Juan José Muñoz
2003-Dec-01 12:35 UTC
[Samba] access samba 3.0 shares from Win2K, Win3K, WinXPProf. using netbios name
Hi: I have a Windows 2003 Server Enterprise Ed. as domain controller, and its current domain functional level is 'Windows Server 2003'. Also, I have a RedHat Linux 7.3 server with SaMBa (tested with rpm samba-3.0.0-2, and compiling the samba source code). I joined the linux server to the AD tree without problems, and access from it to the Win2003 shared resources works too, but I have problems when I try to access the SaMBa resources from the Win2K, Win3K, WinXPProf machines.

The things I can do are:
- obtain a kerberos ticket: kinit ADMINISTRATOR@DOMAIN
- join the domain using this ticket: smb ads join -k
- obtain a domain user or group list: wbinfo -u/-s
- obtain an entire list of the users or groups (Unix+Domain): getent passwd/group
- access from the linux server with the kerberos ticket to the Win2003 Server shares: smbclient //SERVER/share -k
- access from Win9x/WinMe/WinXP Home clients to the linux/samba shares, using the linux name or ip, with the network browser or the net use command.
- access from Win2K, Win3K, WinXPProf clients to the linux/samba shares, ONLY USING THE LINUX IP, with the network browser or the net use command (net use * \\ip\share)

Things I CAN'T do:
-----------------
- access from Win2K, Win3K, WinXPProf clients to the linux/samba shares USING THE LINUX NETBIOS NAME with the network browser or the net use command (net use * \\name\share)
- access from the linux server with the kerberos ticket to the linux+samba shares: smbclient //SERVER/share -k

The problem seems to be in the client access to the samba shares with the kerberos ticket authentication. When a win9x/winME client accesses a share, the authentication mode used is NTLM, and I have no problems with it, and the same occurs using the IP instead of the name with any client. When I use a kerberos ticket obtained on the linux machine to access win2003 resources, I have no problems either. But when I try to access linux shares with the kerberos authentication method, I have problems.

How can I beat this problem??

These are my machines:

->Windows 2003 Server Enterprise Edition
  Name: w2003srv.ns1.abcdom
  REALM: NS1.ABCDOM
  WORKGROUP: NS1
->RedHat Linux 7.3
  Name: rhd
  Samba 3.0.0 compiled with openldap-2.1.22 and Kerberos 1.3.1 from MIT (also tested with the samba 3.0.0-2 rpm package)

These are my configuration files:

/etc/krb5.conf
--------------
[logging]
 default = FILE:/var/log/krb5/libs.log
 kdc = FILE:/var/log/krb5/kdc.log
 admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = NS1.ABCDOM
 forwardable = true
 proxiable = true

[realms]
 NS1.ABCDOM = {
  kdc = w2003srv.ns1.abcdom
  default_domain = ns1.abcdom
 }

[domain_realm]
 .ns1.abcdom = NS1.ABCDOM
 ns1.abcdom = NS1.ABCDOM

/etc/nsswitch.conf
------------------
passwd:     files compat winbind nisplus
shadow:     files nisplus
group:      files compat winbind nisplus
hosts:      files nisplus dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files nisplus
rpc:        files
services:   files nisplus
netgroup:   files nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus

/etc/samba/smb.conf
-------------------
[global]
 workgroup = NS1
 realm = NS1.ABCDOM
 security = ADS
 password server = w2003srv.ns1.abcdom
 username map = /etc/samba/smbusers
 os level = 10
 dns proxy = No
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 template shell = /bin/bash
 winbind separator = +
 winbind use default domain = Yes

# share for testing
[tmp]
 comment = Temporary file space
 path = /tmp
 read only = no
 public = yes

/etc/samba/smbusers
-------------------
root=Administrator

Also:
- I have the nobody user on the linux server
- 'ldd /usr/sbin/smbd | grep krb5' returns:
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x40014000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x40026000)
- 'smbclient -L localhost -U%' works fine
- 'kinit ADMINISTRATOR@NS1.ABCDOM' works too
- 'klist' returns:
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: ADMINISTRATOR@NS1.ABCDOM

    Valid starting     Expires            Service principal
    11/26/03 10:58:05  11/26/03 20:58:13  krbtgt/NS1.ABCDOM@NS1.ABCDOM

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
- 'net ads join' without '-U administrator' works, returning:
    Using short domain name -- NS1
    Joined 'RHD' to realm 'NS1.ABCDOM'
- from the Windows 2003 Server command line:
    'net use * \\rhd\tmp' asks me for user and password authentication, and fails with the message:
    "The password or the username is invalid for \\rhd\tmp"
    'net use * \\192.168.0.24\tmp' works fine without prompting for user and password authentication
- with the browser the same happens: using the name fails, but with the ip it works fine.
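A note on the symptom pattern in the post, with an added diagnostic script (mine, not the poster's and not part of Samba): a Windows 2000/XP/2003 client only attempts Kerberos when it can build a service principal name from what was typed after `\\`; for a dotted-quad IP literal it has no SPN to request and goes straight to NTLM. So "works by IP, fails by name" means the NTLM path is healthy and only the Kerberos path is broken, and using the IP masks the problem rather than fixing it. For the Kerberos path the KDC must hold a `cifs/<name>` (or `host/<name>`) SPN on the RHD$ machine account for both the short name and the FQDN, and Samba must hold the matching machine key. The script below classifies a UNC target the way the client will, and checks an `ldapsearch` dump of the machine account for the SPNs a file server needs. The host names, realm and DC name are taken from the post; the sample LDAP output is constructed, and the live `ldapsearch`/`smbclient` commands are assumptions about the tools on the poster's box (OpenLDAP built with SASL/GSSAPI), not commands from the post.

```shell
#!/bin/sh
# Added diagnostic for "\\rhd\tmp fails, \\192.168.0.24\tmp works" on an
# ADS member server.  Not from the post or from Samba.  Names rhd,
# rhd.ns1.abcdom, NS1.ABCDOM, w2003srv.ns1.abcdom come from the post;
# SAMPLE_SPNS is constructed.

# spn_for_target NAME: print the SPN a Windows client will ask the KDC for
# when opening \\NAME\share, or "NTLM" when NAME is a dotted-quad IP literal
# (Windows 2000/XP/2003 clients make no Kerberos attempt for an IP).
spn_for_target() {
    case "$1" in
        *[!0-9.]*) printf 'cifs/%s\n' "$1" ;;   # has a non-digit/dot: a host name
        *)         printf 'NTLM\n' ;;            # digits and dots only: IP literal
    esac
}

# missing_spns SHORT FQDN: read "servicePrincipalName: ..." lines on stdin
# (ldapsearch output for the machine account) and print each SPN a file
# server needs that is absent.  AD compares SPNs case-insensitively.
missing_spns() {
    have=$(cat)
    for spn in "host/$1" "host/$2" "cifs/$1" "cifs/$2"; do
        printf '%s\n' "$have" | grep -qi "^servicePrincipalName: $spn\$" \
            || printf '%s\n' "$spn"
    done
}

# Constructed ldapsearch result for a freshly joined member that only got
# host/ SPNs (hypothetical; not the poster's real computer object).
SAMPLE_SPNS='dn: CN=RHD,CN=Computers,DC=ns1,DC=abcdom
servicePrincipalName: HOST/rhd
servicePrincipalName: HOST/rhd.ns1.abcdom'

# Offline demonstration on the three targets from the post.
for t in rhd rhd.ns1.abcdom 192.168.0.24; do
    printf '%-24s -> %s\n' "\\\\$t\\tmp" "$(spn_for_target "$t")"
done
printf '%s\n' "$SAMPLE_SPNS" | missing_spns rhd rhd.ns1.abcdom

# Live checks: run on the Samba host as a user holding a TGT (kinit), with
# DIAG_LIVE=1.  Assumes ldapsearch supports -Y GSSAPI on this box.
if [ "${DIAG_LIVE:-0}" = 1 ]; then
    ldapsearch -Y GSSAPI -H ldap://w2003srv.ns1.abcdom \
        -b 'DC=ns1,DC=abcdom' '(sAMAccountName=RHD$)' servicePrincipalName \
        | missing_spns rhd rhd.ns1.abcdom
    smbclient -k //rhd.ns1.abcdom/tmp -c ls   # Kerberos path by FQDN
    smbclient -k //rhd/tmp -c ls              # Kerberos path by short name
    klist                                     # did a cifs/rhd... ticket get issued?
fi
```

Reading the result: if `missing_spns` reports `cifs/` entries, the KDC cannot issue a ticket for the name the client asks for, and the SPNs have to be added to the RHD$ account on the DC (for example with `setspn` from the Windows Support Tools). If the SPNs are present and `klist` shows a `cifs/rhd@NS1.ABCDOM` service ticket after the failed `smbclient -k`, the ticket was issued but Samba could not decrypt or accept it, which points at a machine-key mismatch between the DC and the member (re-join) or at clock skew between the two hosts, which Kerberos rejects outright.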
Juan José Muñoz
2003-Dec-03 08:41 UTC
[Samba] access samba 3.0 shares from Win2K, Win3K, WinXPProf. using netbios name