[Samba] Problems after changing security = domain to security = ads

Hamish lists at subvs.co.uk
Tue Jun 7 09:58:43 GMT 2005 

On Monday 06 June 2005 13:22, Hamish wrote:
> Hello all
> I have a samba domain member authenticating to a w2k3 server, after
> installing SP1, there were problems, and a solution I found was to change
> to security = ads. This seemed to work fine, but today no-one can get their
> home drives, and some people are denied access to shares where the
> permissions on the files are rwx for the user.
> I did not change anything other than the security line in smb.conf and
> rejoined the domain with `net ads join -U administrator` (this was
> successful)
>
> I find this in the samba log when users try to connect:
> [2005/06/06 13:16:17, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
> old resources.
> [2005/06/06 13:16:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>   Failed to verify incoming ticket!
>
> I can do `kinit Administrator at MY.DOMAIN.NET` and it returns no errors (but
> no success either - if I put in a wrong password, it gives an error though,
> so i guess this is ok)
>
> Anyone have any ideas? or can I change back to security = domain with some
> other fix?
>
> Thanks,
> H
Looks like this might be a lonely troubleshoot, but here is more for anyone 
who may experience similar symptoms... (and of course any kind people who 
throw in a suggestion or two)

I have narrowed this down to what seems to be incompatable auth methods:
In XPsp2, I go to \\smbserver\fred - this shows either an empty folder, or an 
error (I have hide unreadable = on, so this may be the cause)
With konqueror, (smbclient -V: Version 3.0.15pre2-0.1-SUSE) i can go to 
smb:/user at smbserver - i get a user/pass dialog, and then i can see the 
directory fine!

Is my logic right? The xp clients are using some other kind of auth or 
connection than smbclient does?

The windows clients work ok, but it seems that the files they need to be chmod 
740 at least (700, 710 does not work, file owned by user.domain users)

Rather than play around with permissions (that worked before the trouble 
started) I would like to see what xpsp2 and smbclient do differently - please 
could anyone help with this?

Thanks,
H
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20050607/eee79faa/attachment.bin

More information about the samba mailing list