[Samba] Samba 3.0.2 and Windows 2003 ADS.
TBrown at neurology.ahsc.arizona.edu
Mon Feb 9 20:06:12 GMT 2004
I'm having similar problems as Christian. However, I'm using Heimdal
Kerberos (heimdal-0.6-67) and Windows 2000 Advanced Server. I've spent a
bit of time working on the krb5.conf file to determine encryption settings
that essentially work. I can only get the Samba 3.0.2 server talking to the
Windows 2000 ADS when the default_etypes are set to: des-cbc-crc. If I omit
default etype settings, they fail to talk. I should also note that Heimdal
krb5.conf doesn't use the default_t/gxx_enctypes used in the MIT
distribution in case folks are trying these settings.
Basically I can join the ADS domain without trouble:
% s-gowers:/usr/local/samba/bin # ./net ads join
% [2004/02/09 12:54:31, 0] libads/ldap.c:ads_add_machine_acct(1006)
% Host account for s-gowers already exists - modifying old account
% Using short domain name -- NEUROLOGY
% Joined 'S-GOWERS' to realm 'NEUROLOGY.AHSC.ARIZONA.EDU'
And from here I can surf my shares on my Windows 2000 server using the
smbclient //server/share -k command. Likewise, I can list the shares
available using the smbclient -k -L server. Also, I can send messages using
the smbclient -k -M host without a glitch.
But when I attempt to connect to the Samba 3.0.2 server via \\NetBIOS name,
I get a username/password dialogue box and a bunch of entries in the smb.log
saying that:
% [2004/02/09 12:52:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
% Failed to verify incoming ticket!
I cannot access these shares using the IP address instead of the NetBIOS
name. I've been working on this for a couple days now and really can't
figure it out. I've used versions 3.0.0, 3.0.1, and now 3.0.2 with
identical results with all three. I've tried this with and without a keytab
file generated using Windows 2000 Server (ktpass).
I compiled the source using: --enable-cups --with-ads --with-winbind
Here's my krb5.conf:
===============
[libdefaults]
default_realm = NEUROLOGY.AHSC.ARIZONA.EDU
ticket_lifetime = 2400
clockskew = 300
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
default_keytab_name = 'FILE:/etc/krb5.keytab'
forwardable = true
extra_addresses = 150.135.29.201
dns_lookup_realm = false
kdc_timesync = true
scan_interfaces = true
[realms]
NEUROLOGY.AHSC.ARIZONA.EDU = {
kdc = jackson.neurology.ahsc.arizona.edu
admin_server = jackson.neurology.ahsc.arizona.edu
kpasswd_server = jackson.neurology.ahsc.arizona.edu
default_domain = neurology.ahsc.arizona.edu
}
[domain_realm]
.neurology.ahsc.arizona.edu = NEUROLOGY.AHSC.ARIZONA.EDU
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
============
And, the smb.conf:
============
[global]
workgroup = NEUROLOGY
realm = NEUROLOGY.AHSC.ARIZONA.EDU
server string =
security = ADS
password server = 150.135.28.105
log file = /var/log/smb.log
unix extensions = No
server signing = auto
socket options = SO_KEEPALIVE TCP_NODELAY
printcap name = cups
add machine script = /usr/sbin/useradd -c Machine -g machines -d /dev/null -s /bin/false %u
logon path = /srv/users/%U
logon home =
os level = 0
preferred master = No
local master = No
domain master = No
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /srv/users/%U
winbind separator = +
winbind use default domain = Yes
create mask = 0777
directory mask = 0777
printing = cups
case sensitive = Yes
oplocks = No
level2 oplocks = No
dos filemode = Yes
dos filetimes = Yes
=============
Thanks for your help.
Tracy Steven Brown
University of Arizona
Dept. Neurology
(520) 626-4660
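
Added example (not part of the original post): a small Python check that reads the [libdefaults] section of a krb5.conf and reports whether the enctype settings pin Kerberos to single DES, as the default_etypes = des-cbc-crc lines above do. The MIT key names (default_tkt_enctypes, default_tgs_enctypes, permitted_enctypes) are an assumption, since the post only abbreviates them, and the sample input is constructed from the quoted file.

```python
import re

# Single-DES enctypes (deprecated for Kerberos by RFC 6649).
WEAK_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
# [libdefaults] keys that select enctypes. MIT names are an assumption: the post only abbreviates them.
ETYPE_KEYS = {"default_etypes": "Heimdal", "default_etypes_des": "Heimdal",
              "default_tkt_enctypes": "MIT", "default_tgs_enctypes": "MIT",
              "permitted_enctypes": "MIT"}

def libdefaults(text):
    """Return {key: value} for the [libdefaults] section of a krb5.conf."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out[key] = value
    return out

def audit_etypes(text):
    """Return (key, flavour, enctypes, verdict) per enctype setting found."""
    findings = []
    for key, value in libdefaults(text).items():
        if key not in ETYPE_KEYS:
            continue
        etypes = [e.lower() for e in re.split(r"[,\s]+", value) if e]
        weak = [e for e in etypes if e in WEAK_DES]
        verdict = "no DES" if not weak else (
            "DES-only" if len(weak) == len(etypes) else "allows DES")
        findings.append((key, ETYPE_KEYS[key], etypes, verdict))
    return findings

# Constructed sample: enctype lines taken from the krb5.conf in the post.
SAMPLE = """\
[libdefaults]
default_realm = NEUROLOGY.AHSC.ARIZONA.EDU
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
[realms]
"""

if __name__ == "__main__":
    for key, flavour, etypes, verdict in audit_etypes(SAMPLE):
        print(f"{key} ({flavour}): {' '.join(etypes)} -> {verdict}")
```

A "DES-only" verdict means every ticket this host requests or accepts is limited to single DES, so the setting is worth revisiting once the interoperability problem is resolved.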