Hi,

I'm trying to join my Linux file server to an AD domain. I've looked at several different documents describing how to do this, but I still am not able to get everything to work correctly.

I am able to join my domain, but I cannot use smbclient to connect to another file server in the domain, nor can I connect to the samba server from my desktop PC.

My kerberos tickets seem to be in order:

$ kinit mtkelly@MY.BIG.DOMAIN.LOC
Password for mtkelly@MY.BIG.DOMAIN.LOC:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mtkelly@MY.BIG.DOMAIN.LOC

Valid starting     Expires            Service principal
10/19/04 12:26:21  10/19/04 22:26:25  krbtgt/MY.BIG.DOMAIN.LOC@MY.BIG.DOMAIN.LOC
        renew until 10/19/04 13:26:21

$ smbclient -U mtkelly@my.big.domain.loc -k //fs02/Share
session setup failed: NT_STATUS_LOGON_FAILURE

Even with debug enabled, I don't get any clues:

$ smbclient -U mtkelly@my.big.domain.loc -k -d 4 //fs02/Share
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter local master = no
doing parameter realm = MY.BIG.DOMAIN.LOC
doing parameter password server = 10.109.40.128
doing parameter workgroup = MYDOMAIN
doing parameter netbios name = FS01
handle_netbios_name: set global_myname to: FS01
doing parameter encrypt passwords = yes
doing parameter security = ads
doing parameter log file = /var/log/samba.log
doing parameter server string = ""
doing parameter winbind separator = +
doing parameter winbind uid = 10000-20000
doing parameter winbind gid = 10000-20000
doing parameter template shell = /bin/bash
doing parameter wins server = 10.109.40.128
doing parameter client use spnego = no
doing parameter use spnego = yes
pm_process() returned Yes
added interface ip=10.109.40.77 bcast=10.109.41.255 nmask=255.255.254.0
Client started (version 3.0.7-2.FC2).
Connecting to 10.109.40.59 at port 445
session request ok
Serverzone is 25200
session setup failed: NT_STATUS_LOGON_FAILURE

/var/log/samba.log has three error messages which might be related to my problem:

[2004/10/19 11:46:21, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/10/19 11:51:31, 1] libads/ldap.c:ads_connect(251)
  Failed to get ldap server info
[2004/10/19 12:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist

My smb.conf:

[global]
    local master = no
    realm = MY.BIG.DOMAIN.LOC
    password server = 10.109.40.128
    workgroup = MYDOMAIN
    netbios name = FS01
    encrypt passwords = yes
    security = ads
    log file = /var/log/samba.log
    server string = ""
    winbind separator = +
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    template shell = /bin/bash
    wins server = 10.109.40.128
    client use spnego = no
    use spnego = yes

[Share]
    comment = Share
    browseable = yes
    writable = yes
    guest ok = no
    path = /smb/share

I'm running Fedora Core 2, Samba Version 3.0.7-2.FC2, and kernel 2.6.5-1.358.

Active Directory lives on 10.109.40.128.
The samba server is FS01 at 10.109.40.77.
A windows fileserver is FS02 at 10.109.40.59.

Does anyone have any suggestions about what I might do to get samba working correctly?

Thanks,

Mike (:

--
--------Mike@PirateHaven.org-----------------------The_glass_is_too_big--------
I had to add the following lines to the [libdefaults] section of my /etc/krb5.conf file to get it working:

default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
dns_lookup_realm = false
dns_lookup_kdc = false

This assumes you are trying to connect to a Win2K Domain Controller. I don't know if it works with a 2003 server.

Also, since your kinit was successful, the -U parameter is unnecessary when using smbclient -k.

ex. smbclient -k //fs02/Share

Kevin

-----Original Message-----
From: Mike Kelly [mailto:mike@piratehaven.org]
Sent: Tuesday, October 19, 2004 2:42 PM
To: samba@lists.samba.org
Subject: [Samba] Samba and Active Directory
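An added example (not part of the original thread, and not Samba or MIT Kerberos code): a small Python check that reads the [libdefaults] settings from Kevin's reply and reports whether the ticket enctype lists are pinned to legacy ciphers only. DES is deprecated for Kerberos by RFC 6649 and RC4 and 3DES by RFC 8429; the function names, the [domain_realm] line and the second sample are constructed for illustration.

```python
import re
# Deprecated for Kerberos: DES (RFC 6649), RC4 and 3DES (RFC 8429).
LEGACY = {"des", "des3", "rc4", "rc4-hmac", "arcfour-hmac",
          "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

# [libdefaults] lines as given in the reply; [domain_realm] line is constructed.
THREAD_CONF = """
[libdefaults]
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    dns_lookup_realm = false
    dns_lookup_kdc = false
[domain_realm]
    .my.big.domain.loc = MY.BIG.DOMAIN.LOC
"""
# Constructed comparison sample: AES preferred, RC4 kept as a fallback.
CONSTRUCTED_CONF = """
[libdefaults]
    default_tkt_enctypes = aes256-cts-hmac-sha1-96, rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

def libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section only."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit_enctypes(text):
    """Classify each enctype list as 'legacy-only', 'mixed' or 'ok'."""
    conf, report = libdefaults(text), {}
    for key in ENCTYPE_KEYS:
        names = {n.lower() for n in re.split(r"[\s,]+", conf.get(key, "")) if n}
        if names:
            legacy = names & LEGACY
            report[key] = ("legacy-only" if legacy == names
                           else "mixed" if legacy else "ok")
    return report

if __name__ == "__main__":
    print(audit_enctypes(THREAD_CONF), audit_enctypes(CONSTRUCTED_CONF))
```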
On Tue, Oct 19, 2004 at 03:05:52PM -0500, Michael Wray wrote:
> Make sure signed traffic is disabled on the AD server (at least for traffic
> from your samba) under domain and local policies. And that LM,NTLM,&NTLM2
> when negotiated are enabled on the AD server.
>

Unfortunately, the signed traffic setting affects the entire domain, and I don't think that I will be able to sell my company's AD admins on decreasing company-wide security for a single branch office server.

I read this message which says that samba 3 supports signing, and that it doesn't need to be disabled in AD.

http://lists.samba.org/archive/samba/2003-October/000341.html

Is this message inaccurate?

> Also check your log.winbindd file for errors. (usually
> /var/log/log.winbindd or /var/log/samba/log.winbindd some servers have
> both.)
>

I have /var/log/samba/winbindd.log, which consistently states:

[2004/10/19 11:46:21, 1] nsswitch/winbindd.c:main(854)
  winbindd version 3.0.7-2.FC2 started.
  Copyright The Samba Team 2000-2004

Thanks,

Mike (:

--
--------Mike@PirateHaven.org-----------------------The_glass_is_too_big--------