[Samba] Samba's ADS security mode on Sun Solaris

Melfi.Marcello at hydro.qc.ca Melfi.Marcello at hydro.qc.ca
Tue Oct 12 19:54:31 GMT 2004


Hi John,

I managed to compile Samba 3.0.7, along with MIT Kerberos 1.3.5 and OpenLDAP
2.2.17.

I am using the ADS security mode in the smb.conf file. The AD server is
Windows Server 2000.

As described in the How-To Samba doc, I ran the "kinit USERNAME at REALM"
command first. Then, I added the Samba machine to the Windows Server with
the "net ads join -U Administrator%password" command.

When I run the klist command, I get the following output:

***********
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <USERNAME at REALM>

Valid starting     Expires            Service principal
10/08/04 15:57:48  10/09/04 01:59:26  krbtgt/<REALM>@<REALM>
        renew until 10/09/04 15:57:48


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
***********

Is it OK or should I see more, i.e. not just the TGT ticket?

After starting Samba (i.e. the smbd and nmbd processes), I tried to map a
Samba share from a Windows workstation. On that workstation, I am logged in
with a user already defined in the AD server.

The first try (i.e. after a reboot of the workstation so that the cache is
cleared) never works! At that point, a window opens and I have to provide
the username/password information and then it works. It looks like the
password is not OK the first time (I did the map from a Windows CMD console
to get the error msg)... When I look at the samba log for that workstation,
I have the following error messages:

***********
[2004/10/08 17:31:34, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2004/10/08 17:31:34, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Broken pipe
[2004/10/08 17:31:34, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 24: ERRNO = Broken pipe
[2004/10/08 17:31:34, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Broken pipe)
***********

When the share is established, it is working OK.

Do you have any ideas here?

Regards,

Marcello Melfi

-----Original Message-----
From: John H Terpstra [mailto:samba at primastasys.com] 
Sent: September 28, 2004 23:49
To: Marcello Melfi
Subject: RE: [Samba] Samba's ADS security mode on Sun Solaris

Hi,

Some useful, but dated, info is to be found at:

http://samba.org/~jht/Notes/

- John T.
---
John H Terpstra
Samba-Team
email: jht at samba.org


> -------- Original Message --------
> Subject: [Samba] Samba's ADS security mode on Sun Solaris
> From: "Marcello Melfi" <marcello.melfi at videotron.ca>
> Date: Tue, September 28, 2004 6:20 pm
> To: samba at lists.samba.org
>
> Hi,
>
> I have installed and configured with success Samba 3.0.2a (using a
> binary package) on a Sun Solaris 8 using the DOMAIN security mode. I
> used the usermaps.txt file to simplify the overall configuration of
> Unix vs Windows users, e.g. no winbindd/ldap/pam/etc...
>
> I now have a requirement to set it up using the ADS security mode. So,
> my understanding is that I need to start from the Samba source files,
> version 3.0.7 for instance, and compile everything. I also need to
> compile the MIT Kerberos and the OpenLDAP source files first. I think
> that one of these packages also requires the Kerberos DB.
>
> The following questions come to mind:
>
> 1. Has anybody done that (i.e. compiled Samba with ADS support) on Sun
> Solaris 8 or 9? If so, a few pointers would be greatly appreciated!
>
> 2. The ADS security mode requires the MIT Kerberos and OpenLDAP
> development libraries. Does this simply mean that I need to compile 
> the source code from their respective Web site? For example, I would 
> download the stable source code version 2.2.17 of OpenLDAP and compile it.
>
> 3. When using the ADS security mode, can I still simply use the
> usermaps.txt file and not winbindd/ldap/pam/etc?
>
> Regards,
>
> Marcello Melfi
> m_melfi at hotmail.com


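Added example, not part of the original messages and not Samba project code: a small parser for the smbd log format shown in the excerpt above. It groups the level-0 records by timestamp and source file, which shows that the four errors are a single burst from lib/util_sock.c within the same second. The function names `parse_records` and `bursts` are hypothetical.

```python
import re
from collections import defaultdict

# Header line of a Samba 3 log record: [date time, level] file:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

# Log excerpt copied from the message above.
SAMPLE_LOG = """\
[2004/10/08 17:31:34, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2004/10/08 17:31:34, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Broken pipe
[2004/10/08 17:31:34, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 24: ERRNO = Broken pipe
[2004/10/08 17:31:34, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Broken pipe)
"""

def parse_records(text):
    """Turn header lines plus indented continuation lines into record dicts."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["line"] = int(rec["line"])
            rec["message"] = ""
            records.append(rec)
        elif raw.strip() and records:
            # Continuation line: body text belonging to the last header seen.
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + raw.strip()).strip()
    return records

def bursts(records, max_level=0):
    """Group records at or below max_level by (timestamp, source file)."""
    groups = defaultdict(list)
    for rec in records:
        if rec["level"] <= max_level:
            groups[(rec["ts"], rec["src"])].append(rec["func"])
    return dict(groups)

if __name__ == "__main__":
    for (ts, src), funcs in bursts(parse_records(SAMPLE_LOG)).items():
        print(f"{ts} {src}: {len(funcs)} records from {', '.join(funcs)}")
```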