[Samba] issues with 3.0.14a domain member after 2003 dc upgrade

Covington, Chris ccovington at plusone.com
Mon May 9 18:31:45 GMT 2005


> Hello list,
> 
> Recently I've rebuilt our Windows 2000 DCs to Windows 2003 
> SP1 DCs that my 3.0.14a, mit-krb5-1.3.6, openldap-2.1.30 
> Gentoo box is a part of.
> Since then, on the Samba box I can getent group, getent 
> passwd, wbinfo -t, wbinfo -g, wbinfo -u, etc. properly but 
> anyone who accesses the shares on the Samba member server 
> gets prompted for a password.  
> 
> The logs are as follows:
> 
> [2005/05/06 14:25:49, 0] lib/util_sock.c:read_socket_data(384)
>   read_socket_data: recv failure for 4. Error = Connection 
> reset by peer
> [2005/05/06 14:42:05, 0] lib/util_sock.c:read_socket_data(384)
>   read_socket_data: recv failure for 4. Error = Connection 
> reset by peer
> 
> or:
> 
> [2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>   Username DOMAIN\user is invalid on this system
> [2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>   Username DOMAIN\SERVER$ is invalid on this system
> [2005/05/06 14:59:02, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
>   api_pipe_bind_req: unknown auth type 9 requested.
> 
> My krb5.conf looks like the following:
> 
> [libdefaults]
>         default_realm = EXAMPLE.COM
> 
> [realms]
>         EXAMPLE.COM = {
>         kdc = dc1.example.com:88
>         kdc = dc2.example.com:88
>         }
> 
> My smb.conf looks like the following:
> 
> [global] 
>         netbios name = VIDEODROME
>         socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>         idmap uid = 10000-20000 
>         winbind enum users = yes 
>         winbind gid = 10000-20000 
>         workgroup = DOMAIN
>         os level = 20
>         winbind enum groups = yes
>         winbind use default domain = yes
>         client use spnego = yes
>         password server = *
>         preferred master = no
>         log file = /var/log/samba/log.%m
>         encrypt passwords = yes
>         dns proxy = no
>         realm = EXAMPLE.COM 
>         security = ADS
>         wins server = dc1.example.com dc2.example.com
>         wins proxy = no
> 
> [checkpoint]
>         valid users = "DOMAIN\IT"
>         path = /var/platform/host/docs
>         public = no
>         writable = yes
>         forceuser = cchamberlain
> 
> I've tried:  removing the machine from the domain and adding 
> it back in, adding client use spnego = yes to smb.conf, using 
> heimdal instead of mit-krb5, specifying the default 
> encryption types of windows 2003 in
> krb5.conf:
> #        default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> #        default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> #        forwardable = true
> #        proxiable = true
> #        dns_lookup_realm = true
> #        dns_lookup_kdc = true
> #        permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> des-cbc-md4 des3-cbc-sha1 des-cbc-md4
> 
> All to no avail.  Does anyone have any suggestions?

Does anyone have any suggestions as to what this could be?  I've seen
similar posts in the archive go unresponded, and I'm wondering if
perhaps this is an unsupported configuration.

---
Chris Covington
IT
Plus One Health Management
75 Maiden Lane Suite 801
NY, NY 10038
646-312-6269
http://www.plusoneactive.com
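
An added example, not part of the original post and not Samba project code: a small parser for the smbd log format quoted above, which strips mail quoting, rejoins messages the mail client wrapped, and counts entries per reporting function. The sample input is the log excerpt from the post (one of the two identical read_socket_data entries omitted); the names `parse_samba_log` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Header of a Samba 3.x log entry: "[date time, level] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w./]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

def parse_samba_log(text):
    """Return one dict per log entry; wrapped message lines are joined in 'msg'."""
    entries = []
    for raw in text.splitlines():
        # Drop mail quoting ("> ") so logs pasted from a list post also parse.
        line = re.sub(r"^(>\s?)+", "", raw).rstrip()
        m = HEADER.match(line)
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"])
            entry["msg"] = ""
            entries.append(entry)
        elif line.strip() and entries:
            # Message body, possibly split over several lines by the mail client.
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def summarize(entries):
    """Count entries per (function, message), masking the account name."""
    counts = Counter()
    for e in entries:
        msg = re.sub(r"Username \S+ is", "Username <account> is", e["msg"])
        counts[(e["func"], msg)] += 1
    return counts

# Log lines as quoted in the post (raw string: the text contains backslashes).
SAMPLE = r"""
> [2005/05/06 14:25:49, 0] lib/util_sock.c:read_socket_data(384)
>   read_socket_data: recv failure for 4. Error = Connection
> reset by peer
> [2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>   Username DOMAIN\user is invalid on this system
> [2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>   Username DOMAIN\SERVER$ is invalid on this system
> [2005/05/06 14:59:02, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
>   api_pipe_bind_req: unknown auth type 9 requested.
"""

if __name__ == "__main__":
    for (func, msg), n in summarize(parse_samba_log(SAMPLE)).most_common():
        print(n, func, msg)
```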

