[Samba] Samba 3.0.2 and Windows 2003 ADS.

TBrown at neurology.ahsc.arizona.edu TBrown at neurology.ahsc.arizona.edu
Mon Feb 9 20:06:12 GMT 2004

I'm having similar problems as Christian. However, I'm using Heimdal
Kerberos (heimdal-0.6-67) and Windows 2000 Advanced Server. I've spent a
bit of time working on the krb5.conf file to determine encryption settings
that essentially work. I can only get the Samba 3.0.2 server talking to the
Windows 2000 ADS when the default_etypes are set to: des-cbc-crc. If I omit
default etype settings, they fail to talk. I should also note that Heimdal
kerb5.conf doesn't use the default_t/gxx_enctypes used in the MIT
distrobution in case folks are trying these settings.

Basically I can join the ADS domain without trouble:
% s-gowers:/usr/local/samba/bin # ./net ads join
% [2004/02/09 12:54:31, 0] libads/ldap.c:ads_add_machine_acct(1006)
%  Host account for s-gowers already exists - modifying old account
% Using short domain name -- NEUROLOGY

And from here I can surf my shares on my windows 2000 server using the
smbclient //server/share -k command. Likewise, I can list the shares
available using the smbclient -k -L server. Also, I can send messages using
the smbclient -k -M host without a glitch.

But when I attempt to connect to the Samba 3.0.2 server via \\NetBIOS name,
I get a usernam/password dialogue box and a bunch of entries in the smb.log
saying that:
% [2004/02/09 12:52:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
%   Failed to verify incoming ticket!

I cannot access these shares using the IP address instead of the NetBIOS
name. I've been working on this for a couple days now and really can't
figure it out. I've used versions 3.0.0, 3.0.1, and now 3.0.2 with
identical results with all three. I've tried this with and withoth a keytab
file generated using Windows 2000 Server (ktpass).

I compiled the source using: --enable-cups --with-ads --with-winbind

Here's my krb5.conf:
        default_realm           = NEUROLOGY.AHSC.ARIZONA.EDU
        ticket_lifetime         = 2400
        clockskew               = 300
        default_etypes          = des-cbc-crc
        default_etypes_des      = des-cbc-crc
        default_keytab_name     = 'FILE:/etc/krb5.keytab'
        forwardable             = true
        extra_addresses         =
        dns_lookup_realm        = false
        kdc_timesync            = true
        scan_interfaces         = true

                kdc             = jackson.neurology.ahsc.arizona.edu
                admin_server    = jackson.neurology.ahsc.arizona.edu
                kpasswd_server  = jackson.neurology.ahsc.arizona.edu
                default_domain  = neurology.ahsc.arizona.edu

        .neurology.ahsc.arizona.edu = NEUROLOGY.AHSC.ARIZONA.EDU

        default = SYSLOG:NOTICE:DAEMON
        kdc     = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log


And, the smb.conf:

        workgroup = NEUROLOGY
        server string =
        security = ADS
        password server =
        log file = /var/log/smb.log
        unix extensions = No
        server signing = auto
        socket options = SO_KEEPALIVE TCP_NODELAY
        printcap name = cups
        add machine script = /usr/sbin/useradd -c Machine -g machines -d
/dev/null -s /bin/false %u
        logon path = /srv/users/%U
        logon home =
        os level = 0
        preferred master = No
        local master = No
        domain master = No
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /srv/users/%U
        winbind separator = +
        winbind use default domain = Yes
        create mask = 0777
        directory mask = 0777
        printing = cups
        case sensitive = Yes
        oplocks = No
        level2 oplocks = No
        dos filemode = Yes
        dos filetimes = Yes

Thanks for your help.

Tracy Steven Brown
University of Arizona
Dept. Neurology
(520) 626-4660

More information about the samba mailing list