samba - Feb 2006 - Problem cooperating with Windows and AD

Hi,

 

I'm having a problem getting my Windows machines to access shares in
Samba. When they browse to the Samba box it sometimes gives them an
error saying that they don't have permission or that the server is
unavailable. However this doesn't always happen and other times it lists
the shares. When I try to access the shares it just prompts for the
username/password over and over. I've tried Google and browsing around
the Samba doc and have spent hours and hours trying to fix this. I'm at
my wits end. Can anyone help?

 

I'm running Fedora Core 3 on the Samba server and upgraded Samba to
3.0.21b. Before I upgraded it was working most of the time; however, not
all the time, and there was an error in one of the logs. I researched
the error and found that it was resolved in a newer version of Samba, so
I upgraded. I'm running Windows Server 2003 SP1 using Active Directory
for domain authentication and running Samba in ADS security mode. All
Windows clients run XP Pro SP2. I'm using Webmin for remote
administration, but I also just login to the machine at times. I do use
Webmin to join the domain though.

 

Here are some of my configuration files:

 

 # Samba config file created using SWAT

# from 0.0.0.0 (0.0.0.0)

# Date: 2006/02/11 21:49:19

 

[global]

      workgroup = CHU

      realm = CHU.PARADISENT.COM

      netbios aliases = Zeus, zeus

      server string = Samba Server

      security = ADS

      client schannel = Yes

      server schannel = Yes

      null passwords = Yes

      password server = paradise.paradisent.com

      log file = /usr/local/samba/var/%m.log

      max log size = 50

      client signing = Yes

      server signing = Yes

      socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192

      load printers = No

      preferred master = No

      local master = No

      domain master = No

      dns proxy = No

      ldap ssl = no

      preload = shared website

      socket address = 192.168.0.20

      idmap uid = 10000-20000

      idmap gid = 10000-20000

      template shell = /bin/tcsh

      winbind separator = |

      cups options = raw

 

[shared]

      comment = Shared Folder

      path = /shared

      valid users = CHU|administrator, CHU|annie, CHU|jacob,
@CHU|Household

      read only = No

 

[jacob]

      comment = Jacob's Home Dir

      path = /home/jacob

      valid users = CHU|jacob

      read only = No

 

[root]

      comment = Root's Home Dir

      path = /root

      valid users = CHU|administrator, CHU|annie, CHU|jacob,
@BUILTIN|Administrators, "@CHU|Domain Admins", "@CHU|Enterprise
Admins"

      read only = No

 

[annie]

      comment = Annie's Home Dir

      path = /home/annie

      valid users = CHU|annie

      read only = No

 

[website]

      comment = Main Website

      path = /var/www/html

      valid users = CHU|administrator, CHU|annie, CHU|jacob,
@CHU|Household

      read only = No

 

 

#

# /etc/nsswitch.conf

#

 

passwd:           files winbind

shadow:           files

group:            files winbind

 

#hosts:     db files nisplus nis dns

hosts:      files dns

 

# Example - obey only what nisplus tells us...

#services:   nisplus [NOTFOUND=return] files

#networks:   nisplus [NOTFOUND=return] files

#protocols:  nisplus [NOTFOUND=return] files

#rpc:        nisplus [NOTFOUND=return] files

#ethers:     nisplus [NOTFOUND=return] files

#netmasks:   nisplus [NOTFOUND=return] files     

 

bootparams: nisplus [NOTFOUND=return] files

 

ethers:     files

netmasks:   files

networks:   files

protocols:  files

rpc:        files

services:   files

 

netgroup:   files

 

publickey:  nisplus

 

automount:  files

aliases:    files nisplus

 

 

#krb5.conf

 

[logging]

 default = FILE:/var/log/krb5libs.log

 kdc = FILE:/var/log/krb5kdc.log

 admin_server = FILE:/var/log/kadmind.log

 

[libdefaults]

 default_realm = CHU.PARADISENT.COM

 dns_lookup_realm = false

 dns_lookup_kdc = false

 

[realms]

 CHU.PARADISENT.COM = {

  kdc = paradise.paradisent.com

  admin_server = paradise.paradisent.com

  default_domain = chu.paradisent.com

 }

 

[domain_realm]

 .example.com = CHU.PARADISENT.COM

 example.com = CHU.PARADISENT.COM

 

[kdc]

 profile = /var/kerberos/krb5kdc/kdc.conf

 

