Melfi.Marcello@hydro.qc.ca
2004-Oct-14 19:28 UTC
[Samba] Getting errors while running Samba 3.0.7 with ADS security mode under MIT Kerberos
Hi,

I compiled Samba 3.0.7, MIT Kerberos 1.3.5 and OpenLDAP 2.2.17. I did not notice any errors during compilation. I searched and found the "#define HAVE_LDAP 1" and "#define HAVE_KRB5 1" statements in the config.h file of Samba 3.0.7's include dir. So, ADS should be supported in the compiled Samba 3.0.7 version.

Here is what I did up to now. As described in the Samba How-To doc, I created the /etc/krb5.conf file and I ran the "kinit USERNAME@REALM" command. I had to provide the password for USERNAME. When I run the "klist" command, I get the following output:

*********************************************
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <USERNAME@REALM>

Valid starting     Expires            Service principal
10/08/04 15:57:48  10/09/04 01:59:26  krbtgt/<REALM>@<REALM>
        renew until 10/09/04 15:57:48

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
*********************************************

Is it OK, or should I see more than just the TGT ticket? My understanding is that I ran the "kinit" command just to make sure that Kerberos was working between the Win2K3 server and the Samba machine. Am I right?

Then, I successfully joined the Samba machine to the Win2K3 server's domain with the "net ads join -U Administrator%password" command.

After starting Samba (i.e. only the smbd and nmbd processes), I tried to map a Samba share from a Windows XP Pro workstation on which I was already logged in with a user account defined in the Win2K3 server's domain. The first try (i.e. after a reboot of the workstation so that the cache was cleared) never works! At that point, a username/password box opened and I entered the username and password information of that same user I was logged in as, and it worked. It looks like the password was not OK the first time (I did the map from a Windows "CMD" console to get the error message)...

When I look at the Samba log for that workstation (log level = 0 ... sorry!), I noticed the following error messages:

*********************************************
[2004/10/08 17:31:34, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2004/10/08 17:31:34, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Broken pipe
[2004/10/08 17:31:34, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 24: ERRNO = Broken pipe
[2004/10/08 17:31:34, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Broken pipe)
*********************************************

When the Samba share was established, it seemed to work OK. But today, I changed the log setting (i.e. log level = 2), I repeated the same steps and I noticed that there were some additional messages about NTLM being used the second time (i.e. after the username/password box)... See the following Samba log output:

*********************************************
[2004/10/13 16:01:57, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/10/13 16:01:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DEV-TESTAD.HYDRO.QC.CA\mv90ddmexp02$ is invalid on this system
[2004/10/13 16:01:58, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/10/13 16:01:58, 2] smbd/service.c:make_connection_snum(314)
  user 'qc9999' (from session setup) not permitted to access this share (ddm_mv90data)
[2004/10/13 16:01:58, 2] smbd/server.c:exit_server(571)
  Closing connections
[2004/10/13 16:02:13, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2004/10/13 16:02:13, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Broken pipe
[2004/10/13 16:02:13, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 24: ERRNO = Broken pipe
[2004/10/13 16:02:13, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Broken pipe)
[2004/10/13 16:02:13, 2] smbd/server.c:exit_server(571)
  Closing connections
[2004/10/13 16:02:13, 2] libsmb/namequery.c:name_query(492)
  Got a positive name query response from 10.6.1.103 ( 10.6.1.103 )
[2004/10/13 16:02:13, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [QC9999] -> [ddmuser] -> [ddmuser] succeeded
[2004/10/13 16:02:13, 1] smbd/service.c:make_connection_snum(648)
  mv90ddmexp02 (10.4.114.22) connect to service ddm_mv90data initially as user ddmuser (uid=40147, gid=30013) (pid 4162)
*********************************************

From that, I can only guess that when I try to map the Samba share from the Windows XP Pro workstation, it fails and Samba seems to revert to NTLM authentication... Is that possible?

Here is my "krb5.conf" file:

*********************************************
[libdefaults]
    default_realm = <REALM>

[realms]
    <REALM> = {
        default_domain = <REALM>
        kdc = 10.6.1.103
    }

[domain_realm]
    .<kerberos server> = <REALM>
    <kerberos server> = <REALM>
*********************************************

Here is my "smb.conf" file:

*********************************************
[global]
    workgroup = DEV-TESTAD
    netbios name = HONDA
    server string = honda
    interfaces = <IP address of honda> 127.0.0.1
    bind interfaces only = yes
    security = ads
    realm = <Domain of the Win2K3 server starting with "DEV-TESTAD.">
    allow trusted domains = yes
    encrypt passwords = yes
    password server = *
    wins support = no
    wins server = 10.6.1.103
    username map = /usr/local/samba307ads/lib/usermap.txt
    case sensitive = yes
    preserve case = yes
    short preserve case = yes
    default case = upper
    log file = /usr/local/samba307ads/var/log.%m
    log level = 2
    max log size = 50
    load printers = no
    preferred master = false
    local master = no
    domain master = false
    dns proxy = no
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[ddm_mv90data]
    path = /path/of/the/share
    guest ok = no
    directory mask = 0770
    create mask = 0660
    browseable = no
    writeable = yes
    valid users = ddmuser
*********************************************

Here is my "usermap.txt" file:

*********************************************
ddmuser = qc9999
*********************************************

Any help would be very much appreciated at this point!

Regards,
Marcello
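The sequence visible in the level-2 log above (a Kerberos session setup rejected with "Username ... is invalid on this system", then an NTLM success for the same client a few seconds later) is exactly the kind of silent downgrade an operator of an AD-joined file server wants to notice rather than discover by accident. The script below is an added example, written for this page; it is not code from the original post and not a Samba tool. It parses Samba 3's two-line log layout (a bracketed header line followed by an indented message line) and pairs each rejected Kerberos session setup with an NTLM success that follows it within a time window. The embedded log excerpt is constructed from the entries quoted in the post, not a verbatim capture; the 60-second window and the field names of the findings are assumptions chosen for the example.

```python
# Added example (not code from the original post, nor a Samba tool): scan a
# Samba 3 smbd log for sessions where a Kerberos session setup was rejected and
# the same client then authenticated with NTLM shortly afterwards.
import re
from datetime import datetime

# Samba 3 writes each entry as a header line followed by an indented message line.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
KRB_FAIL = re.compile(r"^Username (\S+) is invalid on this system$")
NTLM_OK = re.compile(r"^check_ntlm_password: authentication for user "
                     r"\[([^\]]+)\] -> \[([^\]]+)\] -> \[([^\]]+)\] succeeded$")
CONNECT = re.compile(r"^(\S+) \((\S+)\) connect to service (\S+) initially as user (\S+)")

# Constructed sample: the entries quoted in the post, laid out in Samba's
# two-line format. Not a verbatim capture.
SAMPLE_LOG = r"""[2004/10/13 16:01:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DEV-TESTAD.HYDRO.QC.CA\mv90ddmexp02$ is invalid on this system
[2004/10/13 16:01:58, 2] smbd/service.c:make_connection_snum(314)
  user 'qc9999' (from session setup) not permitted to access this share (ddm_mv90data)
[2004/10/13 16:01:58, 2] smbd/server.c:exit_server(571)
  Closing connections
[2004/10/13 16:02:13, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2004/10/13 16:02:13, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [QC9999] -> [ddmuser] -> [ddmuser] succeeded
[2004/10/13 16:02:13, 1] smbd/service.c:make_connection_snum(648)
  mv90ddmexp02 (10.4.114.22) connect to service ddm_mv90data initially as user ddmuser (uid=40147, gid=30013) (pid 4162)
"""


def parse_entries(text):
    """Return a list of (timestamp, level, location, message) from Samba 3 log text.

    Continuation lines belonging to one entry are joined with a single space."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER.match(line)
        if m:
            if current is not None:
                entries.append(current)
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            current = [ts, int(m.group(2)), m.group(3), []]
        elif current is not None and line.strip():
            current[3].append(line.strip())
    if current is not None:
        entries.append(current)
    return [(ts, lvl, loc, " ".join(msg)) for ts, lvl, loc, msg in entries]


def find_ntlm_fallbacks(text, window_seconds=60):
    """Pair each rejected Kerberos session setup with an NTLM success that
    follows it within window_seconds (60 s is an assumed default for this
    example, not a Samba constant). The client address and share are filled
    in from the connect line that follows the NTLM success."""
    findings = []
    pending = []  # (timestamp, principal) of Kerberos rejections not yet paired
    for ts, level, loc, msg in parse_entries(text):
        m = KRB_FAIL.match(msg)
        if m and "reply_spnego_kerberos" in loc:
            pending.append((ts, m.group(1)))
            continue
        m = NTLM_OK.match(msg)
        if m:
            for fail_ts, principal in pending:
                delay = (ts - fail_ts).total_seconds()
                if 0 <= delay <= window_seconds:
                    findings.append({
                        "kerberos_principal": principal,
                        "ntlm_user": m.group(1),
                        "unix_user": m.group(3),
                        "delay_seconds": delay,
                        "client": None,
                        "share": None,
                    })
            pending = []  # anything older than the window is stale
            continue
        m = CONNECT.match(msg)
        if m and findings and findings[-1]["client"] is None:
            findings[-1]["client"] = m.group(2)
            findings[-1]["share"] = m.group(3)
    return findings


if __name__ == "__main__":
    for f in find_ntlm_fallbacks(SAMPLE_LOG):
        print("Kerberos rejected %s; NTLM accepted %s as %s from %s on %s after %.0fs"
              % (f["kerberos_principal"], f["ntlm_user"], f["unix_user"],
                 f["client"], f["share"], f["delay_seconds"]))
```

Run against the sample it reports one fallback: the workstation's machine principal was rejected by the Kerberos path and 15 seconds later the domain account QC9999 was accepted over NTLM and mapped to the Unix user ddmuser. Pointing it at a real log.%m file (which needs "log level = 2" or higher, as the post notes, since the check_ntlm_password line is logged at level 2) gives a per-client record of every downgrade rather than the single occurrence found by reading the log by hand.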