[Samba] Problems viewing shares on a SAMBA/Windows 2003 ADS setup
Ryan Rhoads
RRhoads at hmstech.com
Fri Feb 3 20:20:42 GMT 2006
Greetings,

I've set up a Fedora Core 4 server to be a file server, among other
things, to a mostly-Windows network. The Windows server I'm using to
authenticate against is a fully-patched Windows 2003 Small Business
server. I've used as many tutorials online as I can find. However,
once the server joins the domain and a share has been created, I am
bombarded with constant login prompts to view the share, no matter what
the username/password I use. I'm never able to map/view the share.

I've gotten the box to join the Windows domain:
[root@server ~]# net ads join -U username
username's password:
[2006/02/03 14:18:39, 0] libads/ldap.c:ads_add_machine_acct(1405)
ads_add_machine_acct: Host account for server already exists -
modifying old account
Using short domain name -- DOMAIN
Joined 'SERVER' to realm 'DOMAIN.LOCAL'

I've been able to initialize the user:
[root@server ~]# kinit username
Password for username@DOMAIN.LOCAL:
[root@server ~]#

I've been able to view the klist data:
[root@server ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: username@DOMAIN.LOCAL

Valid starting     Expires            Service principal
02/03/06 14:23:17  02/04/06 00:23:19  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 02/04/06 14:23:17

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I've been able to use smbclient to view a default admin share on another
server (i.e., smbclient //servername/c$). I've used wbinfo -u and wbinfo
-g to view the live list of domain users and groups. I can view net ads
information as such:
[root@server ~]# net ads info
LDAP server: 10.34.1.20
LDAP server name: ad-server
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: Fri, 03 Feb 2006 14:35:00 GMT
KDC server: 10.34.1.20
Server time offset: 0

No matter what I've tried to do, I cannot view the shares on the Samba
server from any other Windows box. I've dug through every web link I can
find online. Every link I can dig up through Google now is marked as
read. Below are my configuration files. Any ideas? I would appreciate
any help.

Thanks,
Ryan

Server Information ( /proc/version ):
Fedora Core 4
Linux version 2.6.14-1.1656_FC4smp (bhcompile@hs20-bc1-4.build.redhat.com) (gcc version 4.0.2 20051125 (Red Hat 4.0.2-8)) #1 SMP Thu Jan 5 22:26:33 EST 2006
/etc/samba/smb.conf:
Version: 3.0.14a-2
#======================= Global Settings =====================================
[global]
workgroup = domain
server string = Resources Device
log file = /var/log/samba/smb.%m.log
max log size = 500
realm = DOMAIN.LOCAL
password server = ad-server.domain.local
security = ADS
encrypt passwords = yes
client signing = yes
#use kerberos keytab = true
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
winbind nested groups = yes
# winbind trusted domains only = no
#ldap idmap suffix = ou=Idmap,dc=domain,dc=local
local master = no
domain master = no
preferred master = no
dns proxy = no
#============================ Share Definitions ==============================
[ZeeDrive]
comment = General User Drive
path = /path/to/share
public = yes
browseable = yes
writeable = yes
valid users = @"domain users"
force user = %S
/etc/krb5.conf
Version: krb5-libs-1.4-3
[libdefaults]
default_realm = DOMAIN.LOCAL
default_keytab_name = FILE:/etc/krb5.keytab
default_lookup_realm = true
default_lookup_kdc = true
[realms]
DOMAIN.LOCAL = {
kdc = ad-server.domain.local
}
[domain_realms]
.domain.local = DOMAIN.LOCAL
Repeating Error Log Message from /var/log/samba/smb.X.X.X.X.log
This error is generated every time I try to view the share information
on the samba server:
[2006/02/03 14:49:59, 1] libads/kerberos_verify.c:ads_verify_ticket(324)
ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in
replay cache code)
[2006/02/03 14:49:59, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
No other logs are generating any worthwhile errors.
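
Added example, not part of the original post: a small Python parser for the Samba 3.x log layout shown in the excerpt above (a bracketed header line followed by wrapped message lines) that pulls out Kerberos ticket-verification failures and counts them by reason. The function names are illustrative assumptions, and the sample input is the excerpt from the post, embedded inline.

```python
import re
from collections import Counter

# Header line of a Samba 3.x log entry: "[timestamp, level] file:function(line)".
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(?P<level>\d+)\] "
    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

# Sample input: the two entries quoted in the post, embedded so this runs offline.
SAMPLE_LOG = """\
[2006/02/03 14:49:59, 1] libads/kerberos_verify.c:ads_verify_ticket(324)
ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in
replay cache code)
[2006/02/03 14:49:59, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
"""

def parse_entries(text):
    """Attach each wrapped message line to the header that precedes it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def kerberos_failures(entries):
    """Return (timestamp, function, reason) for ticket-verification failures."""
    hits = []
    for e in entries:
        if e["func"] == "ads_verify_ticket" and "failed" in e["msg"]:
            # The Kerberos library's reason is the trailing parenthesised text.
            reason = re.search(r"\(([^()]+)\)\s*$", e["msg"])
            hits.append((e["ts"], e["func"], reason.group(1) if reason else e["msg"]))
        elif e["func"] == "reply_spnego_kerberos" and "Failed to verify" in e["msg"]:
            hits.append((e["ts"], e["func"], e["msg"]))
    return hits

def count_by_reason(text):
    """Count failures per reason, so a repeating error stands out."""
    return Counter(reason for _, _, reason in kerberos_failures(parse_entries(text)))

if __name__ == "__main__":
    for reason, n in count_by_reason(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {reason}")
```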