[Samba] Samba + Win2k works, Win2003 fails

Michael Schurter michael at susens-schurter.com
Wed Dec 6 17:28:19 GMT 2006


Hi all,

I've finally almost gotten my desired Samba+AD integration working: I've
joined a domain, AD users can log in, Kerberos works (keytab integration,
caching, etc.), etc.

However, this is only true as long as I hack my /etc/hosts
and /etc/samba/lmhosts files to trick Samba into always using my
network's Windows 2000 Active Directory Server.  The second a Samba
command finds and attempts to use the 2003 server, it fails.

Workstation: Debian Sid, Samba 3.0.23d (pam_winbind, MIT kerberos)

Domain: TREMONT
Realm: tremont.local
AD Servers:
	thsdc1/192.168.100.4 (Windows 2000)
	thsdc2/192.168.100.6 (Windows 2003)

So both my hosts & lmhosts files point thsdc2 to thsdc1's IP address
which seems to trick Samba into always using thsdc1.  thsdc1 is also
what I set all the appropriate /etc/krb5.conf settings to.

Here's the error message I get when attempting to use thsdc2 from pretty
much any Samba command (without hosts file hacks):

michael at schurter3-Linux:~$ net -U admin%PASSWORD -d8 ads status

...snip charset and parameter debugging info...

  Netbios name list:-
  my_netbios_names[0]="SCHURTER3-LINUX"
[2006/12/06 11:08:39, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.101.51 bcast=192.168.103.255
nmask=255.255.252.0
[2006/12/06 11:08:39, 6] libads/ldap.c:ads_find_dc(224)
  ads_find_dc: looking for realm 'TREMONT.LOCAL'
[2006/12/06 11:08:39, 8] libsmb/namequery.c:get_sorted_dc_list(1551)
  get_sorted_dc_list: attempting lookup using [ads]
[2006/12/06 11:08:39, 5] lib/gencache.c:gencache_init(61)
  Opening cache file at /var/run/samba/gencache.tdb
[2006/12/06 11:08:39, 5] tdb/tdbutil.c:tdb_log(783)
  tdb(unnamed): tdb_open_ex: could not open
file /var/run/samba/gencache.tdb: Permission denied
[2006/12/06 11:08:39, 5] lib/gencache.c:gencache_init(70)
  gencache_init: Opening cache file /var/run/samba/gencache.tdb
read-only.
[2006/12/06 11:08:39, 5] libsmb/namequery.c:saf_fetch(105)
  saf_fetch: failed to find server for "TREMONT.LOCAL" domain
[2006/12/06 11:08:39, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: ", *"
[2006/12/06 11:08:39, 5] libsmb/namecache.c:namecache_fetch(201)
  name TREMONT.LOCAL#1C found.
[2006/12/06 11:08:39, 8] libsmb/namequery.c:get_dc_list(1441)
  Adding 2 DC's from auto lookup
[2006/12/06 11:08:39, 4] libsmb/namequery.c:get_dc_list(1529)
  get_dc_list: returning 2 ip addresses in an ordered list
[2006/12/06 11:08:39, 4] libsmb/namequery.c:get_dc_list(1530)
  get_dc_list: 192.168.100.6:389 192.168.100.4:389
[2006/12/06 11:08:39, 5] libads/ldap.c:ads_try_connect(127)
  ads_try_connect: sending CLDAP request to 192.168.100.6 (realm:
TREMONT.LOCAL)
[2006/12/06 11:08:39, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 192.168.100.6
[2006/12/06 11:08:54, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Operations error
[2006/12/06 11:08:54, 2] utils/net.c:main(988)
  return code = -1

The last few log messages show where the LDAP connection to the Windows
2003 server (thsdc2/192.168.100.6) fails.

Here's what it looks like when I force it to use my Windows 2000 Server:

$ net -U admin%PASSWORD -d8 -S thsdc1 ads status
...snip parameters & charset debugging info...
  Netbios name list:-
  my_netbios_names[0]="SCHURTER3-LINUX"
[2006/12/06 11:09:30, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.101.51 bcast=192.168.103.255
nmask=255.255.252.0
[2006/12/06 11:09:30, 5] libads/ldap.c:ads_try_connect(127)
  ads_try_connect: sending CLDAP request to thsdc1 (realm:
TREMONT.LOCAL)
[2006/12/06 11:09:30, 5] lib/gencache.c:gencache_init(61)
  Opening cache file at /var/run/samba/gencache.tdb
[2006/12/06 11:09:30, 5] tdb/tdbutil.c:tdb_log(783)
  tdb(unnamed): tdb_open_ex: could not open
file /var/run/samba/gencache.tdb: Permission denied
[2006/12/06 11:09:30, 5] lib/gencache.c:gencache_init(70)
  gencache_init: Opening cache file /var/run/samba/gencache.tdb
read-only.
[2006/12/06 11:09:30, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 192.168.100.4
[2006/12/06 11:09:30, 4] libads/ldap.c:ads_current_time(2296)
  time offset is 2 seconds
[2006/12/06 11:09:30, 4] libads/sasl.c:ads_sasl_bind(468)
  Found SASL mechanism GSS-SPNEGO

...snipped successful kerberos auth & data returned...

Any ideas on why Win2000 works, but Win2003 fails?

Thanks!

Michael Schurter
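
Added example (not part of the original post): a small parser for the `-d8` debug format shown above that reports which DCs were candidates, which one the client bound to, and how long it stalled before the first level-0 error. The names `parse` and `summarize` are hypothetical, and the sample is a constructed excerpt reusing lines from the post's output.

```python
import re
from datetime import datetime

# Constructed sample: records in the "[date time, level] file:func(line)" format from the post.
SAMPLE = """\
[2006/12/06 11:08:39, 4] libsmb/namequery.c:get_dc_list(1530)
  get_dc_list: 192.168.100.6:389 192.168.100.4:389
[2006/12/06 11:08:39, 3] libads/ldap.c:ads_connect(287)
  Connected to LDAP server 192.168.100.6
[2006/12/06 11:08:54, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Operations error
[2006/12/06 11:08:54, 2] utils/net.c:main(988)
  return code = -1
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] (\S+):(\w+)\((\d+)\)")
ADDR = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+")

def parse(text):
    """Return (timestamp, level, function, message) for each debug record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            records.append([ts, int(m.group(2)), m.group(4), ""])
        elif records and line.strip():
            # Indented or mail-wrapped lines continue the previous record's message.
            records[-1][3] = (records[-1][3] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def summarize(text):
    """Report candidate DCs, the DC bound to, and the first level-0 error with its delay."""
    out = {"candidates": [], "connected": None, "error": None, "delay_s": None}
    t_conn = None
    for ts, level, func, msg in parse(text):
        if func == "get_dc_list" and ADDR.search(msg):
            out["candidates"] = ADDR.findall(msg)
        elif func == "ads_connect" and msg.startswith("Connected to LDAP server"):
            out["connected"], t_conn = msg.split()[-1], ts
        elif level == 0 and out["error"] is None:
            out["error"] = msg
            if t_conn is not None:
                out["delay_s"] = int((ts - t_conn).total_seconds())
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the excerpt this shows the client binding to the first address in the ordered list and waiting 15 seconds after the LDAP connect before the error is logged.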


