I recently upgraded a backup fileserver used for testing purposes from
samba-3.0.10 to the current samba-3.0.11 using the FreeBSD portupgrade.
The fileserver is set up in a W2K AD. The fileserver uses Winbind to get
AD accounts and shares are created on the Samba server. Worked fine
until the upgrade.
Here is a copy of the current smb.conf:
[global]
unix charset = LOCALE
workgroup = DOMAIN
realm = DOMAIN.COM
server string = Backup Server
security = ADS
hosts allow = IP Address. 127.
log file = /var/log/samba/log.%m
max log size = 50
log level = 5
syslog = 0
ldap ssl = no
enable privileges = no
# added this to test with new samba version. I have tried it with set to yes or left out. Same results.
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = "DOMAIN\Domain Users"
template shell = /usr/local/bin/bash
winbind use default domain = yes
interfaces = IP Address/24
local master = no
domain master = no
preferred master = no
admin users = "DOMAIN\Administrator"
valid users = "DOMAIN\Domain Users"
dos filemode = yes
[homes]
comment = Home Directories
valid users = %S
read only = no
browseable = no
[www]
comment = web directories
path = /home/username
read only = no
browseable = yes
force user = username
When I try to connect to the share www from a Windows machine in the
domain, I get a standard can't connect error. When I try connecting by
computer name \\COMPUTER , I am prompted for a username and password,
none of which works.
After turning on full logging, I receive the following errors in:
Computer trying to connect logfile:
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
ads_secrets_verify_ticket: enc type [16] failed to decrypt with error
Message size is incompatible with encryption type
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
ads_secrets_verify_ticket: enc type [5] failed to decrypt with error
Decrypt integrity check failed
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
Decrypt integrity check failed
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
ads_secrets_verify_ticket: enc type [2] failed to decrypt with error
Decrypt integrity check failed
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error
Decrypt integrity check failed
[2005/02/08 08:28:21, 3] libads/kerberos_verify.c:ads_verify_ticket(313)
ads_verify_ticket: krb5_rd_req with auth failed (Unknown error: 0)
[2005/02/08 08:28:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
[2005/02/08 08:28:21, 3] smbd/error.c:error_packet(105)
error string = Invalid argument
[2005/02/08 08:28:21, 3] smbd/error.c:error_packet(129)
error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
Winbind Logfile:
[2005/02/08 08:33:32, 5] nsswitch/winbindd_ads.c:trusted_domains(842)
trusted_domains: Could not open a connection to DOMAIN for
PIPE_NETLOGON (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
Smbd Logfile:
No listed errors.
I can:
- kinit administrator@DOMAIN.COM (obtain a ticket)
- klist (view ticket details)
- wbinfo -u (enumerate users)
- wbinfo -g (enumerate groups)
- wbinfo -r username (get user groups)
- net ads leave
- net ads join -U administrator
All of the above give no errors at all.
System specs:
FreeBSD 5.2.1-RELEASE #0:
heimdal-0.6.3_2 (configured with LDAP)
samba-3.0.11,1 (configured with LDAP, ADS, WINBIND, ACL_SUPPORT and
UTMP)
openldap-client-2.2.23
If I try to chown on the Samba server (chown administrator or chown
DOMAIN\administrator), or if I try to chgrp a domain group, I get an
invalid argument error, which is usually given when winbind is having
problems. I could do this previously before the upgrade. When I do that
the winbind log has the following errors:
[2005/02/08 11:03:01, 5] nsswitch/winbindd_ads.c:trusted_domains(842)
trusted_domains: Could not open a connection to DOMAIN for
PIPE_NETLOGON (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2005/02/08 11:03:05, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[49820]: request interface version
[2005/02/08 11:03:05, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[49820]: request location of privileged pipe
[2005/02/08 11:03:05, 5] nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 20, pid 49820: EOF
[2005/02/08 11:03:05, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(126)
[49820]: getpwnam administrator
[2005/02/08 11:03:05, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user 'administrator' does not exist
[2005/02/08 11:03:05, 5] nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 21, pid 49820: EOF
For the sake of argument, I tried this on another machine that was
similarly configured. After the upgrade, the result was the same as the
above.
So is there a bug in the latest release or does it have to do with
some of the new features in samba-3.0.11?
Any help would be appreciated.
Thanks,
Mark Irving
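
Added example, not part of the original post and not Samba code: a small Python triage script for smbd logs like the one quoted above. It rejoins the wrapped records, maps each enctype number to its IANA name, and reports per rejected ticket which enctypes were tried and which failed the integrity check. The function names are hypothetical and the sample is abridged from the log in the post.

```python
import re

# Kerberos encryption type numbers as assigned by IANA (subset).
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            5: "des3-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]", re.M)
ENC_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

# Constructed sample: abridged from the smbd log in the post, wrapping kept.
SAMPLE = """\
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
ads_secrets_verify_ticket: enc type [16] failed to decrypt with error
Message size is incompatible with encryption type
[2005/02/08 08:28:21, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(201)
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2005/02/08 08:28:21, 3] libads/kerberos_verify.c:ads_verify_ticket(313)
ads_verify_ticket: krb5_rd_req with auth failed (Unknown error: 0)
[2005/02/08 08:28:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
"""

def records(text):
    """Yield (timestamp, message) per record, rejoining wrapped lines."""
    parts = HEADER.split(text)  # [preamble, ts1, body1, ts2, body2, ...]
    for i in range(1, len(parts), 2):
        yield parts[i], " ".join(parts[i + 1].split())

def failed_ticket_attempts(text):
    """Summarise each rejected Kerberos ticket: which keys were tried and how."""
    attempts, tried = [], {}
    for ts, msg in records(text):
        m = ENC_FAIL.search(msg)
        if m:
            name = ENCTYPES.get(int(m.group(1)), "enctype-" + m.group(1))
            if name in tried:   # each enctype is tried once per ticket,
                tried = {}      # so a repeat means a new ticket started
            tried[name] = m.group(2)
        elif "Failed to verify incoming ticket!" in msg:
            wrong_key = [n for n, e in tried.items() if "integrity check" in e]
            attempts.append({"time": ts, "tried": list(tried),
                             "integrity_failures": wrong_key})
            tried = {}
    return attempts

if __name__ == "__main__":
    print(failed_ticket_attempts(SAMPLE))
```

An entry under integrity_failures means decryption with the stored key for that enctype did not yield a valid checksum; "Message size is incompatible" means the ciphertext length does not fit that enctype.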