Hamish
2005-Jun-06 12:21 UTC
[Samba] Problems after changing security = domain to security = ads
Hello all I have a samba domain member authenticating to a w2k3 server, after installing SP1, there were problems, and a solution I found was to change to security = ads. This seemed to work fine, but today no-one can get their home drives, and some people are denied access to shares where the permissions on the files are rwx for the user. I did not change anything other than the security line in smb.conf and rejoined the domain with `net ads join -U administrator` (this was successful) I find this in the samba log when users try to connect: [2005/06/06 13:16:17, 2] smbd/sesssetup.c:setup_new_vc_session(608) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2005/06/06 13:16:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket! I can do `kinit Administrator@MY.DOMAIN.NET` and it returns no errors (but no success either - if I put in a wrong password, it gives an error though, so i guess this is ok) Anyone have any ideas? or can I change back to security = domain with some other fix? Thanks, H -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba/attachments/20050606/e5f9533d/attachment.bin
Hamish
2005-Jun-06 16:52 UTC
[Samba] Problems after changing security = domain to security = ads
On Monday 06 June 2005 13:22, Hamish wrote:> Hello all > I have a samba domain member authenticating to a w2k3 server, after > installing SP1, there were problems, and a solution I found was to change > to security = ads. This seemed to work fine, but today no-one can get their > home drives, and some people are denied access to shares where the > permissions on the files are rwx for the user. > I did not change anything other than the security line in smb.conf and > rejoined the domain with `net ads join -U administrator` (this was > successful) > > I find this in the samba log when users try to connect: > [2005/06/06 13:16:17, 2] smbd/sesssetup.c:setup_new_vc_session(608) > setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all > old resources. > [2005/06/06 13:16:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) > Failed to verify incoming ticket! > > I can do `kinit Administrator@MY.DOMAIN.NET` and it returns no errors (but > no success either - if I put in a wrong password, it gives an error though, > so i guess this is ok) > > Anyone have any ideas? or can I change back to security = domain with some > other fix? > > Thanks, > HIt just keeps getting wierder: [2005/06/06 17:46:49, 0] smbd/service.c:make_connection_snum(615) '/data1/fileroot/PersonalFiles/michael' does not exist or is not a directory, when connecting to [michael] ls -la /data1/fileroot/PersonalFiles/michael/ total 3941 drwxrwx---+ 15 root domain users 720 Jun 3 15:14 . drwxrwx---+ 60 root root 1448 Apr 27 11:13 .. (File listing snipped) So why does samba think that this is not a directory or that it does not exist? This is not the normal failure of this thread, but an interesting one! PS: SuSE 9.0 Version 3.0.14a-SUSE 2.6.5-10.0-default If there is any other info that anyone wants please let me know. Thanks, H -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba/attachments/20050606/db49af2f/attachment.bin
Hamish
2005-Jun-06 16:55 UTC
[Samba] Problems after changing security = domain to security = ads
On Monday 06 June 2005 13:22, Hamish wrote:> Hello all > I have a samba domain member authenticating to a w2k3 server, after > installing SP1, there were problems, and a solution I found was to change > to security = ads. This seemed to work fine, but today no-one can get their > home drives, and some people are denied access to shares where the > permissions on the files are rwx for the user. > I did not change anything other than the security line in smb.conf and > rejoined the domain with `net ads join -U administrator` (this was > successful) > > I find this in the samba log when users try to connect: > [2005/06/06 13:16:17, 2] smbd/sesssetup.c:setup_new_vc_session(608) > setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all > old resources. > [2005/06/06 13:16:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) > Failed to verify incoming ticket! > > I can do `kinit Administrator@MY.DOMAIN.NET` and it returns no errors (but > no success either - if I put in a wrong password, it gives an error though, > so i guess this is ok) > > Anyone have any ideas? or can I change back to security = domain with some > other fix? > > Thanks, > HPS I joined a test server (suse 9.2, Version 3.0.15pre2-0.1-SUSE) to the domain with security = ads, and it seems to be fine (homes work as expected). I did not test group membership problems - is there a fix for this in this version? (sorry bad phrasing) Cheers, H -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba/attachments/20050606/49296320/attachment.bin
Hamish
2005-Jun-07 09:57 UTC
[Samba] Problems after changing security = domain to security = ads
On Monday 06 June 2005 13:22, Hamish wrote:> Hello all > I have a samba domain member authenticating to a w2k3 server, after > installing SP1, there were problems, and a solution I found was to change > to security = ads. This seemed to work fine, but today no-one can get their > home drives, and some people are denied access to shares where the > permissions on the files are rwx for the user. > I did not change anything other than the security line in smb.conf and > rejoined the domain with `net ads join -U administrator` (this was > successful) > > I find this in the samba log when users try to connect: > [2005/06/06 13:16:17, 2] smbd/sesssetup.c:setup_new_vc_session(608) > setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all > old resources. > [2005/06/06 13:16:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) > Failed to verify incoming ticket! > > I can do `kinit Administrator@MY.DOMAIN.NET` and it returns no errors (but > no success either - if I put in a wrong password, it gives an error though, > so i guess this is ok) > > Anyone have any ideas? or can I change back to security = domain with some > other fix? > > Thanks, > HLooks like this might be a lonely troubleshoot, but here is more for anyone who may experience similar symptoms... (and of course any kind people who throw in a suggestion or two) I have narrowed this down to what seems to be incompatable auth methods: In XPsp2, I go to \\smbserver\fred - this shows either an empty folder, or an error (I have hide unreadable = on, so this may be the cause) With konqueror, (smbclient -V: Version 3.0.15pre2-0.1-SUSE) i can go to smb:/user@smbserver - i get a user/pass dialog, and then i can see the directory fine! Is my logic right? The xp clients are using some other kind of auth or connection than smbclient does? The windows clients work ok, but it seems that the files they need to be chmod 740 at least (700, 710 does not work, file owned by user.domain users) Rather than play around with permissions (that worked before the trouble started) I would like to see what xpsp2 and smbclient do differently - please could anyone help with this? Thanks, H -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba/attachments/20050607/eee79faa/attachment.bin