samba4 alpha16 windows clients issue after alpha15 migration and samba config problems
David Lindauer
david at otlayi.com
Sun Jan 22 13:23:12 MST 2012
I migrated our Ubutnu samba4 alpha15 server to a new Ubuntu install and
samba alpha 16. I copied over my etc, var, and private folders and got
samba to run and to authenticate. In order to try to get it all the way
online, I connected it to the old alpha15 server and let it join the
active directory (planning to retire other machine).
The server is setup as 10.1.1.1 and the clients are all in the same /24
(via openvpn), and all the dns entries point to the public IPs (samba is
listening on public and private IPs momentarily).
I AM able to authenticate with pam_winbind, however there are two problems:
#1 - Windows 7 PCs are able to browse the shares list via \\10.1.1.1
(it's ignoring 'browseable = No' on shares annoyingly), however Windows
throws an error when trying to open the shares "The parameter is
incorrect". If I open cmd and "net use \\10.1.1.1\share_name /delete"
on a share I've tried to access, and remap it via "net use
\\10.1.1.1\share_name /U username" I CAN successfully access (only) that
specific share and work on files.
#2 - A couple of errors keep showing up in the Samba log now (which I
believe is related to the above)
[2012/01/22 15:02:46, 1]
../source4/auth/gensec/gensec_gssapi.c:638(gensec_gssapi_update)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Decrypt integrity check failed
[2012/01/22 15:02:46, 2]
../source4/librpc/rpc/dcerpc.c:1041(dcerpc_bind_recv_handler)
dcerpc: bind_nak reason 0
[2012/01/22 15:02:46, 0]
../source4/librpc/rpc/dcerpc_util.c:660(dcerpc_pipe_auth_recv)
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:771cdd07-4d2e-497f-b8c4-b8919b3461fd._msdcs.realdomain.com[1024,seal,krb5]
NT_STATUS_UNSUCCESSFUL
I think that Samba is currently listing out the shares to anonymous
users, and then it is not allowing / forcing the windows machine to
authenticate itself. None of the previous config variables for 'guest
ok' or 'restrict anonymous' work on samba4 and I can't find anyway to
force it. I also had pam_winbind set to
"require_membership_of=S-1-5-rest-of-sid" and it didn't work at all. I
had users not within that group, and they were still able to connect via
ssh. I tried having it in all 3 files that pam_winbind is listed in
common-* for and nothing was restricted.
My smb.conf: http://www.otlayi.com/conf/smb.conf
I'm not sure if this is a problem with corruption in my AD now or if
it's an issue with the authentication, this is using the latest pull
from git as of a couple days ago, previously tried it with a week+ copy
of it. I have iptables completely letting all traffic through for
troubleshooting purposes to confirm it's not firewall related. thanks
for any thoughts on this
More information about the samba-technical
mailing list