[appdefaults]

 pam = {

   debug = false

   ticket_lifetime = 36000

   renew_lifetime = 36000

   forwardable = true

   krb4_convert = false

 }

 

 

Here are some items of interest from the logs:

 

192.168.0.5.log (similar errors in other logs)

[2006/02/11 21:06:59, 0] lib/debug.c:reopen_logs(597)

  Unable to open new log file /usr/local/samba/var/paradise.log:
Permission denied

[2006/02/11 21:07:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(286)

  Username CHU|PARADISE$ is invalid on this system

[2006/02/11 21:07:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(286)

  Username CHU|PARADISE$ is invalid on this system

[2006/02/11 21:07:01, 1] smbd/sesssetup.c:reply_spnego_kerberos(286)

  Username CHU|PARADISE$ is invalid on this system

[2006/02/11 21:07:01, 1] smbd/sesssetup.c:reply_spnego_kerberos(286)

  Username CHU|PARADISE$ is invalid on this system

[2006/02/11 21:07:01, 1] smbd/sesssetup.c:reply_spnego_kerberos(286)

  Username CHU|PARADISE$ is invalid on this system

[2006/02/11 21:07:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(286)

  Username CHU|PARADISE$ is invalid on this system

[2006/02/11 21:07:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(286)

  Username CHU|PARADISE$ is invalid on this system

 

Log.nmbd

[2006/02/11 00:28:23, 0] nmbd/nmbd.c:terminate(58)

  Got SIGTERM: going down...

[2006/02/11 00:29:19, 0] nmbd/nmbd.c:main(727)

  Netbios nameserver version 3.0.21b started.

  Copyright Andrew Tridgell and the Samba Team 1992-2006

[2006/02/11 00:35:17, 0] nmbd/nmbd.c:terminate(58)

  Got SIGTERM: going down...

[2006/02/11 00:35:17, 0] libsmb/nmblib.c:send_udp(791)

  Packet send failed to 192.168.0.255(138) ERRNO=Invalid argument

[2006/02/11 00:38:46, 0] nmbd/nmbd.c:main(727)

  Netbios nameserver version 3.0.21b started.

  Copyright Andrew Tridgell and the Samba Team 1992-2006

[2006/02/11 20:57:46, 0] nmbd/nmbd.c:main(727)

  Netbios nameserver version 3.0.21b started.

  Copyright Andrew Tridgell and the Samba Team 1992-2006

[2006/02/11 21:22:33, 0] nmbd/nmbd.c:terminate(58)

  Got SIGTERM: going down...

[2006/02/11 21:22:34, 0] nmbd/nmbd.c:main(727)

  Netbios nameserver version 3.0.21b started.

  Copyright Andrew Tridgell and the Samba Team 1992-2006

 

Smbd.log

[2006/02/11 20:57:45, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(195)

  startsmbfilepwent_internal: file /usr/local/samba/private/smbpasswd
did not exist. File successfully created.

[2006/02/11 20:58:12, 0] lib/util_sock.c:get_peer_addr(1225)

  getpeername failed. Error was Transport endpoint is not connected

[2006/02/11 20:58:12, 0] lib/util_sock.c:get_peer_addr(1225)

  getpeername failed. Error was Transport endpoint is not connected

[2006/02/11 21:06:56, 0] lib/util_sock.c:get_peer_addr(1225)

  getpeername failed. Error was Transport endpoint is not connected

 

Paradise.log

[2006/02/11 21:06:56, 0] lib/util_sock.c:write_data(557)

  write_data: write failure in writing to client 192.168.0.5. Error
Connection reset by peer

[2006/02/11 21:06:56, 0] lib/util_sock.c:send_smb(765)

  Error writing 4 bytes to client. -1. (Connection reset by peer)

 

Tama.log

[2006/02/11 20:58:14, 0] lib/util_sock.c:write_data(557)

  write_data: write failure in writing to client 0.0.0.0. Error
Connection reset by peer

[2006/02/11 20:58:14, 0] lib/util_sock.c:send_smb(765)

  Error writing 4 bytes to client. -1. (Connection reset by peer)

 

Log.wb-CHU

[2006/02/05 20:17:59, 0] nsswitch/winbindd_dual.c:child_read_request(49)

  Got invalid request length: 0

[2006/02/10 23:09:04, 0] nsswitch/winbindd_dual.c:child_read_request(49)

