[Samba] samba and RODC

Alex Samad - Yieldbroker Alex.Samad at yieldbroker.com
Wed Dec 5 13:30:25 MST 2012


Hi

Dumping this in case it didn't make it the first time.

Also, should I be looking at samba4? Currently using samba on centos 6.2, I think it's 3.

Alex

> -----Original Message-----
> From: Alex Samad - Yieldbroker
> Sent: Friday, 30 November 2012 7:44 PM
> To: samba at lists.samba.org
> Subject: samba and RODC
> 
> 
> Hi
> 
> I am trying to setup samba (rhel6/centos 6.2) and I am having some issues.
> 
> So what I have is
> 
> Server A (centos 6.2)
> It exists in my DMZ so very limited access to things. Just mainly DNS and some
> ports for RODC
> 
> Server B (W2k8r2)
> RODC, exists in my insecure vlan, stepping stone into the DMZ (dmz-inside)
> My Windows box works fine talking to the RODC
> 
> When I try wbinfo -u it fails. I have opened up the kerberos and the ldap ports
> for a -> b.  I drop the old style netbios, but I do allow port 445 tcp
> 
> The wbinfo -u waits a long time then fails
> 
> Note xyz.com is not the real domain :)
> 
> 
> My smb.conf
> [global]
> #--authconfig--start-line--
> 
> # Generated by authconfig on 2012/11/28 10:16:49
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
> 
>    workgroup = XYZ
>    password server = int3.xyz.com
>    realm = XYZ.COM
>    security = ads
>    idmap uid = 5000-10000
>    idmap gid = 5000-10000
>    template homedir = /home/%D/%U
>    template shell = /bin/bash
>    winbind use default domain = true
>    winbind offline logon = false
> 
> #--authconfig--end-line--
> 
>  winbind enum users = 1
>  winbind enum groups = 1
>  winbind nested groups = Yes
> 
>  preferred master = no
>  encrypt passwords = yes
>  log level = 3
> 
> 
>  server string = Samba Server Version %v
> 
>  # logs split per machine
>  log file = /var/log/samba/log.%m
>  # max 50KB per log file, then rotate
>  max log size = 50
> 
>  passdb backend = tdbsam
> 
>  # the login script name depends on the machine name
>  # the login script name depends on the unix user used
>  # disables profiles support by specifing an empty path
> 
>  load printers = yes
>  cups options = raw
>  #obtain list of printers automatically on SystemV
> 
> [homes]
>  comment = Home Directories
>  browseable = no
>  writable = yes
> 
> [printers]
>  comment = All Printers
>  path = /var/spool/samba
>  browseable = no
>  guest ok = no
>  writable = no
>  printable = yes
> 
> 
> 
> 
> my /etc/krb.conf
> 
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = XYZ.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = yes
> 
> [realms]
> XYZ.COM = {
>   admin_server = int3.xyz.com
>   default_domain = xyz.com
>   kdc = int3.xyz.com
> }
> 
> [domain_realm]
> .kerberos.server = XYZ.COM
> .zyx.com = XYZ.COM
> 
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
> pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
> }
> 
> 
> I have done tcpdumps and it seems like where it gets stuck is on Kerberos
> (UDP). I see quite a few UDP A to B and no replies from B
> 
> Thanks
> Alex

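As an added illustration (not part of Alex's mail or of the Samba project), here is a small shell check that applies the test described in the post to a `tcpdump -nn` text capture: it counts UDP/88 datagrams sent from the member server to the DC and the replies that come back, and reports NO_TRAFFIC, NO_REPLIES or OK. The IP addresses and the capture lines below are constructed. The remediation it prints on NO_REPLIES, `udp_preference_limit = 1` under `[libdefaults]` in krb5.conf, is a real MIT Kerberos setting that makes the library try TCP before UDP; it is worth trying when a firewall between a DMZ host and a DC passes TCP 88 but silently drops UDP, which is exactly the pattern of "requests out, nothing back" the post shows.

```shell
#!/bin/sh
# Capture on the member server with something like:
#   tcpdump -nn -i eth0 udp port 88
# and feed the text output to krb_udp_verdict CLIENT_IP KDC_IP.

# Constructed sample in the shape described in the post: repeated Kerberos
# requests from A (10.0.1.10, hypothetical) to the RODC B (10.0.2.20,
# hypothetical) and no replies at all.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.0.1.10.55001 > 10.0.2.20.88: UDP, length 268
12:00:02.000002 IP 10.0.1.10.55001 > 10.0.2.20.88: UDP, length 268
12:00:04.000003 IP 10.0.1.10.55001 > 10.0.2.20.88: UDP, length 268
12:00:08.000004 IP 10.0.1.10.55002 > 10.0.2.20.88: UDP, length 268'

# Constructed healthy sample: the KDC answers from port 88.
SAMPLE_CAPTURE_OK='12:00:01.000001 IP 10.0.1.10.55001 > 10.0.2.20.88: UDP, length 268
12:00:01.000900 IP 10.0.2.20.88 > 10.0.1.10.55001: UDP, length 1412'

# krb_udp_verdict CLIENT KDC  (capture text on stdin)
# Prints NO_TRAFFIC if no UDP/88 requests from CLIENT to KDC were seen,
# NO_REPLIES if requests were seen but nothing came back, OK otherwise.
krb_udp_verdict() {
  client="$1"; kdc="$2"
  awk -v c="$client" -v k="$kdc" '
    / UDP/ {
      # tcpdump -nn line: <ts> IP <src.port> > <dst.port>: UDP, length N
      src = $3; dst = $5; sub(/:$/, "", dst)
      shost = src; sub(/\.[0-9]+$/, "", shost)   # drop port -> host
      dhost = dst; sub(/\.[0-9]+$/, "", dhost)
      sport = src; sub(/.*\./, "", sport)         # keep only the port
      dport = dst; sub(/.*\./, "", dport)
      if (shost == c && dhost == k && dport == "88") req++
      if (shost == k && dhost == c && sport == "88") rep++
    }
    END {
      if (req + 0 == 0)      print "NO_TRAFFIC"
      else if (rep + 0 == 0) print "NO_REPLIES"
      else                   print "OK"
    }'
}

# krb_report CLIENT KDC  (capture text on stdin)
# Human-readable summary plus the krb5.conf change to try when UDP is dropped.
krb_report() {
  verdict=$(krb_udp_verdict "$1" "$2")
  case "$verdict" in
    NO_TRAFFIC) echo "no Kerberos UDP requests from $1 to $2 in capture" ;;
    NO_REPLIES)
      echo "Kerberos UDP requests from $1 to $2 but no replies: check the"
      echo "firewall for udp/88 in both directions, or force TCP first in"
      echo "/etc/krb5.conf:"
      printf '  [libdefaults]\n    udp_preference_limit = 1\n' ;;
    OK) echo "KDC $2 answers $1 over UDP" ;;
  esac
  echo "$verdict"
}

# Demo run on the constructed samples.
printf '%s\n' "$SAMPLE_CAPTURE" | krb_report 10.0.1.10 10.0.2.20
printf '%s\n' "$SAMPLE_CAPTURE_OK" | krb_report 10.0.1.10 10.0.2.20
```

With a real capture saved to a file, run `krb_udp_verdict <member-ip> <dc-ip> < capture.txt`; a NO_REPLIES result with TCP 88 reachable (for example `kinit` succeeding after the `udp_preference_limit` change) points at UDP being dropped on the path rather than at Samba itself.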