My testing has shown that when using "security = ads" and specifying
\\ipaddress\share, Kerberos fails with "PRINCIPAL_UNKNOWN" and auth then
falls through (in my case, either NTLMv1 or NTLMv2 - I have tested with
both). So maybe you should try it with your hostname, or hostname.FQDN,
and check out what happens with ethereal. Maybe your fall-through
auth-n is failing (easy to do with NTLMv2).
Of course, these results are specific to my test environment, so maybe
this is not pervasive behavior.
Eric Roseme
Hewlett-Packard
Ben Schmaus wrote:
> Versions:
>
> OS: Redhat ES Linux 3.0
> Windows OS: Windows 2003 & Active Directory
> Samba: samba-3.0.5rc1-2_rh9.i386.rpm
> Kerberos: krb5-1.3.4-i686-pc-linux-gnu.tar
> Using Winbind: Yes
>
> Objective:
>
> Allow Samba/Linux server to authenticate off of active directory to access
> Samba shares.
>
> Problem:
>
> I can get to some shares, but not to the user home shares. When trying to
> access a user home share I get prompted for a password even though I have
> already connected to other shares with the same user name. And even if I
> enter the username and password, access is denied. I am currently trying
> this by doing a 'net use * \\ip address\home share'.
>
> Smb.conf
>
> [global]
> workgroup = DOMAIN
> netbios name = RCRH03
> server string = RCRH03
> security = ADS
> realm = DOMAIN.COM
> password server = 10.1.1.28
> wins server = 10.1.1.28
> client use spnego = yes
> client signing = yes
> encrypt passwords = yes
> printcap name = cups
> disable spoolss = Yes
> show add printer wizard = No
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> winbind separator = +
> winbind use default domain = Yes
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%D/%U
> template shell = /bin/bash
> use sendfile = Yes
> printing = cups
> ldap suffix = "dc=domain, dc=com"
> winbind cache time = 0
> log level = 10
> log file = /var/log/samba.log
> max log size = 5000000
> debug timestamp = yes
>
>
> [homes]
> comment = Home Directories
> valid users = %U
> path = /home/%D/%U
> public = Yes
> read only = No
> browseable = No
>
> [apps]
> comment = OSCAR
> path = /apps
> valid users = @dev, @REDHAT
> admin users = @dev, @REDHAT
> read only = No
> browseable = Yes
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printer admin = root
> create mask = 0600
> guest ok = Yes
> printable = Yes
> use client driver = Yes
> browseable = No
>
> [public]
> comment = test
> path = /spare
> read only = No
> browseable = Yes
>
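The behaviour discussed in this thread (an IP-address target gives the client no service principal to request, so authentication drops to NTLM) can be audited across a list of share mappings. The following is an added example, not code from either poster or from Samba: the `cifs/<host>@REALM` principal form, the `192.0.2.10` and IPv6 addresses, and the function names are assumptions for illustration; `RCRH03` and `DOMAIN.COM` are taken from the quoted smb.conf.

```python
import ipaddress
import re

# \\server\share[\...]; server may be a NetBIOS name, an FQDN or an IP literal.
UNC_RE = re.compile(r'^\\\\(?P<server>[^\\/]+)[\\/](?P<share>[^\\/]+)')
V6_SUFFIX = ".ipv6-literal.net"  # Windows spelling of IPv6 addresses in UNC paths


def is_ip_literal(server: str) -> bool:
    """True if the server part is an IPv4/IPv6 literal rather than a name."""
    s = server.lower()
    if s.endswith(V6_SUFFIX):
        s = s[: -len(V6_SUFFIX)].replace("-", ":")
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def classify(unc: str, realm: str) -> dict:
    """Predict whether a client can ask the KDC for a ticket for this target."""
    m = UNC_RE.match(unc.strip())
    if not m:
        raise ValueError(f"not a UNC path: {unc!r}")
    server = m.group("server")
    if is_ip_literal(server):
        # No name to build a principal from: expect NTLM fall-through.
        return {"path": unc, "spn": None, "expected_auth": "ntlm-fallback"}
    spn = f"cifs/{server.lower()}@{realm.upper()}"  # assumed principal form
    return {"path": unc, "spn": spn, "expected_auth": "kerberos"}


def audit(paths, realm):
    """Return only the mappings that would bypass Kerberos."""
    return [r for r in (classify(p, realm) for p in paths)
            if r["expected_auth"] == "ntlm-fallback"]


# Constructed sample mappings (addresses are documentation ranges).
SAMPLE = [
    r"\\192.0.2.10\homes",
    r"\\RCRH03\apps",
    r"\\rcrh03.domain.com\public",
    r"\\2001-db8--1.ipv6-literal.net\public",
]

if __name__ == "__main__":
    for row in audit(SAMPLE, "DOMAIN.COM"):
        print(f"{row['path']}: no SPN, expect NTLM fall-through")
```

Mappings flagged here are the ones to re-test by hostname or FQDN while watching the negotiated mechanism in a packet capture.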