From: Rob Townley on 14 Dec 2009 12:20
i am in a mixed win2000 and win2003 R1 ActiveDirectory environment.
Have always had ntlmv2 server and client required. LM and NTLM have
always been rejected. That is how it has been for 10 years.
Mounting from CentOS 5 to the windows servers has not been an issue
for years. However, using ADS credentials for Linux workstation
logons has always been a issue. If using ADS credentials to logon to
a Linux workstation worked once, it would stop working for no apparent
reason very quickly. The problem seems to be that samba kerberos
wants to revert to using very old encryption technology that is
probably on par with plain LM.
How can i force samba to use and _KEEP_USING_ the better security
enctypes? i am no expert, but you don't have to be an expert to know
that aes is better than des-cbc-crc . des was broken in 1998, why is
samba kerberos trying to use it? Win 95 LM uses DES -- look at
lmHash() documented at http://davenport.sourceforge.net/ntlm.html.
We have been using our CentOS clients to mount with ntlmv2i so why
would attempts at joining the ADS domain fail with "stronger
mount -t cifs //ADScontroller/share /mnt/ntlmv2iprotected --verbose
Success with "kinit admin(a)dnsdomainname.com"
But then "net -d 10 ads join -U admin(a)dnsdomainname.com" would fail
with "stronger authentication required." I wondering why stronger
auth would be needed by ADS when i am already mounting a file share on
the ADS domain controller using ntlmv2i?
The answer is in "klist -e" and
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
Deleted the samba cache and added the following to /etc/krb5.conf and
it worked once to join the domain and logon a CentOS box with ADS
i could even map a drive letter from our Win2003 box to the CentOS
share using ADS credentials.
default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
The samba cached krb5.conf.NETBIOSDOMAINNAME would come back populated
with weak and incompatible encryption types while /etc/krb5.conf would
still have decent enctypes. Then my account is locked out in ADS.
So how can i permanently force samba to use the better enctypes?
Disable it from ever using weak encryption such as DES? Triple DES
des3-hmac-sha1 would be ok.
How does one find the exact enctypes ADS will accept? There must be a
command or ldap location but i had many problems finding it.
The following are all previously documented problems related to this.
Symptoms left here for when others search.
kinit succeeded but ads_sasl_spnego_krb5_bind failed
[Samba] winbind and smb tries to auth as pdc$ rather than local name
when using ADS
From a debug level 10 using smbclient,
lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or directory
tree connect failed: NT_STATUS_ACCESS_DENIED
A HPUX guy reverted his net binary to an older version.
Sorry for the long post, but blogger is giving me some issues and i
will need this as reference material.
To unsubscribe from this list go to the following URL and read the
Prev: Vista clients having Issues Copying files from Samba Server
Next: [Samba] Samba for iPhone