Win 2003 AD and Samba 3.0.2

Status
Not open for further replies.

ManicAJK

IS-IT--Management
Jan 12, 2004
40
GB
I am in the middle of implementing a windows 2003 active directory domain. The windows side of it is going fine but we are struggling to get samba working with the new domain properly.
I have 4 AD domain controllers all running integrated DNS and WINS. We joined one of our test Unix boxes running Tru64 and samba 3.0.2 to the new domain with no problems at all and set its host domain to be that of the new domain. I can ping the unix box with no trouble as well as perform reverse lookups on its IP address.
The problem is that I can browse to the unix server and access the samba shares fine if I use \\xxx.xxx.xxx.xxx, but if I try and browse to the machine using the \\servername format I get numerous errors. If browsing via Windows Explorer I get prompted for a username and password and no matter what combination I use nothing works. If browsing via a net view command from the command prompt I get a "System error 5: Access is denied" message.
The new win2k3 domain has a 2 way trust to our present live NT4 domain and any client on the NT4 domain has no trouble in browsing to the machine via \\servername or \\xxx.xxx.xxx.xxx.
The unix machine has joined the win2k3 domain with no trouble as I can see the machine account in the AD admin tool. I am out of ideas, can anybody help????
 
NT4 does not use kerberos. \\xxx.xxx.xxx.xxx in a W2K/W2K3 environment does not use kerberos, it uses NTLM. \\servername in a W2K/W2K3 environment does use kerberos.

With that said, I'd say you have a kerberos interoperability issue. What do you see in a trace?

 
Does it make any difference that I was running the AD domain in Windows 2003 Server mode as opposed to Windows 2000 native mode? Just in case it does, I uninstalled AD last night and re-installed the domain in Windows 2000 native mode.
I will have to get one of our unix engineers to perform a trace as I can only test from the windows side.
What exactly should I ask them to do?
 
Here are a few of my config files that I have managed to get hold of from the unix machine.

krb5.conf
[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
ticket_lifetime = 24000
default_realm = IM-SERV.COM
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
IM-SERV.COM = {
kdc = imserv-dc1-sc.im-serv.com
default_domain = im-serv.com
}

[domain_realm]
.im-serv.com = IM-SERV.COM
im-serv.com = IM-SERV.COM


smb.conf
#======================= Global Settings =====================================
[global]
workgroup = IM-SERV
realm = IM-SERV.COM
server string = Test Server - Bernie
security = ADS
password server = imserv-dc1-sc.im-serv.com
encrypt passwords = yes
username map = /etc/samba/smbusers
log file = /var/log/samba/log.%m
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
idmap uid = 10000-20000
idmap gid = 10000-20000
guest ok = yes
auth methods = guest winbind
map to guest = Bad User

#======================= Share Definitions ==================================
[homes]
comment = Home Directories
browseable = no
writable = yes
guest ok = no

[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes
guest ok = yes
guest only = no
 
I have also tested the kerberos config using kinit and klist commands on the unix box.

bernie.im-serv.com> kinit ADMINISTRATOR@IM-SERV.COM
Password for ADMINISTRATOR@IM-SERV.COM:
bernie.im-serv.com> klist
Ticket cache: FILE:/tmp/krb5cc_p141667
Default principal: ADMINISTRATOR@IM-SERV.COM

Valid starting Expires Service principal
01/13/04 11:51:30 01/13/04 21:51:35 krbtgt/IM-SERV.COM@IM-SERV.COM
renew until 01/14/04 11:51:30


Kerberos 4 ticket cache: /tmp/tkt208
klist: You have no tickets cached

What else can I try?????
 
I have just discovered that if I try and browse to the samba share and it asks me for a user name and password, it will allow me to authenticate if I just enter a valid username and password without using a domain name, i.e. administrator instead of im-serv\administrator.

I'm now even more confused!
 
Damn, false alarm. Because I had the administrator password the same for our NT4 administrator and the new AD administrator, it was using the NT4 account to authenticate with, which we know has no problems as it uses NTLM.
 
I was looking for the tickets in the trace. Specifically I wanted to see if the following conditions exist:

1. No Krbtgt DES key
2. No DES key for the Admin account
3. Invalid or missing SPN
4. Invalid UPN on the machine account

An LDAP dump of the user object would be nice so we could see the userAccountControl settings. Are you requiring DES? Kerberos interop doesn't work with RC4-HMAC.
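The reply above asks for the userAccountControl value of the account, so the following added example (not code from the thread) decodes that attribute from a small LDAP dump and reports the checks raised here: whether the account is disabled, whether it is set to use DES keys only, and whether it carries an SPN. The LDIF text is constructed to mirror the accounts discussed (a krbtgt entry and the unix box's machine account), not a real dump.

```python
"""Decode userAccountControl from an LDAP dump of an AD account to answer the
questions above (disabled? DES-only? SPN present?).  Added example, not from
the thread; the LDIF below is constructed, not a real dump."""

# userAccountControl flag bits as documented by Microsoft (MS-ADTS).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}

# Constructed LDIF: a disabled, non-DES krbtgt and a DES-only machine account with a host SPN.
LDIF = """dn: CN=krbtgt,CN=Users,DC=im-serv,DC=com
sAMAccountName: krbtgt
userAccountControl: 514

dn: CN=BERNIE,CN=Computers,DC=im-serv,DC=com
sAMAccountName: BERNIE$
servicePrincipalName: HOST/bernie.im-serv.com
userAccountControl: 2101248
"""

def decode_uac(value):
    """Names of the flags whose bit is set in the integer attribute value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}

def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, blank line between entries,
    multi-valued attributes kept as lists (no base64 values or line folding)."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.strip():
            attr, _, val = line.partition(": ")
            cur.setdefault(attr, []).append(val)
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def kerberos_readiness(text):
    """Per account: decoded flags plus the three checks the reply asks about."""
    report = {}
    for e in parse_ldif(text):
        flags = decode_uac(int(e["userAccountControl"][0]))
        report[e["sAMAccountName"][0]] = {"flags": flags,
            "disabled": "ACCOUNTDISABLE" in flags,
            "des_only": "USE_DES_KEY_ONLY" in flags,
            "has_spn": "servicePrincipalName" in e}
    return report
```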



 
Yeah, I did notice that all my tickets granted from the AD domain are RC4. How can I make them DES (even though the encryption is not as strong!)? Is it something I have to change from the AD side or the unix side?
As you can tell I don't know a lot about unix!

I have added a line to the krb5.conf file:
permitted_enctypes = des-cbc-crc des-cbc-md5

This has made no difference at all.

If you can tell me what commands to execute to get more info I will do so and post the results back here.
 
I have just run a klist -e and this is what has been returned:

bernie.im-serv.com> klist -e
Ticket cache: FILE:/tmp/krb5cc_p149790
Default principal: ADMINISTRATOR@IM-SERV.COM

Valid starting Expires Service principal
01/13/04 21:30:44 01/14/04 07:33:37 krbtgt/IM-SERV.COM@IM-SERV.COM
renew until 01/14/04 21:30:44, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5


Kerberos 4 ticket cache: /tmp/tkt208
klist: You have no tickets cached
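The klist -e output above is the key piece of evidence in this thread: the session key is DES (what the client asked for in krb5.conf) but the ticket itself is RC4. As an added example (not code from the thread), the Python below parses the enctype lists from the posted krb5.conf and the "Etype (skey, tkt)" line from klist -e, and flags any ticket whose ticket enctype is outside the client's default_tkt_enctypes. The config and klist text are constructed copies of what was posted, and the name map covers only the enctypes that appear there.

```python
"""Compare the enctypes a client asks for in krb5.conf with those actually issued,
as shown by `klist -e`.  Added example; config and klist text are constructed copies."""
import re

# Constructed sample: the [libdefaults] enctype lines from the posted krb5.conf.
KRB5_CONF = """[libdefaults]
default_realm = IM-SERV.COM
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
"""

# Constructed sample: the posted `klist -e` output, with the wrapped line joined.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_p149790
Default principal: ADMINISTRATOR@IM-SERV.COM

Valid starting Expires Service principal
01/13/04 21:30:44 01/14/04 07:33:37 krbtgt/IM-SERV.COM@IM-SERV.COM
renew until 01/14/04 21:30:44, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
"""

# Long names printed by MIT klist -> short names used in krb5.conf.
KLIST_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "arcfour-hmac-md5",
}

def requested_enctypes(conf):
    """Return {'default_tgs_enctypes': [...], 'default_tkt_enctypes': [...]}."""
    pat = r"^\s*(default_(?:tgs|tkt)_enctypes)\s*=\s*(.+)$"
    return {m.group(1): m.group(2).split() for m in re.finditer(pat, conf, re.M)}

def issued_enctypes(klist):
    """Return [(service_principal, session_key_enctype, ticket_enctype), ...]."""
    tickets, lines = [], klist.splitlines()
    for i, line in enumerate(lines):
        m = re.search(r"Etype \(skey, tkt\): (.+?), (.+)$", line)
        if m:
            principal = lines[i - 1].split()[-1]   # last token of the ticket line
            skey, tkt = (KLIST_NAMES.get(n.strip(), n.strip()) for n in m.groups())
            tickets.append((principal, skey, tkt))
    return tickets

def check(conf, klist):
    """Tickets whose ticket enctype is outside default_tkt_enctypes.  The session
    key (skey) follows the client's list, but the ticket is sealed with the
    service's own key, so an RC4 'tkt' means the KDC used an RC4 key for krbtgt,
    which is what the replies in this thread trace to the DES-only setting."""
    wanted = set(requested_enctypes(conf).get("default_tkt_enctypes", []))
    return [(p, tkt) for p, _skey, tkt in issued_enctypes(klist) if tkt not in wanted]
```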
 
Here's a testparm:

bernie.im-serv.com> testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[tmp]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = IM-SERV
realm = IM-SERV.COM
server string = Test Server - Bernie
security = ADS
auth methods = guest, winbind
map to guest = Bad User
password server = imserv-dc1-sc.im-serv.com
username map = /etc/samba/smbusers
log file = /var/log/samba/log.%m
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +
winbind cache time = 10
guest ok = Yes

[homes]
comment = Home Directories
read only = No
guest ok = No
browseable = No

[tmp]
comment = Temporary file space
path = /tmp
read only = No
 
You'll need to check "use DES" on the user's properties in ADUC.

Depending on how you got to W2K, the krbtgt account may not have a DES key. In that case, you have to set it to use DES and change the password.

WARNING: Don't do that more than once in a ticket lifetime [10 hours by default] or you'll invalidate all the tickets in your domain; no fun.

 
We got to win2k3 via a fresh install of a new domain.
Let me just see if I have this right.

1. I create a user account on the AD domain which corresponds to the machine account of the unix box and set it to require DES encryption.

2. I use the ktpass.exe utility to map the user account to the machine account and generate a keytab file.

3. I ftp the keytab file to the unix box and, using the ktutil utility, import the keytab into krb5.keytab.

Have I missed anything?
 
The krbtgt account on the AD domain is showing as disabled and the check box is not set to require DES encryption. As far as I can remember this account has never been enabled since the domain install and I certainly have never changed its password. Should I enable it and change the password?
 
So have I got the steps correct?
Thanks for your help by the way!
 
I cannot set the krbtgt account to require DES encryption as the option is greyed out, so how do I go about doing it?
 
 
At most, you should only have to change the password on the krbtgt account [remember, not more than once in a ticket lifetime, or else..]. It's grayed out because you can't "use" the account. The keys are used by the KDC.
If it's a missing key, you should see the acct name as krbtgt in the error in the W2K security log.

I noticed you still had DES-CBC-CRC in your krb5.conf. You might want to take that out.

 