[Samba] Problems accessing shares when authenticating to Win 2k3 AD
tvsjr
tvsjr at sprynet.com
Fri Oct 10 11:57:53 GMT 2003
I'm a bit of a newbie to Samba, and am having some trouble getting it
running with my Windows Server 2003 Active Directory. I've followed the
procedures in the HOWTO-Collection.pdf, with no luck.
"kinit administrator" works fine, and stores a ticket in the cache:
[root@firewall root]# klist -5
Default principal: administrator@HOME.EXAMPLE.COM
Valid starting     Expires            Service principal
10/10/03 06:39:19  10/10/03 16:39:19  krbtgt/HOME.EXAMPLE.COM@HOME.EXAMPLE.COM
[root@firewall root]#
Joining the domain works:
[root@firewall root]# net ads join
Using short domain name -- HOME
Joined 'FIREWALL' to realm 'HOME.EXAMPLE.COM'
[root@firewall root]#
If I switch to the Active Directory server, it shows firewall as a member
of the directory, with an OS of Samba 3.0.0, so there's no problem here.
However, trying to access a share on server01 fails:
[root@firewall root]# smbclient -k //server01/e$
[2003/10/10 06:43:40, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!
[root@firewall root]# smbclient -k //server01/testshare
[2003/10/10 06:48:10, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!
If I try to access a share on a Win2k Pro machine, it works flawlessly:
[root@firewall root]# smbclient -k //desktop01/c$
smb: \> quit
[root@firewall root]#
My config files are attached below.
I am playing with this in a development lab with the intention of learning
a bit more about Linux and Linux/Windows interoperability. Eventually, I'm
heading for single sign-on across my Linux and Windows workstations (using
winbindd, etc., as discussed in the HOWTO-Collection). My Windows boxes
(Win98SE, Win2K Pro/Server, WinXP Pro, Win2k3 Server) have no trouble
authenticating through the Active Directory on server01.
I'm probably missing something incredibly obvious, but any assistance would
be most appreciated.
Thanks,
Terry
Here are my config files (domain name has been changed):
/etc/samba/smb.conf:
[global]
realm = HOME.EXAMPLE.COM
workgroup = HOME
security = ADS
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/loc/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = HOME.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
[realms]
HOME.EXAMPLE.COM = {
kdc=server01.home.example.com
admin_server = server01.home.example.com
default_domain = home.example.com
}
[domain_realm]
.home.example.com = HOME.EXAMPLE.COM
home.example.com = HOME.EXAMPLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}