Christoph Scheeder
2004-May-12 08:38 UTC
[Samba] starnge Auth problem in w2k Domain with ADS
Hi,

my situation: a w2k server set in mixed mode as ADS server, and a Debian machine with the latest stable Samba, self-compiled with ADS support. The Samba machine joined the ADS domain successfully, winbindd is installed and configured, and all w2k users and groups are visible on the Samba server.

Browsing and connecting to the w2k server and the Samba server from the Samba server with smbclient and the -k option works fine for all accounts in the w2k domain and for the users defined locally on the Samba server.

If I try to access the Samba server from a w2k client in the domain, I get a prompt for user and password. If I supply a domain account I get a failure; if I supply a local Samba server account, all works fine.

Where should I look to solve this problem?

C.Scheeder
Hi!

I'm having the same problem when I want to access my shares on the Samba ADS member server. I, too, have successfully joined the domain and I can log on the domain using a 2000 user account from the Samba machine itself. But as for you, I am prompted for a user and password when accessing my shares from a 2000 client in the network neighborhood.

Be strong, we are two in this mess...

Thanks for reading

Bertram
Hi Christoph,

you have come to the wrong group. Not that this question does not belong here, it's just that nobody is willing to answer it!

4 questions so far in May have been about this topic (mine: http://lists.samba.org/archive/samba/2004-May/085521.html), and many more in earlier months. And there are surprisingly few replies.

I _don't_ think it's because it's a RTFM question, or is addressed in such detail so many times that people just can't be bothered answering it. I think it's because they don't wanna touch it (they meaning the people that have written/worked with these parts of Samba)!

The best reference I have been able to find so far, in my 6 day quest, to do the same thing as you want to do is: http://www.linuxquestions.org/questions/showthread.php?s=&threadid=161506

But this did not work for me... Though it is apparently working for some. Some go so far as to say that Samba can't do what you want we want it to do in our case.

I used both Heimdal 0.6.2 (I have a 2003 server I auth. against, and the Samba docs say that Heimdal must be used with 2003.) and the MIT 1.3.3 Kerberos and both 3.0.3 and 3.0.4 Samba.

I see that one person has sent a "Me too" mail in reply to you already. :)

Will the real Samba community please stand up?!

YS
Anders Berg
Too bad, it's not working for me... But no problem, I'll try the next Samba versions until it matches!

Rock isn't over, Samba Team! (And will never be!)

Bertram
I too have similar problems that haven't been answered. I have Kerberos functioning and I can kinit a user on the Samba box and access a Windows share, but cannot connect from a Windows workstation to a Samba share that has share permissions on it (file permissions are set to 777 for testing).

The problem I see in the logs is related to RIDs and SIDs. The logs (set to level 10) show the Kerberos ticket is decrypted, but later the RID and SID are displayed and do not match the RID and SID of the user connecting to the share. Since they don't match the actual user, they don't match any of the SIDs in the ACL for the share, which then denies access to the share. Same result on 3.0.2a and 3.0.3. I have not yet tried 3.0.4.

Maybe you have the same problem. My post: http://groups.google.com/groups?hl=en&lr=&threadm=1FxIM-8aM-21%40gated-at.bofh.it&rnum=4&prev=/groups%3Fhl%3Den%26lr%3D%26q%3DAden%2Bsamba

Jerry was kind enough to make a couple of suggestions, but they did not solve the problem.

Steve Aden

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
Sent: Wednesday, May 12, 2004 9:37 AM
To: Anders Berg
Cc: samba@lists.samba.org; Christoph Scheeder
Subject: Re: [Samba] starnge Auth problem in w2k Domain with ADS

Anders Berg wrote:
| ...
| Will the real Samba community please stand up?!

I'll assume that you're not just trolling for an answer.

For the record, you will always have better luck with MIT krb5 1.3.x and Heimdal 0.6.1 or later. Both support the type 23 enc type used by Windows 200x.

There are a couple of likely reasons why you are prompted for a password:

(a) the krb5 ticket cannot be verified (possibly due to an improper Kerberos setup on the Samba box)
(b) getpwnam() fails for the user (see logs for instances of 'Get_Pwnam did not')

If you can connect to the share using the server's IP address but IP address, this is indicative of a krb5 configuration error somewhere. When using the IP address, the client will revert to the NTLMSSP mechanism during session setup (rather than sending a krb5 ticket).

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"...a hundred billion castaways looking for a home." ----------- Sting
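The symptom Steve Aden describes above (the level-10 log shows a RID and SID that match neither the connecting user nor any SID in the share ACL) can be checked mechanically. This is an added example, not part of any message in this thread and not Samba code: it assumes the user's real SID is already known (for example from `wbinfo -n`), and the log lines, SIDs and function names are constructed for illustration and do not reproduce Samba's actual log format.

```python
import re

# Textual SID: S-1-<authority>-<subauthority>...-<RID>
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")

def split_sid(sid):
    """Split a textual SID into (domain part, RID)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)

def sids_in_log(lines):
    """Distinct SIDs found in the log text, in order of first appearance."""
    seen = []
    for line in lines:
        for sid in SID_RE.findall(line):
            if sid not in seen:
                seen.append(sid)
    return seen

def diagnose(log_lines, expected_user_sid, acl_sids):
    """Compare the SIDs logged for a session with the user's real SID and the share ACL."""
    token = sids_in_log(log_lines)
    exp_domain, _ = split_sid(expected_user_sid)
    in_domain = [s for s in token if split_sid(s)[0] == exp_domain]
    return {
        "user_sid_in_token": expected_user_sid in token,
        "rids_in_user_domain": sorted(split_sid(s)[1] for s in in_domain),
        "sids_outside_user_domain": [s for s in token if s not in in_domain],
        "acl_match": sorted(set(token) & set(acl_sids)),  # empty means access denied
    }

# Constructed sample data (hypothetical domain SIDs and log wording).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
EXPECTED_USER_SID = DOMAIN + "-1105"
SHARE_ACL = [EXPECTED_USER_SID, DOMAIN + "-512"]
SAMPLE_LOG = [
    "[constructed] kerberos ticket decrypted for EXAMPLE\\alice",
    "[constructed] token SID[0]: S-1-5-21-4444444444-5555555555-6666666666-3001",
    "[constructed] token SID[1]: " + DOMAIN + "-513",
    "[constructed] token SID[2]: S-1-1-0",
]

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, EXPECTED_USER_SID, SHARE_ACL).items():
        print(f"{key}: {value}")
```

An empty `acl_match` together with `user_sid_in_token` being false is the pattern described in the message: the ticket was accepted, but the session was mapped to a SID the ACL does not list.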
Gerald (Jerry) Carter
2004-May-12 20:38 UTC
[Samba] starnge Auth problem in w2k Domain with ADS
I've just uploaded a patch to the bug report at https://bugzilla.samba.org/show_bug.cgi?id=1315 that should fix the winbindd failure people are experiencing in 3.0.4. It fixes things for me here, but I would appreciate some more testing. Let me know how it goes.

cheers, jerry