Samba Version: 3.0.0
Linux Version: Redhat 8
Kernel: 2.4.18-19.8.0smp
Kerberos: MIT 1.3.1
Windows Version: 2003 running in mixed mode (though we will be switching to native mode soon)

The system was initially set up to hit the NT4 domain and was authenticating to the domain. The NT4 domain was upgraded to 2003 running in mixed mode. The Samba server could still authenticate to the domain with security=domain set. We will be switching the 2003 domain over to native mode soon, so the Samba server needs to be able to authenticate to the AD before we can.

I downloaded and built MIT Kerberos v1.3.1 and then rebuilt Samba with winbind, msdfs, smbwrapper, smbmount, syslog, and utmp. I set up the smb.conf as shown below. I configured my krb5.conf as shown below. I start smbd, nmbd and winbindd. Then I do a 'kinit administrator@lfs.mydomain.org'; it prompts me and I type in my 2003 administrator password and it is happy. klist shows a valid (I think) ticket. I then type 'net ads join' and I get the message "Joined 'SRALHOME' to realm 'LFS.MYDOMAIN.ORG'". wbinfo -g and wbinfo -u return the user and group info from the 2003 domain. wbinfo -t says 'checking the trust secret via RPC calls succeeded'.

I then go to an XP box that is on the domain where I am logged in as dshare and type in

  % net use * \\sralhome\dshare

It prompts me for a password. I try using dshare and I get a 1326 error, logon failure: unknown username or bad password. I can find no information in the logs associated with this request. I try 'net use * \\sralhome\dshare /user:dshare' and get the same thing. In the logs I see 'getpwnam lfs.mydomain.org+dshare' followed by 'invalid data size key [SEQNUM/LFS]', but later on I see 'Search for (|(sAMAccountname=dshare)(userPrincipalName=dshare@lfs.mydomain.org)) gave 1 replies' and it appears to find my sid and a wcache_save_name_to_sid mapping. It does this several times but each time eventually ends with 'read 0 bytes. Need 1568 more for a full request' read failed on sock 18, pid 7669: EOF. This 'read failed' error always occurs after a call to nsswitch/winbindd.c:winbind_client_read(462); the number is always 462.

If I do a 'net view \\sralhome' I get a 'system error 5 has occurred'. I can find no evidence of this in the logs either. It seems that I must specify /user in my net use command to see something in the log. Of course, I don't really know what to look for other than the username that is requesting the service, and this should be included as the logged-in user, I think. I also am unable to connect to \\sralhome\test, which allows guest access, using the dshare account.

If I do a 'net view \\sralhome' from the 2003 AD box (logged on as Administrator) it works. The appearance of the logs is as above but dshare is replaced with administrator and there are no 'read failed on sock' errors. If I do a 'net use \\sralhome\test' from the 2003 AD box (logged on as Administrator) it works. If I do a 'net view \\sralhome\test /user:dshare' it prompts me for a password and then fails. The logs show the use of NTLM CRAP authentication and a NT_STATUS_WRONG_PASSWORD (PAM:4). There were no NTLM CRAP messages in the previous attempts. If I do a 'net view \\sralhome\test /user:dshare@LFS.MYDOMAIN.ORG' it prompts me for a password and then fails. The logs show the use of NTLM CRAP authentication and a NT_STATUS_NO_SUCH_USER.

Now if I go back to the XP machine and try to use the Administrator user instead, 'net use \\sralhome\test /user:administrator', the logs show the use of NTLM CRAP authentication and a NT_STATUS_WRONG_PASSWORD (PAM:4). It appears that it is trying to use two different types of authentication depending on where I try my net use command from and whether the /user option is given.

I am sort of stumped on where to go now. I am out of ideas on what to look for and where to check. How could the 2003 mixed mode affect this?
My next step is probably to set up a 2003 server in native mode and see what happens.

smb.conf:

[global]
encrypt passwords = yes
workgroup = LFS
realm = LFS.MYDOMAIN.ORG
netbios name = SRALHOME
server string = Home Server
security = ads
client signing = yes
server signing = yes
client use spnego = yes
#winbind configuration
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/$U
template shell = /bin/bash
log level = 10
log file = /var/log/samba/log.smbd
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
delete user script = /usr/sbin/userdel
# wins support = No
# ldap ssl = no

[test]
comment = For testing only, please
path = /usr/local/samba/tmp
read only = No
guest ok = Yes

[dshare]
comment = Dale's test
path = /home/dshare
read only = No
guest ok = No
valid users = dshare
#dshare is a valid 2003 AD account

krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = LFS.MYDOMAIN.ORG
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
LFS.MYDOMAIN.ORG = {
  kdc = AD1.LFS.MYDOMAIN.ORG
  default_domain = LFS.MYDOMAIN.ORG
  kpasswd_server = AD1.LFS.MYDOMAIN.ORG
  admin_server = AD1.LFS.MYDOMAIN.ORG
}

[domain_realm]
.lfs.mydomain.org = LFS.MYDOMAIN.ORG
lfs.mydomain.org = LFS.MYDOMAIN.ORG

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}
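When an ADS join succeeds but share logons fail, the first thing worth ruling out is a mismatch between the two files above (realm spelling and case, default_realm, KDC lookup, the [domain_realm] mapping, and the % substitutions Samba expects in template paths). The script below is an added example, not code from the original post and not part of Samba or MIT Kerberos; it carries constructed, trimmed copies of the smb.conf and krb5.conf settings shown above and runs those consistency checks over them. It does not diagnose the logon failure itself, it only reports places where the two files disagree or where a setting is unlikely to mean what was intended.

```python
"""Consistency checks for the smb.conf / krb5.conf pair of a security = ads
domain member. Added example; not part of the original post and not Samba code."""

# Constructed copies of the settings from the post above, trimmed to the keys
# the checks below look at.
SMB_CONF = """
[global]
workgroup = LFS
realm = LFS.MYDOMAIN.ORG
netbios name = SRALHOME
security = ads
winbind separator = +
template homedir = /home/%D/$U
template shell = /bin/bash
"""

KRB5_CONF = """
[libdefaults]
default_realm = LFS.MYDOMAIN.ORG
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
dns_lookup_kdc = true
[realms]
LFS.MYDOMAIN.ORG = {
  kdc = AD1.LFS.MYDOMAIN.ORG
  default_domain = LFS.MYDOMAIN.ORG
}
[domain_realm]
.lfs.mydomain.org = LFS.MYDOMAIN.ORG
lfs.mydomain.org = LFS.MYDOMAIN.ORG
"""


def parse_ini(text):
    """Minimal parser for both file formats: returns {section: {key: value}}.
    Keys are lower-cased; the one-level 'NAME = { ... }' blocks that krb5.conf
    uses under [realms] are flattened to 'NAME/key' (block name kept as-is,
    since Kerberos realm names are case-sensitive)."""
    sections, section, block = {}, "", None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].lower(), None
            sections.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        if line.endswith("{"):
            block = line[:-1].strip().rstrip("=").strip()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if block:
            key = f"{block}/{key}"
        sections.setdefault(section, {})[key] = value.strip()
    return sections


def check_ads_config(smb_text, krb_text):
    """Return a list of findings; an empty list means the two files agree."""
    smb = parse_ini(smb_text).get("global", {})
    krb = parse_ini(krb_text)
    libdefaults = krb.get("libdefaults", {})
    realms = krb.get("realms", {})
    domain_realm = krb.get("domain_realm", {})
    findings = []

    realm = smb.get("realm", "")
    if smb.get("security", "").lower() != "ads":
        findings.append("smb.conf: security must be 'ads' for a Kerberos domain member")
    if not realm:
        findings.append("smb.conf: realm is not set")
    elif realm != realm.upper():
        findings.append(f"smb.conf: realm '{realm}' is not upper case; realm names are case-sensitive")
    if libdefaults.get("default_realm") != realm:
        findings.append("krb5.conf: default_realm does not match the smb.conf realm")
    if f"{realm}/kdc" not in realms and libdefaults.get("dns_lookup_kdc", "").lower() != "true":
        findings.append(f"krb5.conf: no kdc listed for {realm} and dns_lookup_kdc is not enabled")
    dns_domain = realm.lower()
    if domain_realm.get(dns_domain) != realm or domain_realm.get("." + dns_domain) != realm:
        findings.append("krb5.conf: [domain_realm] does not map the realm's DNS domain and its subdomains to the realm")
    # Samba substitutes %U (user) and %D (domain); a '$' is passed through literally.
    for key in ("template homedir", "template shell"):
        if "$" in smb.get(key, ""):
            findings.append(f"smb.conf: '{key}' contains '$' where Samba expects a '%' substitution")
    # Enctype lists limited to single DES mean every ticket depends on the KDC
    # being willing to issue DES; worth knowing when reading a logon failure.
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        types = libdefaults.get(key, "").split()
        if types and all(t.startswith("des-") for t in types):
            findings.append(f"krb5.conf: {key} allows only single-DES enctypes")
    return findings


if __name__ == "__main__":
    for finding in check_ads_config(SMB_CONF, KRB5_CONF) or ["no findings"]:
        print(finding)
```

Run against the constructed copies it reports the '$U' in template homedir and the DES-only enctype lists; everything else (realm, default_realm, KDC, [domain_realm]) lines up, which is useful to know before moving on to the winbindd log.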