[Samba] security = ADS

Tom Skeren tms3 at fskklaw.com
Thu Jul 22 20:29:51 GMT 2004


John H Terpstra wrote:

>On Thursday 22 July 2004 14:07, Tom Skeren wrote:
>  
>
>>Yes I've seen this behavior a LOT.  I've replied to it.  For some
>>reason, the Samba when joined to ads needs to be contacted for shares by IP
>>addy.  The XP shares then authenticate properly.
>>    
>>
>
>No way, your ADS server is answering on port 445 - the port for netbios-less 
>SMB.
>  
>
>
>  
>
>>Try \\ipaddy-samba-server\share-name.  If you connect, do a netstat -an
>>on the samba server.  You'll see the XP box connected to port 445.  I
>>suspect that in an ads environment, the XP boxes default to connecting
>>to shares on 445.  I suspect smbd, or nmbd are mishandling this when
>>netbios names are used.
>>    
>>
>
>Nope. To avoid this, in your smb.conf [globals] set:
>	smb port = 139
>
Doesn't work as the XP box is the source of the problem.  In the 
following, all the port 445 requests are from XP boxes.  1/3 of them are 
part of an ads domain.  All the XP boxes try 445 first.  However the ADS 
joined machines always fail to connect, unless 445 is available.

PRiSM# netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0     48  x.199.7.138.22        y.174.106.82.49787    ESTABLISHED
tcp4       0      0  x.199.7.138.445       z.120.237.222.1434    ESTABLISHED
tcp4       0      0  x.199.7.138.445       y.174.106.82.1081     ESTABLISHED
tcp4       0      0  x.199.7.138.139       y.174.106.82.1027     ESTABLISHED
tcp4       0      0  x.199.7.138.445       y.174.106.82.2720     ESTABLISHED
tcp4       0      0  x.199.7.138.445       y.174.106.82.4095     ESTABLISHED
tcp4       0      0  x.199.7.138.445       y.174.106.82.1818     ESTABLISHED
tcp4       0      0  x.199.7.138.445       y.174.106.82.1906     ESTABLISHED
tcp4       0      0  x.199.7.138.139       y.174.106.82.1433     ESTABLISHED
tcp4       0      0  x.199.7.138.445       y.174.106.82.3v0     ESTABLISHED
tcp4       0      0  x.199.7.138.445       y.174.106.82.3180     ESTABLISHED
tcp4       0      0  x.199.7.138.445       z.15.79.153.1027      ESTABLISHED
tcp4       0      0  x.199.7.138.445       y.174.106.82.3834     ESTABLISHED
tcp4       0      0  x.199.7.138.445       y.174.106.82.1913     ESTABLISHED
tcp4       0      0  x.199.7.138.445       z.120.237.222.1035    ESTABLISHED
tcp4       0      0  x.199.7.138.445       z.15.79.153.4435      ESTABLISHED
tcp4       0      0  x.199.7.138.139       y.174.106.82.11x     ESTABLISHED
tcp4       0      0  x.199.7.138.445       z.15.79.153.1030      ESTABLISHED
tcp4       0      0  x.199.7.138.445       z.15.79.153.3165      ESTABLISHED
tcp4       0      0  x.199.7.138.445       z.15.79.153.2037      ESTABLISHED
tcp4       0      0  192.1w.y.1.22        192.1w.y.2.1876      ESTABLISHED
tcp4       0      0  192.1w.y.1.445       192.1w.y.2.1808      ESTABLISHED
tcp4       0      0  x.199.7.138.445       w.120.237.222.1070    ESTABLISHED
tcp4       0      0  x.199.7.138.445       w.120.237.222.1039    ESTABLISHED
tcp4       0      0  192.1w.y.1.49161     192.1w.0.1.139        ESTABLISHED
tcp4       0      0  x.199.7.138.445       v.194.126.54.1050     ESTABLISHED
tcp4       0      0  x.199.7.138.445       w.120.237.222.1037    ESTABLISHED
tcp4       0      0  x.199.7.138.445       v.194.126.54.42y     ESTABLISHED
tcp4       0      0  x.199.7.138.445       v.194.126.54.2752     ESTABLISHED
tcp4       0      0  x.199.7.138.139       y.174.106.82.55888    ESTABLISHED
tcp4       0      0  x.199.7.138.139       y.174.106.82.55887    ESTABLISHED
tcp4       0      0  x.199.7.138.139       y.174.106.82.55886    ESTABLISHED
tcp4       0      0  x.199.7.138.445       v.194.126.54.4272     ESTABLISHED
tcp4       0      0  x.199.7.138.445       v.194.126.54.2296     ESTABLISHED
tcp4       0      0  x.199.7.138.139       y.174.106.82.49760    ESTABLISHED


>
>- John T.
>
>  
>
>>Rashaad S. Hyndman wrote:
>>    
>>
>>>Hi all,
>>>
>>>I've been fighting with joining my samba server (debian) to my active
>>>directory domain for 4 days now.  The problem here is that users in my
>>>active directory domain on windows machines are not able to browse my
>>>samba shares without being prompted for authentication.
>>>
>>>I can:
>>>- Join the domain from samba server using net ads
>>>- View list of tickets when browsing window shares with klist
>>>- list window shares without being prompted with "smbclient -k -L
>>><windows_servername>"
>>>
>>>I can NOT:
>>>- use "net use * \\<smb_servername>\share" from window based machine.
>>>(this results in "The password or user name is invalid for
>>>\\delshare\public" (delshare being my samba server name))
>>>
>>>I have no clue what to do from here. I've looked over my smb.conf file 20
>>>times likewise my krb5.conf file
>>>
>>>Any suggestions would be greatly appreciated. I've run out of tests.
>>>
>>>R.
>>>      
>>>
>
>  
>
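Added example, not part of the original message or of Samba: one way to summarize BSD-style `netstat -an` output like the listing above, counting established inbound sessions per client on ports 139 and 445. The function names and the sample input (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally established SMB sessions per client and server port
# from BSD-style `netstat -an` output (address and port joined by a dot).

# Constructed sample input (documentation addresses, not from the post).
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0     48  192.0.2.10.22          198.51.100.7.49787     ESTABLISHED
tcp4       0      0  192.0.2.10.445         198.51.100.7.1081      ESTABLISHED
tcp4       0      0  192.0.2.10.445         198.51.100.7.2720      ESTABLISHED
tcp4       0      0  192.0.2.10.139         198.51.100.7.1027      ESTABLISHED
tcp4       0      0  192.0.2.10.139         203.0.113.5.1433       ESTABLISHED
tcp4       0      0  192.0.2.10.49161       192.0.2.20.139         ESTABLISHED
tcp4       0      0  *.445                  *.*                    LISTEN
EOF
}

# Print "client port count" for inbound sessions to local port 139 or 445.
smb_port_tally() {
    awk '
    $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
        lport = $4; sub(/^.*\./, "", lport)       # text after the last dot
        if (lport != "139" && lport != "445") next # skip ssh, outbound, etc.
        client = $5; sub(/\.[^.]*$/, "", client)  # drop the remote port
        n[client " " lport]++
    }
    END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Print clients that appear only on 139 in this snapshot, i.e. with no
# session on the NetBIOS-less port 445.
clients_139_only() {
    smb_port_tally | awk '
    { seen[$1] = 1; if ($2 == "445") direct[$1] = 1 }
    END { for (c in seen) if (!(c in direct)) print c }' | LC_ALL=C sort
}

sample_netstat | smb_port_tally
sample_netstat | clients_139_only
```

On a live server, pipe `netstat -an` into either function instead of `sample_netstat`.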


