally resolved the issue: the real issue is the HOST\copland account I had to create in AD's Users section. The account was added so that ktpass could be used to create the keytab. This worked fine in Win2K3, but when we moved to Win2K8 the reported issue started to bug me. Once I removed the HOST\copland account from Users on the domain controller, removed /etc/krb5.keytab, and then used `net ads join` to create copland in the Computers section in AD, all problems were gone.
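The resolution above amounts to removing a second AD object that carried the same HOST/ principal names as the computer object `net ads join` manages. The script below is an added example, not part of the bug report or of Samba: it scans LDIF from an ldapsearch such as `ldapsearch -LLL -b DC=gtisoft,DC=com '(servicePrincipalName=HOST/*)' servicePrincipalName` and reports every SPN registered on more than one object, which is how a leftover ktpass user account shows up next to the real computer account. The LDIF below is constructed to mirror the reporter's situation (a user object in CN=Users and a computer object in CN=Computers both claiming HOST/copland); DNs and names are illustrative, and folded LDIF continuation lines are assumed absent.

```shell
#!/bin/sh
# Added example (not from the bug report or Samba): find servicePrincipalName
# values held by more than one AD object. Sample LDIF below is constructed.

# Constructed LDIF: the ktpass user object and the net-ads-join computer object
# both carry HOST/copland SPNs; bernstein is registered once, as it should be.
SAMPLE_LDIF='dn: CN=HOST/copland,CN=Users,DC=gtisoft,DC=com
servicePrincipalName: HOST/copland.gtisoft.com
servicePrincipalName: HOST/copland

dn: CN=COPLAND,CN=Computers,DC=gtisoft,DC=com
servicePrincipalName: HOST/copland.gtisoft.com
servicePrincipalName: HOST/COPLAND

dn: CN=BERNSTEIN,CN=Computers,DC=gtisoft,DC=com
servicePrincipalName: HOST/bernstein.gtisoft.com
servicePrincipalName: HOST/BERNSTEIN'

# duplicate_spns < ldif -> one line per SPN owned by more than one object:
#   <spn, lowercased><TAB><dn1>;<dn2>...
# SPNs are compared case-insensitively because the KDC resolves them that way,
# so HOST/copland and HOST/COPLAND on different objects are a real conflict.
duplicate_spns() {
    awk '
        /^dn: / { dn = substr($0, 5) }
        /^servicePrincipalName: / {
            spn = tolower(substr($0, 23))
            if (!((spn, dn) in seen)) {
                seen[spn, dn] = 1
                owners[spn] = (spn in owners) ? owners[spn] ";" dn : dn
                count[spn]++
            }
        }
        END { for (s in owners) if (count[s] > 1) print s "\t" owners[s] }' | LC_ALL=C sort
}

# Stand-alone run against the constructed LDIF: expect the two copland SPNs,
# each listed with both owning DNs, and nothing for bernstein.
printf '%s\n' "$SAMPLE_LDIF" | duplicate_spns
```

On the Windows side, `setspn -X` on a 2008 domain controller performs the same duplicate search; either way, the fix the reporter arrived at is to delete the extra object and let `net ads join` own the HOST/ principals on the computer account.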