Hi folks,

I have an issue that has me shaking my head. Once a workstation has made the initial connection to a host, things seem to work well for a day or so. However, if the resource hasn't been accessed in a while, and then a connection is retried, the following message is returned:

"\\hostname is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The trust relationship between this workstation and the primary domain failed."

I'm not sure exactly where I should begin looking - any help would be welcome!

Thanks!

The particulars of my install follow:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
samba 3.0.33 on Solaris 8, 9 and 10
Using 'ads' for authentication to Active Directory on a pool of Windows 2003 domain controllers
Samba is used strictly for file access from Windows workstations to UNIX file systems
No other magic required
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Kerberos5 1.5.4 was compiled without options using gcc 3.4.6

    ./configure
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
samba 3.0.33 was compiled with the following options using gcc 3.4.6

    ./configure --with-ldap --with-ads=yes --with-pam --enable-socket-wrapper --with-krb5=/usr/local/include/krb5.h
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
smb.conf:

    [global]
    security = ads
    realm = <MYDOMAIN>.COM
    workgroup = <MYDOMAIN>
    encrypt passwords = yes
    server string = %h Samba %v
    smb ports = 445
    disable netbios = yes
    name resolve order = hosts
    # In practice, avoid using log levels greater than 3 unless you are working on the Samba source code
    # or temporarily debugging a specific problem.
    # Ensure that this directory exists before starting samba
    log file = /var/log/samba/samba_log.%m
    log level = 2
    # This include statement will grab the share configuration information from an external file
    include = /usr/local/samba/lib/smb.conf.%h
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
smb.conf.hostname

    [Test 1]
    read only = no
    browseable = yes
    public = no
    force directory mode = 0770
    create mask = 0770
    path = /opt/samba/test1
    comment = %h Samba %v test1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
krb5.conf

    [libdefaults]
    ticket_lifetime = 2400
    default_realm = MYDOMAIN.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
    dns_lookup_realm = true
    dns_lookup_kds = true

    [realms]
    MYDOMAIN.COM = {
        kds = dc01.mydomain.com
        admin_server = dc01.mydomain.com
        default_domain = MYDOMAIN.COM
    }

    [domain_realms]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM

    [logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
kdc.conf

    [kdcdefaults]
    kdc_ports = 88,750

    [reamls]
    MYDOMAIN.COM = {
        profile = /etc/krb5/krb5.conf
        database_name = /var/krb5/principal
        admin_keytab = /etc/krb5/kadm5.keytab
        acl_file = /etc/krb5/kadm5.acl
        kadmind_port = 749
        max_life = 8h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
    }
Anyone?
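
Added example, not part of the original posts: a small Python lint that compares the section and relation names in a krb5.conf against names documented for MIT Kerberos and flags single-DES enctypes. The allow-lists are an assumed partial subset and the sample is constructed from the posted file; MIT's profile parser ignores names it does not recognise, so a misspelled relation falls back to its default without any error.

```python
import re

# Documented MIT krb5.conf names: an assumed subset, extend for your settings.
SECTIONS = {"libdefaults", "realms", "domain_realm", "logging", "appdefaults"}
LIBDEFAULTS = {"ticket_lifetime", "default_realm", "default_tkt_enctypes",
               "default_tgs_enctypes", "dns_lookup_realm", "dns_lookup_kdc"}
REALM_KEYS = {"kdc", "admin_server", "default_domain", "kpasswd_server"}
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed sample: part of the posted krb5.conf, one relation per line.
SAMPLE = """\
[libdefaults]
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
dns_lookup_kds = true
[realms]
MYDOMAIN.COM = {
kds = dc01.mydomain.com
admin_server = dc01.mydomain.com
}
[domain_realms]
.mydomain.com = MYDOMAIN.COM
"""

def lint_krb5_conf(text):
    """Return (line_no, message) for unknown names and single-DES enctypes."""
    findings, section, in_realm = [], None, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:  # section header
            section, in_realm = m.group(1), False
            if section not in SECTIONS:
                findings.append((no, f"unknown section [{section}]"))
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if line == "}" or value == "{":  # realm sub-block closes or opens
            in_realm = value == "{" and section == "realms"
            continue
        if in_realm and key not in REALM_KEYS:
            findings.append((no, f"unknown realm relation '{key}'"))
        elif section == "libdefaults" and key not in LIBDEFAULTS:
            findings.append((no, f"unknown libdefaults relation '{key}'"))
        for enc in sorted(SINGLE_DES & set(value.split())):
            findings.append((no, f"single-DES enctype '{enc}' in {key}"))
    return findings

if __name__ == "__main__": print(*lint_krb5_conf(SAMPLE), sep="\n")
```

Only single-DES is flagged because a Windows 2003 domain offers nothing stronger than arcfour-hmac-md5; on newer domains add the other deprecated enctypes to the set.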