[Samba] ADS and Winbind ... Can't access with Samba host name ...
Fernando Ruza
fernandor at sescam.jccm.es
Tue Dec 23 11:19:23 GMT 2003
Still with the problem. I have tested with version 3.0.0 and, right,
I can see the shares; however, I cannot connect to the home shares or to shares
with the valid users option in smb.conf. Besides, this version cannot
substitute the %D %u %U %S variables correctly. I have written them in
the comment option of a share and I can see that the values are not
correct: %D gives me the Samba hostname, %S gives me "IPC_".
Trying with version 3.0.1, I cannot see any shares.
Trying with version 3.0.1rc2, it's the same as 3.0.0, but it seems
that some variables are correct, like %u, but %U is empty. I don't know; it is
very strange. It worked once with this version after I changed the
password for the Administrator of my PDC/KDC and for the user I use to test
the shares; however, on the next reboot of the WinXP client machine it
doesn't work any more.
I think that making Samba 3 a member of AD is not working properly.
Has anyone got it working? Could someone make a howto?
Thanks in advance,
Fernando.
On Fri, 2003-12-19 at 14:00, C.Lee Taylor wrote:
> Greetings ...
>
> Sorry for the long post, but I prefer to keep a copy of what I think
> is needed for this thread ...
>
> As requested, here is my smb.conf ... I have left in my comments to
> show what I have been changing and see if it makes a difference ... plus
> some shares ( not all that I use ) ...
>
> # Global parameters
> [global]
>     workgroup = TEST-ZA
>     realm = TEST-ZA.CORP
>     security = ads
>     # netbios aliases = nasrec
>     server string = Samba Server %v %h
>     interfaces = eth0*,lo
>     bind interfaces only = Yes
>     # encrypt passwords = Yes
>     # update encrypted = Yes
>     # min passwd length = 4
>     # pam password change = Yes
>     # passwd program = /usr/bin/passwd %u
>     # passwd chat debug = Yes
>     # unix password sync = Yes
>     # username map = /etc/samba/smbusers
>     # admin users = administrator, TEST-ZA\administrator
>     log file = /var/log/samba/%m.log
>     max log size = 150
>     time server = Yes
>     unix extensions = Yes
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     logon script = login.bat
>     logon drive = l:
>     domain logons = no
>     # lm announce = yes
>     preferred master = no
>     domain master = no
>     # dns proxy = yes
>     # wins support = yes
>     # wins server = *
>     # wins server = naszadc01.test-za.corp, naszadc02.test-za.corp
>     wins server = 10.1.1.16, 10.1.1.17
>     utmp = Yes
>     # %f (sender) and %s (spool file) are substituted into this /bin/sh
>     # command line without quoting
>     message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
>     comment = Test Nasrec Linux Box
>     create mask = 0660
>     force create mode = 0660
>     directory mask = 0770
>     force directory mode = 0770
>     inherit permissions = Yes
>     map archive = No
>
>     # name resolve order = host, wins
>     # password server = *
>     password server = 10.1.1.16, 10.1.1.17
>
>     # ldap suffix = dc=test-za,dc=corp
>     # ldap idmap suffix = ou=idmap
>     # ldap admin dn = cn=root,dc=test-za,dc=corp
>     ldap suffix = dc=test,dc=co,dc=za
>     ldap admin dn = cn=Manager,dc=test,dc=co,dc=za
>     ldap idmap suffix = ou=idmap
>     # ldap ssl = start tls
>     ldap ssl = no
>     # ldap passwd sync = yes
>
>     # winbind separator = +
>     # idmap backend = ldap:ldap://localhost
>     idmap backend = ldap:ldap://zeus.test.co.za
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>
>     # client schannel = no
>     # server schannel = no
>
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
>     # winbind trusted domains only = yes
>
>     # template shell = /sbin/nologin
>     # template shell = /bin/bash
>     # template homedir = /home/%D/%U
>     template homedir = /home/TEST-ZA/%U
>
>     load printers = yes
>     printing = cups
>     printcap = cups
>
>     # log level = 1
>
>     # guest account = NULL
>     restrict anonymous = yes
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     guest ok = Yes
>     printable = Yes
>     browseable = No
>     public = yes
>     writable = no
>     write list = root, Administrator, TEST-ZA\Administrator
>     printer admin = root, Administrator, TEST-ZA\Administrator
>     vfs object = extd_audit
>
> [print$]
>     comment = Printer Driver Download Area
>     path = /home/services/smb/printers/drivers
>     browseable = No
>     # browseable = yes
>     guest ok = Yes
>     # guest ok = no
>     # read only = yes
>     read only = no
>     # write list = @ntadmin, root, Administrator
>     write list = root, Administrator, TEST-ZA\Administrator
>     printer admin = root, Administrator, TEST-ZA\Administrator
>     vfs object = extd_audit
>
> [netlogon]
>     comment = Network Logon share
>     path = /home/services/smb/netlogon
>     create mask = 0664
>     force create mode = 0664
>     directory mask = 0775
>     force directory mode = 0775
>     guest ok = Yes
>
> #[profiles]
> #    path = /etc/samba/profiles
> #    read only = No
> #    create mask = 0600
> #    directory mask = 0700
> #    browseable = No
> #    csc policy = disable
>
> [homes]
>     comment = Home Directory for %u and %D\%S
>     read only = No
>     # valid users = %D\%S, %S
>     create mask = 0600
>     force create mode = 0600
>     directory mask = 0700
>     force directory mode = 0700
>     profile acls = yes
>     veto files = /Maildir/ /.recycle/
>     browseable = No
>     vfs object = recycle
>     vfs_recycle_bin:noversions = *.doc|*.xls|*.ppt
>     vfs_recycle_bin:exclude_dir = /tmp|/temp|/cache|/profile
>     vfs_recycle_bin:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.lnk
>     vfs_recycle_bin:maxsize = 0
>     vfs_recycle_bin:touch = yes
>     vfs_recycle_bin:versions = no
>     vfs_recycle_bin:keeptree = yes
>     vfs_recycle_bin:repository = .recycle/%U
>
> [public]
>     comment = Public Stuff
>     path = /home/services/smb/public
>     read only = No
>     create mask = 0664
>     force create mode = 0664
>     directory mask = 0775
>     force directory mode = 0775
>     guest ok = Yes
>     oplocks = No
>     level2 oplocks = No
>     veto files = /.recycle/
>     vfs object = extd_audit recycle
>     vfs_recycle_bin:noversions = *.doc|*.xls|*.ppt
>     vfs_recycle_bin:exclude_dir = /tmp|/temp|/cache
>     vfs_recycle_bin:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.lnk
>     vfs_recycle_bin:maxsize = 0
>     vfs_recycle_bin:touch = yes
>     vfs_recycle_bin:versions = no
>     vfs_recycle_bin:keeptree = yes
>     vfs_recycle_bin:repository = .recycle
>
> As requested my krb5.conf ...
>
> [logging]
>     default = FILE:/var/log/krb5libs.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>     ticket_lifetime = 24000
>     default_realm = TEST-ZA.CORP
>     # dns_lookup_realm = true
>     # dns_lookup_kdc = true
>     # default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>     # default_tkt_enctypes = des-cbc-md5 des-cbc-crc
>     # permitted_enctypes = des-cbc-md5 des-cbc-crc
>     # kdc_req_checksum_type = 2
>     # checksum_type = 2
>     # ccache_type = 1
>     # forwardable = true
>     # proxiable = true
>
> [realms]
>     EXAMPLE.COM = {
>         kdc = kerberos.example.com:88
>         admin_server = kerberos.example.com:749
>         # default_domain = example.com
>     }
>
>     SCANIA-ZA.CORP = {
>         kdc = 10.1.1.16
>         # kdc = naszadc01.test-za.corp
>         # kdc = naszadc02.test-za.corp
>
>         # default_domain = test-za.corp
>     }
>
> [domain_realm]
>     .example.com = EXAMPLE.COM
>     example.com = EXAMPLE.COM
>     .test-za.corp = TEST-ZA.CORP
>     test-za.corp = TEST-ZA.CORP
>
> [kdc]
>     profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>     pam = {
>         debug = true
>         ticket_lifetime = 36000
>         renew_lifetime = 36000
>         forwardable = true
>         krb4_convert = false
>     }
>
> I hope this helps ..
>
> Mailed
> Lee
>
> P.S. Remember this works with Samba 3.0.0 and not Samba 3.0.1 ...
>
> >I'd like to have a copy of your smb.conf and krb5.conf files. I have had
> >the same problem like you for weeks and still without success.
> >
> >>> Okay, first I thought that maybe this was a problem with Samba3, but I
> >>know that I have been able to use this, so I tried on both Samba 3.0.0
> >>(FC1 rpms ) and Samba 3.0.1 ( compiled on FC1 by myself as rpms ) ...
> >>
> >>> At first I had no joy with either, so I thought that maybe I had
> >>done something wrong ( blush! ) ... So, I went back to basics ... I
> >>found that if I removed all the funky options in /etc/krb5.conf and used
> >>Samba 3.0.0, all seems to work fine ( except for known bugs in 3.0.0,
> >>understandable ) ... I then upgraded to Samba 3.0.1, and I could not
> >>access the Samba server again using its hostname ...
> >>
> >>> So now I have two servers for test, both with FC1 and all the
> >>updates, one with Samba 3.0.0 ( FC1 rpms ) and the other with Samba
> >>3.0.1 ( self-made rpms ).
> >>
> >>>| I have a Win2K3 ADS domain, I have two FedoraCore systems, one with
> >>>| Samba 3.0.0 and the other with Samba 3.0.1. Both give me the same
> >>>problem.
> >>>|
> >>>| If I try to access the Samba shares from Win2K3 using the host
> >>>name, I
> >>>| get prompted for a username and password, and no matter what I type in,
> >>>| I can't get in.
> >>>|
> >>>| If I use the Samba server IP address, I am able to get into shares
> >>>| without being prompted for user details, but Point'nPrint doesn't work; it
> >>>| too requests user details.
> >>>|
> >>>| I do seem to be getting two errors in my logs ... First in smbd.log
> >>>|
> >>>| [2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
> >>>| getpeername failed. Error was Transport endpoint is not connected
> >>>| [2003/12/18 16:18:07, 0] lib/util_sock.c:get_peer_addr(948)
> >>>| getpeername failed. Error was Transport endpoint is not connected
> >>>|
> >>>| And the other in the machine log with the IP address eg ...
> >>>| 10.1.1.20.log
> >>>| [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> >>>| Failed to verify incoming ticket!
> >>>| [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> >>>| Failed to verify incoming ticket!
> >>>|
> >>>| But in the machine log with the hostname, I am getting normal
> >>>| messages ...
> >>>|
> >>>| I have tried to make changes in /etc/krb5.conf, but I don't get any
> >>>| further ...
> >>>|
> >>>| I have tried a few status checks with net, all hosts work fine ...
> >>>|
> >>>| [root@fd1-test-01 samba]# net lookup ldap
> >>>| 10.1.1.16:389
> >>>| 10.1.1.17:389
> >>>|
> >>>| [root@fd1-test-01 samba]# net lookup dc
> >>>| 10.1.1.16
> >>>| 10.1.1.17
> >>>|
> >>>| But net lookup kdc, master domain don't return anything, so I don't
> >>>| know what else to look for ...
> >>>
>
>
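The two files quoted above disagree in one place that can be checked on the page itself: smb.conf says realm = TEST-ZA.CORP, and krb5.conf's [libdefaults] and [domain_realm] say TEST-ZA.CORP, but the only [realms] block carrying the 10.1.1.16 KDC is named SCANIA-ZA.CORP, and dns_lookup_kdc is commented out. The Python below is an added example for this thread, not code from it or from the Samba project: it parses both files with small hand-written parsers and reports that kind of mismatch. The sample texts embedded in it are constructed from the quoted configs and trimmed; the parsers only handle the syntax seen there (no include directives, no multi-line values).

```python
"""Cross-check the Kerberos realm wiring between smb.conf and krb5.conf.
Added example for this thread, not code from it or from the Samba project."""
import re


def parse_smb_conf(text):
    """smb.conf -> {section: {key: value}}; '#' and ';' start comment lines."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif section is not None and "=" in line:
            key, _, val = line.partition("=")
            section[key.strip().lower()] = val.strip()
    return conf


def parse_krb5_conf(text):
    """krb5.conf -> {section: {...}}.  'NAME = { ... }' blocks (as in [realms])
    become nested dicts; a key repeated in one scope becomes a list."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # '#' comments out the rest of the line
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1].lower(), {})]
        elif not stack:
            continue                            # text before any section header
        elif line == "}":
            stack.pop()
        else:
            key, _, val = line.partition("=")
            key, val, scope = key.strip(), val.strip(), stack[-1]
            if val == "{":
                stack.append(scope.setdefault(key, {}))
            elif key in scope:
                old = scope[key] if isinstance(scope[key], list) else [scope[key]]
                scope[key] = old + [val]
            else:
                scope[key] = val
    return root


def check_ads_realm(smb_text, krb5_text):
    """Return a list of findings; an empty list means the two files agree."""
    glob = parse_smb_conf(smb_text).get("global", {})
    krb = parse_krb5_conf(krb5_text)
    libdefaults = krb.get("libdefaults", {})
    findings = []

    realm = glob.get("realm", "")
    if not realm:
        return ["smb.conf: 'realm' is not set in [global]"]

    default_realm = str(libdefaults.get("default_realm", ""))
    if default_realm.upper() != realm.upper():
        findings.append(f"krb5.conf: default_realm '{default_realm}' != smb.conf realm '{realm}'")

    # Without a [realms] block for the realm, MIT can only find a KDC through
    # DNS SRV records, and only when dns_lookup_kdc is switched on.
    realms = krb.get("realms", {})
    block = next((v for k, v in realms.items() if k.upper() == realm.upper()), None)
    dns_kdc = str(libdefaults.get("dns_lookup_kdc", "")).lower() in ("true", "yes", "1")
    if block is None and not dns_kdc:
        findings.append(f"krb5.conf: [realms] has no entry for {realm} "
                        f"(found: {', '.join(realms) or 'none'}) and dns_lookup_kdc is not enabled")
    elif isinstance(block, dict) and "kdc" not in block and not dns_kdc:
        findings.append(f"krb5.conf: [realms] entry for {realm} has no 'kdc =' line")

    # [domain_realm] tells this host which realm its own DNS domain belongs to
    # (used by kinit / net ads join); it should point at the same realm.
    wanted = realm.lower()
    mapped = any(k.lower().lstrip(".") == wanted
                 and realm.upper() in [x.upper() for x in (v if isinstance(v, list) else [v])]
                 for k, v in krb.get("domain_realm", {}).items())
    if not mapped:
        findings.append(f"krb5.conf: [domain_realm] does not map {wanted} to {realm}")
    return findings


# Constructed samples, cut down from the configs quoted in the thread.
SMB_CONF = """
[global]
   workgroup = TEST-ZA
   realm = TEST-ZA.CORP
   security = ads
"""

KRB5_AS_POSTED = """
[libdefaults]
 default_realm = TEST-ZA.CORP
 # dns_lookup_kdc = true
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
 }
 SCANIA-ZA.CORP = {
  kdc = 10.1.1.16
 }
[domain_realm]
 .test-za.corp = TEST-ZA.CORP
 test-za.corp = TEST-ZA.CORP
"""

# The same file with the realm block renamed to match everything else.
KRB5_FIXED = KRB5_AS_POSTED.replace("SCANIA-ZA.CORP", "TEST-ZA.CORP")

if __name__ == "__main__":
    for label, krb5 in (("as posted", KRB5_AS_POSTED), ("fixed", KRB5_FIXED)):
        print(label + ":", check_ads_realm(SMB_CONF, krb5) or ["ok"])
```

Against real files: check_ads_realm(open('/etc/samba/smb.conf').read(), open('/etc/krb5.conf').read()). An empty list is a necessary condition, not a proof: clock skew between client, KDC and Samba host, a machine account password that no longer matches what the DC holds, and a missing service principal name are the other usual reasons for "Failed to verify incoming ticket", and none of them is visible in either file.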
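The log excerpts quoted further up follow the Samba 3 debug layout: a header line "[date time, level] file:function(line)" and the message on the following line, with log file = /var/log/samba/%m.log producing one file per client named after the client's NetBIOS name or IP address. The script below is an added example, not from this thread or from the Samba project, that parses that layout and separates the two messages seen in the quotes: "getpeername failed ... Transport endpoint is not connected", which smbd logs when a client opens a TCP connection and drops it before session setup (Windows clients do this routinely when they try ports 139 and 445 side by side), and "Failed to verify incoming ticket!" from reply_spnego_kerberos, which means a Kerberos ticket was actually presented and smbd could not verify it. The signature labels and the log file names are this example's own choices; the sample lines are constructed from the ones quoted in the thread.

```python
"""Triage smbd log files of the kind quoted in this thread.
Added example, not code from the thread or from the Samba project."""
import re
from collections import Counter

# Samba 3 debug header, e.g.
# "[2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +(?P<level>\d+)\] +"
    r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<srcline>\d+)\)$"
)


def parse_smbd_log(text):
    """Pair each header line with the message line that follows it.
    Returns a list of dicts; lines that fit neither role are dropped."""
    events, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            header["level"] = int(header["level"])
            header["srcline"] = int(header["srcline"])
        elif header is not None:
            header["msg"] = line
            events.append(header)
            header = None
    return events


# Message classes that matter when 'security = ads' logons fail.  The labels
# are this example's own (an assumption), not anything Samba emits.
SIGNATURES = (
    ("kerberos_verify_failed", "reply_spnego_kerberos", "Failed to verify incoming ticket"),
    ("client_dropped_connection", "get_peer_addr", "getpeername failed"),
)


def classify(event):
    for label, func, prefix in SIGNATURES:
        if event["func"] == func and event["msg"].startswith(prefix):
            return label
    return "other"


def triage(logs):
    """logs maps a log file name (one per client under 'log file = %m.log')
    to its text.  Returns ({log_name: Counter(label -> count)},
    sorted list of log names that saw Kerberos ticket verification failures)."""
    summary = {name: Counter(classify(e) for e in parse_smbd_log(text))
               for name, text in logs.items()}
    kerb_clients = sorted(n for n, c in summary.items() if c["kerberos_verify_failed"])
    return summary, kerb_clients


# Constructed sample input, assembled from the lines quoted in the thread.
SMBD_LOG = """
[2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
  getpeername failed. Error was Transport endpoint is not connected
[2003/12/18 16:18:07, 0] lib/util_sock.c:get_peer_addr(948)
  getpeername failed. Error was Transport endpoint is not connected
"""
CLIENT_LOG = """
[2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
"""

if __name__ == "__main__":
    summary, clients = triage({"smbd.log": SMBD_LOG, "10.1.1.20.log": CLIENT_LOG})
    for name, counts in summary.items():
        print(name, dict(counts))
    print("Kerberos ticket verification failing for:", clients)
```

The getpeername entries in smbd.log carry no client address and are noise for this problem; the per-client file is where the evidence is, and because it is named after the client (10.1.1.20.log above) it tells you which machine presented the unverifiable ticket, which is the log to raise the debug level on.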