[Samba] Win2K works but WinXP doesn’t using ADS

Victor Hiebert vic at sfu.ca
Fri Nov 14 19:29:40 GMT 2003


WindowsXP clients are unable to access shares from a Samba 3.0.0
server which is using ADS authentication against a Windows2000 AD
running in native mode.  Windows2000 clients have no problems.

I am almost certain the problem lies with security being locked down
too tightly on the AD server.  Everything works fine with another
Samba server which is set up the same, aside from using another
domain/AD server which isn’t locked down.

As I don’t have administrator rights to the AD server that’s locked
down, and I have to be specific when I request changes, I was hoping
someone would be able to tell me what needs to be enabled/changed on
the AD server to get WinXP clients working.

The symptoms include WinXP clients being asked for a user/pass, which
is then refused, when trying to access the shares.

Looking in the samba logs I see that Win2K clients use Kerberos whereas
XP clients try to use LDAP.  On the AD that isn’t locked down XP
clients don’t use LDAP.  The event logs on the locked down AD show that
an XP client is granted a Kerberos ticket however.

I also notice an nmap scan of both AD servers show more ports open on
the one that isn’t locked down.

In an attempt to avoid “you didn’t post enough information for us to
diagnose the problem” replies, and stay under the 40K post limit, I am
including the following information:

Samba Server OS: FreeBSD 4.9-RELEASE
Using Heimdal Kerberos V 0.6 (compiled from FreeBSD ports)
With Samba 3.0.0 (compiled from FreeBSD ports)

Both AD servers OS: Windows 2000 Server sp4

1.) Nmap scan of open AD server
2.) Nmap scan of locked down AD server
3.) /etc/krb5.conf
4.) /usr/local/etc/smb.conf
5.) Event log from locked down AD server
6.) Samba log of WinXP client connecting to a share using the open AD server
7.) Samba log of WinXP client connecting to a share using the locked down AD server
8.) Samba log of Win2K client connecting to a share using the locked down AD server

..which can be found at:
 http://www.sfu.ca/~vhiebert/Win2K_works_but_WinXP_doesnt_using_ADS.txt

Thanks for any help.

-- 
 Victor Hiebert mailto:vic at sfu.ca
 Network Technician, Operations and Technical Support Department
 Simon Fraser University, Surrey Campus
--



