Re: [Samba] Samba3 with W2K Native Mode

Axel Spallek Axel at Spallek.ws
Fri Mar 19 08:41:18 GMT 2004


Hi.

I have news.
The Problem with 3.0.2-29 persisted, so I compiled 3.0.2a.
./configure --with-acl-support --with-winbind --with-ldap --with-ldapsam --with-pam --with-pam_smbpass --with-krb5=/usr/local --with-ads

One problem after that was the missing pam_winbind.so used by
nsswitch.conf(?).
Now I am as far as with 2.0.2-29. I can get a kinit Administrator-Ticket
and can do a net join ads.
But when I try to click on s7 in the Network-Section of S4 I get a

[2004/03/19 09:33:06, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/03/19 09:33:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/03/19 09:33:06, 2] smbd/server.c:exit_server(558)
  Closing connections

That worked with 3.0.2-29.
I can connect via net use m: \\<ip>\share.
I think there is a problem with
nsswitch
pam_*.so
/lib/security/samba
But how can I debug this?


Sincerely,

Axel Spallek
Hülenweg 21
89134 Blaustein
http://mail.map24.com/axel_spallek

-----Original Message-----
From: samba-bounces+axel=spallek.ws at lists.samba.org
[mailto:samba-bounces+axel=spallek.ws at lists.samba.org] On Behalf Of
Axel Spallek
Sent: Friday, 27 February 2004 10:51
To: Samba
Subject: [Samba] Samba3 with W2K Native Mode


Hi.
I use Samba 3.0.2-29 on Server S7.
In our network is a W2K Server named S4 running in Native Mode, Domain Name
hel.lan.
I tried to join the S4-Domain hel.lan.


s7:~ # kinit Administrator@HEL.LAN
Administrator@HEL.LAN's Password:
s7:~ # net ads join
[2004/02/27 08:20:54, 0] libads/ldap.c:ads_add_machine_acct(1006)
  Host account for s7 already exists - modifying old account
Using short domain name -- HEL
Joined 'S7' to realm 'HEL.LAN'
s7:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@HEL.LAN

  Issued           Expires          Principal
Feb 27 08:20:12  Feb 27 18:20:12  krbtgt/HEL.LAN@HEL.LAN
Feb 27 08:20:19  Feb 27 18:20:12  s4$@HEL.LAN
Feb 27 08:20:19  Feb 27 18:20:12  kadmin/changepw@HEL.LAN

rcsmb restart
rcwinbind restart

Last two are needed (don't know why) otherwise the new Credentials are not
usable (getent gives error).
These steps I have to do every morning, because the credentials expired. Is
there a workaround?


So far so good.
Next I tried to use these

getent passwd
wbinfo -u
wbinfo -g
getent group


without any problem. They work fine, I can see all users and groups from
ADS.
Next I tried to use a share.
My smb.conf:

# Samba config file created using SWAT
# from 172.23.4.3 (172.23.4.3)
# Date: 2004/02/16 15:00:31

# Global parameters
[global]
        unix charset = LOCALE
        workgroup = HEL
        realm = HEL.LAN
        interfaces = 127.0.0.1, eth0
        bind interfaces only = Yes
        security = ADS
        password server = s4.hel.lan
        log level = 2
        preferred master = No
        local master = No
        domain master = No
        wins server = s4.hel.lan
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        winbind use default domain = Yes

[asx]
        path = /mnt/testsamba
        force user = root
        read only = No

[test]
        path = /mnt/Test
#       force user = root
        read only = No
        create mask = 0700
        force create mode = 0700
        directory mask = 0700
        force directory mode = 0700




The directories definitely exist, but the only share I can use is the asx
with force user = root. No matter which other user I try (even without the
force user) I get the following error message in log.smbd:

[2004/02/27 08:22:38, 2] smbd/server.c:open_sockets_smbd(318)
  waiting for a connection
[2004/02/27 08:34:53, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/02/27 08:35:19, 0] smbd/service.c:make_connection_snum(677)
  '/mnt/Test' does not exist or is not a directory, when connecting to
[test]
[2004/02/27 08:35:19, 0] smbd/service.c:make_connection_snum(677)
  '/mnt/Test' does not exist or is not a directory, when connecting to
[test]
[2004/02/27 08:35:19, 0] smbd/service.c:make_connection_snum(677)
  '/mnt/Test' does not exist or is not a directory, when connecting to
[test]
[2004/02/27 08:35:19, 0] smbd/service.c:make_connection_snum(677)
  '/mnt/Test' does not exist or is not a directory, when connecting to
[test]

asx works:

[2004/02/27 08:35:33, 1] smbd/service.c:make_connection_snum(705)
  172.23.4.3 (172.23.4.3) connect to service asx initially as user root
(uid=0, gid=0) (pid 732)


I can move the force user= root to the test share and I have the same
problem with asx.

s7:~ # dir /mnt
total 0
drwx------    7 root     root          184 Feb 16 13:41 .
drwxr-xr-x   20 root     root          464 Feb 18 12:20 ..
drwxrwxrwx    3 as       Domänen-Benutzer       72 Feb 16 13:57 Test
drwxrwxrwx    3 akey     users         440 Feb 18 13:11 testsamba

As you can see the rights are changed to o+rwx for testing. No difference.
"as" is an ADS-User. "Domänen-Benutzer" is a Group from ADS. As you can see I
can do a "chown hel+as /mnt/test".
akey and users are local. force user = akey doesn't work as well as force
user hel+as

Is this a bug? I did not find a patch. Can anyone help?



s7:~ # cat /etc/krb5.conf
[libdefaults]
        default_realm = HEL.LAN
        clockskew = 300

[realms]
        HEL.LAN = {
                kdc = S4.HEL.LAN
#               admin_server = MY.COMPUTER
                kpasswd_server = S4.HEL.LAN
        }
#       OTHER.REALM = {
#               kdc = OTHER.COMPUTER
#       }

[domain_realm]
        hel.lan = HEL.LAN

        .hel.lan = HEL.LAN

[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                debug = false
        }



s7:~ #cat /etc/nsswitch.conf
passwd: files winbind
shodow: files
group:  files winbind

hosts:  files dns
networks:       files dns

services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files





Regards,

Axel Spallek
Hülenweg 21
89134 Blaustein
http://mail.map24.com/axel_spallek
