Hi all,
I've finally almost gotten my desired Samba+AD integration working: I've
joined a domain, AD users can login, kerberos works (keytab integration,
caching, etc.), etc.
However, this is only true as long as I hack my /etc/hosts
and /etc/samba/lmhosts files to trick Samba into always using my
network's Windows 2000 Active Directory Server. The second a Samba
command finds and attempts to use the 2003 server, it fails.
Workstation: Debian Sid, Samba 3.0.23d (pam_winbind, MIT kerberos)
Domain: TREMONT
Realm: tremont.local
AD Servers:
thsdc1/192.168.100.4 (Windows 2000)
thsdc2/192.168.100.6 (Windows 2003)
So both my hosts & lmhosts files point thsdc2 to thsdc1's IP address
which seems to trick Samba into always using thsdc1. thsdc1 is also
what I set all the appropriate /etc/krb5.conf settings to.
Here's the error message I get when attempting to use thsdc2 from pretty
much any Samba command (without hosts file hacks):
michael@schurter3-Linux:~$ net -U admin%PASSWORD -d8 ads status
...snip charset and parameter debugging info...
Netbios name list:-
my_netbios_names[0]="SCHURTER3-LINUX"
[2006/12/06 11:08:39, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.101.51 bcast=192.168.103.255
nmask=255.255.252.0
[2006/12/06 11:08:39, 6] libads/ldap.c:ads_find_dc(224)
ads_find_dc: looking for realm 'TREMONT.LOCAL'
[2006/12/06 11:08:39, 8] libsmb/namequery.c:get_sorted_dc_list(1551)
get_sorted_dc_list: attempting lookup using [ads]
[2006/12/06 11:08:39, 5] lib/gencache.c:gencache_init(61)
Opening cache file at /var/run/samba/gencache.tdb
[2006/12/06 11:08:39, 5] tdb/tdbutil.c:tdb_log(783)
tdb(unnamed): tdb_open_ex: could not open
file /var/run/samba/gencache.tdb: Permission denied
[2006/12/06 11:08:39, 5] lib/gencache.c:gencache_init(70)
gencache_init: Opening cache file /var/run/samba/gencache.tdb
read-only.
[2006/12/06 11:08:39, 5] libsmb/namequery.c:saf_fetch(105)
saf_fetch: failed to find server for "TREMONT.LOCAL" domain
[2006/12/06 11:08:39, 3] libsmb/namequery.c:get_dc_list(1426)
get_dc_list: preferred server list: ", *"
[2006/12/06 11:08:39, 5] libsmb/namecache.c:namecache_fetch(201)
name TREMONT.LOCAL#1C found.
[2006/12/06 11:08:39, 8] libsmb/namequery.c:get_dc_list(1441)
Adding 2 DC's from auto lookup
[2006/12/06 11:08:39, 4] libsmb/namequery.c:get_dc_list(1529)
get_dc_list: returning 2 ip addresses in an ordered list
[2006/12/06 11:08:39, 4] libsmb/namequery.c:get_dc_list(1530)
get_dc_list: 192.168.100.6:389 192.168.100.4:389
[2006/12/06 11:08:39, 5] libads/ldap.c:ads_try_connect(127)
ads_try_connect: sending CLDAP request to 192.168.100.6 (realm:
TREMONT.LOCAL)
[2006/12/06 11:08:39, 3] libads/ldap.c:ads_connect(287)
Connected to LDAP server 192.168.100.6
[2006/12/06 11:08:54, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Operations error
[2006/12/06 11:08:54, 2] utils/net.c:main(988)
return code = -1
The last few log messages show where the LDAP connection to the Windows
2003 server (thsdc2/192.168.100.6) fails.
Here's what it looks like when I force it to use my Windows 2000 Server:
$ net -U admin%PASSWORD -d8 -S thsdc1 ads status
...snip parameters & charset debugging info...
Netbios name list:-
my_netbios_names[0]="SCHURTER3-LINUX"
[2006/12/06 11:09:30, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.101.51 bcast=192.168.103.255
nmask=255.255.252.0
[2006/12/06 11:09:30, 5] libads/ldap.c:ads_try_connect(127)
ads_try_connect: sending CLDAP request to thsdc1 (realm:
TREMONT.LOCAL)
[2006/12/06 11:09:30, 5] lib/gencache.c:gencache_init(61)
Opening cache file at /var/run/samba/gencache.tdb
[2006/12/06 11:09:30, 5] tdb/tdbutil.c:tdb_log(783)
tdb(unnamed): tdb_open_ex: could not open
file /var/run/samba/gencache.tdb: Permission denied
[2006/12/06 11:09:30, 5] lib/gencache.c:gencache_init(70)
gencache_init: Opening cache file /var/run/samba/gencache.tdb
read-only.
[2006/12/06 11:09:30, 3] libads/ldap.c:ads_connect(287)
Connected to LDAP server 192.168.100.4
[2006/12/06 11:09:30, 4] libads/ldap.c:ads_current_time(2296)
time offset is 2 seconds
[2006/12/06 11:09:30, 4] libads/sasl.c:ads_sasl_bind(468)
Found SASL mechanism GSS-SPNEGO
...snipped successful kerberos auth & data returned...
Any ideas on why Win2000 works, but Win2003 fails?
Thanks!
Michael Schurter
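An added example, not from the original post: a small Python parser for the "net -dN" debug output quoted above. It groups the records (the header line "[timestamp, level] file:function(line)" plus the message lines that follow, including wrapped ones), then reports the DC list Samba built, which server got the CLDAP probe, which LDAP connection came up, and the first level-0 error with the DC in use at that point. The sample records are constructed from the post's failing run; the record format is an assumption based on those lines.

```python
import re

# A record starts with a header like "[2006/12/06 11:08:39, 5] libads/ldap.c:ads_try_connect(127)"
HEADER = re.compile(r"^\[(?P<ts>[^,]+), (?P<lvl>\d+)\] (?P<src>\S+)$")

def parse_records(lines):
    """Group 'net -dN' output into {ts, level, src, text} records; wrapped
    message lines (e.g. the realm printed on its own line) are joined."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            records.append({"ts": m["ts"], "level": int(m["lvl"]),
                            "src": m["src"], "text": ""})
        elif records:  # continuation of the previous record's message
            records[-1]["text"] = (records[-1]["text"] + " " + line).strip()
    return records

def dc_trace(lines):
    """Summarise DC selection: ordered DC list, CLDAP probe targets, LDAP
    servers connected, first level-0 error and the DC in use when it appeared."""
    trace = {"dc_list": [], "tried": [], "connected": [], "error": None}
    for r in parse_records(lines):
        src, text = r["src"], r["text"]
        if src.startswith("libsmb/namequery.c:get_dc_list") and ":389" in text:
            trace["dc_list"] = re.findall(r"(\S+):389", text)
        elif src.startswith("libads/ldap.c:ads_try_connect"):
            trace["tried"].append(re.search(r"CLDAP request to (\S+)", text)[1])
        elif src.startswith("libads/ldap.c:ads_connect"):
            trace["connected"].append(text.rsplit(" ", 1)[1])
        elif r["level"] == 0 and trace["error"] is None:
            trace["error"] = text
    trace["failing_dc"] = trace["tried"][-1] if trace["error"] and trace["tried"] else None
    return trace

# Constructed sample: the DC-selection records from the post's failing run
SAMPLE = """\
[2006/12/06 11:08:39, 4] libsmb/namequery.c:get_dc_list(1530)
get_dc_list: 192.168.100.6:389 192.168.100.4:389
[2006/12/06 11:08:39, 5] libads/ldap.c:ads_try_connect(127)
ads_try_connect: sending CLDAP request to 192.168.100.6 (realm:
TREMONT.LOCAL)
[2006/12/06 11:08:39, 3] libads/ldap.c:ads_connect(287)
Connected to LDAP server 192.168.100.6
[2006/12/06 11:08:54, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Operations error
""".splitlines()
```

Running dc_trace(SAMPLE) shows that both DCs were found, the 2003 server was tried first, the LDAP connection itself came up, and the failure is the later "Operations error" rather than a name-resolution or connectivity problem.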