Estevam Henrique Carvalho
2004-Jun-21 14:06 UTC
[Samba] The Solution for: Samba+ADS, w2k clients can't access samba by netbios name
As many of us suffer from this problem, I would like to share my success with the list. This weekend I made this configuration work! After this procedure you can access the Samba machine from any client (Win-XP, Win2k, Win2k3, Win9x and WinNT) using \\samba-netbios-name\share-name (using Kerberos) or \\samba-ip-address\share-name (using NTLM).

Debian Woody 3.0R2
Samba-3.0.4
MIT Kerberos 1.3.4
Windows 2003

In Windows 2003 apply the fix described in the article:
KDC does not allow clients to specify an etype in Windows Server 2003
http://support.microsoft.com/default.aspx?kbid=833708

In Windows 2003 force Kerberos to use TCP instead of UDP:
How to force Kerberos to use TCP instead of UDP
http://support.microsoft.com/default.aspx?scid=kb;en-us;244474

Remember to reboot Windows 2003 after these steps.

Linux

Compile MIT with the options

    ./configure --sysconfdir=/etc --localstatedir=/var/kerberos --enable-dns --without-krb4
    make
    make install

Test Kerberos with klist/kinit/kdestroy.
P.S.: use a very simple krb5.conf, see the attached sample.

Compile SAMBA

    ./configure --localstatedir=/var/samba --sysconfdir=/etc/samba --with-ads --with-ldap --with-krb5=/usr/local --with-winbind --with-pam --with-pam_smbpass
    make
    make install

(Don't forget to follow all the steps in http://us1.samba.org/samba/docs/man/howto/winbind.html, and also take a look at my smb.conf sample file.)

(Before proceeding, delete any previous machine account that belongs to this Samba machine in Active Directory.)

    /opt/samba/bin/net ads join -U <win admin user>

Start the Samba services (nmbd, smbd and winbindd).

That's all, I hope this helps! :-)

More reference about Kerberos and Windows integration can be found at:
Troubleshooting Kerberos Errors
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Estevam Henrique
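
A preflight check for the smb.conf settings the procedure above depends on, to run before "net ads join". This is an added example, not the author's attached smb.conf (which is not reproduced on this page); the EXAMPLE.COM realm, EXAMPLE workgroup, idmap ranges and the function names are assumptions.

```shell
#!/bin/sh
# Added example: preflight check of smb.conf before "net ads join".
# Realm, workgroup and idmap ranges below are placeholders (assumptions).

# Constructed sample [global] section for an ADS member (Samba 3.0.x names).
sample_smb_conf() {
cat <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   encrypt passwords = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
EOF
}

# get_param FILE NAME: print the value of NAME (lower case) from [global].
# If the parameter is repeated, the last occurrence is reported.
get_param() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        /^[[:space:]]*[#;]/ { next }
        in_global && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(name) == want) print val
        }' "$1" | tail -n 1
}

# check_ads_conf FILE: return 0 if the settings needed here are present,
# otherwise print each problem and return 1.
check_ads_conf() {
    rc=0
    sec=$(get_param "$1" security | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || { echo "security must be 'ads' (found '${sec:-unset}')"; rc=1; }
    [ -n "$(get_param "$1" realm)" ] || { echo "realm is not set"; rc=1; }
    [ -n "$(get_param "$1" 'idmap uid')" ] || { echo "idmap uid range missing (winbind)"; rc=1; }
    [ -n "$(get_param "$1" 'idmap gid')" ] || { echo "idmap gid range missing (winbind)"; rc=1; }
    return $rc
}

# Stand-alone use: sh check.sh /etc/samba/smb.conf
[ $# -eq 0 ] || check_ads_conf "$1"
```
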