Yujie Liang
2006-Jul-21 02:20 UTC
[Samba] Can't access Samba server with NetBIOS Name but OK with IP
Hi, folks

I installed samba 3.0.21b-2 with winbind on a Fedora 5 server. I edited 5 files (shown below) and joined Windows AD with the "net join ADS" command.

It worked in the first month. I could access folders with appropriate permission. Then I found I couldn't access the server by keying in "\\smbservername". A pop-up Windows box says "Incorrect password or unknown user". I tried domain\domain-username, domain-username, userNo-in-getent-passwd but none of them worked. However, if I use its IP address such as \\10.10.10.2, it works as normal. I checked the DNS records. They all exist in the DNS server. I even keyed in the DNS record in all hosts files. But no difference.

I also noticed one thing. When I use Windows XP I check the security tag of the folder shared on this FC5. I can see AD username, AD group name and everyone, which stand for user, group and others. All check boxes in front of these username, groupname and everyone are un-checked even if I can access the folders.

What did I do wrong? Shall I edit the /etc/pam.d/login file as well? How?

Here is my current /etc/pam.d/login

#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth

Thanks for any comment,
Yujie

======Fstab=====
LABEL=/home /home ext3 defaults,acl 1 2

======Nsswitch.conf======
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus

=================Krb5.conf============
[libdefaults]
 default_realm = COMPANY.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 COMPANY.COM = {
  kdc = adserver.company.com:88
  admin_server = adserver.company.com:749
  default_domain = company.com
 }

[domain_realm]
 .example.com = COMPANY.COM
 example.com = COMPANY.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

=============/etc/samba/smb.conf===============
security = ADS
template shell = /bin/false
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
enhanced browsing = no
winbind use default domain = yes

===============hosts=============
10.10.10.2 fc5.company.com fc5
Martin Zielinski
2006-Jul-21 09:14 UTC
[Samba] Can't access Samba server with NetBIOS Name but OK with IP
Hi,

I suspect that your AD connection fails (for whatever reason). If you are using the IP address, the client falls back to NTLM authentication.

The reason is that the client requests a ticket at the AD-Server for e.g. 10.1.2.3. This machine is not known on the AD-Server and replies with a "I don't have a ticket for this machine" to the client. Then the client tries to use NTLM authentication with the Samba server and might succeed.

If the client receives a ticket - and the ticket verification fails, the client says "access denied".

~ Martin

Yujie Liang wrote:
> Hi, folks
>
> I installed samba 3.0.21b-2 with winbind on a Fedora 5 server. I edited 5 files (shown below) and joined Windows AD with the "net join ADS" command.
>
> It worked in the first month. I could access folders with appropriate permission. Then I found I couldn't access the server by keying in "\\smbservername". A pop-up Windows box says "Incorrect password or unknown user". I tried domain\domain-username, domain-username, userNo-in-getent-passwd but none of them worked. However, if I use its IP address such as \\10.10.10.2, it works as normal. I checked the DNS records. They all exist in the DNS server. I even keyed in the DNS record in all hosts files. But no difference.
>
> I also noticed one thing. When I use Windows XP I check the security tag of the folder shared on this FC5. I can see AD username, AD group name and everyone, which stand for user, group and others. All check boxes in front of these username, groupname and everyone are un-checked even if I can access the folders.
>
> What did I do wrong? Shall I edit the /etc/pam.d/login file as well? How?
>[...]

--
Martin Zielinski
mz@seh.de
Software Development
SEH Computertechnik GmbH
www.seh.de
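
Added example, not part of either post: since access by name goes through Kerberos, as the reply above describes, one thing to check on the Samba host is whether the krb5.conf from the original post maps the server's own domain to a realm. The sketch below walks [domain_realm] in the order MIT Kerberos tries keys (exact host, then each parent domain); the function names are hypothetical, and a miss is a configuration inconsistency to review, not a confirmed cause of the reported failure.

```python
import re

# Excerpt of the krb5.conf posted in the original message (values copied from the post).
KRB5_CONF = """\
[libdefaults]
 default_realm = COMPANY.COM
 dns_lookup_realm = false

[domain_realm]
 .example.com = COMPANY.COM
 example.com = COMPANY.COM
"""

def parse_sections(text):
    """Parse flat 'key = value' pairs per [section]; nested { } blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            current = sections.setdefault(header.group(1), {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def realm_candidates(fqdn):
    """Keys tried for a host: the exact name, then each parent as '.parent' and 'parent'."""
    labels = fqdn.lower().rstrip(".").split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys += ["." + parent, parent]
    return keys

def realm_for_host(conf_text, fqdn):
    """Return (realm, matching key) from [domain_realm], or (None, None) if uncovered."""
    mapping = parse_sections(conf_text).get("domain_realm", {})
    for key in realm_candidates(fqdn):
        if key in mapping:
            return mapping[key], key
    return None, None

if __name__ == "__main__":
    for host in ("fc5.company.com", "adserver.company.com", "www.example.com"):
        print(host, "->", realm_for_host(KRB5_CONF, host))
```

With the posted file, neither fc5.company.com nor adserver.company.com matches any [domain_realm] key, so realm selection for those hosts depends on the library's fallback behaviour rather than on an explicit mapping.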