Samba 4 - how to enable ADS while compiling
priya sehgal
priyagps at yahoo.co.in
Mon Sep 29 14:09:33 GMT 2008
Hello Andrew,
Thanks for the help. I was trying to configure Samba 4 like Samba 3, hence the problem.
I changed the smb.conf file the way you suggested and could join the domain of the W2k3 server. But there are a few things failing:
1. wbinfo -u says "Error looking up domain users"
2. If I try to log in from my Domain Controller (Win 2K3) machine, it works fine and I can see all the shares exported by the Linux Samba server. (DC IP is 192.168.6.217)
3. But the Linux Samba server is not accessible from a Windows XP machine in the same domain. I get the error: "The Account is not authorized to login from this station." Please note that I have removed the hosts allow entry.
I ran smbd with --debuglevel=5 and have taken a bunch of Samba logs. It is a huge file and I am attaching it to the mail.
Please note that one of the connections passed. The ones at the end failed with the error: Selected protocol [5][NT LM 0.12]
single_terminate: reason[NT_STATUS_END_OF_FILE]
Please let me know what am I doing wrong?
New smb.conf file:
[globals]
netbios name = linux_samba1
workgroup = PRIYADOMAIN
realm = PRIYADOMAIN.RETHER.COM
server role = member server
log level = 3
log file = /var/log/samba/%m
#max log size = 50
#winbind enum users = Yes
#winbind enum groups = Yes
#winbind use default domain = Yes
#winbind nested groups = Yes
#winbindd separator = +
#idmap uid = 10000 - 20000
#idmap gid = 10000 - 20000
;template primary group = "Domain Users"
#template homedir = /home/%D/%U
wins server = 192.168.6.217
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = no
[homes]
comment = Home Directory
valid users = %S
read only = No
browseable = No
[share1]
path = /home/priya/test1
read only = no
[IPC$]
comment = IPC Service (Samba 4.0.0alpha4)
path = /tmp
ntvfs handler = default
browseable = No
fstype = IPC
[ADMIN$]
comment = DISK Service (Samba 4.0.0alpha4)
path = /tmp
browseable = No
fstype = DISK
Here is an extract of the logs, which might help in analyzing the problem:
Note that machine 192.168.6.217 could successfully log in to the Linux_Samba1 server. This is the Win2k3 domain controller. The login after that, from the WinXP machine, failed.
switch message SMBreadX (task_id 0)
switch message SMBtrans (task_id 0)
Warning: 60 extra bytes in incoming RPC request
switch message SMBtrans (task_id 0)
switch message SMBtrans (task_id 0)
Key 'key=SchedulingAgent,key=Microsoft,key=SOFTWARE,hive=NONE' not found
Opening key SchedulingAgent failed: WERR_BADFILE
switch message SMBtrans (task_id 0)
switch message SMBclose (task_id 0)
Registered LINUX_SAMBA1<00> with 192.168.6.245 on interface 192.168.255.255
Registered LINUX_SAMBA1<03> with 192.168.6.245 on interface 192.168.255.255
Registered LINUX_SAMBA1<20> with 192.168.6.245 on interface 192.168.255.255
Registered PRIYADOMAIN<00> with 192.168.6.245 on interface 192.168.255.255
Received dgram packet of length 212 from 192.168.0.117:138
Browse DomainAnnouncement (Op 12) on '%01%02__MSBROWSE__%02<01>' '\MAILSLOT\BROWSE' from 192.168.0.117:138
Received dgram packet of length 212 from 192.168.0.117:138
Browse DomainAnnouncement (Op 12) on '%01%02__MSBROWSE__%02<01>' '\MAILSLOT\BROWSE' from 192.168.0.117:138
smbsrv_accept
Shutdown SMB signing
switch message SMBnegprot (task_id 0)
Requested protocol [0][PC NETWORK PROGRAM 1.0]
Requested protocol [1][LANMAN1.0]
Requested protocol [2][Windows for Workgroups 3.1a]
Requested protocol [3][LM1.2X002]
Requested protocol [4][LANMAN2.1]
Requested protocol [5][NT LM 0.12]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des-cbc-md5)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (aes256-cts-hmac-sha1-96)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des3-cbc-sha1)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (arcfour-hmac-md5)
using SPNEGO
Selected protocol [5][NT LM 0.12]
single_terminate: reason[NT_STATUS_END_OF_FILE]
smbsrv_accept
Shutdown SMB signing
switch message SMBnegprot (task_id 0)
Requested protocol [0][PC NETWORK PROGRAM 1.0]
Requested protocol [1][LANMAN1.0]
Requested protocol [2][Windows for Workgroups 3.1a]
Requested protocol [3][LM1.2X002]
Requested protocol [4][LANMAN2.1]
Requested protocol [5][NT LM 0.12]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des-cbc-md5)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (aes256-cts-hmac-sha1-96)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des3-cbc-sha1)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (arcfour-hmac-md5)
using SPNEGO
Selected protocol [5][NT LM 0.12]
single_terminate: reason[NT_STATUS_END_OF_FILE]
switch message SMBulogoffX (task_id 0)
switch message SMBtdis (task_id 0)
192.168.6.217 closed connection to service IPC$ <--- Domain Controller
single_terminate: reason[NT_STATUS_END_OF_FILE]
smbsrv_accept
Shutdown SMB signing
switch message SMBnegprot (task_id 0)
Requested protocol [0][PC NETWORK PROGRAM 1.0]
Requested protocol [1][LANMAN1.0]
Requested protocol [2][Windows for Workgroups 3.1a]
Requested protocol [3][LM1.2X002]
Requested protocol [4][LANMAN2.1]
Requested protocol [5][NT LM 0.12]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des-cbc-md5)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (aes256-cts-hmac-sha1-96)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des3-cbc-sha1)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (arcfour-hmac-md5)
using SPNEGO
Selected protocol [5][NT LM 0.12]
single_terminate: reason[NT_STATUS_END_OF_FILE]
smbsrv_accept
Shutdown SMB signing
switch message SMBnegprot (task_id 0)
Requested protocol [0][PC NETWORK PROGRAM 1.0]
Requested protocol [1][LANMAN1.0]
Requested protocol [2][Windows for Workgroups 3.1a]
Requested protocol [3][LM1.2X002]
Requested protocol [4][LANMAN2.1]
Requested protocol [5][NT LM 0.12]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des-cbc-md5)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (aes256-cts-hmac-sha1-96)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des3-cbc-sha1)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (arcfour-hmac-md5)
using SPNEGO
Selected protocol [5][NT LM 0.12]
single_terminate: reason[NT_STATUS_END_OF_FILE]
smbsrv_accept
Shutdown SMB signing
switch message SMBnegprot (task_id 0)
Requested protocol [0][PC NETWORK PROGRAM 1.0]
Requested protocol [1][LANMAN1.0]
Requested protocol [2][Windows for Workgroups 3.1a]
Requested protocol [3][LM1.2X002]
Requested protocol [4][LANMAN2.1]
Requested protocol [5][NT LM 0.12]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des-cbc-md5)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (aes256-cts-hmac-sha1-96)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des3-cbc-sha1)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (arcfour-hmac-md5)
using SPNEGO
Selected protocol [5][NT LM 0.12]
single_terminate: reason[NT_STATUS_END_OF_FILE]
smbsrv_accept
smbsrv_accept
Shutdown SMB signing
switch message SMBnegprot (task_id 0)
Requested protocol [0][PC NETWORK PROGRAM 1.0]
Requested protocol [1][LANMAN1.0]
Requested protocol [2][Windows for Workgroups 3.1a]
Requested protocol [3][LM1.2X002]
Requested protocol [4][LANMAN2.1]
Requested protocol [5][NT LM 0.12]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des-cbc-md5)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (aes256-cts-hmac-sha1-96)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des3-cbc-sha1)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (arcfour-hmac-md5)
using SPNEGO
Selected protocol [5][NT LM 0.12]
Shutdown SMB signing
single_terminate: reason[NT_STATUS_END_OF_FILE]
single_terminate: reason[NT_STATUS_END_OF_FILE]
smbsrv_accept
Shutdown SMB signing
switch message SMBnegprot (task_id 0)
Requested protocol [0][PC NETWORK PROGRAM 1.0]
Requested protocol [1][LANMAN1.0]
Requested protocol [2][Windows for Workgroups 3.1a]
Requested protocol [3][LM1.2X002]
Requested protocol [4][LANMAN2.1]
Requested protocol [5][NT LM 0.12]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des-cbc-md5)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (aes256-cts-hmac-sha1-96)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des3-cbc-sha1)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (arcfour-hmac-md5)
using SPNEGO
Selected protocol [5][NT LM 0.12]
single_terminate: reason[NT_STATUS_END_OF_FILE]
smbsrv_accept
Shutdown SMB signing
switch message SMBnegprot (task_id 0)
Requested protocol [0][PC NETWORK PROGRAM 1.0]
Requested protocol [1][LANMAN1.0]
Requested protocol [2][Windows for Workgroups 3.1a]
Requested protocol [3][LM1.2X002]
Requested protocol [4][LANMAN2.1]
Requested protocol [5][NT LM 0.12]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des-cbc-md5)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (aes256-cts-hmac-sha1-96)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (des3-cbc-sha1)
Added LINUX_SAMBA1$@PRIYADOMAIN.RETHER.COM(kvno 2) to keytab (arcfour-hmac-md5)
using SPNEGO
Selected protocol [5][NT LM 0.12]
single_terminate: reason[NT_STATUS_END_OF_FILE]
Regards,
Priya Sehgal
--- On Thu, 9/25/08, Andrew Bartlett <abartlet at samba.org> wrote:
> From: Andrew Bartlett <abartlet at samba.org>
> Subject: Re: Samba 4 - how to enable ADS while compiling
> To: priyagps at yahoo.co.in
> Cc: samba-technical at lists.samba.org
> Date: Thursday, September 25, 2008, 8:22 AM
> On Thu, 2008-09-25 at 02:37 +0530, priya sehgal wrote:
> > Hi,
> > I wish to set up a samba 4 server as a domain member
> of a Win 2k3
> > domain, with Active Directory support. The samba
> server is on a Fedora
> > core 6 . Eventually, I would want to set this samba 4
> server as a CIFS
> > Proxy for Win2k3 domain.
> >
> > But, when I compile samba-4.0.0alpha4 and try to start
> smbd, it warns
> > me about unrecognized value ADS for security.
> >
> > 1.How should we compile samba-4 with Active Directory
> support?
> > I tried .configure --with-ads --with-krb5
> --with-ldap., but still it
> > gives the warning - unrecognized "ADS" for
> security.
>
> Samba4 does not make any of these components optional.
> Don't specify
> any of these options, they are already included.
>
> The 'security=' parameter has been removed. See
> instead 'server role =
> dc/member/standalone'. You want to be a member.
>
> > Although, I am able to join the domain and kinit also
> works fine for
> > me,
> > my windows XP machine in the same domain cannot access
> linux samba
> > server in the domain. It gets error - "The
> account is not authorized
> > to login from this station".
> >
> > Also, smbclient -L /linux_samba -k
> > gives the error :
> > "tree connect failed: Read error: Connection
> reset by peer."
>
> This is because you set the 'hosts allow'.
>
> > I think there is something going wrong in the
> authentication. The call
> > is not going to the Win2k3 server.
>
> > I looked into the ethereal traces.It may be due to ADS
> security not
> > recognized by samba.
> > Please let me know what could be wrong?
>
> Perhaps you can post the compressed traces to the list?
>
> > 2.Also, I could not locate the new winbind binaries,
> after make
> > install? Is it not compiled? how can we compile it?
>
> This is included in smbd now.
>
> > 3.Also, FC6 already has samba 3.0.23c-2. Will this
> create any hurdle
> > in installing samba4 on FC6?
>
> That depends where you install Samba4.
>
> > Following is the set of packages and files on my
> system -
> > netbios name of linux server : linux_samba
> > Windows 2k3 Domain Controller : 192.168.6.217
> > DNS Server : 192.168.6.217
> > DomainName: PRIYADOMAIN.COM
> >
> > I already have the following packages installed :
> > 1.krb5-workstation-1.5-7
> > 2.krb5-devel-1.5-7
> > 3.krb5-libs-1.5-7
> > 4.krb5-server-1.5-7
> > 5.openldap-2.3.27-4
> > 6.openldap-devel-2.3.27-4
>
> None of these are used or required. We have our own
> internal LDAP and
> Kerberos code.
>
> >
> > My smb.conf file looks like this :
> > [globals]
> > netbios name = linux_samba
> > workgroup = PRIYADOMAIN
> > realm = PRIYADOMAIN.COM
>
> > preferred master = no
> > password server = 192.168.6.217
> > security = ads
> > encrypt passwords = yes
>
> Remove all these, we don't use them.
>
> > log level = 3
> > log file = /var/log/samba/%m
> > max log size = 50
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > winbindd separator = +
> > idmap uid = 10000 - 20000
> > idmap gid = 10000 - 20000
> > ;template primary group = "Domain Users"
> > wins server = 192.168.6.217
> > hosts allow = 192.168.6.251
>
> This will be why your connection is being reset.
>
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = no
> >
> > [homes]
> > comment = Home Directory
> > valid users = %S
> > read only = No
> > browseable = No
> >
> > [share1]
> > path = /home/priya/test1
> > read only = no
> > write list = PRIYADOMAIN+user1
>
> I would not use 'write list' in Samba4. It is
> certainly not hooked up,
> I'm surprised it is even recognised. Please run
> 'testparm' over your
> smb.conf
>
> Andrew Bartlett
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team
> http://samba.org
> Samba Developer, Red Hat Inc.
> http://redhat.com
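As an added example (not code from this thread, from Samba, or from either poster), the Python script below encodes the two points Andrew's reply makes. It lints an smb.conf for the Samba 3 settings he says Samba 4 alpha has removed (security, password server, encrypt passwords, preferred master) or never hooked up (write list), and it reproduces the precedence of 'hosts allow' / 'hosts deny' closely enough to show why any client other than 192.168.6.251 had its connection reset under the first config. The two sample configs are constructed from the settings quoted in the thread; the hosts-list matcher is a simplified model (assumption: only ALL, exact IPs, CIDR or addr/mask networks and Samba's trailing-dot prefix form are handled, not hostnames or EXCEPT clauses). Parameter names are normalised the way Samba compares them, ignoring case and embedded whitespace.

```python
import ipaddress
import re

# Settings the reply says a Samba 4 alpha member server does not use.
# Keys are in Samba's canonical form: lower case, whitespace removed.
SAMBA3_ONLY = {
    "security": "removed in Samba 4; use 'server role = member' instead",
    "passwordserver": "not used by Samba 4",
    "encryptpasswords": "not used by Samba 4",
    "preferredmaster": "not used by Samba 4",
}
NOT_HOOKED_UP = {"writelist": "not hooked up in Samba 4 alpha; do not rely on it"}

# Constructed sample: the settings from the first mail that the reply comments on.
OLD_CONF = """
[globals]
    netbios name = linux_samba
    workgroup = PRIYADOMAIN
    realm = PRIYADOMAIN.COM
    preferred master = no
    password server = 192.168.6.217
    security = ads
    encrypt passwords = yes
    hosts allow = 192.168.6.251
[share1]
    path = /home/priya/test1
    write list = PRIYADOMAIN+user1
"""

# Constructed sample: the corrected config from the second mail, trimmed.
NEW_CONF = """
[globals]
    netbios name = linux_samba1
    workgroup = PRIYADOMAIN
    realm = PRIYADOMAIN.RETHER.COM
    server role = member server
[share1]
    path = /home/priya/test1
    read only = no
"""


def canon(name):
    """Samba compares parameter names ignoring case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Minimal smb.conf parser: [sections], key = value, '#' and ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "globals":            # Samba accepts [global] and [globals]
                name = "global"
            current = sections.setdefault(name, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[canon(key)] = value.strip()
    return sections


def lint(sections):
    """Return (section, parameter, reason) for each setting to remove or add."""
    findings = []
    glob = sections.get("global", {})
    findings += [("global", k, why) for k, why in SAMBA3_ONLY.items() if k in glob]
    if "serverrole" not in glob:
        findings.append(("global", "serverrole", "missing; set 'server role = member'"))
    for name, params in sections.items():
        findings += [(name, k, why) for k, why in NOT_HOOKED_UP.items() if k in params]
    return findings


def _entry_matches(entry, addr):
    """One hosts-list entry against a client address (simplified model, see lead-in)."""
    if entry.upper() == "ALL":
        return True
    if entry.endswith("."):                  # prefix form, e.g. '192.168.6.'
        return str(addr).startswith(entry)
    if "/" in entry:                         # CIDR or addr/netmask
        return addr in ipaddress.ip_network(entry, strict=False)
    return addr == ipaddress.ip_address(entry)


def _list_matches(spec, addr):
    return any(_entry_matches(e, addr) for e in re.split(r"[\s,]+", spec.strip()) if e)


def host_allowed(client_ip, hosts_allow="", hosts_deny=""):
    """Precedence of 'hosts allow' / 'hosts deny' for a single client:
    loopback is allowed unless denied; no lists means allow all; an allow
    list alone admits only its members; a deny list alone rejects only its
    members; with both, a match in allow wins, then deny, then allow."""
    addr = ipaddress.ip_address(client_ip)
    allow, deny = hosts_allow.strip(), hosts_deny.strip()
    if addr.is_loopback:
        return not _list_matches(deny, addr)
    if not allow and not deny:
        return True
    if not deny:
        return _list_matches(allow, addr)
    if not allow:
        return not _list_matches(deny, addr)
    return _list_matches(allow, addr) or not _list_matches(deny, addr)


def client_allowed_by_conf(sections, client_ip):
    """Would this client get past the config's host lists at all?"""
    glob = sections.get("global", {})
    return host_allowed(client_ip, glob.get("hostsallow", ""), glob.get("hostsdeny", ""))
```

Running lint over the first config reports all four Samba 3 globals, the missing server role and the share-level write list; the second config comes back clean. client_allowed_by_conf on the first config returns False for the DC at 192.168.6.217 and for any XP client other than 192.168.6.251, which is the reset Andrew describes; once the hosts allow line is gone the remaining failure is an authentication problem, not a host-list one.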