[Samba] issues with 3.0.14a domain member after 2003 dc upgrade
Covington, Chris
ccovington at plusone.com
Fri May 6 19:10:30 GMT 2005
Hello list,
Recently I've rebuilt our Windows 2000 DCs to Windows 2003 SP1 DCs that
my 3.0.14a, mit-krb5-1.3.6, openldap-2.1.30 Gentoo box is a part of.
Since then, on the Samba box I can getent group, getent passwd, wbinfo
-t, wbinfo -g, wbinfo -u, etc. properly but anyone who accesses the
shares on the Samba member server gets prompted for a password.
The logs are as follows:
[2005/05/06 14:25:49, 0] lib/util_sock.c:read_socket_data(384)
read_socket_data: recv failure for 4. Error = Connection reset by peer
[2005/05/06 14:42:05, 0] lib/util_sock.c:read_socket_data(384)
read_socket_data: recv failure for 4. Error = Connection reset by peer
or:
[2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username DOMAIN\user is invalid on this system
[2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username DOMAIN\SERVER$ is invalid on this system
[2005/05/06 14:59:02, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
api_pipe_bind_req: unknown auth type 9 requested.
My krb5.conf looks like the following:
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = dc1.example.com:88
kdc = dc2.example.com:88
}
My smb.conf looks like the following:
[global]
netbios name = VIDEODROME
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
winbind gid = 10000-20000
workgroup = DOMAIN
os level = 20
winbind enum groups = yes
winbind use default domain = yes
client use spnego = yes
password server = *
preferred master = no
log file = /var/log/samba/log.%m
encrypt passwords = yes
dns proxy = no
realm = EXAMPLE.COM
security = ADS
wins server = dc1.example.com dc2.example.com
wins proxy = no
[checkpoint]
valid users = "DOMAIN\IT"
path = /var/platform/host/docs
public = no
writable = yes
forceuser = cchamberlain
I've tried: removing the machine from the domain and adding it back in,
adding client use spnego = yes to smb.conf, using heimdal instead of
mit-krb5, specifying the default encryption types of Windows 2003 in
krb5.conf:
# default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
# default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
# forwardable = true
# proxiable = true
# dns_lookup_realm = true
# dns_lookup_kdc = true
# permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-cbc-sha1 des-cbc-md4
All to no avail. Does anyone have any suggestions?
thanks
---
Chris Covington
IT
Plus One Health Management
75 Maiden Lane Suite 801
NY, NY 10038
646-312-6269
http://www.plusoneactive.com
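
Added example, not part of the original post: a small Python parser for the smbd log entries quoted above. It groups entries by source function and pulls out the account names rejected in reply_spnego_kerberos and the unknown RPC auth type. The function names and SAMPLE_LOG are constructed for illustration, and the two-line entry layout (header line, then message) is assumed from the excerpts in the post.

```python
import re
from collections import Counter

# Constructed sample: entries copied from the post, in smbd's two-line layout.
SAMPLE_LOG = r"""
[2005/05/06 14:25:49, 0] lib/util_sock.c:read_socket_data(384)
  read_socket_data: recv failure for 4. Error = Connection reset by peer
[2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DOMAIN\user is invalid on this system
[2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DOMAIN\SERVER$ is invalid on this system
[2005/05/06 14:59:02, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
  api_pipe_bind_req: unknown auth type 9 requested.
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+), +(?P<level>\d+)\] "
                    r"(?P<file>[^:]+):(?P<func>\w+)\((?P<line>\d+)\)$")
INVALID_USER = re.compile(r"^Username (?P<user>\S+) is invalid on this system$")
UNKNOWN_AUTH = re.compile(r"unknown auth type (?P<type>\d+) requested")


def parse_entries(text):
    """Yield one dict per entry: a header line plus the message lines after it."""
    entry = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            if entry:
                yield entry
            entry = dict(m.groupdict(), msg="")
        elif entry is not None and line:
            entry["msg"] = (entry["msg"] + " " + line).strip()
    if entry:
        yield entry


def summarize(text):
    """Return (entries per function, rejected account names, unknown auth types)."""
    by_func, rejected, auth_types = Counter(), Counter(), Counter()
    for e in parse_entries(text):
        by_func[e["func"]] += 1
        m = INVALID_USER.match(e["msg"])
        if m:  # a trailing "$" marks a machine account rather than a user
            user = m.group("user")
            rejected[("machine" if user.endswith("$") else "user", user)] += 1
        m = UNKNOWN_AUTH.search(e["msg"])
        if m:
            auth_types[int(m.group("type"))] += 1
    return by_func, rejected, auth_types
```

Run over a full /var/log/samba/log.%m file, the rejected-name counter shows whether only users or also machine accounts are failing the Kerberos session setup.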