Covington, Chris
2005-May-06 19:10 UTC
[Samba] issues with 3.0.14a domain member after 2003 dc upgrade
Hello list,

Recently I've rebuilt our Windows 2000 DCs to Windows 2003 SP1 DCs that my 3.0.14a, mit-krb5-1.3.6, openldap-2.1.30 Gentoo box is a part of. Since then, on the Samba box I can getent group, getent passwd, wbinfo -t, wbinfo -g, wbinfo -u, etc. properly, but anyone who accesses the shares on the Samba member server gets prompted for a password.

The logs are as follows:

[2005/05/06 14:25:49, 0] lib/util_sock.c:read_socket_data(384)
  read_socket_data: recv failure for 4. Error = Connection reset by peer
[2005/05/06 14:42:05, 0] lib/util_sock.c:read_socket_data(384)
  read_socket_data: recv failure for 4. Error = Connection reset by peer

or:

[2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DOMAIN\user is invalid on this system
[2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DOMAIN\SERVER$ is invalid on this system
[2005/05/06 14:59:02, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
  api_pipe_bind_req: unknown auth type 9 requested.

My krb5.conf looks like the following:

[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = dc1.example.com:88
                kdc = dc2.example.com:88
        }

My smb.conf looks like the following:

[global]
        netbios name = VIDEODROME
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        winbind enum users = yes
        winbind gid = 10000-20000
        workgroup = DOMAIN
        os level = 20
        winbind enum groups = yes
        winbind use default domain = yes
        client use spnego = yes
        password server = *
        preferred master = no
        log file = /var/log/samba/log.%m
        encrypt passwords = yes
        dns proxy = no
        realm = EXAMPLE.COM
        security = ADS
        wins server = dc1.example.com dc2.example.com
        wins proxy = no

[checkpoint]
        valid users = "DOMAIN\IT"
        path = /var/platform/host/docs
        public = no
        writable = yes
        forceuser = cchamberlain

I've tried: removing the machine from the domain and adding it back in, adding client use spnego = yes to smb.conf, using heimdal instead of mit-krb5, specifying the default encryption types of Windows 2003 in krb5.conf:

# default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
# default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
# forwardable = true
# proxiable = true
# dns_lookup_realm = true
# dns_lookup_kdc = true
# permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-cbc-sha1 des-cbc-md4

All to no avail. Does anyone have any suggestions?

thanks

---
Chris Covington
IT
Plus One Health Management
75 Maiden Lane Suite 801
NY, NY 10038
646-312-6269
http://www.plusoneactive.com
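The log excerpts above mix three different symptoms (TCP resets, Kerberos principals that smbd could not map to a local account, and a DCE/RPC bind with an auth type this Samba build does not know). As an added example, not code from the thread or from the Samba project, here is a small parser for the Samba 3.x two-line log format that buckets entries by symptom, run over a constructed sample assembled from the lines quoted in the post; the category names and the helper functions are my own.

```python
import re
from collections import Counter

# Samba 3.x writes each entry as a header line "[date time, level] file.c:function(line)"
# followed by the message text, indented, on the next line.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>[\w/.]+):(?P<func>\w+)\((?P<line>\d+)\)[ \t]*\n"
    r"[ \t]*(?P<msg>[^\n]*)", re.M)

# Message shapes quoted in the post.
INVALID_USER_RE = re.compile(r"^Username (?P<name>\S+) is invalid on this system$")
UNKNOWN_AUTH_RE = re.compile(r"^api_pipe_bind_req: unknown auth type (?P<type>\d+) requested\.$")
RESET_RE = re.compile(r"^read_socket_data: recv failure for \d+\. Error = Connection reset by peer$")

def parse_samba_log(text):
    """Return one dict per header/message pair; lines that fit neither are skipped."""
    return [{**m.groupdict(), "msg": m["msg"].strip()} for m in ENTRY_RE.finditer(text)]

def classify(entries):
    """Count entries per failure category and list the principals smbd could not map.
    DCE/RPC auth type 9 is RPC_C_AUTHN_GSS_NEGOTIATE (SPNEGO)."""
    counts, unmapped = Counter(), []
    for e in entries:
        if (m := INVALID_USER_RE.match(e["msg"])):
            counts["kerberos_principal_unmapped"] += 1
            unmapped.append(m.group("name"))
        elif (m := UNKNOWN_AUTH_RE.match(e["msg"])):
            counts["rpc_unknown_auth_type_" + m.group("type")] += 1
        elif RESET_RE.match(e["msg"]):
            counts["connection_reset"] += 1
        else:
            counts["other"] += 1
    return counts, unmapped

def machine_accounts(unmapped):
    """Principals ending in '$' are machine accounts (SERVER$ in the post), not users."""
    return [n for n in unmapped if n.endswith("$")]

# Constructed sample built from the lines quoted in the post.
SAMPLE_LOG = """[2005/05/06 14:25:49, 0] lib/util_sock.c:read_socket_data(384)
  read_socket_data: recv failure for 4. Error = Connection reset by peer
[2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DOMAIN\\user is invalid on this system
[2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username DOMAIN\\SERVER$ is invalid on this system
[2005/05/06 14:59:02, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
  api_pipe_bind_req: unknown auth type 9 requested."""
```

Feeding a real log.%m file through parse_samba_log and classify separates the machine account (SERVER$) failing to map from ordinary users, which is the distinction worth checking first on a freshly rejoined member.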
Covington, Chris
2005-May-09 18:32 UTC
[Samba] issues with 3.0.14a domain member after 2003 dc upgrade
> Hello list,
>
> Recently I've rebuilt our Windows 2000 DCs to Windows 2003
> SP1 DCs that my 3.0.14a, mit-krb5-1.3.6, openldap-2.1.30
> Gentoo box is a part of.
> Since then, on the Samba box I can getent group, getent
> passwd, wbinfo -t, wbinfo -g, wbinfo -u, etc. properly but
> anyone who accesses the shares on the Samba member server
> gets prompted for a password.
>
> The logs are as follows:
>
> [2005/05/06 14:25:49, 0] lib/util_sock.c:read_socket_data(384)
>   read_socket_data: recv failure for 4. Error = Connection reset by peer
> [2005/05/06 14:42:05, 0] lib/util_sock.c:read_socket_data(384)
>   read_socket_data: recv failure for 4. Error = Connection reset by peer
>
> or:
>
> [2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>   Username DOMAIN\user is invalid on this system
> [2005/05/06 08:51:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>   Username DOMAIN\SERVER$ is invalid on this system
> [2005/05/06 14:59:02, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993)
>   api_pipe_bind_req: unknown auth type 9 requested.
>
> My krb5.conf looks like the following:
>
> [libdefaults]
>         default_realm = EXAMPLE.COM
>
> [realms]
>         EXAMPLE.COM = {
>                 kdc = dc1.example.com:88
>                 kdc = dc2.example.com:88
>         }
>
> My smb.conf looks like the following:
>
> [global]
>         netbios name = VIDEODROME
>         socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>         idmap uid = 10000-20000
>         winbind enum users = yes
>         winbind gid = 10000-20000
>         workgroup = DOMAIN
>         os level = 20
>         winbind enum groups = yes
>         winbind use default domain = yes
>         client use spnego = yes
>         password server = *
>         preferred master = no
>         log file = /var/log/samba/log.%m
>         encrypt passwords = yes
>         dns proxy = no
>         realm = EXAMPLE.COM
>         security = ADS
>         wins server = dc1.example.com dc2.example.com
>         wins proxy = no
>
> [checkpoint]
>         valid users = "DOMAIN\IT"
>         path = /var/platform/host/docs
>         public = no
>         writable = yes
>         forceuser = cchamberlain
>
> I've tried: removing the machine from the domain and adding
> it back in, adding client use spnego = yes to smb.conf, using
> heimdal instead of mit-krb5, specifying the default
> encryption types of windows 2003 in
> krb5.conf:
> # default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> # default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> # forwardable = true
> # proxiable = true
> # dns_lookup_realm = true
> # dns_lookup_kdc = true
> # permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> des-cbc-md4 des3-cbc-sha1 des-cbc-md4
>
> All to no avail. Does anyone have any suggestions?

Does anyone have any suggestions as to what this could be? I've seen similar posts in the archive go unanswered, and I'm wondering if perhaps this is an unsupported configuration.

---
Chris Covington
IT
Plus One Health Management
75 Maiden Lane Suite 801
NY, NY 10038
646-312-6269
http://www.plusoneactive.com