[Samba] ADS and Winbind ... Can't access with Samba host name ...
Fernando Ruza
fernandor at sescam.jccm.es
Fri Dec 19 13:45:42 GMT 2003
Same problem, same error log messages. I'm using Samba 3.0.1rc2 with
Kerberos 1.3.1. All of the following is working:
wbinfo -u, wbinfo -g, getent passwd, getent group
wbinfo -I ip_address, wbinfo -N netbios_name
smbclient //Server/share -k
net lookup dc
net lookup kdc -> No output, and echo $? gives me: 255
Connecting from Win2k/XP clients to a Samba share (share with valid user
option in smb.conf) using the NetBIOS name doesn't work; using the IP
address works.
When I use the IP address it uses NTLM authentication, which is why it
works; however, when I use the NetBIOS name it uses Kerberos, and that's
what doesn't work. I think something is wrong in the configuration of
Kerberos. My krb5.conf file is:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = HGUV.LOCAL
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 clockskew = 600
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1
 forwardable = true
 proxiable = true

[realms]
 HGUV.LOCAL = {
  kdc = 10.36.192.24:88
  admin_server = 10.36.192.24:749
  default_domain = hguv.local
 }

[domain_realm]
 .hguv.local = HGUV.LOCAL
 hguv.local = HGUV.LOCAL

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

[login]
 krb4_convert = false
 krb4_get_tickets = false

Thanks for any reply.
Regards,
Fernando.
On Fri, 2003-12-19 at 05:50, Peter wrote:
> It appears there are a number of us with this exact same problem. I
> posted this same question a few days ago and have seen 2 or 3 others
> mention the same symptoms since then but have yet to see any specific
> solution.
>
> I assumed this would be an issue with WINS but I've tested WINS lookups
> from both Windows clients, Linux clients and Samba server and all seem
> to function properly.
>
> The fact that my net lookups all work fine is the only difference between
> our problems.
>
> [log.smbd]
>
> [2003/12/17 18:40:04, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> Failed to verify incoming ticket!
>
> [log.winbindd]
>
> [2003/12/17 18:39:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
> krb5_cc_get_principal failed (No credentials cache found)
>
>
> Would appreciate some direct answers to this problem regarding WINS host
> vs. IP address share mapping from Windows clients.
>
> Thanks,
>
> Peter
>
>
> ________________________________________________________________________
> > From: C.Lee Taylor <leet at leenx.co.za>
> > To: samba at lists.samba.org
> > Subject: [Samba] ADS and Winbind ... Can't access with Samba host name ...
> > Date: Thu, 18 Dec 2003 16:59:28 +0200
> >
> > Greetings ...
> >
> > It seems I have really got myself confused ...
> >
> > I have a Win2K3 ADS domain, I have two FedoraCore systems, one with
> > Samba 3.0.0 and the other with Samba 3.0.1. Both give me the same problem.
> >
> > If I try to access the Samba shares from Win2K3 using the host number,
> > I get prompted for a username and password, and no matter what I type
> > in, I can't get in.
> >
> > If I use the Samba server IP address, I am able to get into shares
> > without being prompted for user details, but Point'nPrint doesn't work, it
> > too requests user details.
> >
> > I do seem to be getting two errors in my logs ... First in smbd.log
> >
> > [2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
> > getpeername failed. Error was Transport endpoint is not connected
> > [2003/12/18 16:18:07, 0] lib/util_sock.c:get_peer_addr(948)
> > getpeername failed. Error was Transport endpoint is not connected
> >
> > And the other in the machine log with the IP address eg ...
> > 10.1.1.20.log
> > [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > Failed to verify incoming ticket!
> > [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > Failed to verify incoming ticket!
> >
> > But in the machine log with the hostname, I am getting normal
> > messages ...
> >
> > I have tried to make changes in /etc/krb5.conf, but I don't get any
> > further ...
> >
> > I have tried a few status checks with net, all hosts work fine ...
> >
> > [root at fd1-test-01 samba]# net lookup ldap
> > 10.1.1.16:389
> > 10.1.1.17:389
> >
> > [root at fd1-test-01 samba]# net lookup dc
> > 10.1.1.16
> > 10.1.1.17
> >
> > But net lookup kdc, master domain don't return anything, so I don't
> > know what else to look for ...
> >
> > Thanks
> > Mailed
> > Lee
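
Added example, not part of the original thread: a small Python triage script that parses Samba log entries of the form quoted above (a bracketed header line followed by its message) and counts the ones raised from Kerberos code paths. The sample log is constructed from the entries quoted in this thread, and the names parse_entries and kerberos_failures are this example's own.

```python
import re
from collections import Counter

# Header of a Samba 3 log entry: "[date time, level] source.c:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

# Constructed sample, assembled from the log entries quoted in this thread.
SAMPLE_LOG = """\
[2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
  getpeername failed. Error was Transport endpoint is not connected
[2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/12/17 18:39:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
"""

def parse_entries(text):
    """Yield one dict per log entry, joining the header with its message lines."""
    entry = None
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            if entry:
                yield entry
            entry = {**m.groupdict(), "msg": ""}
        elif entry and raw.strip():
            # Continuation line: append to the current entry's message.
            entry["msg"] = (entry["msg"] + " " + raw.strip()).strip()
    if entry:
        yield entry

def kerberos_failures(text):
    """Count entries logged by Kerberos code paths, keyed by (function, message)."""
    hits = Counter()
    for e in parse_entries(text):
        if re.search(r"krb5|kerberos", f"{e['file']} {e['func']}", re.I):
            hits[(e["func"], e["msg"])] += 1
    return hits

if __name__ == "__main__":
    for (func, msg), n in kerberos_failures(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {func}: {msg}")
```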