Markus Iturriaga Woelfel
2011-Apr-17 23:02 UTC
[Samba] Samba AD member and connections from non-AD systems
Hi - I've scoured the mailing list archives as well as other help sources online and haven't figured out what my problem is or what I'm doing wrong. Any help would be greatly appreciated.

Scenario: I have a Samba 3.5.5 server running on CentOS 5.5. This system is a member of an Active Directory domain. FYI, I am not the domain administrator, but I am an OU admin and can create machine accounts inside an OU. This system is not meant to provide winbind-type services to the Unix side but simply to allow sharing of Unix file systems to Windows systems while authenticating against the AD. Usernames in Linux and in the AD are translated via a username map script. If I understand the instructions at https://wiki.samba.org/index.php/Samba%2C_Active_Directory_%26_LDAP correctly, I don't have to run winbind in this scenario; however, I've tried this with both winbind running and not running.

Connecting to services from AD member Windows systems works without any problems. I can map Unix home areas and other shares, and even the username translation works fine. However, if I want to connect to the samba server from a non-AD system, e.g. from another Linux system via smbclient or from a Mac, I get a variety of errors. This leads me to believe there could be a problem with the Kerberos setup on the samba server.

If I don't run winbind, the error I get is:

    session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

If I do start winbind, the error is:

    session setup failed: NT_STATUS_ACCESS_DENIED

My smb.conf file is:

    workgroup = UTK
    server string = Samba %v
    netbios name = SAMBA
    client schannel = no
    wins support = yes
    dns proxy = yes
    name resolve order = wins lmhosts hosts bcast
    local master = yes
    domain master = no
    preferred master = no
    enhanced browsing = yes
    username map script = /etc/samba/netid_to_eecs.pl
    client use spnego = no
    security = ads
    passdb backend = tdbsam
    realm = UTK.TENNESSEE.EDU
    password server = *
    load printers = no

My /etc/krb5.conf file looks like this:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = UTK.TENNESSEE.EDU
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    UTK.TENNESSEE.EDU = {
      kdc = a.b.c.d
      kdc = e.f.g.h
      (list of AD domain controller IP addresses)
    }

    [domain_realm]
    .kerberos.server = UTK.TENNESSEE.EDU
    .utk.tennessee.edu = UTK.TENNESSEE.EDU
    utk.tennessee.edu = UTK.TENNESSEE.EDU

The kinit command appears to succeed and the system appears to be properly joined to the domain:

    # klist -e
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: miturria@UTK.TENNESSEE.EDU

    Valid starting     Expires            Service principal
    04/17/11 13:29:20  04/17/11 23:29:22  krbtgt/UTK.TENNESSEE.EDU@UTK.TENNESSEE.EDU
            renew until 04/18/11 13:29:20, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

    samba ~ # net ads info
    LDAP server: a.b.c.d
    LDAP server name: domain.controller.name
    Realm: UTK.TENNESSEE.EDU
    Bind Path: dc=UTK,dc=TENNESSEE,dc=EDU
    LDAP port: 389
    Server time: Sun, 17 Apr 2011 18:57:44 EDT
    KDC server: 160.36.76.183
    Server time offset: 0

I'd be happy to post any log file excerpts that would help. Many of the samba config file directives were put in because of similar-sounding problems (e.g. client schannel and spnego). Here is a small excerpt of what happens if I try this with winbind running:

    [2011/04/17 18:52:35.141821,  3] auth/auth.c:219(check_ntlm_password)
      check_ntlm_password: mapped user is: [UTK]\[miturria]@[KILKENNY]
    [2011/04/17 18:52:35.141859,  3] smbd/sec_ctx.c:210(push_sec_ctx)
      push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2011/04/17 18:52:35.141884,  3] smbd/uid.c:429(push_conn_ctx)
      push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2011/04/17 18:52:35.141915,  3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2011/04/17 18:52:35.145914,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2011/04/17 18:52:35.145932,  2] auth/auth.c:314(check_ntlm_password)
      check_ntlm_password: Authentication for user [miturria] -> [miturria] FAILED with error NT_STATUS_ACCESS_DENIED
    [2011/04/17 18:52:35.146031,  3] smbd/error.c:80(error_packet_set)
      error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
    [2011/04/17 18:52:35.146635,  3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2011/04/17 18:52:35.146664,  3] smbd/connection.c:31(yield_connection)
      Yielding connection to
    [2011/04/17 18:52:35.146911,  3] smbd/server.c:902(exit_server_common)
      Server exit (failed to receive smb request)

Any help would be greatly appreciated!

---
Markus A. Iturriaga Woelfel, IT Administrator
Electrical Engineering and Computer Science
University of Tennessee
203 Claxton Complex / 1122 Volunteer Blvd.
Knoxville, TN 37996-3450
miturria at eecs.utk.edu / (865) 974-3837
http://twitter.com/UTKEECSIT
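An added example, not part of the original post or of Samba itself: a small Python parser for the Samba 3.x debug-log format shown in the excerpt above. It splits the log into records (handling the usual header-then-indented-message layout as well as messages on the header line), pulls out each rejected logon that check_ntlm_password reports together with its NT status code, and tallies the codes, so that failures such as the NT_STATUS_ACCESS_DENIED above can be counted and correlated with session setups from non-domain hosts. The sample log is constructed from the lines in the post.

```python
import re
from collections import Counter

# Samba 3.x debug header "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(function)"; the message follows on the same line or on the indented line(s) after it.
HEADER_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>[\w./-]+):(?P<line>\d+)\((?P<func>\w+)\)\s*(?P<rest>.*)"
)
# Line that check_ntlm_password logs at debug level 2 for a rejected logon.
AUTH_FAIL_RE = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+)"
)

def parse_samba_log(text):
    """Split a debug log into dict records, joining continuation lines to their header."""
    records = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["level"], rec["line"] = int(rec["level"]), int(rec["line"])
            rec["msg"] = rec.pop("rest").strip()
            records.append(rec)
        elif records and raw.strip():  # continuation of the previous record
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def auth_failures(records):
    """Return (user, mapped user, NT status, timestamp) for each rejected logon."""
    out = []
    for r in records:
        m = AUTH_FAIL_RE.search(r["msg"]) if r["func"] == "check_ntlm_password" else None
        if m:
            out.append((m["user"], m["mapped"], m["status"], r["ts"]))
    return out

def failures_by_status(records):
    """Count rejected logons per NT status code, e.g. to spot a burst of ACCESS_DENIED."""
    return Counter(status for _, _, status, _ in auth_failures(records))

# Constructed sample, built from the log excerpt in the post above.
SAMPLE_LOG = """\
[2011/04/17 18:52:35.141821,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: mapped user is: [UTK]\\[miturria]@[KILKENNY]
[2011/04/17 18:52:35.145932,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [miturria] -> [miturria] FAILED with error NT_STATUS_ACCESS_DENIED
[2011/04/17 18:52:35.146031,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
[2011/04/17 18:52:35.146911,  3] smbd/server.c:902(exit_server_common) Server exit (failed to receive smb request)
"""
```

Run `auth_failures(parse_samba_log(open("/var/log/samba/log.smbd").read()))` against a real log at debug level 2 or higher to list the rejected logons; the level-3 records around them show which user mapping was applied before the failure.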
Daniel Müller
2011-Apr-18 06:54 UTC
[Samba] Samba AD member and connections from non-AD systems
Why do you need a WINS server in an ADS; wins support = yes!!?? To log in with smbclient to an ADS the host needs to be a trusted machine, as far as I know.

-----------------------------------------------
EDV Daniel Müller
Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Markus Iturriaga Woelfel
Sent: Monday, 18 April 2011 01:02
To: samba at lists.samba.org
Subject: [Samba] Samba AD member and connections from non-AD systems