RE: 2003 KDC and Samba
- From: Tran Charles A Civ OC-ALC/ITMA <charles tran tinker af mil>
- To: "'Discussion of Red Hat Enterprise Linux 3 (Taroon)'" <taroon-list redhat com>
- Subject: RE: 2003 KDC and Samba
- Date: Fri, 30 Jul 2004 07:37:54 -0500
Update...
Per the Samba Team...(actually a list member..)
Looks like Windows 2003 has changed something again..
<snip>
First off, you need to use MIT Kerberos v1.3.x; install it (I had to use
source to do this. v1.3.4 works nicely. I just left the RHES krb5 stuff
in place, as then it feels just like it was compiled for it).
I used a fugly configure line for Kerberos. You will probably have to do
the same for krbafs. I also updated the pam_smb and pam_krb5 packages
from Fedora Core (got the src rpm and did a rpmbuild --rebuild on it).
Your samba should be okay, but given that 3.0.5 was just released last
week Wednesday as a security release... dunno.
I had many little problems with MIT krb5 v1.2.7, which is why I went to v1.3.4.
You might also try the "currently broken" option called: spnego = Yes
It may or may not work.
If you want to know the configure options I used... let me know.
--
greg,
<end snip>
This being said... I wonder if Redhat is going to make an rpm for
the MIT version, v1.3.4??? Of course this could be a learning
experience for me...
Charles
-----Original Message-----
From: taroon-list-bounces redhat com [mailto:taroon-list-bounces redhat com]
On Behalf Of Tran Charles A Civ OC-ALC/ITMA
Sent: Wednesday, July 28, 2004 4:40 PM
To: 'Discussion of Red Hat Enterprise Linux 3 (Taroon)'
Subject: 2003 KDC and Samba
We have several RHEL 3.0 Update 2 servers running Samba.
These have been working flawlessly for several months.
Recently, the base upgraded all the Windows 2000 servers
to Windows 2003..
NOTE: we don't have admin rights to the Domain Controllers.. (wish we did..)
Prior to the upgrade of the Domain (and KDC) controllers to 2003 we had
no issues joining a new Samba server to the ADS.
Using the same krb5.conf, kdc.conf and smb.conf files, it
is no longer possible to join a Samba 3.0 server to the domain.
I will also post this to linux.samba usenet group..
Any help/direction is appreciated.
VR
Charles
Samba packages
-------------
samba-common-3.0.4-6.3E
samba-3.0.4-6.3E
samba-client-3.0.4-6.3E
Kerberos Packages..
-----------------
pam_krb5-1.73-1
krb5-libs-1.2.7-24
krb5-workstation-1.2.7-24
krbafs-1.1.1-11
krbafs-utils-1.1.1-11
krb5-server-1.2.7-24
krbafs-devel-1.1.1-11
krb5-devel-1.2.7-24
Things tried (per the Samba docs, this is the first step):
kinit USERNAME@REALM
error..
kinit(v5): KRB5 error code 52 while getting initial credentials
net ads join "/IT/Computers/Servers-2" -U adminOFthisOU
error..
kerberos_kinit_password ADMINOFTHISOU@USAF.AFMC.DS.AF.MIL failed: KRB5 error code 52
Not much on google about this error..
krb5.conf
**************
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = USAF.AFMC.DS.AF.MIL
# default_tgs_enctypes = rc4-hmac
# default_tkt_enctypes = rc4-hmac
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
USAF.AFMC.DS.AF.MIL = {
kdc = xxx.xxx.xxx.241:88
admin_server = xxx.xxx.xxx.241:749
default_domain = usaf.af.mil
}
[domain_realm]
.usaf.af.mil = USAF.AFMC.DS.AF.MIL
usaf.af.mil = USAF.AFMC.DS.AF.MIL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
*****************************
kdc.conf
*********
[kdcdefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = nopreauth
[realms]
USAF.AFMC.DS.AF.MIL = {
master_key_type = des-cbc-crc
supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
}
*********
smb.conf
*****
[global]
workgroup = USAF-2K
realm = USAF.AFMC.DS.AF.MIL
server string =
security = ADS
obey pam restrictions = Yes
password server = xxx.xxx.xxx.241
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
log file = /var/log/samba/%m.log
max log size = 0
announce version = 5.0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
local master = No
domain master = No
wins server = 10.50.1.52
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
# winbind separator = +
# valid users = @oracle
printing = cups
[testshare]
comment = System Share
path = /home2/share
force group = share
writeable = yes
case sensitive = Yes
hide dot files = No
--
Taroon-list mailing list
Taroon-list redhat com
http://www.redhat.com/mailman/listinfo/taroon-list
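Editor's added example (not from either message in this thread, and not Samba or MIT code): a small Python diagnostic that reads the kinit failure quoted above together with a client krb5.conf. Error code 52 is KRB_ERR_RESPONSE_TOO_BIG in RFC 4120 section 7.5.9: the KDC declines to answer over UDP because the reply would not fit in a datagram, and a client recovers only by retrying over TCP. MIT krb5 1.3 is the first release whose libkrb5 talks TCP to the KDC and honours the [libdefaults] setting udp_preference_limit (a value of 1 means "always use TCP"); the 1.2.7 libraries listed in the original message cannot do this, which is consistent with the advice to move to 1.3.4. Whether that is the actual cause at this site is not established by the thread, so the script reports a finding rather than a verdict. The sample krb5.conf is constructed from the posted one (same masked KDC address); the error-code table covers only the codes named here.

```python
import re

# Kerberos error codes from RFC 4120 section 7.5.9, limited to the ones a
# failing kinit or "net ads join" commonly reports.
KRB_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    52: "KRB_ERR_RESPONSE_TOO_BIG",
    68: "KDC_ERR_WRONG_REALM",
}


def parse_krb5_conf(text):
    """Parse MIT krb5.conf (profile format) into nested dicts.

    Handles [section] headers, "key = value" lines and one level of
    "key = { ... }" blocks, which is what [realms] and [appdefaults] use.
    Values inside a block are kept as lists because a realm may carry
    several "kdc =" entries.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:                      # stray line before any section
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block.setdefault(key, []).append(value)
        else:
            section[key] = value
    return conf


def kinit_error_code(line):
    """Pull the numeric code out of 'kinit(v5): KRB5 error code N ...'."""
    m = re.search(r"KRB5 error code (\d+)", line)
    return int(m.group(1)) if m else None


def diagnose(kinit_line, krb5_conf_text):
    """Map a kinit failure plus the client's krb5.conf to a finding dict."""
    code = kinit_error_code(kinit_line)
    conf = parse_krb5_conf(krb5_conf_text)
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    finding = {
        "code": code,
        "name": KRB_ERROR_NAMES.get(code, "unknown"),
        "realm": realm,
        "kdcs": conf.get("realms", {}).get(realm, {}).get("kdc", []),
    }
    if code == 52:
        # KRB_ERR_RESPONSE_TOO_BIG: the KDC will not send the reply over UDP,
        # so the client must retry over TCP. udp_preference_limit = 1 makes
        # MIT libkrb5 1.3+ use TCP from the start; without it UDP is tried
        # first, and a 1.2.x libkrb5 has no TCP path at all.
        forces_tcp = libdefaults.get("udp_preference_limit") == "1"
        finding["kdc_transport"] = "tcp" if forces_tcp else "udp-first"
        finding["fix"] = (
            "already forcing TCP to the KDC" if forces_tcp else
            "set udp_preference_limit = 1 in [libdefaults] and run a libkrb5 "
            "that can reach the KDC over TCP (MIT krb5 1.3 or later)")
    return finding


# Constructed sample, adapted from the krb5.conf posted in the thread (the
# poster's masked KDC address is kept). [libdefaults] has no transport setting.
KRB5_CONF_POSTED = """\
[libdefaults]
 default_realm = USAF.AFMC.DS.AF.MIL
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 USAF.AFMC.DS.AF.MIL = {
  kdc = xxx.xxx.xxx.241:88
  admin_server = xxx.xxx.xxx.241:749
  default_domain = usaf.af.mil
 }
[domain_realm]
 .usaf.af.mil = USAF.AFMC.DS.AF.MIL
 usaf.af.mil = USAF.AFMC.DS.AF.MIL
[appdefaults]
 pam = {
  forwardable = true
 }
"""

# Same file plus the single line that makes a 1.3+ client use TCP to the KDC.
KRB5_CONF_TCP = KRB5_CONF_POSTED.replace(
    "[libdefaults]\n", "[libdefaults]\n udp_preference_limit = 1\n", 1)

# The kinit failure quoted verbatim in the original message.
KINIT_LINE = "kinit(v5): KRB5 error code 52 while getting initial credentials"

if __name__ == "__main__":
    for label, conf in (("posted", KRB5_CONF_POSTED), ("with TCP", KRB5_CONF_TCP)):
        f = diagnose(KINIT_LINE, conf)
        print(f"{label}: {f['name']} (code {f['code']}), realm {f['realm']}, "
              f"KDCs {f['kdcs']}, transport {f['kdc_transport']}: {f['fix']}")
```

Run it as-is and it prints the "udp-first" finding for the posted config and the "tcp" one for the corrected copy. Note that the setting alone does nothing on the krb5-libs-1.2.7 packages in the original message; the library must be one that implements TCP to the KDC, which is the point of the quoted advice to build MIT 1.3.4.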