[Samba] smbtorture config issue?

Robert Freeman-Day presgas at gmail.com
Mon Dec 7 12:39:52 MST 2009


Kristy,

I put up some ideas and things to think about in-line.  I hope it helps 
out.  Does anyone in the group coding for samba4 have anything to weigh in 
as well, esp the smb.conf and documentation issues?


On Fri, 4 Dec 2009, Kristy Kallback-Rose wrote:

> Date: Fri, 4 Dec 2009 16:11:55 -0500
> From: Kristy Kallback-Rose <kallbac at indiana.edu>
> To: samba at lists.samba.org
> Subject: [Samba] smbtorture config issue?
> 
> Hello,
>
> 	I'm trying to run smbtorture against another system. I have installed 
> version 4.0.0alpha9 locally. The remote system is registered with ADS as:

Any reason you are using samba4 for this testing?  Documentation is pretty 
scarce.

>
> distinguishedName: CN=bl-uits-cictest,CN=Computers,DC=ads,DC=iu,DC=edu
> name: bl-uits-cictest
> dNSHostName: bl-uits-cictest.ads.iu.edu
> servicePrincipalName: HOST/bl-uits-cictest.ads.iu.edu
> servicePrincipalName: HOST/BL-UITS-CICTEST
>
> 	The server itself is cictest.cic.iu.edu, and I can connect to the 
> remote server with smbclient as such:
> smbclient -s /usr/local/samba/etc/smb.conf -n bl-uits-cictest.ads.iu.edu 
> -Ukallbac //cictest.cic.iu.edu/projects Password:
> Domain=[ADS] OS=[Unix] Server=[Samba 3.2.11-ctdb-65]
> smb: \> quit

This is using ntlmv2 if you have that directive in your smb.conf and not 
kerberos.
client use ntlmv2 = yes

>
>
> The problem is this:
>
> 1) smbtorture complains about the ads security setting:
> /usr/local/samba/bin/smbtorture --realm=ads.iu.edu -T samba3 -d 3 -W ADS 
> --netbiosname=BL-UITS-CICTEST -U cictestuser3  //cictest.cic.iu.edu/projects 
> RAW-QFSINFO
> lp_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> params.c:pm_process() - Processing configuration file 
> "/usr/local/samba/etc/smb.conf"
> Processing section "[global]"
> Unknown enumerated value 'ADS' for 'security'
> params.c:pm_process() - Failed.  Error returned from params.c:parse().
>
> I have tried both ads and ADS, it doesn't seem to like either

I no longer see the directive "security" mentioned in samba4, but I do see 
statements similar to "server-role" which may cover for security.
http://wiki.samba.org/index.php/Samba4/HOWTO#Step_4:_Provision_Samba4

Not only is there no directive in the regular man pages (samba 3) for 
"server-role", but last I looked there was a question as to whether the 
traditional smb.conf file would be used when samba4 would be released:
http://lists.samba.org/archive/samba-technical/2005-March/039741.html

>
> 2) smbtorture proceeds to complain as such:
> Server is not registered with our KDC:  Miscellaneous failure (see text): 
> Server (cifs/cictest.cic.iu.edu at ADS.IU.EDU) unknown
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed to parse: 
> NT_STATUS_INVALID_PARAMETER
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> Server is not registered with our KDC:  Miscellaneous failure (see text): 
> Server (cifs/cictest.cic.iu.edu at ADS.IU.EDU) unknown
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed to parse: 
> NT_STATUS_INVALID_PARAMETER
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> Password for [ADS\cictestuser3]:
>
> Fwiw, my krb5.conf has a default realm of ADS.IU.EDU as well as a realms 
> section for ADS.IU.EDU I can provide other information if it would be 
> helpful.

Does your server have a cifs principal (ie 
cifs/fqdn.domain.edu at ADS.IU.EDU) for either bl-uits-cictest.ads.iu.edu or 
cictest.cic.iu.edu?  It seems to be wanting to get the principal for 
"cifs/cictest.cic.iu.edu at ADS.IU.EDU".

>
> Can anyone offer some suggestions to troubleshoot this?
>
> Many thanks,
> Kristy

---Robert Freeman-Day
---------------
I would really like you to be on my side,
but the side you show me isn't what I had in mind.

-Judybats
GPG Public Key:
http:keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
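
Added example, not part of the original thread and not Samba code: a Python script that reads the debug lines quoted above, extracts the SPN the client requested from the KDC, compares it with the servicePrincipalName values on the computer object, and decodes the NTLMSSP flags of the fallback. Flag names follow MS-NLMP; the rule that a HOST/ SPN also answers for cifs/ is an assumption based on Active Directory's default SPN mappings, and the function names are hypothetical.

```python
import re

# Constructed sample: debug lines as quoted in this thread (re-wrapped).
LOG = """\
Server is not registered with our KDC:  Miscellaneous failure (see text):
Server (cifs/cictest.cic.iu.edu at ADS.IU.EDU) unknown
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
"""
# servicePrincipalName values of the computer object quoted in the thread.
REGISTERED = ["HOST/bl-uits-cictest.ads.iu.edu", "HOST/BL-UITS-CICTEST"]

# NTLMSSP NegotiateFlags bits (names per MS-NLMP, NTLMSSP_NEGOTIATE_ prefix dropped).
FLAGS = {
    0x00000001: "UNICODE", 0x00000004: "REQUEST_TARGET", 0x00000010: "SIGN",
    0x00000020: "SEAL", 0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x00800000: "TARGET_INFO", 0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56",
}

def decode_flags(value):
    """Names of the set bits, lowest bit first; unknown bits appear as hex."""
    bits = (1 << i for i in range(32))
    return [FLAGS.get(b, hex(b)) for b in bits if value & b]

def spn_covered(requested, registered):
    """True if a registered SPN matches the requested service/host.
    Assumption: as in AD's default SPN mappings, HOST/ also answers for cifs/."""
    svc, _, host = requested.lower().partition("/")
    pairs = (spn.lower().partition("/") for spn in registered)
    return any(h == host and s in (svc, "host") for s, _, h in pairs)

def analyse(log, registered):
    """Summarise the Kerberos failure and the NTLMSSP fallback in a debug log."""
    m = re.search(r"Server \(([^\s@]+)(?: at |@)\S+\) unknown", log)
    flags = [int(x, 16) for x in re.findall(r"neg_flags=(0x[0-9a-fA-F]+)", log)]
    return {
        "requested_spn": m.group(1) if m else None,
        "spn_registered": bool(m) and spn_covered(m.group(1), registered),
        "ntlm_fallback": bool(m) and bool(flags),
        "final_flags": decode_flags(flags[-1]) if flags else [],
        "not_in_final": decode_flags(flags[0] & ~flags[-1]) if len(flags) > 1 else [],
    }

if __name__ == "__main__":
    print(analyse(LOG, REGISTERED))
```

On the thread's data the requested cifs/ name carries the host name cictest.cic.iu.edu, which none of the registered SPNs uses, so the check reports it as unregistered and the session continues over NTLMSSP.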

