[Samba] Problems with Samba and Active Directory

Ryan wyild1 at gmail.com
Fri Dec 28 20:21:03 GMT 2007


I have version 5 installed, that was just the output of klist

Ya I have followed that and still no luck.  Actually, now I'm getting
different errors!  GAH!

When I try to connect after restarting the services, the logfile seems to
show it's passing the domain FEDORAFTP.....which makes NO sense

[2007/12/28 14:14:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2007/12/28 14:14:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/12/28 14:14:57, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[redwards] domain=[FEDORAFTP] workstation=[PIP03572] len1=24 len2=24

now I have the WTF going on lol

On Dec 28, 2007 2:01 PM, Dale Schroeder <dale at briannassaladdressing.com>
wrote:

>  Maybe it was a typo, but you mentioned Kerberos 4 in the original post.
> Do you have version 5 installed?
>
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> > [root at fedoraftp /]#
>
> Not knowing everything you've done, perhaps try comparing what you did to
> the following two articles.  These are what I follow.
>
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
>
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
>
> They cover Samba/winbind/nsswitch/kerberos/pam - everything needed for ADS
> integration.
>
> Dale
>
> Ryan wrote:
>
> Thanks, but now it throws a different error :(
>
> From log of computer trying to connect to the share
>
> [2007/12/28 13:40:54, 3]
> libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
>   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
> Decrypt integrity check failed
> [2007/12/28 13:40:54, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
>   ads_verify_ticket: krb5_rd_req with auth failed (Decrypt integrity check
> failed)
> [2007/12/28 13:40:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2007/12/28 13:40:54, 3] smbd/error.c:error_packet_set(106)
>   error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2007/12/28 13:40:54, 3] smbd/process.c:timeout_processing(1328)
>   timeout_processing: End of file from client (client has disconnected).
>
>
> noticed this in the log.smbd file
>
>
> [2007/12/28 13:40:19, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
>   ads_sasl_spnego_bind: got server principal name = pipdc01$@PIPFS.LOCAL
> [2007/12/28 13:40:19, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
>   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found)
> [2007/12/28 13:40:19, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache]
> expiration Fri, 28 Dec 2007 23:40:19 CST
>
>
> Any other thoughts? :)
>
> Cheers!
>
>
> On Dec 28, 2007 1:29 PM, Dale Schroeder <dale at briannassaladdressing.com>
> wrote:
>
> > Ryan,
> >
> > In your share try prefacing domain users and groups with the workgroup:
> >
> >    admin users = @"PIPFS#Domain Users"
> >    valid users = @"PIPFS#Domain Users"
> >
> > This is required since Samba 3.0.23.
> >
> > Good luck,
> > Dale
> >
> > Ryan wrote:
> > > Afternoon!
> > >
> > > Let me apologize first if this is something soooo simple, but I have been
> > > working on this for days and I'm still stuck on one part.
> > >
> > > Where to start.  Small user environment (under 100 users) using Active
> > > Directory on Win 2k3 server.  Running Fedora 8 on a server, and I am trying
> > > to get it added to the domain, and to be able to access a share using
> > > Windows usernames and passwords.
> > >
> > > The server (known from here as fedoraftp) can kinit
> > >
> > > [root at fedoraftp /]# kinit Administrator
> > > Password for Administrator at DOMAIN.LOCAL:
> > > [root at fedoraftp /]# klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: Administrator at DOMAIN.LOCAL
> > >
> > > Valid starting     Expires            Service principal
> > > 12/28/07 12:44:31  12/28/07 22:44:35  krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
> > >         renew until 12/29/07 12:44:31
> > >
> > >
> > > Kerberos 4 ticket cache: /tmp/tkt0
> > > klist: You have no tickets cached
> > > [root at fedoraftp /]#
> > >
> > > It can join the domain
> > > [root at fedoraftp /]# net ads join -U Administrator
> > > Administrator's password:
> > > Using short domain name -- DOMAIN
> > > Joined 'FEDORAFTP' to realm 'DOMAIN.LOCAL'
> > > [root at fedoraftp /]#
> > >
> > > wbinfo -u, wbinfo -g, getent passwd and getent group both show correct
> > > information (not going to show output).  I can also login locally on
> > > fedoraftp using my windows username and password and not have any issues.
> > > What I cannot get to work is accessing the share, as it won't take any
> > > username/password thrown at it.
> > >
> > > smb.conf
> > > [global]
> > >         log file = /var/log/samba/log.%m
> > >         guest account = admin
> > >         load printers = no
> > >         show add printer wizard = No
> > >         idmap gid = 10000-20000
> > >         smb passwd file = /etc/samba/smbpasswd
> > >         unix password sync = yes
> > >         guest ok = yes
> > >         encrypt passwords = yes
> > >         realm = PIPFS.LOCAL
> > >         template shell = /bin/bash
> > >         netbios name = FEDORAFTP
> > >         cups options = raw
> > >         server string = Fedora Server Ver %v
> > >         idmap uid = 10000-20000
> > >         password server = 192.168.0.240
> > >         winbind nested groups = yes
> > >         workgroup = PIPFS
> > >         dns proxy = no
> > >         passwd program = /usr/bin/passwd %u
> > >         obey pam restrictions = yes
> > >         os level = 20
> > >         security = ads
> > >         preferred master = no
> > >         max log size = 50
> > >         winbind separator = #
> > >         winbind cache time = 0
> > >         log level = 3
> > >         winbind enum users = yes
> > >         winbind enum groups = yes
> > >         winbind use default domain = yes
> > >         passdb backend = tdbsam
> > >
> > > [FTP]
> > >         msdfs root = yes
> > >         inherit permissions = yes
> > >         writeable = yes
> > >         admin users = @"domain users"
> > >         path = /home/ftpshare/
> > >         create mask = 700
> > >         directory mask = 700
> > >         valid users = admin,@"domain users",
> > >         inherit acls = yes
> > >         ; public=yes
> > >
> > > Output of /var/log/samba/log.smbd
> > >
> > > [2007/12/28 12:53:05, 0] smbd/server.c:main(944)
> > >   smbd version 3.0.28-0.fc8 started.
> > >   Copyright Andrew Tridgell and the Samba Team 1992-2007
> > > [2007/12/28 12:53:05, 2] param/loadparm.c:do_section(3796)
> > >   Processing section "[FTP]"
> > > [2007/12/28 12:53:05, 3] param/loadparm.c:lp_add_ipc(2711)
> > >   adding IPC service
> > > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(117)
> > >   reloading printcap cache
> > > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(223)
> > >   reload status: ok
> > > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(117)
> > >   reloading printcap cache
> > > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(223)
> > >   reload status: ok
> > > [2007/12/28 12:53:05, 2] lib/interface.c:add_interface(81)
> > >   added interface ip=192.168.0.50 bcast=192.168.0.255 nmask=
> > 255.255.255.0
> > > [2007/12/28 12:53:05, 3] smbd/server.c:main(982)
> > >   loaded services
> > > [2007/12/28 12:53:05, 3] smbd/server.c:main(997)
> > >   Becoming a daemon.
> > > [2007/12/28 12:53:05, 2] lib/tallocmsg.c:register_msg_pool_usage(105)
> > >   Registered MSG_REQ_POOL_USAGE
> > > [2007/12/28 12:53:05, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75)
> > >   Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> > > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
> > >   store_gid_sid_cache: gid 0 in cache ->
> > > S-1-5-21-3422581952-716862249-2814536807-1002
> > > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
> >
> > >   store_gid_sid_cache: gid 10000 in cache -> S-1-5-32-544
> > > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
> > >   store_gid_sid_cache: gid 10001 in cache -> S-1-5-32-545
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> > >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > > [2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
> > >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> > >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-22-1-0]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-5-2]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-5-11]
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] libsmb/namequery.c:get_dc_list(1489)
> > >   get_dc_list: preferred server list: "192.168.0.240, 192.168.0.240"
> > > [2007/12/28 12:53:05, 3] libads/ldap.c:ads_connect(394)
> > >   Connected to LDAP server 192.168.0.240
> > > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> > >   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> > > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> > >   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> > > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> > >   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> > > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> > >   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> > > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
> > >   ads_sasl_spnego_bind: got server principal name =
> > pipdc01$@DOMAIN.LOCAL
> > > [2007/12/28 12:53:05, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
> > >   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> > found)
> > > [2007/12/28 12:53:05, 3]
> > libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
> > >   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache]
> > > expiration Fri, 28 Dec 2007 22:53:05 CST
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> > >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > > [2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
> > >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> > >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
> >
> > >   store_gid_sid_cache: gid 10008 in cache ->
> > > S-1-5-21-1220945662-682003330-839522115-513
> > > [2007/12/28 12:53:05, 3]
> > passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> > >   fetch gid from cache 10000 -> S-1-5-32-544
> > > [2007/12/28 12:53:05, 3]
> > passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> > >   fetch gid from cache 10001 -> S-1-5-32-545
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> > >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > > [2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
> > >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> > >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID
> > > [S-1-5-21-3422581952-716862249-2814536807-501]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID
> > > [S-1-5-21-1220945662-682003330-839522115-513]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-5-2]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-5-32-546]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-22-2-10008]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-5-32-545]
> > > [2007/12/28 12:53:05, 3]
> > passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> > >   fetch gid from cache 10008 ->
> > S-1-5-21-1220945662-682003330-839522115-513
> > > [2007/12/28 12:53:05, 3]
> > passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> > >   fetch gid from cache 10001 -> S-1-5-32-545
> > > [2007/12/28 12:53:05, 3]
> > printing/printing.c:start_background_queue(1388)
> > >   start_background_queue: Starting background LPQ thread
> > > [2007/12/28 12:53:05, 2] smbd/server.c:open_sockets_smbd(458)
> > >   waiting for a connection
> > >
> > >
> > > The main thing I see in the log from the computer trying to connect is
> > > (log is huge...not going to post it all)
> > >
> > > [2007/12/28 12:56:55, 2] smbd/service.c:make_connection_snum(616)
> > >   user 'DOMAIN#redwards' (from session setup) not permitted to access
> > this
> > > share (FTP)
> > > [2007/12/28 12:56:55, 3] smbd/error.c:error_packet_set(106)
> > >   error packet at smbd/reply.c(514) cmd=117 (SMBtconX)
> > > NT_STATUS_ACCESS_DENIED
> > >
> > > redwards is part of the group "Domain Users"
> > > I'm at a HUGE loss right now how to go about this, as I'm still pretty green
> > > to this whole type of setup.  Any advice would be helpful. If more info is
> > > required, please ask and I'll provide it as I would like to resolve this
> > > issue.
> > >
> > > Cheers!
> > >
> >
>
>
>
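The three failure signatures posted in this thread (share ACL denial, Kerberos ticket decrypt failure, NTLMSSP logon whose domain field is the server's own name) can be pulled out of a level 3 Samba log mechanically. This is an added example, not part of the original messages: the function names and rule labels are illustrative, and the sample entries are taken from the thread with their mail quoting and wrapping left in.

```python
import re

# Samba 3.x entry header "[date time, level] file.c:function(line)".
# Mail wrapping can push the source location onto the following line.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s*(\S*)$")
SOURCE = re.compile(r"^\S+\.c:\w+\(\d+\)$")
RULES = [  # signatures of the three failures seen in this thread
    ("share_acl_denied", re.compile(r"user '([^']+)' \(from session setup\) "
                                    r"not permitted to access this share \((\w+)\)")),
    ("krb5_decrypt_failed", re.compile(
        r"enc type \[(\d+)\] failed to decrypt with error (.+)$")),
    ("ntlmssp_auth", re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\]")),
]

def entries(text):
    # Rebuild log entries, undoing '>' quoting and mail line wrapping.
    out = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        m = HEADER.match(line)
        if m:
            out.append({"time": m.group(1), "src": m.group(2), "msg": ""})
        elif out and line:
            cur = out[-1]
            if not cur["src"] and SOURCE.match(line):
                cur["src"] = line              # header itself was wrapped
            else:
                cur["msg"] = (cur["msg"] + " " + line).strip()
    return out

def triage(text, netbios_name):
    # One finding per log entry that matches a rule, in log order.
    findings = []
    for e in entries(text):
        for kind, rx in RULES:
            m = rx.search(e["msg"])
            if m:
                f = {"time": e["time"], "kind": kind, "detail": m.groups()}
                if kind == "ntlmssp_auth":  # domain names the server itself?
                    f["domain_is_server"] = m.group(2).upper() == netbios_name.upper()
                findings.append(f)
    return findings

SAMPLE = """\
> > > [2007/12/28 12:56:55, 2] smbd/service.c:make_connection_snum(616)
> > >   user 'DOMAIN#redwards' (from session setup) not permitted to access
> > this
> > > share (FTP)
> [2007/12/28 13:40:54, 3]
> libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
>   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
> Decrypt integrity check failed
[2007/12/28 14:14:57, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[redwards] domain=[FEDORAFTP] workstation=[PIP03572] len1=24
len2=24
"""
print(*triage(SAMPLE, "FEDORAFTP"), sep="\n")
```

The `domain_is_server` flag marks logons like the last one in the thread, where the domain field is the server's `netbios name` rather than the `workgroup` from smb.conf.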

