[Samba] Samba-W3K-ADS

eric roseme eroseme at emonster.rose.hp.com
Wed Jul 14 23:56:12 GMT 2004


My testing has shown that when using "security = ads" and specifying 
\\ipaddress\share, Kerberos fails with "PRINCIPAL_UNKNOWN" and auth then 
falls through (in my case, either NTLMv1 or NTLMv2 - I have tested with 
both).  So maybe you should try it with your hostname, or hostname.FQDN, 
and check out what happens with Ethereal.  Maybe your fall-through 
auth-n is failing (easy to do with NTLMv2).

Of course, these results are specific to my test environment, so maybe 
this is not pervasive behavior.

Eric Roseme
Hewlett-Packard

Ben Schmaus wrote:
> Versions:
> 
> OS: Redhat ES Linux 3.0
> Windows OS: Windows 2003 & Active Directory
> Samba: samba-3.0.5rc1-2_rh9.i386.rpm
> Kerberos: krb5-1.3.4-i686-pc-linux-gnu.tar
> Using Winbind: Yes
> 
> Objective:
> 
> Allow Samba/Linux server to authenticate off of active directory to access
> Samba shares.
> 
> Problem:
> 
> I can get to some shares, but not to the user home shares.  When trying to
> access a user home share I get prompted for a password even though I have
> already connected to other shares with the same user name.  And even if I
> enter the username and password, access is denied.  I am currently trying
> this by doing a 'net use * \\ip address\home share'.
> 
> Smb.conf
> 
> [global] 
> workgroup = DOMAIN 
> netbios name = RCRH03 
> server string = RCRH03
> security = ADS
> realm = DOMAIN.COM 
> password server = 10.1.1.28
> wins server = 10.1.1.28
> client use spnego = yes
> client signing = yes
> encrypt passwords = yes
> printcap name = cups 
> disable spoolss = Yes 
> show add printer wizard = No 
> idmap uid = 15000-20000 
> idmap gid = 15000-20000 
> winbind separator = + 
> winbind use default domain = Yes 
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%D/%U
> template shell = /bin/bash
> use sendfile = Yes 
> printing = cups 
> ldap suffix = "dc=domain, dc=com"
> winbind cache time = 0
> log level = 10
> log file = /var/log/samba.log
> max log size = 5000000
> debug timestamp = yes
> 
> 
> [homes] 
> comment = Home Directories 
> valid users = %U 
> path = /home/%D/%U
> public = Yes 
> read only = No 
> browseable = No 
> 
> [apps] 
> comment = OSCAR 
> path = /apps 
> valid users = @dev, @REDHAT
> admin users = @dev, @REDHAT
> read only = No
> browseable = Yes 
>  
> [printers] 
> comment = All Printers 
> path = /var/spool/samba 
> printer admin = root 
> create mask = 0600 
> guest ok = Yes 
> printable = Yes 
> use client driver = Yes 
> browseable = No 
> 
> [public]
> comment = test
> path = /spare
> read only = No
> browseable = Yes
> 

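The behaviour described in the reply above, as an added example (not code from the original thread or from Samba): a Python check that classifies the server part of each UNC path and reports which targets can be matched to a Kerberos service principal and which, being IP literals, would fall through to NTLM as observed. The `cifs/` service class, the function names and the 192.0.2.10 address are assumptions made for illustration; RCRH03 and DOMAIN.COM come from the quoted smb.conf.

```python
import ipaddress
import re

SERVICE = "cifs"  # assumed SPN service class for SMB


def parse_unc(unc):
    """Return (server, share) from a UNC path such as \\\\server\\share."""
    m = re.match(r"^\\\\([^\\]+)\\([^\\]+)", unc)
    if not m:
        raise ValueError("not a UNC path: %r" % unc)
    return m.group(1), m.group(2)


def classify_server(server):
    """Return 'ip', 'fqdn' or 'short' for the server part of a UNC path."""
    try:
        ipaddress.ip_address(server)
        return "ip"
    except ValueError:
        return "fqdn" if "." in server else "short"


def expected_auth(unc, realm):
    """Predict the auth path for one target, per the behaviour reported above."""
    server, share = parse_unc(unc)
    kind = classify_server(server)
    result = {"server": server, "share": share, "kind": kind}
    if kind == "ip":
        # Service principals are keyed on host names, so a lookup by address
        # ends in PRINCIPAL_UNKNOWN and the client falls through to NTLM.
        result.update(spn=None, auth="ntlm-fallthrough")
    else:
        spn = "%s/%s@%s" % (SERVICE, server.lower(), realm.upper())
        result.update(spn=spn, auth="kerberos")
    return result


def find_downgrades(targets, realm):
    """List the UNC paths that would not authenticate with Kerberos."""
    return [t for t in targets if expected_auth(t, realm)["auth"] != "kerberos"]


if __name__ == "__main__":
    # Constructed targets: 192.0.2.10 is a documentation address.
    targets = [r"\\192.0.2.10\apps", r"\\RCRH03\apps", r"\\rcrh03.domain.com\apps"]
    for t in targets:
        print(t, expected_auth(t, "DOMAIN.COM"))
    print("NTLM fall-through:", find_downgrades(targets, "DOMAIN.COM"))
```

Run against the paths used in login scripts or drive mappings, the fall-through list shows which connections depend on NTLMv1/NTLMv2 being accepted by the server.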
