Re: [Samba] Samba + Active Directory

samba_list samba_list at terra.com.br
Wed Jan 7 21:10:50 GMT 2004 

Hi,

As Cedric suggested (thank you very much, man !!),  I´ve downgraded my
Samba
from 3.0.1 to 3.0.0 and it worked !! There´s no more "password asking"
window and no more Kerboros ticket errors.

Now I´m facing a new, weird problem: when my users can´t print 0(I´ve
installed Cups to manage the Deskjet 840c), they receive an "access
denied -
unable to connect" error message when they try to print.

From the Samba server box I can print using cat <somefile> > /dev/lp0.

I´ve tried to change permissions, 777-ing both printer spool directory and
/dev/lp0. The computer sharing options are: writable=yes, guest ok = yes,
browseable = yes...etc).

What is missing ?? Is there any config I´m forgetting ?

Thanks in advance,

Lindolfo Rodrigues
---------- Cabeçalho inicial  -----------

De: Cedric Puddy <cedric at cadence.thinkers.org>
Para: samba_list <samba_list at terra.com.br>
Cópia: samba <samba at lists.samba.org>
Data: Tue, 6 Jan 2004 19:42:27 -0500 (EST)
Assunto: Re: [Samba] Samba + Active Directory

> On Tue, 6 Jan 2004, samba_list wrote:
> 
> > Hi,
> >
> > I´m having much trouble on configuring Samba to work on an Active
> > Directory
> > environment.
> >
> > Using getent password I´m able to see AD´s users. wbinfo -u and
wbinfo -g
> > also work fine.
> >
> > When someone from a Windows try to access my Samba server, the smd
> > password
> > window is shown (I think that the autehntication would be transparent,
> > wouldn't it ?), any password I provide is rejected: I tried AD
users using
> > either the plain username and the DOMAIN\username form. I tried
also using
> > my root password, without any success.
> >
> > The logs are saying:
> > [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > Failed to verify incoming ticket!
> > [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > Failed to verify incoming ticket!
> >
> > Is there any special configuration I have to do on Active Directory to
> > become AD authentication available to Samba ?
> 
> Almost certainly, you are running version 3.0.1, which as best
> I've been able to determine breaks kerberos ticket handling
> in the case of a Win2k/XP box trying to access SAMBA.
> 
> I've reported the problem to the list, and several others have
> as well in recent times, but as yet, I haven't noticed a clear
> answer as to what is broken.  One fellow said that he was
> testing 3.0.1 with the libads code changes reverted to 3.0.0, but
> I don't believe he's reported back yet.  (I'd be *very* interested
> in beta testing that! :)
> 
> What works for me is going to back to version 3.0.0.
> The reason that's not good for me is becuase I have
> a whole bunch of existing unix users that I want to
> map properly to existing windows users of the same
> names, and 3.0.1 is supposed to do that automaticly.
> If that's not a concern for you, then you might not
> have any reason to care which version you are running.
> 
> I'm using the redhat RPMS, and doing this sequence
> successfully downgrades me from 3.0.1 -> 3.0.0:
> 
> 	<ensure that you have an admin ticket with
> 		kinit, if you do the net ads leave/join
> 		bits...>
> 	net ads leave
> 	cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
> 	/etc/rc.d/init.d/smb stop
> 	/etc/rc.d/init.d/winbind stop
> 	rpm -Uvh --force /usr/src/rpms/samba-3.0.0-2_rh9.i386.rpm
> 	cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
> 	/etc/rc.d/init.d/smb start
> 	/etc/rc.d/init.d/winbind start
> 	net ads join
> 
> The above process assumes that you've got the rpm file
> downloaded in /usr/src/rpms, that you have the right
> rpms for your system (in my case, rh9), and guarentees that
> your smb.conf file doesn't get accidentally wiped out.
> 
> I'm don't believe that the "net ads leave/join" part is
> strictly necessary.  I've just been doing it whenever I
> upgrade/downgrade out of pedantdry.  My understanding
> is that it shouldn't be necessary, because the shared
> secrets/etc should be stored in the Samba TDB databases
> somewhere...
> 
> In my case, simply changing to 3.0.0 immediately makes
> everything work, and going to 3.0.1 immediately mades
> everything break.
> 
> If you want further confirmation that you are having
> the same problem I am, increase the logging level to
> something like 5, and look for "unknown key table type"
> errors shortly before the "Failed to verify ticket"
> error in your /var/log/samba/log.<workstation> file
> (assuming that you put your logs in the default linux
> location :)
> 
> 	I hope that helps,
> 
> 	Best Regards,
> 
> 	-Cedric Puddy
> 
> > I´ve already installed PAM and followed all intructions at samba.org,
> > but is
> > not working.
> >
> > Could someone please help me ?
> >
> > Thanks in advance,
> >
> > Lindolfo
> >
> > P.S.: I´ve already checked both servers´ time, they are syncronized.
> >
> >
> 
> -- 
> -
> |  CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
> |  118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-741-2157
> \____________________________________________________________________
>    Cedric Puddy, IS Director		cedric at thinkers.org
>      PGP Key Available at: 		http://www.thinkers.org/cedric
> 
>

More information about the samba mailing list