L. Mark Stone
2004-Oct-13 14:50 UTC
[Samba] Samba3 By Example - Suggested Update (Correction?) And Two Winbind Defects
We were trying to build a SuSE 9.1 box in a lab as a Domain Member server in a Windows Active Directory domain where the AD server was running Windows 2000 Server.

We found that the instructions in Chapter 9.3.3 were, at least in our case, incomplete.

The AD server was managing a private domain, so following the Windows Configure My Server wizard the domain was setup as "smelug.local".

When we attempted to have the Linux box (running SuSE 9.1 (fully patched) with the Samba 3.0.7 rpm packages from the SuSE ftp site) join the domain, we got an error indicating the Linux box could not find the Kerberos server.

After Googling, we saw that others experiencing this problem had as the root cause either a DNS configuration problem or a misconfigured realm in krb5.conf.

We checked DNS on the W2K server and on the Linux box, added entries in the Linux and Windows hosts files, and then watched the packets go back and forth with Ethereal between the Windows 2K AD server and the SuSE box, but we still got the error. The two boxes were clearly exchanging packets, so we felt pretty good that we didn't have any DNS configuration errors.

Next, we undid all of the above changes, and simply edited the krb5.conf file to include the realm information and the IP:port info for the AD server. The join was successful now.

May I therefore suggest that configuring the krb5.conf file be added to Chapter 9.3.3 in S3BE?

Separately, we found two winbind errors during testing:

First, we found that winbind does not shut down cleanly during a reboot (we used the SuSE runlevel editor in YaST to have smb, nmb and winbind startup automagically during boot up). Winbind leaves /var/run/samba/winbindd.pid in place, which we must remove manually before we can start winbind.

Second, even after starting/stopping/restarting winbind manually, wbinfo -u (and -g) do not work at first. We found we needed to run "net ads info" first, and then wbinfo -whatever would work just fine.

Please let me know if you would like me to file bugzilla reports on these errors, or if you would like more detail. We are not programmers so we don't know how to narrow this down further.

With best regards,
Mark

P.S. The lab machines are VMware 4.5.2 guests, running on a SuSE Linux 8.2 host. We can make the virtual machine files available to you if you would like to run these machines locally for testing (assuming you have VMware and a Windows 2000 Server license).

--
_________________________________________________
A Message From...
L. Mark Stone
Reliable Networks of Maine, LLC
477 Congress Street
Portland, ME 04101
Tel: (207) 772-5678
Web: www.RNoME.com
Schlomo Schapiro
2004-Oct-14 10:02 UTC
[Samba] Samba3 By Example - Suggested Update (Correction?) And Two Winbind Defects
Hi,

probably your problem was caused by SuSE's .local problem. They patched their glibc to do a multicast DNS lookup (AKA Apple ZeroConf) for all .local domains.

A fix is supposed to come soon (I pushed them to make one :-), but if you have support try to ask for it directly. Unfortunately I am not allowed to distribute this patch myself.

Using IP Addresses only of course also serves as a workaround, but with DNS-rooted domains this is a pain in the ass.

Regards,
Schlomo

PS: Look for previous traffic on this list regarding SuSE 9.1

On Wed, 13 Oct 2004, L. Mark Stone wrote:

> We were trying to build a SuSE 9.1 box in a lab as a Domain Member server in a
> Windows Active Directory domain where the AD server was running Windows 2000
> Server.
>
> We found that the instructions in Chapter 9.3.3 were, at least in our case,
> incomplete.
>
> The AD server was managing a private domain, so following the Windows
> Configure My Server wizard the domain was setup as "smelug.local".
>
> When we attempted to have the Linux box (running SuSE 9.1 (fully patched) with
> the Samba 3.0.7 rpm packages from the SuSE ftp site) join the domain, we got
> an error indicating the Linux box could not find the Kerberos server.
>
> After Googling, we saw that others experiencing this problem had as the root
> cause either a DNS configuration problem or a misconfigured realm in
> krb5.conf.
>
> We checked DNS on the W2K server and on the Linux box, added entries in the
> Linux and Windows hosts files, and then watched the packets go back and forth
> with Ethereal between the Windows 2K AD server and the SuSE box, but we still
> got the error. The two boxes were clearly exchanging packets, so we felt
> pretty good that we didn't have any DNS configuration errors.
>
> Next, we undid all of the above changes, and simply edited the krb5.conf file
> to include the realm information and the IP:port info for the AD server. The
> join was successful now.
>
> May I therefore suggest that configuring the krb5.conf file be added to
> Chapter 9.3.3 in S3BE?
>
> Separately, we found two winbind errors during testing:
>
> First, we found that winbind does not shut down cleanly during a reboot (we
> used the SuSE runlevel editor in YaST to have smb, nmb and winbind startup
> automagically during boot up). Winbind leaves /var/run/samba/winbindd.pid in
> place, which we must remove manually before we can start winbind.
>
> Second, even after starting/stopping/restarting winbind manually, wbinfo -u
> (and -g) do not work at first. We found we needed to run "net ads info"
> first, and then wbinfo -whatever would work just fine.
>
> Please let me know if you would like me to file bugzilla reports on these
> errors, or if you would like more detail. We are not programmers so we don't
> know how to narrow this down further.
>
> With best regards,
> Mark
>
> P.S. The lab machines are VMware 4.5.2 guests, running on a SuSE Linux 8.2
> host. We can make the virtual machine files available to you if you would
> like to run these machines locally for testing (assuming you have VMware and
> a Windows 2000 Server license).
>
>--
Regards,
Schlomo
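
The two messages above agree on the working setup: the realm is declared in krb5.conf and the KDC is given as IP:port, so nothing depends on resolving a .local name. The following is an added example, not part of either post or of Samba: a small checker that parses krb5.conf text and reports when the default realm has no explicit KDC or when a KDC is given as a .local hostname. The realm name comes from the thread; the KDC address 192.0.2.10 and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: realm taken from the thread, KDC address is a placeholder.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = SMELUG.LOCAL
[realms]
    SMELUG.LOCAL = {
        kdc = 192.0.2.10:88
    }
"""

def parse_kdcs(text):
    """Return (default_realm, {realm: [kdc, ...]}) from krb5.conf text."""
    default_realm, realms, section, realm = None, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif section == "libdefaults" and line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms":
            if line.endswith("{"):            # "REALM = {" opens a stanza
                realm = line.split("=", 1)[0].strip()
                realms[realm] = []
            elif line.startswith("}"):
                realm = None
            elif realm and line.split("=", 1)[0].strip() == "kdc":
                realms[realm].append(line.split("=", 1)[1].strip())
    return default_realm, realms

def audit(text):
    """List findings relevant to the join failure described in the thread."""
    default_realm, realms = parse_kdcs(text)
    findings = []
    if not default_realm:
        findings.append("no default_realm set")
    elif not realms.get(default_realm):
        findings.append(f"{default_realm}: no kdc listed, KDC must be found via DNS")
    for realm, kdcs in realms.items():
        for kdc in kdcs:
            # Strip an optional ":port" suffix from host:port entries.
            host = kdc.rsplit(":", 1)[0] if kdc.count(":") == 1 else kdc
            try:
                ipaddress.ip_address(host)    # literal address: no name lookup
            except ValueError:
                if host.lower().endswith(".local"):
                    findings.append(f"{realm}: kdc {host} is a .local name")
    return findings
```

Calling `audit()` on the contents of /etc/krb5.conf returns an empty list for the configuration that worked in the thread.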