[Samba] ADS and Winbind ... Can't access with Samba host name ...

Tim Jordan timothy_jordan at labor.state.ak.us
Tue Dec 23 16:53:14 GMT 2003


Fernando, hello again.

I would really like to help test your setup.  I do have it working under
RPMs that Buchan Milne packaged for Mandrake 9.2.  

I cannot get AD domain member working under Samba 3.0.1 compiled from
source.  I'm getting the same problems everyone else on the list is
complaining about...

Please provide your OS platform, ./configure options, design goals
etc...

I look forward to working with you,
Tim Jordan


On Tue, 2003-12-23 at 11:19, Fernando Ruza wrote:

> Still with the problem. I have tested with version 3.0.0 and, right,
> I can see the shares; however, I cannot connect to the home shares or shares
> with the valid users option in smb.conf. Besides, this version cannot
> substitute the %D %u %U %S variables correctly. I have written them in
> the comment option of a share and I can see that the values are not
> correct. %D gives me the Samba hostname, %S gives me "IPC_".
> 
> Trying with version 3.0.1, I cannot see any shares.
> 
> Trying with version 3.0.1rc2, it's the same as 3.0.0, but it seems
> that some variables are correct, like %u, but %U is empty. I don't know, it is
> very strange. It worked once with this version after I changed the
> password for the Administrator of my PDC/KDC and for the user I use to test
> the shares; however, on the next reboot of the WinXP client machine it
> already doesn't work again.
> 
> I think that making Samba 3 a member of AD is not working properly.
> Has anyone got it working? Could someone make a howto?
> 
> Thanks in advance,
> 
> Fernando.
> 
> 
> On Fri, 2003-12-19 at 14:00, C.Lee Taylor wrote:
> > Greetings ...
> >
> >     Sorry for the long post, but I prefer to keep a copy of what I think
> > is needed for this thread ...
> >
> >     As requested, here are my smb.conf ... I have left in my comments to
> > show what I have been changing and to see if it makes a difference ... plus
> > some shares ( not all that I use ) ...
> >
> > # Global parameters
> > [global]
> >         workgroup = TEST-ZA
> >         realm = TEST-ZA.CORP
> >         security = ads
> > #       netbios aliases = nasrec
> >         server string = Samba Server %v %h
> >         interfaces = eth0*,lo
> >         bind interfaces only = Yes
> > #       encrypt passwords = Yes
> > #       update encrypted = Yes
> > #       min passwd length = 4
> > #       pam password change = Yes
> > #       passwd program = /usr/bin/passwd %u
> > #       passwd chat debug = Yes
> > #       unix password sync = Yes
> > #       username map = /etc/samba/smbusers
> > #       admin users = administrator, TEST-ZA\administrator
> >         log file = /var/log/samba/%m.log
> >         max log size = 150
> >         time server = Yes
> >         unix extensions = Yes
> >         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >         logon script = login.bat
> >         logon drive = l:
> >         domain logons = no
> > #       lm announce = yes
> >         preferred master = no
> >         domain master = no
> > #       dns proxy = yes
> > #       wins support = yes
> > #       wins server = *
> > #       wins server = naszadc01.test-za.corp, naszadc02.test-za.corp
> >         wins server = 10.1.1.16, 10.1.1.17
> >         utmp = Yes
> >         message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
> >         comment = Test Nasrec Linux Box
> >         create mask = 0660
> >         force create mode = 0660
> >         directory mask = 0770
> >         force directory mode = 0770
> >         inherit permissions = Yes
> >         map archive = No
> >
> > #       name resolve order = host, wins
> > #       password server = *
> >         password server = 10.1.1.16, 10.1.1.17
> >
> > #       ldap suffix = dc=test-za,dc=corp
> > #       ldap idmap suffix = ou=idmap
> > #       ldap admin dn = cn=root,dc=test-za,dc=corp
> >         ldap suffix = dc=test,dc=co,dc=za
> >         ldap admin dn = cn=Manager,dc=test,dc=co,dc=za
> >         ldap idmap suffix = ou=idmap
> > #       ldap ssl = start tls
> >         ldap ssl = no
> > #       ldap passwd sync = yes
> >
> > #       winbind separator = +
> > #       idmap backend = ldap:ldap://localhost
> >         idmap backend = ldap:ldap://zeus.test.co.za
> >         idmap uid = 10000-20000
> >         idmap gid = 10000-20000
> >
> > #       client schannel = no
> > #       server schannel = no
> >
> >         winbind enum users = yes
> >         winbind enum groups = yes
> >         winbind use default domain = yes
> > #       winbind trusted domains only = yes
> >
> > #       template shell = /sbin/nologin
> > #       template shell = /bin/bash
> > #       template homedir = /home/%D/%U
> >         template homedir = /home/TEST-ZA/%U
> >
> >         load printers = yes
> >         printing = cups
> >         printcap = cups
> >
> > #       log level = 1
> >
> > #       guest account = NULL
> >         restrict anonymous = yes
> >
> > [printers]
> >         comment = All Printers
> >         path = /var/spool/samba
> >         guest ok = Yes
> >         printable = Yes
> >         browseable = No
> >         public = yes
> >         writable = no
> >         write list = root, Administrator, TEST-ZA\Administrator
> >         printer admin = root, Administrator, TEST-ZA\Administrator
> >         vfs object = extd_audit
> >
> > [print$]
> >         comment = Printer Driver Download Area
> >         path = /home/services/smb/printers/drivers
> >         browseable = No
> > #       browseable = yes
> >         guest ok = Yes
> > #       guest ok = no
> > #       read only = yes
> >         read only = no
> > #       write list = @ntadmin, root, Administrator
> >         write list = root, Administrator, TEST-ZA\Administrator
> >         printer admin = root, Administrator, TEST-ZA\Administrator
> >         vfs object = extd_audit
> >
> > [netlogon]
> >         comment = Network Logon share
> >         path = /home/services/smb/netlogon
> >         create mask = 0664
> >         force create mode = 0664
> >         directory mask = 0775
> >         force directory mode = 0775
> >         guest ok = Yes
> >
> > #[profiles]
> > #       path = /etc/samba/profiles
> > #       read only = No
> > #       create mask = 0600
> > #       directory mask = 0700
> > #       browseable = No
> > #       csc policy = disable
> >
> > [homes]
> >         comment = Home Directory for %u and %D\%S
> >         read only = No
> > #       valid users = %D\%S, %S
> >         create mask = 0600
> >         force create mode = 0600
> >         directory mask = 0700
> >         force directory mode = 0700
> >         profile acls = yes
> >         veto files = /Maildir/ /.recycle/
> >         browseable = No
> >         vfs object = recycle
> >         vfs_recycle_bin:noversions = *.doc|*.xls|*.ppt
> >         vfs_recycle_bin:exclude_dir = /tmp|/temp|/cache|/profile
> >         vfs_recycle_bin:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.lnk
> >         vfs_recycle_bin:maxsize = 0
> >         vfs_recycle_bin:touch = yes
> >         vfs_recycle_bin:versions = no
> >         vfs_recycle_bin:keeptree = yes
> >         vfs_recycle_bin:repository = .recycle/%U
> >
> > [public]
> >         comment = Public Stuff
> >         path = /home/services/smb/public
> >         read only = No
> >         create mask = 0664
> >         force create mode = 0664
> >         directory mask = 0775
> >         force directory mode = 0775
> >         guest ok = Yes
> >         oplocks = No
> >         level2 oplocks = No
> >         veto files = /.recycle/
> >         vfs object = extd_audit recycle
> >         vfs_recycle_bin:noversions = *.doc|*.xls|*.ppt
> >         vfs_recycle_bin:exclude_dir = /tmp|/temp|/cache
> >         vfs_recycle_bin:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.lnk
> >         vfs_recycle_bin:maxsize = 0
> >         vfs_recycle_bin:touch = yes
> >         vfs_recycle_bin:versions = no
> >         vfs_recycle_bin:keeptree = yes
> >         vfs_recycle_bin:repository = .recycle
> >
> >     As requested my krb5.conf ...
> >
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> >  ticket_lifetime = 24000
> >  default_realm = TEST-ZA.CORP
> > # dns_lookup_realm = true
> > # dns_lookup_kdc = true
> > # default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> > # default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > # permitted_enctypes = des-cbc-md5 des-cbc-crc
> > # kdc_req_checksum_type = 2
> > # checksum_type = 2
> > # ccache_type = 1
> > # forwardable = true
> > # proxiable = true
> >
> > [realms]
> >  EXAMPLE.COM = {
> >   kdc = kerberos.example.com:88
> >   admin_server = kerberos.example.com:749
> > #  default_domain = example.com
> >  }
> >
> >  SCANIA-ZA.CORP = {
> >      kdc = 10.1.1.16
> > #  kdc = naszadc01.test-za.corp
> > #  kdc = naszadc02.test-za.corp
> >
> > #  default_domain = test-za.corp
> >  }
> >
> > [domain_realm]
> >  .example.com = EXAMPLE.COM
> >  example.com = EXAMPLE.COM
> >  .test-za.corp = TEST-ZA.CORP
> >  test-za.corp = TEST-ZA.CORP
> >
> > [kdc]
> >  profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > [appdefaults]
> >  pam = {
> >    debug = true
> >    ticket_lifetime = 36000
> >    renew_lifetime = 36000
> >    forwardable = true
> >    krb4_convert = false
> >  }
> >
> >     I hope this helps ..
> >
> > Mailed
> > Lee
> >
> > P.S. Remember this works with Samba 3.0.0 and not Samba 3.0.1 ...
> >
> > >I'd like to have a copy of your smb.conf and krb5.conf files. I have had
> > >the same problem as you for weeks and still without success.
> > >
> > >>    Okay, first I thought that maybe this was a problem with Samba3, but I
> > >>know that I have been able to use this, so I tried on both Samba 3.0.0
> > >>(FC1 rpms ) and Samba 3.0.1 ( compiled on FC1 by myself, rpms ) ...
> > >>
> > >>    At first I had no joy with either, so I thought that maybe I had
> > >>done something wrong ( blush! ) ... So, I went back to basics ... I
> > >>found that if I removed all the funky options in /etc/krb5.conf and used
> > >>Samba 3.0.0, all seemed to work fine ( except for known bugs in 3.0.0,
> > >>understandable ) ... I then upgraded to Samba 3.0.1, and I could not
> > >>access the Samba server again using its hostname ...
> > >>
> > >>    So now I have two servers for test, both with FC1 and all the
> > >>updates, one with Samba 3.0.0 ( FC1 rpms ) and the other with Samba
> > >>3.0.1 ( self-made rpms ).
> > >>
> > >>>|    I have a Win2K3 ADS domain, I have two FedoraCore systems, one with
> > >>>| Samba 3.0.0 and the other with Samba 3.0.1.  Both give me the same
> > >>>| problem.
> > >>>|
> > >>>|    If I try to access the Samba shares from Win2K3 using the host
> > >>>| name, I get prompted for a username and password, and no matter what
> > >>>| I type in, I can't get in.
> > >>>|
> > >>>|    If I use the Samba server IP address, I am able to get into shares
> > >>>| without being prompted for user details, but Point'nPrint doesn't work;
> > >>>| it too requests user details.
> > >>>|
> > >>>|    I do seem to be getting two errors in my logs ... First in smbd.log
> > >>>|
> > >>>| [2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
> > >>>|  getpeername failed. Error was Transport endpoint is not connected
> > >>>| [2003/12/18 16:18:07, 0] lib/util_sock.c:get_peer_addr(948)
> > >>>|  getpeername failed. Error was Transport endpoint is not connected
> > >>>|
> > >>>|    And the other in the machine log with the IP address, eg ...
> > >>>|        10.1.1.20.log
> > >>>| [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > >>>|  Failed to verify incoming ticket!
> > >>>| [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > >>>|  Failed to verify incoming ticket!
> > >>>|
> > >>>|    But in the machine log with the hostname, I am getting normal
> > >>>| messages ...
> > >>>|
> > >>>|    I have tried to make changes in /etc/krb5.conf, but I don't get any
> > >>>| further ...
> > >>>|
> > >>>|    I have tried a few status checks with net; all hosts work fine ...
> > >>>|
> > >>>| [root at fd1-test-01 samba]# net lookup ldap
> > >>>| 10.1.1.16:389
> > >>>| 10.1.1.17:389
> > >>>|
> > >>>| [root at fd1-test-01 samba]# net lookup dc
> > >>>| 10.1.1.16
> > >>>| 10.1.1.17
> > >>>|
> > >>>|    But net lookup kdc and master domain don't return anything, so I don't
> > >>>| know what else to look for ...
> > >>>
> >
> >
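A note on the symptom in this thread, with an added example that is not part of any message above and not Samba project code. A Windows client of that era negotiates Kerberos only when it reaches the server by host name (it needs a name to build the cifs/host SPN); given an IP address it falls back to NTLM. So "works by IP address, prompts for credentials by host name, Failed to verify incoming ticket in the log" points at the Kerberos side of the member setup rather than at the shares. One thing worth checking mechanically is that smb.conf and krb5.conf agree with each other: in the krb5.conf posted above the default_realm and the [domain_realm] mappings say TEST-ZA.CORP, but the [realms] block that actually names a KDC is called SCANIA-ZA.CORP. The Python lint below, written for this thread, reads both files with small hand-written parsers (the real libraries accept more syntax than these do), and flags that kind of disagreement plus a few related ones: security not set to ads, a realm that is not upper case, default_realm differing from the smb.conf realm, a missing [domain_realm] mapping, and enctype lists that force DES only. The two sample configs are constructed to mirror the posted files; FIXED_KRB5 is the same file with the realm block renamed, and the check names and rules are this example's own, not Samba's.

```python
"""Consistency lint for a Samba ADS member's smb.conf and krb5.conf.
Added example for this thread, not Samba project code; the parsers
are deliberately small and the rules are this script's own."""
import re


def parse_smb_conf(text):
    """Return {section: {key: value}}; '#' and ';' start comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a 'NAME = { ... }' block becomes
    a nested dict of the same shape stored under NAME."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section, block = m.group(1).strip(), None
            conf.setdefault(section, {})
            continue
        if section is None:
            continue
        if line == "}":                            # end of a nested block
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                           # start of a nested block
            block = key
            conf[section].setdefault(block, {})
        else:
            target = conf[section][block] if block else conf[section]
            target.setdefault(key, []).append(value)
    return conf


def check_ads_member(smb_text, krb5_text):
    """Return a list of findings; an empty list means the files agree."""
    smb, krb = parse_smb_conf(smb_text), parse_krb5_conf(krb5_text)
    g, defaults = smb.get("global", {}), krb.get("libdefaults", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: 'security = ads' not set")
    realm = g.get("realm", "")
    if not realm:
        return findings + ["smb.conf: no 'realm' set"]
    if realm != realm.upper():
        findings.append(f"smb.conf: realm '{realm}' must be upper case")
    default_realm = defaults.get("default_realm", [""])[0]
    if default_realm != realm:
        findings.append(f"krb5.conf: default_realm '{default_realm}' != '{realm}'")
    realms = krb.get("realms", {})
    if not isinstance(realms.get(realm), dict):
        findings.append(f"krb5.conf: no [realms] block for '{realm}' "
                        f"(blocks present: {sorted(realms)})")
    domain_realm = krb.get("domain_realm", {})
    missing = [d for d in (realm.lower(), "." + realm.lower())
               if domain_realm.get(d, [""])[0] != realm]
    if missing:
        findings.append(f"krb5.conf: [domain_realm] does not map {missing} to '{realm}'")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for value in defaults.get(key, []):
            if all(t.startswith("des-") for t in value.split()):
                findings.append(f"krb5.conf: {key} = '{value}' allows only DES")
    return findings


# Constructed samples mirroring the thread's files: smb.conf joins
# TEST-ZA.CORP, but the [realms] block holding the KDC is named SCANIA-ZA.CORP.
SAMPLE_SMB = """[global]
        realm = TEST-ZA.CORP
        security = ads
"""
SAMPLE_KRB5 = """[libdefaults]
 default_realm = TEST-ZA.CORP
[realms]
 SCANIA-ZA.CORP = {
     kdc = 10.1.1.16
 }
[domain_realm]
 .test-za.corp = TEST-ZA.CORP
 test-za.corp = TEST-ZA.CORP
"""
# The same krb5.conf with the realm block renamed to match smb.conf.
FIXED_KRB5 = SAMPLE_KRB5.replace("SCANIA-ZA.CORP", "TEST-ZA.CORP")
```

Running check_ads_member(SAMPLE_SMB, SAMPLE_KRB5) reports exactly one finding, the missing [realms] block for TEST-ZA.CORP; the same call with FIXED_KRB5 reports nothing. A clean result from this lint does not prove the join works (the machine account password, the keytab, clock skew and DNS still have to be right), but a non-empty one is worth fixing before looking anywhere else.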

