[Samba] Getting errors while running Samba 3.0.7 with ADS security mode under MIT Kerberos

Melfi.Marcello at hydro.qc.ca
Thu Oct 14 19:27:35 GMT 2004


Hi,
 
I compiled Samba 3.0.7, MIT Kerberos 1.3.5 and OpenLDAP 2.2.17. I did not
notice any errors during compilation. I searched and found the #define
HAVE_LDAP 1 and #define HAVE_KRB5 1 statements in the config.h file of Samba
3.0.7's include dir. So, ADS should be supported in the compiled Samba 3.0.7
version.
 
Here is what I did up to now. As described in the How-To Samba doc, I
created the /etc/krb5.conf file and I ran the "kinit USERNAME@REALM"
command. I had to provide the password for USERNAME.

When I run the "klist" command, I get the following output:

*********************************************
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: USERNAME@REALM

Valid starting     Expires            Service principal 
10/08/04 15:57:48  10/09/04 01:59:26  krbtgt/<REALM>@<REALM> 
        renew until 10/09/04 15:57:48

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
*********************************************

Is it OK or should I see more than just the TGT ticket?

My understanding is that I ran the "kinit" command just to make sure that
Kerberos was working between the Win2K3 server and the Samba machine. Am I
right?

Then, I successfully joined the Samba machine to the Win2K3 server's domain
with the "net ads join -U Administrator%password" command.

After starting Samba (i.e. only the smbd and nmbd processes), I tried to map
a Samba share from a Windows XP Pro workstation on which I was already
logged in with a user account defined in the Win2K3 server's domain.

The first try (i.e. after a reboot of the workstation so that the cache was
cleared) never works! At that point, a username/password box opened and I
entered the username and password of the same user I was logged in as, and
it worked. It looks like the password was not OK the first time (I did the
map from a Windows "CMD" console to get the error message)... When I looked
at the Samba log for that workstation (log=0 ... sorry!), I noticed the
following error messages:

*********************************************
[2004/10/08 17:31:34, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2004/10/08 17:31:34, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Broken pipe
[2004/10/08 17:31:34, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 24: ERRNO = Broken pipe
[2004/10/08 17:31:34, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Broken pipe)
*********************************************

When the Samba share was established, it seemed to work OK.

But today, I changed the log setting (i.e. log=2), I repeated the same steps
and I noticed that there were some additional messages about NTLM being used
the second time (i.e. after the username/password box)...

See the following Samba log output:

*********************************************
[2004/10/13 16:01:57, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/10/13 16:01:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DEV-TESTAD.HYDRO.QC.CA\mv90ddmexp02$ is invalid on this system
[2004/10/13 16:01:58, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/10/13 16:01:58, 2] smbd/service.c:make_connection_snum(314)
  user 'qc9999' (from session setup) not permitted to access this share (ddm_mv90data)
[2004/10/13 16:01:58, 2] smbd/server.c:exit_server(571)
  Closing connections
[2004/10/13 16:02:13, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2004/10/13 16:02:13, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Broken pipe
[2004/10/13 16:02:13, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 24: ERRNO = Broken pipe
[2004/10/13 16:02:13, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Broken pipe)
[2004/10/13 16:02:13, 2] smbd/server.c:exit_server(571)
  Closing connections
[2004/10/13 16:02:13, 2] libsmb/namequery.c:name_query(492)
  Got a positive name query response from 10.6.1.103 ( 10.6.1.103 )
[2004/10/13 16:02:13, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [QC9999] -> [ddmuser] -> [ddmuser] succeeded
[2004/10/13 16:02:13, 1] smbd/service.c:make_connection_snum(648)
  mv90ddmexp02 (10.4.114.22) connect to service ddm_mv90data initially as user ddmuser (uid=40147, gid=30013) (pid 4162)
*********************************************

From that, I can only guess that when I try to map the Samba share from the
Windows XP Pro workstation, it fails and Samba seems to revert to NTLM
authentication... Is that possible?

Here is my "krb5.conf" file:

*********************************************
[libdefaults]
        default_realm = <REALM>

[realms]
        <REALM> = {
                default_domain = <REALM>
                kdc = 10.6.1.103
        }

[domain_realm]
        .<kerberos server> = <REALM>
        <kerberos server> = <REALM>
*********************************************

Here is my "smb.conf" file:

*********************************************
[global]
        workgroup = DEV-TESTAD
        netbios name = HONDA
        server string = honda
        interfaces = <IP address of honda> 127.0.0.1
        bind interfaces only = yes
        security = ads
        realm = <Domain of the Win2K3 server starting with "DEV-TESTAD.">
        allow trusted domains = yes
        encrypt passwords = yes
        password server = *
        wins support = no
        wins server = 10.6.1.103
        username map = /usr/local/samba307ads/lib/usermap.txt
        case sensitive = yes
        preserve case = yes
        short preserve case = yes
        default case = upper
        log file = /usr/local/samba307ads/var/log.%m
        log level = 2
        max log size = 50
        load printers = no
        preferred master = false
        local master = no
        domain master = false
        dns proxy = no
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[ddm_mv90data]
        path = /path/of/the/share
        guest ok = no
        directory mask = 0770
        create mask = 0660
        browseable = no
        writeable = yes
        valid users = ddmuser
*********************************************

Here is my "usermap.txt" file:

*********************************************
ddmuser = qc9999
*********************************************

Any help would be very much appreciated at this point!

Regards,

Marcello
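As an added illustration (not part of the original post), the following Python script parses Samba 3.x log entries of the shape quoted above and flags the sequence the post describes: a Kerberos session setup rejected in reply_spnego_kerberos, followed within a short window by a successful check_ntlm_password in the same per-client log. The sample log is constructed from the lines in the post; the 60-second window and the field names in the result are assumptions.

```python
import re
from datetime import datetime

# Samba 3.x log entry: a header "[date time, level] file:function(line)" followed by
# one or more message lines (some were also wrapped by the mail client in the post).
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+?):(\w+)\((\d+)\)\s*$")
KRB_REJECT = re.compile(r"Username (\S+) is invalid on this system")
NTLM_OK = re.compile(r"authentication for user \[(\S+)\] -> \[(\S+)\] -> \[(\S+)\] succeeded")

def parse_samba_log(text):
    """Return (timestamp, level, source file, function, message) tuples."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append([ts, int(m.group(2)), m.group(3), m.group(4), ""])
        elif entries and line.strip():  # continuation of the current message
            entries[-1][4] = (entries[-1][4] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def find_ntlm_fallbacks(entries, window_seconds=60):
    """Pair a rejected Kerberos session setup with a later NTLM success."""
    # Samba writes one log per client (log file = .../log.%m), so entries in a
    # single file belong to one workstation and can be correlated by time alone.
    findings, pending = [], None  # pending = (timestamp, rejected principal)
    for ts, _level, _src, func, msg in entries:
        krb = KRB_REJECT.search(msg) if func == "reply_spnego_kerberos" else None
        if krb:
            pending = (ts, krb.group(1))
        elif func == "check_ntlm_password" and pending:
            ntlm = NTLM_OK.search(msg)
            delay = (ts - pending[0]).total_seconds()
            if ntlm and delay <= window_seconds:
                findings.append({"kerberos_principal": pending[1], "ntlm_user": ntlm.group(1),
                                 "mapped_user": ntlm.group(3), "delay_s": delay})
                pending = None
    return findings

# Constructed sample, modelled on the lines quoted in the post above.
SAMPLE_LOG = """\
[2004/10/13 16:01:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DEV-TESTAD.HYDRO.QC.CA\\mv90ddmexp02$ is invalid on this system
[2004/10/13 16:02:13, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [QC9999] -> [ddmuser] ->
[ddmuser] succeeded
[2004/10/13 16:02:13, 1] smbd/service.c:make_connection_snum(648)
  mv90ddmexp02 (10.4.114.22) connect to service ddm_mv90data initially as
user ddmuser (uid=40147, gid=30013) (pid 4162)
"""
```

Running find_ntlm_fallbacks(parse_samba_log(SAMPLE_LOG)) reports one hit: the machine principal rejected by Kerberos, the NTLM account that then succeeded, the user it was mapped to, and the 15-second gap between the two.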
