Kristy,
I put up some ideas and things to think about in-line. I hope it helps
out. Does anyone in the group coding for samba4 have anything to weigh in
as well, esp the smb.conf and documentation issues?
On Fri, 4 Dec 2009, Kristy Kallback-Rose wrote:
> Date: Fri, 4 Dec 2009 16:11:55 -0500
> From: Kristy Kallback-Rose <kallbac at indiana.edu>
> To: samba at lists.samba.org
> Subject: [Samba] smbtorture config issue?
>
> Hello,
>
> I'm trying to run smbtorture against another system. I have installed
> version 4.0.0alpha9 locally. The remote system is registered with ADS as:
Any reason you are using samba4 for this testing? Documentation is pretty
scarce.
>
> distinguishedName: CN=bl-uits-cictest,CN=Computers,DC=ads,DC=iu,DC=edu
> name: bl-uits-cictest
> dNSHostName: bl-uits-cictest.ads.iu.edu
> servicePrincipalName: HOST/bl-uits-cictest.ads.iu.edu
> servicePrincipalName: HOST/BL-UITS-CICTEST
>
> The server itself is cictest.cic.iu.edu, and I can connect to the
> remote server with smbclient as such:
> smbclient -s /usr/local/samba/etc/smb.conf -n bl-uits-cictest.ads.iu.edu
> -Ukallbac //cictest.cic.iu.edu/projects Password:
> Domain=[ADS] OS=[Unix] Server=[Samba 3.2.11-ctdb-65]
> smb: \> quit
This is using ntlmv2 if you have that directive in your smb.conf and not
kerberos.
client use ntlmv2 = yes
>
>
> The problem is this:
>
> 1) smbtorture complains about the ads security setting:
> /usr/local/samba/bin/smbtorture --realm=ads.iu.edu -T samba3 -d 3 -W ADS
> --netbiosname=BL-UITS-CICTEST -U cictestuser3
//cictest.cic.iu.edu/projects
> RAW-QFSINFO
> lp_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> params.c:pm_process() - Processing configuration file
> "/usr/local/samba/etc/smb.conf"
> Processing section "[global]"
> Unknown enumerated value 'ADS' for 'security'
> params.c:pm_process() - Failed. Error returned from params.c:parse().
>
> I have tried both ads and ADS, it doesn't seem to like either
I no longer see the directive "security" mentioned in samba4, but I do
see
statements similar to "server-role" which may cover for security.
http://wiki.samba.org/index.php/Samba4/HOWTO#Step_4:_Provision_Samba4
Not only is there no directive in the regular man pages (samba 3) for
"server-role", but last I looked there was question as to whether the
traditional smb.conf file would be used when samba4 would be released:
http://lists.samba.org/archive/samba-technical/2005-March/039741.html
>
> 2) smbtorture proceeds to complain as such:
> Server is not registered with our KDC: Miscellaneous failure (see text):
> Server (cifs/cictest.cic.iu.edu at ADS.IU.EDU) unknown
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed to parse:
> NT_STATUS_INVALID_PARAMETER
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> Server is not registered with our KDC: Miscellaneous failure (see text):
> Server (cifs/cictest.cic.iu.edu at ADS.IU.EDU) unknown
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed to parse:
> NT_STATUS_INVALID_PARAMETER
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> Password for [ADS\cictestuser3]:
>
> Fwiw, my krb5.conf has a default realm of ADS.IU.EDU as well as a realms
> section for ADS.IU.EDU I can provide other information if it would be
> helpful.
Does your server have a cifs principal (ie
cifs/fqdn.domain.edu at ADS.IU.EDU) for either bl-uits-cictest.ads.iu.edu or
cictest.cic.iu.edu? It seems to be wanting to get the principal for
"cifs/cictest.cic.iu.edu at ADS.IU.EDU".
>
> Can anyone offer some suggestions to troubleshoot this?
>
> Many thanks,
> Kristy
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
---Robert Freeman-Day
---------------
I would really like you to be on my side,
but the side you show me isn't what I had in mind.
-Judybats
GPG Public Key:
http:keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36