[Samba] Getting errors while running Samba 3.0.7 with ADS security mode under MIT Kerberos
Melfi.Marcello at hydro.qc.ca
Thu Oct 14 19:27:35 GMT 2004
Hi,
I compiled Samba 3.0.7, MIT Kerberos 1.3.5 and OpenLDAP 2.2.17. I did not
notice any errors during compilation. I searched and found the #define
HAVE_LDAP 1 and #define HAVE_KRB5 1 statements in the config.h file of Samba
3.0.7's include dir. So, ADS should be supported in the compiled Samba 3.0.7
version.
Here is what I did up to now. As described in the How-To Samba doc, I
created the /etc/krb5.conf file and I ran the "kinit USERNAME@REALM"
command. I had to provide the password for USERNAME.
When I run the "klist" command, I get the following output:
*********************************************
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <USERNAME@REALM>
Valid starting Expires Service principal
10/08/04 15:57:48 10/09/04 01:59:26 krbtgt/<REALM>@<REALM>
renew until 10/09/04 15:57:48
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
*********************************************
Is it OK, or should I see more than just the TGT ticket?
My understanding is that I ran the "kinit" command just to make sure that
Kerberos was working between the Win2K3 server and the Samba machine. Am I
right?
Then, I successfully joined the Samba machine to the Win2K3 server's domain
with the "net ads join -U Administrator%password" command.
After starting Samba (i.e. only the smbd and nmbd processes), I tried to map
a Samba share from a Windows XP Pro workstation from which I was already
logged in with a user account defined in the Win2K3 server's domain.
The first try (i.e. after a reboot of the workstation so that the cache was
cleared) never works! At that point, a username/password box opened and I
entered the username and password information of that same user I was logged
in as, and it worked. It looks like the password was not OK the first time (I
did the map from a Windows "CMD" console to get the error message)... When I
looked at the Samba log for that workstation (log=0 ... sorry!), I noticed the
following error messages:
*********************************************
[2004/10/08 17:31:34, 0] lib/util_sock.c:get_peer_addr(1000)
getpeername failed. Error was Transport endpoint is not connected
[2004/10/08 17:31:34, 0] lib/util_sock.c:write_socket_data(430)
write_socket_data: write failure. Error = Broken pipe
[2004/10/08 17:31:34, 0] lib/util_sock.c:write_socket(455)
write_socket: Error writing 4 bytes to socket 24: ERRNO = Broken pipe
[2004/10/08 17:31:34, 0] lib/util_sock.c:send_smb(647)
Error writing 4 bytes to client. -1. (Broken pipe)
*********************************************
When the Samba share was established, it seemed to work OK.
But today I changed the log setting (i.e. log=2), repeated the same steps,
and I noticed that there were some additional messages about NTLM being used
the second time (i.e. after the username/password box)...
See the following Samba log output:
*********************************************
[2004/10/13 16:01:57, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/10/13 16:01:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username DEV-TESTAD.HYDRO.QC.CA\mv90ddmexp02$ is invalid on this system
[2004/10/13 16:01:58, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/10/13 16:01:58, 2] smbd/service.c:make_connection_snum(314)
user 'qc9999' (from session setup) not permitted to access this share
(ddm_mv90data)
[2004/10/13 16:01:58, 2] smbd/server.c:exit_server(571)
Closing connections
[2004/10/13 16:02:13, 0] lib/util_sock.c:get_peer_addr(1000)
getpeername failed. Error was Transport endpoint is not connected
[2004/10/13 16:02:13, 0] lib/util_sock.c:write_socket_data(430)
write_socket_data: write failure. Error = Broken pipe
[2004/10/13 16:02:13, 0] lib/util_sock.c:write_socket(455)
write_socket: Error writing 4 bytes to socket 24: ERRNO = Broken pipe
[2004/10/13 16:02:13, 0] lib/util_sock.c:send_smb(647)
Error writing 4 bytes to client. -1. (Broken pipe)
[2004/10/13 16:02:13, 2] smbd/server.c:exit_server(571)
Closing connections
[2004/10/13 16:02:13, 2] libsmb/namequery.c:name_query(492)
Got a positive name query response from 10.6.1.103 ( 10.6.1.103 )
[2004/10/13 16:02:13, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [QC9999] -> [ddmuser] -> [ddmuser] succeeded
[2004/10/13 16:02:13, 1] smbd/service.c:make_connection_snum(648)
mv90ddmexp02 (10.4.114.22) connect to service ddm_mv90data initially as user ddmuser (uid=40147, gid=30013) (pid 4162)
*********************************************
From that, I can only guess that when I try to map the Samba share from the
Windows XP Pro workstation, it fails and Samba seems to revert to the NTLM
authentication... Is that possible?
Here is my "krb5.conf" file:
*********************************************
[libdefaults]
default_realm = <REALM>
[realms]
<REALM> = {
default_domain = <REALM>
kdc = 10.6.1.103
}
[domain_realm]
.<kerberos server> = <REALM>
<kerberos server> = <REALM>
*********************************************
Here is my "smb.conf" file:
*********************************************
[global]
workgroup = DEV-TESTAD
netbios name = HONDA
server string = honda
interfaces = <IP address of honda> 127.0.0.1
bind interfaces only = yes
security = ads
realm = <Domain of the Win2K3 server starting with "DEV-TESTAD.">
allow trusted domains = yes
encrypt passwords = yes
password server = *
wins support = no
wins server = 10.6.1.103
username map = /usr/local/samba307ads/lib/usermap.txt
case sensitive = yes
preserve case = yes
short preserve case = yes
default case = upper
log file = /usr/local/samba307ads/var/log.%m
log level = 2
max log size = 50
load printers = no
preferred master = false
local master = no
domain master = false
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[ddm_mv90data]
path = /path/of/the/share
guest ok = no
directory mask = 0770
create mask = 0660
browseable = no
writeable = yes
valid users = ddmuser
*********************************************
Here is my "usermap.txt" file:
*********************************************
ddmuser = qc9999
*********************************************
Any help would be very much appreciated at this point!
Regards,
Marcello
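The smbd log excerpts in this post are the only evidence of what happened: a Kerberos session setup is rejected ("Username ... is invalid on this system", with a principal ending in "$"), and fifteen seconds later check_ntlm_password succeeds for the same workstation. The following script is an added example, not part of the original post and not Samba's own code: it parses records in the Samba 3.x log format shown above and reports each NTLM success that follows a Kerberos rejection within a short window, so an administrator can spot the fallback from a log file rather than by eye. The sample lines are constructed from the excerpts above; the 60-second window and the event names ("kerberos_rejected", "ntlm_succeeded", and so on) are assumptions of this example.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample, modelled on the smbd log excerpts quoted in the post
# (continuation lines are indented, as smbd writes them).
SAMPLE_LOG = r"""
[2004/10/13 16:01:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DEV-TESTAD.HYDRO.QC.CA\mv90ddmexp02$ is invalid on this system
[2004/10/13 16:01:58, 2] smbd/service.c:make_connection_snum(314)
  user 'qc9999' (from session setup) not permitted to access this share (ddm_mv90data)
[2004/10/13 16:02:13, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Broken pipe
[2004/10/13 16:02:13, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [QC9999] -> [ddmuser] -> [ddmuser] succeeded
[2004/10/13 16:02:13, 1] smbd/service.c:make_connection_snum(648)
  mv90ddmexp02 (10.4.114.22) connect to service ddm_mv90data initially as user ddmuser (uid=40147, gid=30013) (pid 4162)
"""

# Header line of a Samba 3.x log record: "[date time, level] file:function(line)"
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
KRB_REJECT_RE = re.compile(r"Username (\S+) is invalid on this system")
NTLM_OK_RE = re.compile(
    r"check_ntlm_password: authentication for user \[([^\]]+)\] -> \[([^\]]+)\] -> \[([^\]]+)\] succeeded")
CONNECT_RE = re.compile(r"^(\S+) \((\d+\.\d+\.\d+\.\d+)\) connect to service (\S+) initially as user (\S+)")


def parse_samba_log(text: str) -> List[Dict]:
    """Group each header line with its continuation lines into one record."""
    records: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = {
                "time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "level": int(m.group(2)),
                "location": m.group(3),
                "message": "",
            }
            records.append(current)
        elif current is not None and raw.strip():
            # Messages can wrap over several lines; join them with a single space.
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    return records


def classify(rec: Dict) -> Optional[Dict]:
    """Map one record to an authentication event, or None if it is not one."""
    loc, msg = rec["location"], rec["message"]
    if "reply_spnego_kerberos" in loc:
        m = KRB_REJECT_RE.search(msg)
        if m:
            # A trailing '$' means the rejected principal is a machine account.
            return {"kind": "kerberos_rejected", "principal": m.group(1),
                    "machine_account": m.group(1).endswith("$")}
    if "check_ntlm_password" in loc:
        m = NTLM_OK_RE.search(msg)
        if m:
            return {"kind": "ntlm_succeeded", "client_user": m.group(1), "unix_user": m.group(3)}
    if "make_connection_snum" in loc:
        m = CONNECT_RE.search(msg)
        if m:
            return {"kind": "share_connected", "client": m.group(1), "ip": m.group(2),
                    "share": m.group(3), "unix_user": m.group(4)}
        if "not permitted to access this share" in msg:
            return {"kind": "share_denied"}
    if "util_sock.c" in loc and ("Broken pipe" in msg or "getpeername failed" in msg):
        return {"kind": "client_disconnected"}
    return None


def find_ntlm_fallbacks(records: List[Dict], window_seconds: int = 60) -> List[Dict]:
    """Report each NTLM success that follows a Kerberos rejection within the window.

    The window is an assumed heuristic; the post shows 15 seconds between the two.
    """
    pending: Optional[Dict] = None
    fallbacks: List[Dict] = []
    for rec in records:
        ev = classify(rec)
        if ev is None:
            continue
        ev["time"] = rec["time"]
        if ev["kind"] == "kerberos_rejected":
            pending = ev
        elif ev["kind"] == "ntlm_succeeded" and pending is not None:
            delta = (ev["time"] - pending["time"]).total_seconds()
            if 0 <= delta <= window_seconds:
                fallbacks.append({
                    "rejected_principal": pending["principal"],
                    "machine_account": pending["machine_account"],
                    "ntlm_user": ev["client_user"],
                    "unix_user": ev["unix_user"],
                    "seconds_between": delta,
                })
            pending = None
    return fallbacks


if __name__ == "__main__":
    for fb in find_ntlm_fallbacks(parse_samba_log(SAMPLE_LOG)):
        print(fb)
```

Run against the sample, the script reports one fallback: the rejected principal is a machine account, and the NTLM success maps QC9999 to the unix user ddmuser, exactly the pair the usermap.txt in the post defines. Feeding it a real log.%m file at log level 2 or higher will list every such sequence with the time gap between the two events.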