[Samba] Samba server joining domain and browsing group shares

Alex de Vaal samba.alex at gmail.com
Mon Mar 3 13:06:49 GMT 2008


On Fri, Feb 29, 2008 at 5:06 PM, Victor Mendez <vmendez at netsystemsinfo.com>
wrote:

> Output of getent command:
>
> cuzco:~ # getent group "NETSYS\Documentaries"
> documentaries:x:10008:netsys\fmendez,netsys\vmendez,amendez
>
> cuzco:~ # getent group "NETSYS\Series"
> series:x:10007:netsys\fmendez,netsys\vmendez,amendez
>
> cuzco:~ # getent group "NETSYS\Movies"
> movies:x:10005:netsys\vmendez,amendez,fmendez
>
> So it looks as if we have solved the winbind separator problem.
>

Hi Victor,

This is the correct output of the "getent group" command. This is how I see
it on my Samba servers too, so it seems that your winbind problem is solved
indeed!

> But we still get no directory browse. I include the output of
> the /var/log/samba/* files group when I try to login from a workstation
> see smb-logs.tar.gz
>
> In this file there are two errors that caught my attention:
> 1st error =
>  02/29/2008 10:22:01 AM libads/kerberos_verify.c
>  ads_keytab_verify_ticket        172
> ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab
> principals
>
> 2nd error =
> 02/29/2008 10:22:01 AM  lib/util_sid.c  string_to_sid   223
> string_to_sid: Sid
> @NETSYSTEMSINFO>COM\Documentaries does not start with 'S-'.
>
> what I try to do is I try to browse/connect to the Documentaries share
>


Error messages of winbind can be found in the /var/log/samba/winbindd.log.
Look in this file or on the log file of the IP number that tries to connect
(via browse) to the share but you'll probably see "Failed to verify incoming
ticket".
This can be a number of things. Where did you get the Samba packages?
Which Kerberos version are you using on your server?

Did you configure /etc/krb5.conf too?

My /etc/krb5.conf looks like this:

[libdefaults]
 default_realm = TEST.COM

[realms]
 TEST.COM = {
  kdc = adm01.test.com:88
  kdc = adm03.test.com:88
  kdc = adm04.test.com:88
 }


I have Red Hat Linux servers and to connect to a Windows Server 2003 I need
at least MIT Kerberos version 1.3.1 on my Linux server with the Samba Red
Hat packages downloaded from samba.org.
Your Linux server must be in timesync with the DC too; use "ntpdate -b <IP
address of DC>" to synchronize time.
Use the "net ads info" command to see if you're in timesync (look at "Server
time offset", must be around 0, but not more than 300!)

Sometimes you also need to reboot the workstation that needs to connect to
the share on the Samba server.

If you don't use MIT Kerberos, but Heimdal Kerberos, you have to look in the
Samba documentation for how to configure this (it is well described).


I hope this helps!

Regards,
Alex.
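
The two prerequisites named in the reply above, checked from the shell. This is an added example, not part of the original message: the function names check_offset and check_realm are hypothetical, the sample `net ads info` output is constructed, and the 300-second limit is the one quoted in the message.

```shell
#!/bin/sh
# Added example, not from the original post.
MAX_SKEW=300   # seconds, the limit quoted in the message

# Reads `net ads info` output on stdin, prints the value found on the
# "Server time offset" line, and succeeds only if |offset| <= MAX_SKEW.
check_offset() {
    offset=$(sed -n 's/^Server time offset:[[:space:]]*\(-*[0-9][0-9]*\).*$/\1/p' | head -n 1)
    [ -n "$offset" ] || { echo "no 'Server time offset' line" >&2; return 2; }
    echo "$offset"
    [ "${offset#-}" -le "$MAX_SKEW" ]
}

# Succeeds only if default_realm in the given krb5.conf also has a
# "REALM = {" entry under [realms]. Handles the flat layout shown above only.
check_realm() {
    awk '
        { sub(/[ \t\r]+$/, "") }
        /^\[/ { section = $0 }
        section == "[libdefaults]" && /^[ \t]*default_realm[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); want = kv[2]
        }
        section == "[realms]" && /=[ \t]*[{]/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); have[kv[1]] = 1
        }
        END { exit ((want != "" && (want in have)) ? 0 : 1) }
    ' "$1"
}

# Constructed sample of `net ads info` output (hostname and values made up).
sample='LDAP server name: dc1.example.com
Realm: EXAMPLE.COM
Server time offset: -412'

if printf '%s\n' "$sample" | check_offset >/dev/null; then
    echo "clock OK"
else
    echo "clock skew over ${MAX_SKEW}s: sync with the DC before retrying"
fi
```

On a domain member the same functions can be fed live data with `net ads info | check_offset` and `check_realm /etc/krb5.conf`.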

