[Samba] ADS and Winbind ... Can't access with Samba host name ...
C.Lee Taylor
leet at leenx.co.za
Fri Dec 19 13:00:01 GMT 2003
Greetings ...
Sorry for the long post, but I prefer to keep a copy of what I think
is needed for this thread ...
As requested, here are my smb.conf ... I have left in my comments to
show what I have been changing and see if it makes a difference ... plus
some shares ( not all that I use ) ...
# Global parameters
[global]
workgroup = TEST-ZA
realm = TEST-ZA.CORP
security = ads
# netbios aliases = nasrec
server string = Samba Server %v %h
interfaces = eth0*,lo
bind interfaces only = Yes
# encrypt passwords = Yes
# update encrypted = Yes
# min passwd length = 4
# pam password change = Yes
# passwd program = /usr/bin/passwd %u
# passwd chat debug = Yes
# unix password sync = Yes
# username map = /etc/samba/smbusers
# admin users = administrator, TEST-ZA\administrator
log file = /var/log/samba/%m.log
max log size = 150
time server = Yes
unix extensions = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = login.bat
logon drive = l:
domain logons = no
# lm announce = yes
preferred master = no
domain master = no
# dns proxy = yes
# wins support = yes
# wins server = *
# wins server = naszadc01.test-za.corp, naszadc02.test-za.corp
wins server = 10.1.1.16, 10.1.1.17
utmp = Yes
message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
comment = Test Nasrec Linux Box
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
inherit permissions = Yes
map archive = No
# name resolve order = host, wins
# password server = *
password server = 10.1.1.16, 10.1.1.17
# ldap suffix = dc=test-za,dc=corp
# ldap idmap suffix = ou=idmap
# ldap admin dn = cn=root,dc=test-za,dc=corp
ldap suffix = dc=test,dc=co,dc=za
ldap admin dn = cn=Manager,dc=test,dc=co,dc=za
ldap idmap suffix = ou=idmap
# ldap ssl = start tls
ldap ssl = no
# ldap passwd sync = yes
# winbind separator = +
# idmap backend = ldap:ldap://localhost
idmap backend = ldap:ldap://zeus.test.co.za
idmap uid = 10000-20000
idmap gid = 10000-20000
# client schannel = no
# server schannel = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
# winbind trusted domains only = yes
# template shell = /sbin/nologin
# template shell = /bin/bash
# template homedir = /home/%D/%U
template homedir = /home/TEST-ZA/%U
load printers = yes
printing = cups
printcap = cups
# log level = 1
# guest account = NULL
restrict anonymous = yes
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
public = yes
writable = no
write list = root, Administrator, TEST-ZA\Administrator
printer admin = root, Administrator, TEST-ZA\Administrator
vfs object = extd_audit
[print$]
comment = Printer Driver Download Area
path = /home/services/smb/printers/drivers
browseable = No
# browseable = yes
guest ok = Yes
# guest ok = no
# read only = yes
read only = no
# write list = @ntadmin, root, Administrator
write list = root, Administrator, TEST-ZA\Administrator
printer admin = root, Administrator, TEST-ZA\Administrator
vfs object = extd_audit
[netlogon]
comment = Network Logon share
path = /home/services/smb/netlogon
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
guest ok = Yes
#[profiles]
# path = /etc/samba/profiles
# read only = No
# create mask = 0600
# directory mask = 0700
# browseable = No
# csc policy = disable
[homes]
comment = Home Directory for %u and %D\%S
read only = No
# valid users = %D\%S, %S
create mask = 0600
force create mode = 0600
directory mask = 0700
force directory mode = 0700
profile acls = yes
veto files = /Maildir/ /.recycle/
browseable = No
vfs object = recycle
vfs_recycle_bin:noversions = *.doc|*.xls|*.ppt
vfs_recycle_bin:exclude_dir = /tmp|/temp|/cache|/profile
vfs_recycle_bin:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.lnk
vfs_recycle_bin:maxsize = 0
vfs_recycle_bin:touch = yes
vfs_recycle_bin:versions = no
vfs_recycle_bin:keeptree = yes
vfs_recycle_bin:repository = .recycle/%U
[public]
comment = Public Stuff
path = /home/services/smb/public
read only = No
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
guest ok = Yes
oplocks = No
level2 oplocks = No
veto files = /.recycle/
vfs object = extd_audit recycle
vfs_recycle_bin:noversions = *.doc|*.xls|*.ppt
vfs_recycle_bin:exclude_dir = /tmp|/temp|/cache
vfs_recycle_bin:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.lnk
vfs_recycle_bin:maxsize = 0
vfs_recycle_bin:touch = yes
vfs_recycle_bin:versions = no
vfs_recycle_bin:keeptree = yes
vfs_recycle_bin:repository = .recycle
As requested my krb5.conf ...
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = TEST-ZA.CORP
# dns_lookup_realm = true
# dns_lookup_kdc = true
# default_tgs_enctypes = des-cbc-md5 des-cbc-crc
# default_tkt_enctypes = des-cbc-md5 des-cbc-crc
# permitted_enctypes = des-cbc-md5 des-cbc-crc
# kdc_req_checksum_type = 2
# checksum_type = 2
# ccache_type = 1
# forwardable = true
# proxiable = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
# default_domain = example.com
}
SCANIA-ZA.CORP = {
kdc = 10.1.1.16
# kdc = naszadc01.test-za.corp
# kdc = naszadc02.test-za.corp
# default_domain = test-za.corp
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.test-za.corp = TEST-ZA.CORP
test-za.corp = TEST-ZA.CORP
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
I hope this helps ..
Mailed
Lee
P.S. Remember this works with Samba 3.0.0 and not Samba 3.0.1 ...
>I'd like to have a copy of your smb.conf and krb5.conf files. I have had
>the same problem like you for weeks and still without success.
>
>> Okay, first I thought that maybe this was a problem with Samba3, but I
>>know that I have been able to use this, so I tried on both Samba 3.0.0
>>(FC1 rpms ) and Samba 3.0.1 ( compiled on FC1 by myself rpms ) ...
>>
>> At first I had no joy with either, so I thought that maybe I had
>>done something wrong ( blush! ) ... So, I went back to basics ... I
>>found that if I removed all the funky options in /etc/krb5.conf and used
>>Samba 3.0.0, all seems to work fine ( except for known bugs in 3.0.0,
>>understandable ) ... I then upgraded to Samba 3.0.1, and I could not
>>access the Samba server again using its hostname ...
>>
>> So now I have two servers for test, both with FC1 and all the
>>updates, one with Samba 3.0.0 ( FC1 rpms ) and the other with Samba
>>3.0.1 ( self-made rpms ).
>>
>>>| I have a Win2K3 ADS domain, I have two FedoraCore systems, one with
>>>| Samba 3.0.0 and the other with Samba 3.0.1. Both give me the same
>>>problem.
>>>|
>>>| If I try to access the Samba shares from Win2K3 using the host
>>>number, I
>>>| get prompted for a username and password, and no matter what I type in,
>>>| I can't get in.
>>>|
>>>| If I use the Samba server IP address, I am able to get into shares
>>>| without being prompted for user details, but Point'nPrint doesn't work; it
>>>| too requests user details.
>>>|
>>>| I do seem to be getting two errors in my logs ... First in smbd.log
>>>|
>>>| [2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
>>>| getpeername failed. Error was Transport endpoint is not connected
>>>| [2003/12/18 16:18:07, 0] lib/util_sock.c:get_peer_addr(948)
>>>| getpeername failed. Error was Transport endpoint is not connected
>>>|
>>>| And the other in the machine log with the IP address eg ...
>>>| 10.1.1.20.log
>>>| [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>>>| Failed to verify incoming ticket!
>>>| [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>>>| Failed to verify incoming ticket!
>>>|
>>>| But in the machine log with the hostname, I am getting normal
>>>| messages ...
>>>|
>>>| I have tried to make changes in /etc/krb5.conf, but I don't get any
>>>| further ...
>>>|
>>>| I have tried a few status checks with net, all hosts work fine ...
>>>|
>>>| [root at fd1-test-01 samba]# net lookup ldap
>>>| 10.1.1.16:389
>>>| 10.1.1.17:389
>>>|
>>>| [root at fd1-test-01 samba]# net lookup dc
>>>| 10.1.1.16
>>>| 10.1.1.17
>>>|
>>>| But net lookup kdc, master domain don't return anything, so I don't
>>>| know what else to look for ...
>>>
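When a Samba ADS member accepts connections by IP address but logs "Failed to verify incoming ticket" for connections by host name, the first thing worth ruling out is a mismatch between the realm smb.conf uses and what krb5.conf defines. The script below is an added example, not code from this thread or from the Samba project: it parses both files (comments, sections, and the brace-delimited blocks of krb5.conf) and cross-checks the realm, default_realm, the [domain_realm] map, and the KDC hosts against "password server". The embedded inputs are constructed from the posted configs; note that the posted krb5.conf names its [realms] block SCANIA-ZA.CORP while smb.conf and [domain_realm] use TEST-ZA.CORP, and the sample keeps that so the checker has something to report. The function names and the check list are my own choices, not anything Samba ships.

```python
"""Cross-check the ADS settings of an smb.conf against a krb5.conf.

Added example (not from the thread). Inputs below are constructed from the
configs posted in the thread; hostnames and addresses are kept as posted.
"""

# Constructed sample: trimmed from the posted smb.conf.
SMB_CONF = """\
[global]
   workgroup = TEST-ZA
   realm = TEST-ZA.CORP
   security = ads
   # password server = *
   password server = 10.1.1.16, 10.1.1.17
"""

# Constructed sample: trimmed from the posted krb5.conf, including the
# [realms] block whose name differs from the realm used by smb.conf.
KRB5_CONF = """\
[libdefaults]
 default_realm = TEST-ZA.CORP
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
 }
 SCANIA-ZA.CORP = {
  kdc = 10.1.1.16
  # kdc = naszadc01.test-za.corp
 }
[domain_realm]
 .test-za.corp = TEST-ZA.CORP
 test-za.corp = TEST-ZA.CORP
"""


def _strip_comment(line):
    """Return the line without surrounding whitespace, or '' for blank/comment lines."""
    line = line.strip()
    if not line or line[0] in "#;":
        return ""
    return line


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; keys lowercased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}.

    Inside a 'name = { ... }' block (e.g. a realm) repeated keys such as kdc
    are collected into a list under that block's name.
    """
    sections, current, block = {}, None, None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            block = None
        elif line == "}":
            block = None
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                block = key
                sections[current][block] = {}
            elif block is not None:
                sections[current][block].setdefault(key, []).append(value)
            else:
                sections[current][key] = value
    return sections


def check_ads_config(smb_text, krb5_text):
    """Return a list of findings (empty list means the two files agree)."""
    smb = parse_smb_conf(smb_text).get("global", {})
    krb = parse_krb5_conf(krb5_text)
    findings = []
    if smb.get("security", "").lower() != "ads":
        return ["security is not 'ads'; Kerberos cross-checks do not apply"]
    realm = smb.get("realm", "").upper()
    if not realm:
        return ["security = ads but smb.conf sets no realm"]
    realms = krb.get("realms", {})
    if realm not in realms:
        findings.append("realm %s is not defined in krb5.conf [realms] (defined: %s)"
                        % (realm, ", ".join(sorted(realms)) or "none"))
    default_realm = krb.get("libdefaults", {}).get("default_realm", "").upper()
    if default_realm != realm:
        findings.append("default_realm %s differs from smb.conf realm %s"
                        % (default_realm or "(unset)", realm))
    domain_realm = krb.get("domain_realm", {})
    if domain_realm and realm not in {v.upper() for v in domain_realm.values()}:
        findings.append("no [domain_realm] entry maps to %s" % realm)
    # Only compare KDCs with 'password server' when both are explicit lists.
    kdcs = {k.split(":")[0] for k in realms.get(realm, {}).get("kdc", [])}
    pw = {s.strip() for s in smb.get("password server", "").split(",")
          if s.strip() and s.strip() != "*"}
    if kdcs and pw and not (kdcs & pw):
        findings.append("password server %s shares no host with krb5 kdc list %s"
                        % (sorted(pw), sorted(kdcs)))
    return findings


if __name__ == "__main__":
    for finding in check_ads_config(SMB_CONF, KRB5_CONF) or ["no inconsistencies found"]:
        print(finding)
```

Run against the constructed sample it reports that TEST-ZA.CORP has no [realms] block; renaming that block makes the check pass, because the posted "password server" list then overlaps the realm's kdc entries. It is a static consistency check only: a matching realm does not prove the host's SPN, keytab, or clock are right, so it narrows the search rather than ending it.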