Hi,

I'm having much trouble configuring Samba to work in an Active Directory environment.

Using getent password I'm able to see AD's users. wbinfo -u and wbinfo -g also work fine.

When someone from Windows tries to access my Samba server, the smd password window is shown (I think that the authentication would be transparent, wouldn't it?), and any password I provide is rejected: I tried AD users using both the plain username and the DOMAIN\username form. I also tried using my root password, without any success.

The logs are saying:

[2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
Failed to verify incoming ticket!
[2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
Failed to verify incoming ticket!

Is there any special configuration I have to do on Active Directory to make AD authentication available to Samba?

I've already installed PAM and followed all instructions at samba.org, but it is not working.

Could someone please help me?

Thanks in advance,

Lindolfo

P.S.: I've already checked both servers' time, they are synchronized.

On Tue, 6 Jan 2004, samba_list wrote:

> Hi,
>
> I'm having much trouble configuring Samba to work in an Active
> Directory environment.
>
> Using getent password I'm able to see AD's users. wbinfo -u and wbinfo -g
> also work fine.
>
> When someone from Windows tries to access my Samba server, the smd
> password window is shown (I think that the authentication would be
> transparent, wouldn't it?), and any password I provide is rejected: I tried
> AD users using both the plain username and the DOMAIN\username form. I also
> tried using my root password, without any success.
>
> The logs are saying:
> [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> Failed to verify incoming ticket!
> [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> Failed to verify incoming ticket!
>
> Is there any special configuration I have to do on Active Directory to
> make AD authentication available to Samba?

Almost certainly, you are running version 3.0.1, which as best I've been able to determine breaks kerberos ticket handling in the case of a Win2k/XP box trying to access SAMBA.

I've reported the problem to the list, and several others have as well in recent times, but as yet, I haven't noticed a clear answer as to what is broken. One fellow said that he was testing 3.0.1 with the libads code changes reverted to 3.0.0, but I don't believe he's reported back yet. (I'd be *very* interested in beta testing that! :)

What works for me is going back to version 3.0.0. The reason that's not good for me is because I have a whole bunch of existing unix users that I want to map properly to existing windows users of the same names, and 3.0.1 is supposed to do that automatically. If that's not a concern for you, then you might not have any reason to care which version you are running.

I'm using the redhat RPMS, and doing this sequence successfully downgrades me from 3.0.1 -> 3.0.0:

    <ensure that you have an admin ticket with kinit, if you do the net ads leave/join bits...>
    net ads leave
    cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
    /etc/rc.d/init.d/smb stop
    /etc/rc.d/init.d/winbind stop
    rpm -Uvh --force /usr/src/rpms/samba-3.0.0-2_rh9.i386.rpm
    cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
    /etc/rc.d/init.d/smb start
    /etc/rc.d/init.d/winbind start
    net ads join

The above process assumes that you've got the rpm file downloaded in /usr/src/rpms, that you have the right rpms for your system (in my case, rh9), and guarantees that your smb.conf file doesn't get accidentally wiped out.

I don't believe that the "net ads leave/join" part is strictly necessary. I've just been doing it whenever I upgrade/downgrade out of pedantry. My understanding is that it shouldn't be necessary, because the shared secrets/etc should be stored in the Samba TDB databases somewhere...

In my case, simply changing to 3.0.0 immediately makes everything work, and going to 3.0.1 immediately makes everything break.

If you want further confirmation that you are having the same problem I am, increase the logging level to something like 5, and look for "unknown key table type" errors shortly before the "Failed to verify ticket" error in your /var/log/samba/log.<workstation> file (assuming that you put your logs in the default linux location :)

I hope that helps,

Best Regards,

-Cedric Puddy

> I've already installed PAM and followed all instructions at samba.org,
> but it is not working.
>
> Could someone please help me?
>
> Thanks in advance,
>
> Lindolfo
>
> P.S.: I've already checked both servers' time, they are synchronized.

--
-
| CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
| 118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-741-2157
\____________________________________________________________________
  Cedric Puddy, IS Director    cedric@thinkers.org
  PGP Key Available at:        http://www.thinkers.org/cedric

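The log check suggested in the message above, as an added example that is not part of the original thread: it classifies each "Failed to verify incoming ticket" entry by whether "unknown key table type" was logged shortly before it. The function names, the 20-line default window, and the sample log (including the placeholder header on the key table entry) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify each Kerberos ticket failure in
# a Samba log by whether "unknown key table type" was logged shortly before it.

# classify_ticket_failures FILE [WINDOW]
# Prints "<timestamp> keytab" or "<timestamp> other" for every failure. WINDOW is
# how many log lines back to look (default 20, an arbitrary assumption).
classify_ticket_failures() {
    awk -v window="${2:-20}" '
        # Samba header line: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
        /^\[[0-9][0-9][0-9][0-9]\// { ts = substr($0, 2, index($0, ",") - 2) }
        {
            line = tolower($0)   # case-insensitive: exact casing in the log may vary
            if (index(line, "unknown key table type")) last_kt = NR
            if (index(line, "failed to verify incoming ticket")) {
                kind = (last_kt && NR - last_kt <= window) ? "keytab" : "other"
                print ts, kind
            }
        }
    ' "$1"
}

# Constructed sample log. Only the 18:42:30 sesssetup.c entry is copied from the
# thread; the later timestamps and the placeholder.c header are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
[2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2004/01/05 18:45:09, 3] placeholder.c:placeholder(0)
  unknown key table type
[2004/01/05 18:45:10, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
EOF
}

# Usage: sh this_script.sh /var/log/samba/log.<workstation> [WINDOW]
if [ -n "${1:-}" ]; then
    classify_ticket_failures "$@"
fi
```

Failures reported as "keytab" match the symptom described for 3.0.1; failures reported as "other" have no nearby key table error and point to a different cause.
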
Hi,

As Cedric suggested (thank you very much, man !!), I've downgraded my Samba from 3.0.1 to 3.0.0 and it worked !! There's no more "password asking" window and no more Kerberos ticket errors.

Now I'm facing a new, weird problem: my users can't print (I've installed Cups to manage the Deskjet 840c), they receive an "access denied - unable to connect" error message when they try to print.

From the Samba server box I can print using cat <somefile> > /dev/lp0. I've tried to change permissions, 777-ing both printer spool directory and /dev/lp0. The computer sharing options are: writable=yes, guest ok = yes, browseable = yes...etc.

What is missing ?? Is there any config I'm forgetting ?

Thanks in advance,

Lindolfo Rodrigues

---------- Original header -----------

From: Cedric Puddy <cedric@cadence.thinkers.org>
To: samba_list <samba_list@terra.com.br>
Cc: samba <samba@lists.samba.org>
Date: Tue, 6 Jan 2004 19:42:27 -0500 (EST)
Subject: Re: [Samba] Samba + Active Directory

> On Tue, 6 Jan 2004, samba_list wrote:
>
> > Hi,
> >
> > I'm having much trouble configuring Samba to work in an Active
> > Directory environment.
> >
> > Using getent password I'm able to see AD's users. wbinfo -u and wbinfo -g
> > also work fine.
> >
> > When someone from Windows tries to access my Samba server, the smd
> > password window is shown (I think that the authentication would be
> > transparent, wouldn't it?), and any password I provide is rejected: I tried
> > AD users using both the plain username and the DOMAIN\username form. I also
> > tried using my root password, without any success.
> >
> > The logs are saying:
> > [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > Failed to verify incoming ticket!
> > [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > Failed to verify incoming ticket!
> >
> > Is there any special configuration I have to do on Active Directory to
> > make AD authentication available to Samba?

>>> > [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>>> > Failed to verify incoming ticket!
>>> >
>>> > Is there any special configuration I have to do on Active Directory to
>>> > make AD authentication available to Samba?
>>
>> Almost certainly, you are running version 3.0.1, which as best
>> I've been able to determine breaks kerberos ticket handling
>> in the case of a Win2k/XP box trying to access SAMBA.
>
>Can people seeing this please test 3.0.2pre1 and let me know
>if it is fixed now? Thanks.

I sent a message yesterday, explaining that my setup now was working fine ...

I have a few other things that I think need to be looked at, but they are minor issues ....

Mailed
Lee