I have a Samba-4 system running as an Active Directory server. It's working great: computers are joined to it, users are logged in, etc. Good job Samba developers, and thank you!
But of course I am not satisfied. Now I want to configure another server (well, a VM) as a file server using Samba-3.6.12. I want it to refer to the Samba4 server for all user authentication. My understanding of the documentation is that I set "server = ads" and join the samba3 system to my domain. I do not need to create any users/accounts on the Samba3 (fileserver) system. Am I right so far?

But, it's not working -- it is not authenticating requests using the AD server. There are error messages coming out of Samba that I don't understand (no surprise there). I have read the relevant documentation, including the Domain Membership section, and I have followed the instructions here:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

Here are the details.

AD is Samba-4 running on samba-ad.allenlan.net (192.168.0.13).
Fileserver is Samba-3.6.12 on smb-test-zone.allenlan.net (192.168.0.17).
A Win7 PC named t110-win7-base.allenlan.net (192.168.0.93) is joined to the domain, user "allenlan\lallen" is logged in to it, and I attempt to map a share on the Samba-3.6.12 system using:

# net use L: \\192.168.0.17\Lee

this prompts for username (it should not), I enter "allenlan\lallen" (or "allenlan.net\lallen"), it prompts for password, and I enter that. The authentication fails - the log file is below.

# cat /opt/local/etc/samba/smb.conf
[global]
  workgroup = ALLENLAN
  server string = Samba %v (%h)
  realm = allenlan.net
  security = ads
  password server = 192.168.0.13
  load printers = no
  guest account = guest
(omitting the shares)

# kinit administra...@allenlan.net
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administra...@allenlan.net

  Issued                Expires               Principal
May 24 19:44:08 2013  May 25 05:44:08 2013  krbtgt/allenlan....@allenlan.net

# net ads join -U Administrator%password
# net ads testjoin
Join is OK
# net ads info
LDAP server: 192.168.0.13
LDAP server name: samba-ad.allenlan.net
Realm: ALLENLAN.NET
Bind Path: dc=ALLENLAN,dc=NET
LDAP port: 389
Server time: Fri, 24 May 2013 19:44:36 UTC
KDC server: 192.168.0.13
Server time offset: 0

# /opt/local/sbin/smbd -i -d3 -s /opt/local/etc/samba/smb.conf
Maximum core file size limits now -3(soft) -3(hard)
smbd version 3.6.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
uid=0 gid=0 euid=0 egid=0
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/opt/local/etc/samba/smb.conf"
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/opt/local/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[Lee]"
adding IPC service
added interface net0 ip=192.168.0.17 bcast=192.168.0.255 netmask=255.255.255.0
loaded services
Initialise the svcctl registry keys if needed.
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Initialise the eventlog registry keys if needed.
Closed policy
get_dc_list: preferred server list: "samba-ad.allenlan.net, 192.168.0.13"
Successfully contacted LDAP server 192.168.0.13
get_dc_list: preferred server list: "samba-ad.allenlan.net, 192.168.0.13"
get_dc_list: preferred server list: "samba-ad.allenlan.net, 192.168.0.13"
Successfully contacted LDAP server 192.168.0.13
Connected to LDAP server samba-ad.allenlan.net
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache] expiration Sat, 25 May 2013 05:46:13 UTC
reloading printcap cache
No Printers found!!!
reload status: error
waiting for connections
Allowed connection from 192.168.0.93 (192.168.0.93)
init_oplocks: initializing messages.
Transaction 0 of length 159 (0 toread)
switch message SMBnegprot (pid 85924) conn 0x0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
Requested protocol [SMB 2.002]
Requested protocol [SMB 2.???]
using SPNEGO
Selected protocol NT LM 0.12
Transaction 1 of length 1622 (0 toread)
switch message SMBsesssetupX (pid 85924) conn 0x0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Doing spnego session setup
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
reply_spnego_negotiate: Got secblob of size 1476
libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Decrypt integrity check failed
libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Decrypt integrity check failed
Found account name from PAC: lallen []
Kerberos ticket principal name is [lal...@allenlan.net]
Username ALLENLAN\lallen is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
Transaction 2 of length 1508 (0 toread)
switch message SMBsesssetupX (pid 85924) conn 0x0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Doing spnego session setup
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
reply_spnego_negotiate: Got secblob of size 1362
libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Decrypt integrity check failed
libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Decrypt integrity check failed
Found account name from PAC: lallen []
Kerberos ticket principal name is [lal...@allenlan.net]
Username ALLENLAN\lallen is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
receive_smb_raw_talloc failed for client 192.168.0.93 read error = NT_STATUS_CONNECTION_RESET.
Server exit (failed to receive smb request)

This has had me stumped for several days. Thank you for any & all help.

Lee Allen
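
The following is an added example, not part of Lee Allen's post or the Samba project's code: a small Python triage of the smbd debug output quoted above, grouping lines per SMBsesssetupX request and naming the stage that failed. It assumes that "Found account name from PAC" means the Kerberos ticket was accepted and that "is invalid on this system" means smbd found no Unix account for that user; the function names and diagnosis labels are made up for illustration.

```python
import re

# Constructed sample: lines taken from the smbd -d3 output quoted in the post.
SAMPLE_LOG = r"""
switch message SMBnegprot (pid 85924) conn 0x0
switch message SMBsesssetupX (pid 85924) conn 0x0
libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Decrypt integrity check failed
libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Decrypt integrity check failed
Found account name from PAC: lallen []
Username ALLENLAN\lallen is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
receive_smb_raw_talloc failed for client 192.168.0.93 read error = NT_STATUS_CONNECTION_RESET.
"""

DECRYPT_FAIL = re.compile(r"enc type \[(\d+)\] failed to decrypt")
PAC_USER = re.compile(r"Found account name from PAC: (\S+)")
NO_UNIX_USER = re.compile(r"Username (\S+) is invalid on this system")
ERROR_PACKET = re.compile(r"error packet at .*?(NT_STATUS_\w+)")

def diagnose(a):
    # Hypothetical labels: which stage of the session setup stopped the logon.
    if a["pac_user"] and a["unmapped"]:
        return "kerberos_ok_no_unix_account"
    if a["enctypes_failed"] and not a["pac_user"]:
        return "kerberos_decrypt_failed"
    return "failed_other" if a["status"] else "no_failure_logged"

def triage(log_text):
    """Group log lines by SMBsesssetupX request and summarise each attempt."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if "switch message" in line:
            cur = None  # a new SMB request starts; only session setups are tracked
            if "SMBsesssetupX" in line:
                cur = {"enctypes_failed": [], "pac_user": None, "unmapped": None, "status": None}
                attempts.append(cur)
        elif cur is not None:
            if m := DECRYPT_FAIL.search(line):
                cur["enctypes_failed"].append(int(m.group(1)))
            elif m := PAC_USER.search(line):
                cur["pac_user"] = m.group(1)
            elif m := NO_UNIX_USER.search(line):
                cur["unmapped"] = m.group(1)
            elif m := ERROR_PACKET.search(line):
                cur["status"] = m.group(1)
    for a in attempts:
        a["diagnosis"] = diagnose(a)
    return attempts

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the single attempt is labelled kerberos_ok_no_unix_account: the enc type 18 and 17 keys failed, but a PAC was still read, and the logon was rejected at the username lookup.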