[Samba] Samba + Windows 2003 AD
Avron Gray
agray at aeso.ca
Thu Jan 8 16:25:47 GMT 2009
Have you run:
net ads testjoin
Does it say "Join is OK"?
This might not be related...
I had to compile samba 3.0.33 to get around a Windows Domain restriction
issue:
https://bugzilla.samba.org/show_bug.cgi?id=4771
The bug indicates that if the \NETLOGON pipe is opened up on the Windows
AD server, the join works fine. As soon as it is restricted via domain
policies, it restricts anonymous access to the ports. As soon as this
happens, we are unable to complete a net join ads successfully.
- Avron
-----Original Message-----
From: samba-bounces+agray=aeso.ca at lists.samba.org
[mailto:samba-bounces+agray=aeso.ca at lists.samba.org] On Behalf Of Henrik
Dige Semark
Sent: Thursday, January 08, 2009 9:13 AM
To: Samba list
Subject: [Samba] Samba + Windows 2003 AD
Hey, I don't know if this is the right list to ask this question in, but
I have tried on the IRC (irc.freenode.net #samba) and people on there
advised me to try here instead.
I have:
Debian 4.0r4
Samba version 3.0.24 - mail.birke-gym.dk - 10.3.16.1
krb5 Version 1.4.4-7etch6
Kernel Version 2.6.18-6-amd64
A Windows Server 2003 SP2 with AD/DC - bgdc.birke-gym.dk - 10.3.17.1
--------------------------------------------------------------------------------------
When I try to connect my samba to the DC I get this output:
# net ads join -U Administrator --debuglevel=10
[2009/01/08 17:10:15, 5] lib/debug.c:debug_dump_status(391)
INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
dmapi: False/0
[2009/01/08 17:10:15, 3] param/loadparm.c:lp_load(4953)
lp_load: refreshing parameters
[2009/01/08 17:10:15, 3] param/loadparm.c:init_globals(1418)
Initialising global parameters
[2009/01/08 17:10:15, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2009/01/08 17:10:15, 3] param/loadparm.c:do_section(3695)
Processing section "[global]"
doing parameter server string = Debian 4.0 - Samba %v - BDC
doing parameter netbios name = mail
[2009/01/08 17:10:15, 4] param/loadparm.c:handle_netbios_name(3053)
handle_netbios_name: set global_myname to: MAIL
doing parameter workgroup = UNDERVISNING
doing parameter display charset = ASCII
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
Attempting to register new charset UCS-2LE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
Registered charset UCS-2LE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
Attempting to register new charset UTF-16LE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
Registered charset UTF-16LE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
Attempting to register new charset UCS-2BE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
Registered charset UCS-2BE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
Attempting to register new charset UTF-16BE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
Registered charset UTF-16BE
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
Attempting to register new charset UTF8
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
Registered charset UTF8
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
Attempting to register new charset UTF-8
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
Registered charset UTF-8
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
Attempting to register new charset ASCII
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
Registered charset ASCII
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
Attempting to register new charset 646
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
Registered charset 646
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
Attempting to register new charset ISO-8859-1
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
Registered charset ISO-8859-1
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(105)
Attempting to register new charset UCS2-HEX
[2009/01/08 17:10:15, 5] lib/iconv.c:smb_register_charset(113)
Registered charset UCS2-HEX
doing parameter unix charset = UTF-8
doing parameter dos charset = ASCII
doing parameter Inherit permissions = yes
doing parameter Inherit owner = yes
doing parameter security = ADS
doing parameter idmap uid = 500-10000000
doing parameter idmap gid = 500-10000000
doing parameter template shell = /bin/bash
doing parameter winbind use default domain = yes
doing parameter winbind separator = %
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter template homedir = /home/%D/%U
doing parameter client use spnego = yes
doing parameter password server = bgdc.birke-gym.dk
doing parameter encrypt passwords = Yes
doing parameter realm = UNDERVISNING.LOCAL
doing parameter wins server = bgdc.birke-gym.dk
doing parameter nt acl support = true
doing parameter os level = 1000
doing parameter preferred master = no
doing parameter domain master = no
doing parameter local master = no
doing parameter domain logons = no
doing parameter hide special files = Yes
doing parameter hide unreadable = Yes
doing parameter disable netbios = yes
doing parameter name resolve order = wins lmhosts hosts bcast
doing parameter log level = 10
doing parameter log file = /var/log/samba/UNDERVISNING
[2009/01/08 17:10:15, 4] param/loadparm.c:lp_load(4984)
pm_process() returned Yes
[2009/01/08 17:10:15, 7] param/loadparm.c:lp_servicenumber(5120)
lp_servicenumber: couldn't find homes
[2009/01/08 17:10:15, 10] param/loadparm.c:set_server_role(4229)
set_server_role: role = ROLE_DOMAIN_MEMBER
[2009/01/08 17:10:15, 5] lib/util.c:init_names(286)
Netbios name list:-
my_netbios_names[0]="MAIL"
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
added interface ip=194.182.87.97 bcast=194.182.87.127
nmask=255.255.255.128
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
added interface ip=194.182.87.2 bcast=194.182.87.127
nmask=255.255.255.128
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
added interface ip=194.182.87.98 bcast=194.182.87.127
nmask=255.255.255.128
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
added interface ip=194.182.87.121 bcast=194.182.87.127
nmask=255.255.255.128
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
added interface ip=10.3.255.1 bcast=10.3.255.255 nmask=255.255.255.0
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
added interface ip=10.3.16.1 bcast=10.3.31.255 nmask=255.255.240.0
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
added interface ip=10.3.2.250 bcast=10.3.3.255 nmask=255.255.254.0
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
added interface ip=10.3.2.1 bcast=10.3.3.255 nmask=255.255.254.0
[2009/01/08 17:10:15, 2] lib/interface.c:add_interface(81)
added interface ip=10.8.0.1 bcast=10.8.0.255 nmask=255.255.255.0
Administrator's password:
[2009/01/08 17:10:19, 6] libads/ldap.c:ads_find_dc(224)
ads_find_dc: looking for realm 'UNDERVISNING.LOCAL'
[2009/01/08 17:10:19, 8] libsmb/namequery.c:get_sorted_dc_list(1551)
get_sorted_dc_list: attempting lookup using [ads]
[2009/01/08 17:10:19, 5] lib/gencache.c:gencache_init(61)
Opening cache file at /var/run/samba/gencache.tdb
[2009/01/08 17:10:19, 10] lib/gencache.c:gencache_get(329)
Cache entry with key = SAF/DOMAIN/UNDERVISNING.LOCAL couldn't be found
[2009/01/08 17:10:19, 5] libsmb/namequery.c:saf_fetch(105)
saf_fetch: failed to find server for "UNDERVISNING.LOCAL" domain
[2009/01/08 17:10:19, 3] libsmb/namequery.c:get_dc_list(1426)
get_dc_list: preferred server list: ", bgdc.birke-gym.dk"
[2009/01/08 17:10:19, 10] libsmb/namequery.c:internal_resolve_name(1132)
internal_resolve_name: looking up bgdc.birke-gym.dk#20
[2009/01/08 17:10:19, 10] lib/gencache.c:gencache_get(304)
Returning valid cache entry: key = NBT/BGDC.BIRKE-GYM.DK#20, value =
10.3.17.1:0, timeout = Thu Jan 8 17:20:53 2009
[2009/01/08 17:10:19, 5] libsmb/namecache.c:namecache_fetch(201)
name bgdc.birke-gym.dk#20 found.
[2009/01/08 17:10:19, 10]
libsmb/namequery.c:remove_duplicate_addrs2(408)
remove_duplicate_addrs2: looking for duplicate address/port pairs
[2009/01/08 17:10:19, 4] libsmb/namequery.c:get_dc_list(1529)
get_dc_list: returning 1 ip addresses in an ordered list
[2009/01/08 17:10:19, 4] libsmb/namequery.c:get_dc_list(1530)
get_dc_list: 10.3.17.1:389
[2009/01/08 17:10:19, 5] libads/ldap.c:ads_try_connect(127)
ads_try_connect: sending CLDAP request to 10.3.17.1 (realm:
UNDERVISNING.LOCAL)
[2009/01/08 17:10:19, 10] libsmb/namequery.c:saf_store(71)
saf_store: domain = [UNDERVISNING], server = [10.3.17.1], expire =
[1231431919]
[2009/01/08 17:10:19, 10] lib/gencache.c:gencache_set(140)
Adding cache entry with key = SAF/DOMAIN/UNDERVISNING; value =
10.3.17.1 and timeout = Thu Jan 8 17:25:19 2009
(900 seconds ahead)
[2009/01/08 17:10:19, 3] libads/ldap.c:ads_connect(287)
Connected to LDAP server 10.3.17.1
==== STOPS HERE FOR ABOUT 30 SEC ====
[2009/01/08 17:10:24, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Operations error
[2009/01/08 17:10:24, 2] utils/net.c:main(988)
return code = -1
--------------------------------------------------------------------------------------
Windows Server Event log:
=======
Windows Server Event - [22:56:34]
Successful Network Logon:
User Name: BGDC$
Domain: UNDERVISNING
Logon ID: (0x0,0x1C82893)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {791dbfae-1330-1cc3-24ee-538ed69bc9d8}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.3.17.1
Source Port: 4831
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
======================================
Windows Server Event - [22:56:34]
Special privileges assigned to new logon:
User Name: BGDC$
Domain: UNDERVISNING
Logon ID: (0x0,0x1C82893)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeEnableDelegationPrivilege
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
======================================
Windows Server Event - [23:01:34]
User Logoff:
User Name: BGDC$
Domain: UNDERVISNING
Logon ID: (0x0,0x1C82893)
Logon Type: 3
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
--------------------------------------------------------------------------------------
My klist:
=======
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at UNDERVISNING.LOCAL
Valid starting Expires Service principal
01/04/09 16:36:47 01/04/09 23:16:47
krbtgt/UNDERVISNING.LOCAL at UNDERVISNING.LOCAL
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
--------------------------------------------------------------------------------------
smb.conf
=======
cat /etc/samba/smb.conf | grep -v "#"
[global]
dos charset = ASCII
display charset = ASCII
workgroup = UNDERVISNING
realm = UNDERVISNING.LOCAL
server string = Debian 4.0 - Samba %v - BDC
security = ADS
password server = bgdc.birke-gym.dk
log level = 10
log file = /var/log/samba/UNDERVISNING
disable netbios = Yes
name resolve order = wins lmhosts hosts bcast
os level = 1000
preferred master = No
local master = No
domain master = No
wins server = bgdc.birke-gym.dk
idmap uid = 500-10000000
idmap gid = 500-10000000
template shell = /bin/bash
winbind separator = %
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
inherit permissions = Yes
inherit owner = Yes
hide special files = Yes
hide unreadable = Yes
[homes]
comment = Home Directories
valid users = %U
read only = No
browseable = No
--------------------------------------------------------------------------------------
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
^C
--------------------------------------------------------------------------------------
krb5.conf
======
[logging]
default = FILE:/var/log/krb5libs.log
#kdc = FILE:/var/log/krb5kdc.log
#admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = UNDERVISNING.LOCAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
#================ Birke-gym.dk =========================
UNDERVISNING.LOCAL = {
kdc = bgdc.birke-gym.dk
admin_server = bgdc.birke-gym.dk
default_domain = UNDERVISNING.LOCAL
}
[domain_realm]
.undervisning.local = UNDERVISNING.LOCAL
undervisning.local = UNDERVISNING.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = false
--------------------------------------------------------------------------------------
# cat /etc/hosts
127.0.0.1 localhost mail
127.0.1.1 mail.birke-gym.dk mail
10.3.17.1 bgdc.birke-gym.dk bgdc
--------------------------------------------------------------------------------------
Any suggestions?
And how much do I have to set up on the Windows Server? I have created
a krb. trust on it and I use the pass I gave there, but is there more I
have to set?
Sorry for my bad English, and if there is anything plz feel free to
write, all help is received with love
----
Best regards
Henrik Dige Semark
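
A triage helper for `--debuglevel=10` output like the log quoted above, added here as an example (it is not part of the original thread or of Samba): it keeps only the level-0 entries and reports pauses between consecutive timestamps, so the failing call and the step it followed stand out. The function names, the 3-second threshold and the handling of mail-wrapped headers are assumptions of this example.

```python
import re
from datetime import datetime

# Samba 3 debug header, e.g. "[2009/01/08 17:10:24, 0] utils/net_ads.c:ads_startup(289)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
# Excerpt copied from the log in the quoted message (mail line wrap kept as posted).
SAMPLE = """\
[2009/01/08 17:10:19, 10]
libsmb/namequery.c:remove_duplicate_addrs2(408)
remove_duplicate_addrs2: looking for duplicate address/port pairs
[2009/01/08 17:10:19, 3] libads/ldap.c:ads_connect(287)
Connected to LDAP server 10.3.17.1
==== STOPS HERE FOR ABOUT 30 SEC ====
[2009/01/08 17:10:24, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Operations error
[2009/01/08 17:10:24, 2] utils/net.c:main(988)
return code = -1
"""

def parse_entries(text):
    """Split debug output into entries: time, level, source, message lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                            "level": int(m.group(2)), "source": m.group(3), "message": []})
        elif not entries or not line or line.startswith("===="):
            continue  # preamble, blank line, or a poster's annotation
        elif not entries[-1]["source"]:
            entries[-1]["source"] = line  # header wrapped by the mail client
        else:
            entries[-1]["message"].append(line)
    return entries

def triage(text, max_level=0, gap_seconds=3):
    """Return (entries at or below max_level, stalls between consecutive entries)."""
    entries = parse_entries(text)
    errors = [e for e in entries if e["level"] <= max_level]
    stalls = []
    for prev, nxt in zip(entries, entries[1:]):
        delta = (nxt["time"] - prev["time"]).total_seconds()
        if delta >= gap_seconds:
            stalls.append((delta, prev["source"], nxt["source"]))
    return errors, stalls

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Each stall tuple names the entry logged before the pause and the one logged after it, which is usually the first place to look in a long level-10 trace.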