samba - Jun 2005 - Problems after changing security = domain to security = ads

Hello all
I have a samba domain member authenticating to a w2k3 server, after installing 
SP1, there were problems, and a solution I found was to change to security = 
ads. This seemed to work fine, but today no-one can get their home drives, 
and some people are denied access to shares where the permissions on the 
files are rwx for the user.
I did not change anything other than the security line in smb.conf and 
rejoined the domain with `net ads join -U administrator` (this was 
successful)

I find this in the samba log when users try to connect:
[2005/06/06 13:16:17, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all 
old resources.
[2005/06/06 13:16:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

I can do `kinit Administrator@MY.DOMAIN.NET` and it returns no errors (but no 
success either - if I put in a wrong password, it gives an error though, so i 
guess this is ok)

Anyone have any ideas? or can I change back to security = domain with some 
other fix?

Thanks,
H
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.samba.org/archive/samba/attachments/20050606/e5f9533d/attachment.bin

On Monday 06 June 2005 13:22, Hamish wrote:
> Hello all
> I have a samba domain member authenticating to a w2k3 server, after
> installing SP1, there were problems, and a solution I found was to change
> to security = ads. This seemed to work fine, but today no-one can get their
> home drives, and some people are denied access to shares where the
> permissions on the files are rwx for the user.
> I did not change anything other than the security line in smb.conf and
> rejoined the domain with `net ads join -U administrator` (this was
> successful)
>
> I find this in the samba log when users try to connect:
> [2005/06/06 13:16:17, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
> old resources.
> [2005/06/06 13:16:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>   Failed to verify incoming ticket!
>
> I can do `kinit Administrator@MY.DOMAIN.NET` and it returns no errors (but
> no success either - if I put in a wrong password, it gives an error though,
> so i guess this is ok)
>
> Anyone have any ideas? or can I change back to security = domain with some
> other fix?
>
> Thanks,
> H
It just keeps getting wierder:

[2005/06/06 17:46:49, 0] smbd/service.c:make_connection_snum(615)
  '/data1/fileroot/PersonalFiles/michael' does not exist or is not a 
directory, when connecting to [michael]

ls -la /data1/fileroot/PersonalFiles/michael/
total 3941
drwxrwx---+  15 root     domain users      720 Jun  3 15:14 .
drwxrwx---+  60 root     root         1448 Apr 27 11:13 ..
(File listing snipped)

So why does samba think that this is not a directory or that it does not 
exist? This is not the normal failure of this thread, but an interesting one!

PS:
SuSE 9.0
Version 3.0.14a-SUSE
2.6.5-10.0-default

If there is any other info that anyone wants please let me know.
Thanks,
H
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.samba.org/archive/samba/attachments/20050606/db49af2f/attachment.bin

On Monday 06 June 2005 13:22, Hamish wrote:
> Hello all
> I have a samba domain member authenticating to a w2k3 server, after
> installing SP1, there were problems, and a solution I found was to change
> to security = ads. This seemed to work fine, but today no-one can get their
> home drives, and some people are denied access to shares where the
> permissions on the files are rwx for the user.
> I did not change anything other than the security line in smb.conf and
> rejoined the domain with `net ads join -U administrator` (this was
> successful)
>
> I find this in the samba log when users try to connect:
> [2005/06/06 13:16:17, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
> old resources.
> [2005/06/06 13:16:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>   Failed to verify incoming ticket!
>
> I can do `kinit Administrator@MY.DOMAIN.NET` and it returns no errors (but
> no success either - if I put in a wrong password, it gives an error though,
> so i guess this is ok)
>
> Anyone have any ideas? or can I change back to security = domain with some
> other fix?
>
> Thanks,
> H
PS I joined a test server (suse 9.2, Version 3.0.15pre2-0.1-SUSE) to the 
domain with security = ads, and it seems to be fine (homes work as expected). 
I did not test group membership problems - is there a fix for this in this 
version? (sorry bad phrasing)
Cheers,
H
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.samba.org/archive/samba/attachments/20050606/49296320/attachment.bin

On Monday 06 June 2005 13:22, Hamish wrote:
> Hello all
> I have a samba domain member authenticating to a w2k3 server, after
> installing SP1, there were problems, and a solution I found was to change
> to security = ads. This seemed to work fine, but today no-one can get their
> home drives, and some people are denied access to shares where the
> permissions on the files are rwx for the user.
> I did not change anything other than the security line in smb.conf and
> rejoined the domain with `net ads join -U administrator` (this was
> successful)
>
> I find this in the samba log when users try to connect:
> [2005/06/06 13:16:17, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
> old resources.
> [2005/06/06 13:16:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>   Failed to verify incoming ticket!
>
> I can do `kinit Administrator@MY.DOMAIN.NET` and it returns no errors (but
> no success either - if I put in a wrong password, it gives an error though,
> so i guess this is ok)
>
> Anyone have any ideas? or can I change back to security = domain with some
> other fix?
>
> Thanks,
> H
Looks like this might be a lonely troubleshoot, but here is more for anyone 
who may experience similar symptoms... (and of course any kind people who 
throw in a suggestion or two)

I have narrowed this down to what seems to be incompatable auth methods:
In XPsp2, I go to \\smbserver\fred - this shows either an empty folder, or an 
error (I have hide unreadable = on, so this may be the cause)
With konqueror, (smbclient -V: Version 3.0.15pre2-0.1-SUSE) i can go to 
smb:/user@smbserver - i get a user/pass dialog, and then i can see the 
directory fine!

Is my logic right? The xp clients are using some other kind of auth or 
connection than smbclient does?

The windows clients work ok, but it seems that the files they need to be chmod 
740 at least (700, 710 does not work, file owned by user.domain users)

Rather than play around with permissions (that worked before the trouble 
started) I would like to see what xpsp2 and smbclient do differently - please 
could anyone help with this?

Thanks,
H
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.samba.org/archive/samba/attachments/20050607/eee79faa/attachment.bin