[Samba] Problems accessing shares when authenticating to Win 2k3 AD

tvsjr tvsjr at sprynet.com
Fri Oct 10 11:57:53 GMT 2003


I'm a bit of a newbie to Samba, and am having some trouble getting it 
running with my Windows Server 2003 Active Directory. I've followed the 
procedures in the HOWTO-Collection.pdf, with no luck.

"kinit administrator" works fine, and stores a ticket in the cache:
[root@firewall root]# klist -5
Default principal: administrator@HOME.EXAMPLE.COM

Valid starting		Expires			Service principal
10/10/03 06:39:19	10/10/03 16:39:19	krbtgt/HOME.EXAMPLE.COM@HOME.EXAMPLE.COM
[root@firewall root]#

Joining the domain works:
[root@firewall root]# net ads join
Using short domain name -- HOME
Joined 'FIREWALL' to realm 'HOME.EXAMPLE.COM'
[root@firewall root]#

If I switch to the Active Directory server, it shows firewall as a member 
of the directory, with an OS of Samba 3.0.0, so there's no problem here.

However, trying to access a share on server01 fails:
[root@firewall root]# smbclient -k //server01/e$
[2003/10/10 06:43:40, 0] libsmb/clientgen.c:cli_receive_smb(121)
   SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!
[root@firewall root]# smbclient -k //server01/testshare
[2003/10/10 06:48:10, 0] libsmb/clientgen.c:cli_receive_smb(121)
   SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!

If I try to access a share on a Win2k Pro machine, it works flawlessly:
[root@firewall root]# smbclient -k //desktop01/c$
smb: \> quit
[root@firewall root]#


My config files are attached below.

I am playing with this in a development lab with the intention of learning 
a bit more about Linux and Linux/Windows interoperability. Eventually, I'm 
heading for single sign-on across my Linux and Windows workstations (using 
winbindd, etc. as discussed in the HOWTO-Collection.) My Windows boxes 
(Win98SE, Win2K Pro/Server, WinXP Pro, Win2k3 Server) have no trouble 
authenticating through the Active Directory on server01.

I'm probably missing something incredibly obvious, but any assistance would 
be most appreciated.

Thanks,
Terry




Here are my config files (domain name has been changed):

/etc/samba/smb.conf:
[global]
realm = HOME.EXAMPLE.COM
workgroup = HOME
security = ADS

/etc/krb5.conf:
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/loc/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  ticket_lifetime = 24000
  default_realm = HOME.EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_etypes = des-cbc-crc des-cbc-md5
  default_etypes_des = des-cbc-crc des-cbc-md5

[realms]
  HOME.EXAMPLE.COM = {
   kdc=server01.home.example.com
   admin_server = server01.home.example.com
   default_domain = home.example.com
  }

[domain_realm]
.home.example.com = HOME.EXAMPLE.COM
home.example.com = HOME.EXAMPLE.COM

[kdc]
  profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
  pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
  }




