[Samba] ADS controller connection issue; clients work fine.

Tom Dickson tdickson at inostor.com
Mon Mar 22 18:12:20 GMT 2004


Jeremy Allison wrote:
| On Wed, Mar 17, 2004 at 11:31:40AM -0800, Tom Dickson wrote:
|
|>Jeremy Allison wrote:
|>| On Wed, Mar 17, 2004 at 09:26:45AM -0800, Tom Dickson wrote:
|>|
|>|>I've joined Samba to the domain, and everything seems to work fine.
|>|>Clients can log in to their Windows 2000 machines and access the Samba
|>|>server, which authenticates using Kerberos to the 2003 AD controller.
|>|>
|>|>However, if I log on ON the 2003 AD controller, it can't access the Samba
|>|>server. The same user logged onto any of the clients does work fine.
|>|>Changing the passwords and rebooting things does not seem to help.
|>|>
|>|>Am I missing something easy? I can get logs and config files if needed.
|>|
|>|
|>| Debug 10 logs from the smbd would help.
|>|
|>| Jeremy.
|>|
|>| .
|>|
|>Ok. See attached! Thank you!
|
|
| Ok, looking at this it looks like you have a problem with encryption
| types. Are you sure it's using krb5 to allow clients access? It may
| be falling back to NTLMSSP. What does your krb5.conf look like? What
| version of MIT Kerberos are you using?
|
| Jeremy.
|
| .
|
Here's the krb5.conf setup from a similar machine that shows the same
problem against Windows 2003.

more /etc/krb5.conf
[libdefaults]
  default_realm = NETBENCHDOMAIN.LOCAL
#
[realms]
  NETBENCHDOMAIN.LOCAL = {
   kdc = NBSERVER.NETBENCHDOMAIN.LOCAL
  }
#
[domain_realms]
  .kerberos.server = NETBENCHDOMAIN.LOCAL
#===eof===


ls /usr/kerberos/lib/
libcom_err.so.3    libgssapi_krb5.so.2    libkadm5clnt.so.5    libkrb4.so.2
libcom_err.so.3.0  libgssapi_krb5.so.2.2  libkadm5clnt.so.5.0  libkrb4.so.2.0
libdes425.so.3     libgssrpc.so.3         libkadm5srv.so.5     libkrb5.so.3
libdes425.so.3.0   libgssrpc.so.3.0       libkadm5srv.so.5.0   libkrb5.so.3.1
libdyn.so.1        libk5crypto.so.3       libkdb5.so.3         libpty.so.1
libdyn.so.1.0      libk5crypto.so.3.0     libkdb5.so.3.1       libpty.so.1.2

I don't know how to find out the version any closer than that.

Another thing I noticed is that if I connect to the IP address of the
machine, it sometimes works, but not when connecting to the NetBIOS name.

How do I verify that it is using krb5 for the clients, which seem to
work just fine? It also seems that sometimes it just starts working
after a long time.

-Tom
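
The following is an added example, not part of the original message and not Samba or MIT Kerberos code: a small Python lint for the krb5.conf quoted above that checks section names against those documented for MIT krb5.conf and whether a `[domain_realm]` entry covers the KDC host (without one, libkrb5 falls back to its default host-to-realm rules). The function names and the embedded sample (the posted file with indentation restored) are constructed for illustration; its output is a lint finding, not a diagnosis confirmed in the thread.

```python
import re

# Section names documented for MIT krb5.conf (client-side subset).
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "plugins", "logging", "login"}

# Constructed sample: the krb5.conf quoted in the message, indentation restored.
SAMPLE = """\
[libdefaults]
 default_realm = NETBENCHDOMAIN.LOCAL
[realms]
 NETBENCHDOMAIN.LOCAL = {
  kdc = NBSERVER.NETBENCHDOMAIN.LOCAL
 }
[domain_realms]
 .kerberos.server = NETBENCHDOMAIN.LOCAL
"""

def parse(text):
    """Return {section: [(key, value), ...]}; brace nesting is flattened."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.append((key, value))
    return sections

def lint(text):
    """Return findings for unrecognised sections and unmapped KDC hosts."""
    sections, findings = parse(text), []
    for name in sections:
        if name not in KNOWN_SECTIONS:
            findings.append(f"unknown section [{name}]")
    mapped = {key.lower() for key, _ in sections.get("domain_realm", [])}
    for key, value in sections.get("realms", []):
        host = value.split(":")[0].lower()       # drop an optional :port
        domain = "." + host.partition(".")[2]    # parent-domain form
        if key == "kdc" and host not in mapped and domain not in mapped:
            findings.append(f"no explicit domain_realm mapping for {host}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```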