  Got invalid request length: 0

[2006/02/11 00:35:17, 0] nsswitch/winbindd_dual.c:child_read_request(49)

  Got invalid request length: 0

[2006/02/11 19:57:04, 0] nsswitch/winbindd_dual.c:child_read_request(49)

  Got invalid request length: 0

[2006/02/11 21:27:13, 0] nsswitch/winbindd_dual.c:child_read_request(49)

  Got invalid request length: 0

 

Here's the output from wbinfo and getent:

[root@zeus ~]$ wbinfo -u

CHU|administrator

CHU|guest

CHU|paradise$

CHU|krbtgt

CHU|iusr_paradise

CHU|iwam_paradise

CHU|jacob

CHU|8fd34871-30cc-4e8f-8

CHU|euq_paradise

CHU|annie

CHU|radicalannie$

CHU|tamaold$

CHU|dcs_paradise

CHU|tama$

CHU|aquarius$

CHU|zeus$

[root@zeus ~]$ wbinfo -g

CHU|domain computers

CHU|domain controllers

CHU|schema admins

CHU|enterprise admins

CHU|cert publishers

CHU|domain admins

CHU|domain users

CHU|domain guests

CHU|group policy creator owners

CHU|ras and ias servers

CHU|dnsadmins

CHU|dnsupdateproxy

CHU|iis_wpg

CHU|debugger users

CHU|exchange domain servers

CHU|exchange enterprise servers

CHU|smex admin group

CHU|household

[root@zeus ~]$ getent passwd

root:x:0:0:root:/root:/bin/tcsh

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin

adm:x:3:4:adm:/var/adm:/sbin/nologin

lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

news:x:9:13:news:/etc/news:

uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

operator:x:11:0:operator:/root:/sbin/nologin

games:x:12:100:games:/usr/games:/sbin/nologin

gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

nobody:x:99:99:Nobody:/:/sbin/nologin

dbus:x:81:81:System message bus:/:/sbin/nologin

vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

nscd:x:28:28:NSCD Daemon:/:/sbin/nologin

rpm:x:37:37::/var/lib/rpm:/sbin/nologin

haldaemon:x:68:68:HAL daemon:/:/sbin/nologin

netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash

ident:x:98:98::/home/ident:/sbin/nologin

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin

rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin

nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin

smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin

pcap:x:77:77::/var/arpwatch:/sbin/nologin

apache:x:48:48:Apache:/var/www:/sbin/nologin

squid:x:23:23::/var/spool/squid:/sbin/nologin

webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin

xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin

ntp:x:38:38::/etc/ntp:/sbin/nologin

gdm:x:42:42::/var/gdm:/sbin/nologin

jacob:x:500:500:Jacob Lear:/home/jacob:/bin/tcsh

clamav:x:501:501:Clam AntiVirus:/home/clamav:/sbin/nologin

pcguest:x:502:502:::/sbin/nologin

annie:x:503:504:Anne Gaines:/home/annie:/bin/tcsh

mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash

named:x:25:25:Named:/var/named:/sbin/nologin

[root@zeus ~]$ getent group

root:x:0:root

bin:x:1:root,bin,daemon

daemon:x:2:root,bin,daemon

sys:x:3:root,bin,adm

adm:x:4:root,adm,daemon

tty:x:5:

disk:x:6:root

lp:x:7:daemon,lp

mem:x:8:

kmem:x:9:

wheel:x:10:root

mail:x:12:mail

news:x:13:news

uucp:x:14:uucp

man:x:15:

games:x:20:

gopher:x:30:

dip:x:40:

ftp:x:50:

lock:x:54:

nobody:x:99:

users:x:100:

dbus:x:81:

floppy:x:19:

vcsa:x:69:

nscd:x:28:

rpm:x:37:

haldaemon:x:68:

utmp:x:22:

netdump:x:34:

slocate:x:21:

ident:x:98:

sshd:x:74:

rpc:x:32:

rpcuser:x:29:

nfsnobody:x:65534:

mailnull:x:47:

smmsp:x:51:

pcap:x:77:

apache:x:48:

squid:x:23:

webalizer:x:67:

xfs:x:43:

ntp:x:38:

gdm:x:42:

jacob:x:500:

clamav:x:501:

pcguest:x:502:

webmaster:x:503:root,jacob,annie

annie:x:504:

mysql:x:101:

named:x:25:

 

 

Let me know if you need any more information, and thanks in advance for
any help you can offer. =)

 

-Jacob.