FW: [Samba] Cannot access shares from a Win2k client

Tim Jordan timothy_jordan at labor.state.ak.us
Fri Dec 19 23:43:07 GMT 2003 


This is keeping you from seeing DOMAIN\username:
> winbind use default domain = yes
Personally I like this option especially when you have large domains
with trust relationships.

You also may want to look at putting "client use spnego = yes" into your
smb.conf since your using W2k3.

Can you get a valid kerberoes ticket from kinit?

What does your klist -e look like?

Several of us are trying to nail out similiar errors.  I have this
working correctly on a Mandrake 9.2 server using Samba3.0.pre1.....but
it's not working on my Gentoo box running Samba3.0.1

Look for my post and maybe compare notes...

Tim




On Fri, 2003-12-19 at 23:22, Brian Spiegel wrote:
> Here's a followup.  I also get these errors in the smbd logs.  The thing is,
> the share directory has full permissions (0777) and the smb.conf is set to
> be fully readable, writeable and okay for guests.
> 
> [2003/12/19 15:21:23, 0] smbd/service.c:make_connection_snum(677)
>   '/home/bspiegel/test/' does not exist or is not a directory, when
> connecting to [test]
> [2003/12/19 15:21:23, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2003/12/19 15:21:23, 3] smbd/connection.c:yield_connection(69)
>   Yielding connection to test
> [2003/12/19 15:21:23, 3] smbd/error.c:error_packet(94)
>   error string = Permission denied
> [2003/12/19 15:21:23, 3] smbd/error.c:error_packet(118)
>   error packet at smbd/reply.c(286) cmd=117 (SMBtconX)
> NT_STATUS_BAD_NETWORK_NAME
> 
> 
> -----Original Message-----
> From: Brian Spiegel [mailto:BSpiegel at Matchnet.com] 
> Sent: Friday, December 19, 2003 2:53 PM
> To: 'samba at lists.samba.org'
> Subject: [Samba] Cannot access shares from a Win2k client
> 
> Hey all.
> 
> I'm running Samba 3.0.1 as a domain member in a Win2k3 ADS domain.  I'm
> attempting to view shares on the samba server via a Win2000 client.
> 
> I've been getting the following messages from the smbd logs and I'm
> wondering why.  I can connect to the Samba server (using the IP only) to
> view which shares are available, but when I double click the share to access
> it, I get a "network name cannot be found" on the share.
> 
> >From smbd log:
> [2003/12/19 14:25:08, 3] libads/kerberos_verify.c:setup_keytab(147)
>   unable to create MEMORY: keytab (Unknown Key table type)
> [2003/12/19 14:25:08, 3] libads/kerberos_verify.c:ads_verify_ticket(280)
>   ads_verify_ticket: unable to setup keytab
> [2003/12/19 14:25:08, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!
> 
> Can anyone shed some light on what this might be caused by?
> 
> Also, I'm running winbind for UNIX/Windows user/group mapping.  The 'wbinfo
> -u' command works, but it spits out only the user names rather than
> DOMAIN\username.  Since usernames aren't unique across our OSes, 'getent
> passwd' results in duplicate entries.  Groups are not prefixed by their
> domain either.  Anyone have this problem?
> 
> Below are my configs:
> 
> smb.conf
> --
> [global]
> ; smbd settings
>     log level = 3
>     log file = /var/log/samba/log.%m
>     server string = %U [Samba Server %v]
> ; Active Directory settings
> ;    dns proxy = yes
>     workgroup = FOO
>     security = ADS
>     realm = FOO.COM
>     local master = no
>     domain master = no
>     preferred master = no
>     os level = 0
> ; winbind stuff
>     winbind separator = +
>     winbind enum users = yes
>     idmap uid = 10000-20000
>     winbind enum groups = yes
>     idmap gid = 10000-20000
>     winbind use default domain = yes
>     password server = dc.foo.com
>     encrypt passwords = yes
> 
> [test]
>     comment = Samba functionality test directory
>     path = /home/user/test/
>     read only = no
>     browsable = yes
>     writable = yes
>     guest ok = yes
> 
> 
> krb5.conf
> --
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = FOO.COM
>  default_tgs_enctypes = des-cbc-crc des-cbc-md5 
>  default_tkt_enctypes = des-cbc-crc des-cbc-md5 
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
> 
> [realms]
>   FOO.COM = {
>   kdc = dc.foo.com:88
>   admin_server = dc.foo.com:749
>   default_domain = foo.com
>  }
> 
> [domain_realm]
>  .foo.com = FOO.COM
>  foo.com = FOO.COM
> 
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> 
>  nsswitch.conf
>  --
>  ...
>  passwd:     files winbind
>  shadow:     files
>  group:      files winbind
>  host:       files dns winbind
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list