[Samba] access samba 3.0 shares from Win2K, Win3K, WinXPProf. using netbios name
Juan José Muñoz
samba-cifs at iespana.es
Mon Dec 1 12:35:47 GMT 2003
Hi:
I have a Windows 2003 Server Enterprise Ed. as Domain controller, and its
current domain functional level is 'Windows Server 2003'.
Also, I have a RedHat Linux 7.3 server with SaMBa (tested with rpm
samba-3.0.0-2, and compiling the samba source code).
I have joined the linux server to the AD tree without problems, and access
from it to the Win2003 shared resources works too, but I have problems when
I try to access the SaMBa resources from the Win2K, Win3K, WinXPProf machines.
The things I can do are:
- obtain a kerberos ticket: kinit ADMINISTRATOR@DOMAIN
- join to the domain using this ticket: net ads join -k
- obtain a domain user or group list: wbinfo -u/-s
- obtain an entire list of the users or groups (Unix+Domain): getent passwd/group
- access from linux server with the kerberos ticket to the Win2003 Server
shares: smbclient //SERVER/share -k
- Access from Win9x/WinMe/WinXP Home clients to the linux/samba shares,
using the linux name or ip, with the network browser or the net use
command.
- Access from Win2K, Win3K, WinXPProf clients to the linux/samba shares,
ONLY USING THE LINUX IP with the network browser or the net use command
(net use * \\ip\share)
Things I CAN'T do:
-----------------
- Access from Win2K, Win3K, WinXPProf clients to the linux/samba shares,
ONLY USING THE LINUX NETBIOS NAME with the network browser or the net use
command (net use * \\name\share)
- access from linux server with the kerberos ticket to the linux+samba
shares: smbclient //SERVER/share -k
The problem seems to be in the client access to the samba shares with the
kerberos ticket authentication.
When a win9x/winME client accesses a share, the authentication mode used
is NTLM, and I have no problems with it; the same occurs using the
IP instead of the name with any client.
When I use a kerberos ticket obtained on the linux machine to access
win2003 resources, I have no problems either.
But when I try to access linux shares with the kerberos authentication
method, I have problems.
How can I beat this problem??
These are my machines:
->Windows 2003 Server Enterprise Edition
Name: w2003srv.ns1.abcdom
REALM: NS1.ABCDOM
WORKGROUP: NS1
->RedHat Linux 7.3
Name: rhd
Samba 3.0.0 compiled with openldap-2.1.22 and MIT Kerberos 1.3.1
(Also tested with samba 3.0.0-2 rpm package)
These are my configuration files:
/etc/krb5.conf
--------------
[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log
[libdefaults]
ticket_lifetime = 24000
default_realm = NS1.ABCDOM
forwardable = true
proxiable = true
[realms]
NS1.ABCDOM = {
kdc = w2003srv.ns1.abcdom
default_domain = ns1.abcdom
}
[domain_realm]
.ns1.abcdom = NS1.ABCDOM
ns1.abcdom = NS1.ABCDOM
/etc/nsswitch.conf
------------------
passwd: files compat winbind nisplus
shadow: files nisplus
group: files compat winbind nisplus
hosts: files nisplus dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files nisplus
rpc: files
services: files nisplus
netgroup: files nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
/etc/samba/smb.conf
-------------------
workgroup = NS1
realm = NS1.ABCDOM
security = ADS
password server = w2003srv.ns1.abcdom
username map = /etc/samba/smbusers
os level = 10
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
# Share for testing
[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes
/etc/samba/smbusers
-------------------
root=Administrator
Also:
- I have the nobody user on the linux server
- 'ldd /usr/sbin/smbd | grep krb5'
returns:
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x40014000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x40026000)
- 'smbclient -L localhost -U%' works fine
- 'kinit ADMINISTRATOR@NS1.ABCDOM' works too
- 'klist'
returns:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADMINISTRATOR@NS1.ABCDOM
Valid starting Expires Service principal
11/26/03 10:58:05 11/26/03 20:58:13 rbtgt/NS1.ABCDOM@NS1.ABCDOM
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
- 'net ads join'
without '-U administrator' works returning:
Using short domain name -- NS1
Joined 'RHD' to realm 'NS1.ABCDOM'
- from Windows 2003 Server command line:
'net use * \\rhd\tmp'
asks me for user and password authentication, and fails with the message:
"The password or the username is invalid for \\rhd\tmp"
'net use * \\192.168.0.24\tmp'
works fine without prompting user and password authentication
- with the browser the same happens: using the name fails, but with the ip
it works fine.
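
Added example (not part of the original post, and not Samba or MIT Kerberos code): the post observes that access by IP address uses NTLM while access by name goes through Kerberos. The sketch below classifies a UNC target that way and, for names, walks the posted [domain_realm] table as an MIT Kerberos client such as smbclient -k on the Linux server would. The helper names, the cifs/ service prefix and the omission of DNS canonicalisation are assumptions of the example.

```python
import ipaddress

# krb5.conf sections copied from the post (only the parts the lookup needs).
KRB5_CONF = """\
[libdefaults]
 default_realm = NS1.ABCDOM
[domain_realm]
 .ns1.abcdom = NS1.ABCDOM
 ns1.abcdom = NS1.ABCDOM
"""

def parse_section(text, wanted):
    """Return the key = value pairs of one [section] as a dict."""
    pairs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == wanted and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def realm_for_host(host, domain_realm):
    """Try the exact host, then '.parent', 'parent', ...; None if nothing matches."""
    name = host.lower()
    while name:
        if name in domain_realm:
            return domain_realm[name]
        if name.startswith("."):
            name = name[1:]                      # '.ns1.abcdom' -> 'ns1.abcdom'
        else:
            dot = name.find(".")
            name = name[dot:] if dot != -1 else ""
    return None

def classify(unc, domain_realm):
    """Return (mechanism, service principal, realm) expected for a UNC path."""
    host = unc.replace("/", "\\").lstrip("\\").split("\\", 1)[0]
    try:
        ipaddress.ip_address(host)
        return ("NTLM", None, None)              # IP literal: no service name to ask a ticket for
    except ValueError:
        spn = "cifs/" + host.lower()             # assumed service class for SMB shares
        return ("Kerberos", spn, realm_for_host(host, domain_realm))

DOMAIN_REALM = parse_section(KRB5_CONF, "domain_realm")

if __name__ == "__main__":
    # Targets from the post, plus a constructed fully qualified form of 'rhd'.
    for target in (r"\\rhd\tmp", r"\\192.168.0.24\tmp", r"\\rhd.ns1.abcdom\tmp"):
        print(target, classify(target, DOMAIN_REALM))
```

The short name rhd matches no [domain_realm] entry, so its realm comes back as None here; what the library falls back to in that case is not modelled.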