[Samba] Problems viewing shares on a SAMBA/Windows 2003 ADS setup

Ryan Rhoads RRhoads at hmstech.com
Fri Feb 3 20:20:42 GMT 2006 

Greetings,

 

I've set up a Fedora Core 4 server to be a file server, among other
things, to a mostly-Windows network. The Windows server I'm using to
authenticate against is a fully-patched Windows 2003 Small Business
server. I've used as many tutorials online that I can find. However,
once the server joins the domain and a share has been created, I am
bombarded with constant login prompts to view the share, no matter what
the username/password I use. I'm never able to map/view the share.

 

I've gotten the box to join the Windows domain:

 

[root at server ~]# net ads join -U username

username's password:

[2006/02/03 14:18:39, 0] libads/ldap.c:ads_add_machine_acct(1405)

  ads_add_machine_acct: Host account for server already exists -
modifying old account

Using short domain name -- DOMAIN

Joined 'SERVER' to realm 'DOMAIN.LOCAL'

 

I've been able to initialize the user:

 

[root at server ~]# kinit username

Password for username at DOMAIN.LOCAL:

[root at server ~]#

 

I've been able to view the klist data:

 

[root at server  ~]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: username at DOMAIN.LOCAL

 

Valid starting     Expires            Service principal

02/03/06 14:23:17  02/04/06 00:23:19  krbtgt/ DOMAIN.LOCAL at DOMAIN.LOCAL

        renew until 02/04/06 14:23:17

 

 

Kerberos 4 ticket cache: /tmp/tkt0

klist: You have no tickets cached

 

I've been able to use smbclient to view a default admin share on another
server (IE: smbclient //servername/c$). I've used wbinfo -u and wbinfo
-g to view the live list of domain users and groups. I can view net ads
information as such:

 

[root at server  ~]# net ads info

LDAP server: 10.34.1.20

LDAP server name: ad-server

Realm: DOMAIN.LOCAL

Bind Path: dc=DOMAIN,dc=LOCAL

LDAP port: 389

Server time: Fri, 03 Feb 2006 14:35:00 GMT

KDC server: 10.34.1.20

Server time offset: 0

 

No matter what I've tried to do, I cannot view the shares on the Samba
server from any other Windows box. I've dug through every web link I can
find online. Every link I can dig up through Google now is marked as
read. Below are my configuration files. Any ideas? I would appreciate
any help.

 

Thanks,

Ryan

 

Server Information ( /proc/version ):

Fedora Core 4

Linux version 2.6.14-1.1656_FC4smp
(bhcompile at hs20-bc1-4.build.redhat.com) (gcc version 4.0.2 20051125 (Red
Hat 4.0.2-8)) #1 SMP Thu Jan 5 22:26:33 EST 2006

 

/etc/samba/smb.conf:

Version: 3.0.14a-2

 

#======================= Global Settings
=====================================

[global]

 

        workgroup = domain

        server string = Resources Device

        log file = /var/log/samba/smb.%m.log

        max log size = 500

 

        realm = DOMAIN.LOCAL

        password server = ad-server.domain.local

        security = ADS

        encrypt passwords = yes

 

        client signing = yes

        #use kerberos keytab = true

        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        winbind uid = 10000-20000

        winbind gid = 10000-20000

        winbind separator = +

        winbind enum users = yes

        winbind enum groups = yes

        idmap uid = 10000-20000

        idmap gid = 10000-20000

        winbind use default domain = yes

        winbind nested groups = yes

        # winbind trusted domains only = no

 

        #ldap idmap suffix = ou=Idmap,dc=domain,dc=local

 

        local master = no

        domain master = no

        preferred master = no

        dns proxy = no

 

#============================ Share Definitions
==============================

 

[ZeeDrive]

        comment = General User Drive

        path = /path/to/share

        public = yes

        browseable = yes

        writeable = yes

        valid users = @"domain users"

        force user = %S

 

/etc/krb5.conf

Version: krb5-libs-1.4-3

 

[libdefaults]

        default_realm = DOMAIN.LOCAL

        default_keytab_name = FILE:/etc/krb5.keytab

        default_lookup_realm = true

        default_lookup_kdc = true

 

[realms]

        DOMAIN.LOCAL = {

                kdc = ad-server.domain.local

        }

 

[domain_realms]

        .domain.local = DOMAIN.LOCAL

 

 

Repeating Error Log Message from /var/log/samba/smb.X.X.X.X.log

This error is generated every time I try to view the share information
on the samba server:

 

[2006/02/03 14:49:59, 1] libads/kerberos_verify.c:ads_verify_ticket(324)

  ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in
replay cache code)

[2006/02/03 14:49:59, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)

  Failed to verify incoming ticket!

 

No other logs are generating any worth-while errors.

More information about the samba mailing list