Issues with Samba+Kerberos (Heimdal 1.5) / FreeBSD / 2k8r2 domain

lopoetve

Been fighting this beast for about a week now, and I'm slowly going crazy.

I'm using Samba 3.6 with Kerberos 1.5.2 (Heimdal, but I've also tried the MIT version and had the same problems), trying to get it to join/auth against a Windows 2008R2 domain. Every time I run the net ads join command, I get the following failure (with debug 3 logging):

lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/usr/local/etc/smb.conf"
Processing section "[global]"
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Unknown parameter encountered: "template primary group"
Ignoring unknown parameter "template primary group"
added interface em0 ip=10.21.20.109 bcast=10.21.23.255 netmask=255.255.252.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter pcarmichael's password:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'BRM-KRB'
domain_name : *
domain_name : 'BRMSTORAGE.COM'
account_ou : NULL
admin_account : 'pcarmichael'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
Connecting to host=DC2.brmstorage.com
resolve_lmhosts: Attempting lmhosts lookup for name DC2.brmstorage.com<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name DC2.brmstorage.com<0x20>
resolve_wins: Attempting wins lookup for name DC2.brmstorage.com<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name DC2.brmstorage.com<0x20>
Connecting to 10.131.12.146 at port 445
Connecting to 10.131.12.146 at port 139
Doing spnego session setup (blob length=136)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
get_dc_list: preferred server list: ", *"
Successfully contacted LDAP server 10.131.12.146
Connected to LDAP server DC2.brmstorage.com
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 18 Apr 2014 06:04:31 MDT
net: sha1 checksum failed
Abort (core dumped)

The exact same config works fine on Linux, however.
krb5.conf and samba.conf files:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = BRMSTORAGE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1

[realms]
BRMSTORAGE.COM = {
kdc = dc1.brmstorage.com
kdc = dc3.brmstorage.com
kdc = dc4.brmstorage.com
kdc = dc5.brmstorage.com
kdc = dc2.brmstorage.com
}

[domain_realm]
.brmstorage.com = BRMSTORAGE.COM
brmstorage.com = BRMSTORAGE.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 500
try_first_pass = true
}

SMB.conf:
#======================= Global Settings =====================================

[global]

workgroup = BRMSTORAGE
server string = Samba Server Version %v

netbios name = brm-krb

# --------------------------- Logging Options -----------------------------

log level = 3
# logs split per machine
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
max log size = 50

# ----------------------- Domain Members Options ------------------------
#
security = ADS
realm = BRMSTORAGE.COM
encrypt passwords = yes

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-20000
idmap gid = 600-20000
template primary group = "Domain Users"
template shell = /sbin/nologin

allow trusted domains = Yes
server signing = mandatory
client signing = mandatory
client use spnego = Yes
ntlm auth = Yes
lanman auth = No



# ----------------------- Browser Control Options ----------------------------
preferred master = no

# --------------------------- Printing Options -----------------------------

load printers = no

printcap name = /etc/printcap


#============================ Share Definitions ==============================

[homes]
comment = Home Directories
browseable = no
writable = yes

;[test]
; available = yes
; comment = Test Share
; path = /var/www/test
; writeable = yes
; browseable = yes
; invalid users = root
; create mask = 0660
; directory mask = 0770
; valid users = @DOMAIN+Group-Name

Anyone done this / had the same problem and figured it out? Googling it leads to some possible heimdal bugs, but all the threads go dead there and silent, as if each person involved suddenly found the issue and never followed up (or what they found made them get religion).
 
I don't have an answer for you, but I don't think there are many FreeBSD users on this board.

You will probably have better luck with the FreeBSD Forums. Good luck, that looks like a strange problem to solve.
 
I've recently had to deal with this since we began upgrading our AD Domain Controllers (from 2003 to 2012R2)

This error is because the acceptable default Kerberos encryption types have been updated in 2008R2 and 2012R2; this not only affects a system like FreeBSD, but also Windows XP (which we should all have moved away from, right?)

This is a combination of Samba36, and the Heimdal version of kerberos that FreeBSD can use. The easiest method to fix this is to upgrade from 3.6.x to Samba 4.1

I was able to test this out because we have two 2012R2 DCs now, but we also have the older 2003 DCs. When I ran "net -d ads join -U some_admin_user", it would fail if it happened to hit the new domain controller.

Once I upgraded to Samba 4.1, the net ads join command would work no matter what DCs it hit.
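The reply above attributes the failure to the encryption types that newer DCs accept, and the krb5.conf in the first post pins default_tkt_enctypes and default_tgs_enctypes to RC4, DES and des3 only. The following is an added example, not code from this thread: a small krb5.conf parser that handles the nested `{ }` realm blocks and reports which of the listed enctypes are legacy (DES is disabled by default on Windows 7 / 2008R2, and Active Directory does not implement des3 at all) and which lists contain no AES type. The sample config is constructed from the posted [libdefaults] section.

```python
import re

# Constructed sample: the [libdefaults] and [realms] stanzas as posted above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = BRMSTORAGE.COM
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
[realms]
BRMSTORAGE.COM= {
kdc = dc1.brmstorage.com
}
"""

# Enctype-name prefix -> bucket. AES is what 2008+ DCs negotiate; DES is off by
# default on 2008R2/Win7; AD never offers des3; RC4 is the legacy fallback.
BUCKETS = (("aes128-cts", "aes"), ("aes256-cts", "aes"), ("arcfour-hmac", "rc4"),
           ("rc4-hmac", "rc4"), ("des3-", "des3"), ("des-", "des"))

def classify(enctype):
    e = enctype.lower()
    return next((b for p, b in BUCKETS if e.startswith(p)), "unknown")

def parse_sections(text):
    """Flatten krb5.conf into {section: {key: [values]}}; '{ }' blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        m = re.match(r"^\[(\w+)\]$", line)
        if m and depth == 0:
            current = sections.setdefault(m.group(1), {})
        elif line.endswith("{"):                    # e.g. "BRMSTORAGE.COM = {"
            depth += 1
        elif line == "}":
            depth -= 1
        elif current is not None and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def audit_enctypes(text):
    """Map every *_enctypes key in [libdefaults] to {enctype: bucket}."""
    libdefaults = parse_sections(text).get("libdefaults", {})
    return {k: {t: classify(t) for t in " ".join(v).split()}
            for k, v in libdefaults.items() if k.endswith("_enctypes")}

def keys_without_aes(text):
    """Enctype lists that restrict the client to legacy types only."""
    return sorted(k for k, v in audit_enctypes(text).items() if "aes" not in v.values())
```

To audit a real host, read /etc/krb5.conf into a string and pass it to `audit_enctypes` and `keys_without_aes`; a key that turns up in the second result is one to revisit before retrying the join against a 2008R2 or newer DC.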
 