[Samba] Can access shares by IP, not by hostname from Windows clients (AD, W2K8 R2, Linux, Samba 3.6.1, KRB)
Hello,

I am running Samba version 3.6.1 and for several months we can no longer access shares on that server by hostname. This only occurs for Windows clients (Windows 2008 R2, Windows 7). For Apple MacOS 10.5 and Linux clients, we can access the shares by \\ws86 using Active Directory registered passwords. For Windows, we must use \\192.168.172.26. Neither \\ws86 nor \\WS86 works.

The only IP address of ws86 is 192.168.172.26. Netbios is also enabled, but of course there is an Active Directory environment. Active Directory is also used for security (see smb.conf). Winbind not running, smb and nmb are. Successfully kinit-ed and joined domain.

Logging contains:

[2012/01/06 21:16:11.824330, 1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

With debugging on level 15, typical errors include (samba log with level 15 is too large to post here):

  libads/kerberos_verify.c:248: krb5_rd_req_return_keyblock_from_keytab(host/ws86.invantive.local@INVANTIVE.LOCAL) failed: Wrong principal in request

and

  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.593758, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.593846, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.593929, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.594012, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.594094, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Bad encryption type

I have tried various enctypes. Made changes to allowed enctypes on 2008 R2 active directory server. No success.

Even with experience back to Samba 2.0, this is too hard for me. Can someone provide me with a hint or pointer?

Regards,

Guido

--

[global]
   workgroup = INVANTIVE
   realm = INVANTIVE.LOCAL
   security = ads
   kerberos method=secrets and keytab
   template shell = /bin/ksh
   winbind use default domain = true
   winbind offline logon = false
   debuglevel=1
   password server = ws54
   winbind enum groups = yes
   winbind enum users = yes
   winbind nested groups = yes
   winbind separator = +
   server string = Samba %v
   interfaces = lo eth0 192.168.172.26/24
   passdb backend = tdbsam
   dns proxy = yes
   cups options = raw
   username map = /etc/samba/smbusers

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   inherit acls = yes
   delete readonly = yes
   create mask = 0600
   directory mask = 0700
   oplocks = yes
   force create mode = 0600
   force directory mode = 0700
   valid users = %S,INVANTIVE\Administrator,root,INVANTIVE\!gle3
   force user = %S
   hide files = /desktop.ini/$RECYCLE.BIN/

include=/etc/samba/smb.conf.invantive

--

root@ws86:/etc/samba# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
  22 host/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 host/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 host/ws86.invantive.local@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 host/ws86@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 host/ws86@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 host/ws86@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 WS86$@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 WS86$@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 WS86$@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  13 ws86/Administrator@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  13 ws86/Administrator@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  13 ws86/Administrator@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
   3 host/WS86@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
   3 host/WS86@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
   3 host/WS86@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 ws86/ws86@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 ws86/ws86@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 ws86/ws86@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 WS86$@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 WS86$@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
   3 ws86/WS86@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  14 ws86/Administrator@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  14 ws86/Administrator@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  14 ws86/Administrator@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 ws86/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 ws86/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with RS
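
Added example (not part of the original post, and not Samba code): a Python audit of `klist -ke` output in the layout shown above, reporting principals that carry more than one KVNO, principals with no AES key, and the absence of any cifs/ principal. The sample is a constructed subset of the posted listing, the MIT `klist` line layout is assumed, and which finding explains the failure is not established by the thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the keytab listing posted above.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
  22 host/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 host/ws86.invantive.local@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 WS86$@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 WS86$@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  13 ws86/Administrator@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  14 ws86/Administrator@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
"""

# One keytab entry: "<kvno> <principal> (<enctype description>)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_keytab(text):
    """Return {principal: {kvno: set(enctype descriptions)}}; header lines are skipped."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, principal, enctype = m.groups()
            entries[principal][int(kvno)].add(enctype)
    return entries

def audit(text):
    """Return a sorted list of (principal, finding) pairs worth a closer look."""
    entries = parse_keytab(text)
    findings = []
    for principal, by_kvno in entries.items():
        if len(by_kvno) > 1:  # keys from an older machine password still present
            findings.append((principal, "multiple KVNOs: %s" % sorted(by_kvno)))
        names = set().union(*by_kvno.values())
        if not any(n.upper().startswith("AES") for n in names):
            findings.append((principal, "no AES key"))
    if not any(p.lower().startswith("cifs/") for p in entries):
        findings.append(("*", "no cifs/ service principal"))
    return sorted(findings)

if __name__ == "__main__":
    for principal, finding in audit(SAMPLE):
        print(f"{principal}: {finding}")
```
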
Re: [Samba] issues with printing
On 1/6/12 3:31 PM, "Jeremy Allison" wrote:

>
>The problem I can see from the pastebin is an authentication
>issue. The client is trying to connect via a machine account.
>
>If you don't allow the machine account access to the print
>share then it'll get access denied.
>
>The error above is the machine account not being present
>on the box, so we can't allow such a user to connect. You
>could set "map to guest = bad user", and allow guest
>access to the print shares, or use a username map to
>map the incoming machine account to another (known)
>user, but the underlying problem here isn't in the print
>subsystem.
>
>Jeremy.

Jeremy,

This is true. I would not have the issue (I suspect) if I used winbind. I read somewhere prior to Samba 3, machine account auths were dropped (I forget the exact wording).

In my case (I want 3.6.x for the print notice setting due to client firewalls), I think the "fix" would be an option to ignore (or silently map to guest account?) machine account auth requests?

I don't know the best fix.. I just fixed it by manually adding the accounts.. Ugh.. But now at least it works.

Tom

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] issues with printing
On Fri, Jan 06, 2012 at 02:06:26PM -0600, Dale Schroeder wrote:
> On 01/05/2012 9:23 AM, Tom Ryan wrote:
> >On 1/5/12 9:31 AM, "Tom Ryan" wrote:
> >
> >>[2012/01/05 09:18:54.928729, 3] auth/auth_util.c:1028(check_account)
> >> Failed to find authenticated user DOMAIN\machinename$ via getpwnam(),
> >>denying access.
> >>[2012/01/05 09:18:54.929709, 2] auth/auth.c:319(check_ntlm_password)
> >> check_ntlm_password: Authentication for user [machinename$] ->
> >>[machinename$] FAILED with error NT_STATUS_NO_SUCH_USER
> >>[2012/01/05 09:18:54.929807, 3] smbd/error.c:81(error_packet_set)
> >> error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
> >>NT_STATUS_LOGON_FAILURE
> >>
> >>You might recall that we don't use winbind so I'm at a loss as to why this
> >>happens sporadically and what I can do (short of editing the code) to work
> >>around it.
> >>
> >>
> >>Thoughts?
> >Ok, so I have found out if I put
> >
> >DOMAIN\machinename$
> >And
> >machinename$
> >
> >In /etc/passwd
> >
> >Then everything works.. However, that really isn't acceptable.
> >
> >Does anyone have a solution??
>
> Tom,
>
> As you've probably noticed, printing problems don't get a lot of
> responses. I'm uncertain as to why.
> I don't know what you've already checked, so I'll give a few generalities.
>
> Samba 3.6 had a rewrite of the printing code. If you haven't
> already, you can read about it here:
> http://www.samba.org/samba/history/samba-3.6.0.html
>
> There is at least 1 known printing bug, and I've experienced it. It
> is found here:
> https://bugzilla.samba.org/show_bug.cgi?id=8384

Yeah, that one got fixed for the next release.

> Would guest access to the printing shares fix your problem?
> guest ok = Yes
>
> If these suggestions are all strikeouts, perhaps post the global and
> printing sections of your smb.conf.
> Someone else may see something there.

The problem I can see from the pastebin is an authentication issue. The client is trying to connect via a machine account.

If you don't allow the machine account access to the print share then it'll get access denied.

The error above is the machine account not being present on the box, so we can't allow such a user to connect. You could set "map to guest = bad user", and allow guest access to the print shares, or use a username map to map the incoming machine account to another (known) user, but the underlying problem here isn't in the print subsystem.

Jeremy.
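
Added example (not part of the thread, and not Samba code): a Python pass over smbd log records in the layout quoted above that lists which authenticated accounts were rejected for lacking a Unix user, separating machine accounts (trailing `$`) from ordinary users. The log excerpt is constructed, and `otherpc$` and `alice` are placeholder names.

```python
import re
from collections import Counter

# Constructed log excerpt in the smbd layout quoted in the thread
# (header line, then indented message lines); account names are placeholders.
SAMPLE_LOG = r"""
[2012/01/05 09:18:54.928729,  3] auth/auth_util.c:1028(check_account)
  Failed to find authenticated user DOMAIN\machinename$ via getpwnam(), denying access.
[2012/01/05 09:18:54.929709,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [machinename$] -> [machinename$] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/01/05 09:20:11.104512,  3] auth/auth_util.c:1028(check_account)
  Failed to find authenticated user DOMAIN\otherpc$ via getpwnam(), denying access.
[2012/01/05 09:21:40.551200,  3] auth/auth_util.c:1028(check_account)
  Failed to find authenticated user DOMAIN\alice via getpwnam(), denying access.
[2012/01/05 09:22:02.000100,  3] auth/auth_util.c:1028(check_account)
  Failed to find authenticated user DOMAIN\machinename$ via getpwnam(), denying access.
"""

# Record header: "[timestamp, level] source.c:line(function)"
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s*\d+\] \S+\((\w+)\)$")
NO_UNIX_USER = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")

def records(log_text):
    """Yield (function, message) pairs, joining wrapped message lines to their header."""
    func, body = None, []
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if func:
                yield func, " ".join(body)
            func, body = m.group(1), []
        elif line.strip():
            body.append(line.strip())
    if func:
        yield func, " ".join(body)

def unmapped_accounts(log_text):
    """Count accounts rejected by check_account for lacking a Unix user, split by type."""
    machines, users = Counter(), Counter()
    for func, msg in records(log_text):
        m = NO_UNIX_USER.search(msg) if func == "check_account" else None
        if m:
            (machines if m.group(1).endswith("$") else users)[m.group(1)] += 1
    return machines, users

if __name__ == "__main__":
    machines, users = unmapped_accounts(SAMPLE_LOG)
    print("machine accounts:", dict(machines))
    print("user accounts:", dict(users))
```

The machine accounts it reports are the ones a `username map` or the guest mapping discussed above would have to cover; ordinary user names in the second counter are worth reviewing separately before any guest mapping is enabled.
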
Re: [Samba] issues with printing
On Fri, Jan 6, 2012 at 3:06 PM, Dale Schroeder wrote:

> Samba 3.6 had a rewrite of the printing code. If you haven't already, you
> can read about it here:
> http://www.samba.org/samba/history/samba-3.6.0.html

With the winbind and printing issues I've seen with 3.6 my take is that it isn't quite ready for prime time. I dropped back to the 3.5 series and will look at it again when 3.6.2 is released.

Chris
Re: [Samba] issues with printing
On 01/05/2012 9:23 AM, Tom Ryan wrote:
>On 1/5/12 9:31 AM, "Tom Ryan" wrote:
>
>>[2012/01/05 09:18:54.928729, 3] auth/auth_util.c:1028(check_account)
>> Failed to find authenticated user DOMAIN\machinename$ via getpwnam(),
>>denying access.
>>[2012/01/05 09:18:54.929709, 2] auth/auth.c:319(check_ntlm_password)
>> check_ntlm_password: Authentication for user [machinename$] ->
>>[machinename$] FAILED with error NT_STATUS_NO_SUCH_USER
>>[2012/01/05 09:18:54.929807, 3] smbd/error.c:81(error_packet_set)
>> error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
>>NT_STATUS_LOGON_FAILURE
>>
>>You might recall that we don't use winbind so I'm at a loss as to why this
>>happens sporadically and what I can do (short of editing the code) to work
>>around it.
>>
>>Thoughts?
>Ok, so I have found out if I put
>
>DOMAIN\machinename$
>And
>machinename$
>
>In /etc/passwd
>
>Then everything works.. However, that really isn't acceptable.
>
>Does anyone have a solution??

Tom,

As you've probably noticed, printing problems don't get a lot of responses. I'm uncertain as to why.
I don't know what you've already checked, so I'll give a few generalities.

Samba 3.6 had a rewrite of the printing code. If you haven't already, you can read about it here:
http://www.samba.org/samba/history/samba-3.6.0.html

There is at least 1 known printing bug, and I've experienced it. It is found here:
https://bugzilla.samba.org/show_bug.cgi?id=8384

Would guest access to the printing shares fix your problem?
guest ok = Yes

If these suggestions are all strikeouts, perhaps post the global and printing sections of your smb.conf.
Someone else may see something there.

Dale
[Samba] Samba Member Server and authenticating trusted domain users
Hello,

I have a samba 3.6.1 (Debian testing) member server in a Windows 2K8 Domain with the name DomA. The DomA PDC trusts a second Win2K3 domain controller responsible for DomB. All users from DomA can access the samba server without problems.

Now I want to allow users from the trusted domain DomB to access the samba server. When a user tries to authenticate, the smb/cifs login to the share fails. I get the following winbind log in log.wb-DOMB:

[2012/01/06 10:51:17.018523, 3] libsmb/cliconnect.c:1840(cli_session_setup_spnego)
  got principal=pdc$@DOMB
[2012/01/06 10:51:17.018673, 10] libads/kerberos.c:191(kerberos_kinit_password_ext)
  kerberos_kinit_password: as SAMBA-1$@NETTETAL.PIERBURG.LOCAL using [MEMORY:cliconnect] as ccache and config [(null)]
[2012/01/06 10:51:18.553682, 3] libsmb/cliconnect.c:1883(cli_session_setup_spnego)
  cli_session_setup_spnego: using target hostname not SPNEGO principal
[2012/01/06 10:51:18.553770, 3] libsmb/cliconnect.c:1927(cli_session_setup_spnego)
  cli_session_setup_spnego: guessed server principal=cifs/pdc.DOMB@DOMB
[2012/01/06 10:51:18.553805, 2] libsmb/cliconnect.c:1433(cli_session_setup_kerberos_send)
  Doing kerberos session setup
[2012/01/06 10:51:19.058406, 1] libsmb/clikrb5.c:799(ads_krb5_mk_req)
  ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/pdc.DOMB@DOMB (Server not found in Kerberos database)

In my smb.conf I enabled:

  allow trusted domains = yes

In my krb5.conf I configured:

  DOMB = {
    kdc = PDC@DOMB:88
    admin_server = PDC@DOMB
    default_domain = DOMB
  }

Testing kinit works: kinit username@DOMB is successful.

So my question is: am I missing something?

Thanks in advance for any help
Re: [Samba] Integrate windows ADS Connection
I got samba with winbind and pam to integrate with windows 2008 ADS. I am able to net ads join and also see the users and groups via wbinfo. But my samba connection is not working and not showing when I try to mount in windows. No errors pop up under smbstatus.

Below is the smb.conf

[GLOBAL]
   workgroup = ARCH
   realm = ARCH.LOCAL
   netbios name = ARCHPROJFC
   password server = 192.168.1.40
   preferred master = no
   server string = %h server (Samba %v, Ubuntu)
   encrypt passwords = yes
   enable privileges = Yes
#  dns proxy = no
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   security = ADS
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 600-2
   idmap gid = 600-2
   ;template primary group = "Domain Users"
   template homedir = /home/%D/%U
   template shell = /bin/bash

[WORKSPACE]
   comment = Home Direcotries
   path = /home/%D/%U/Workspace
   valid users = ARCH+Administrator
   read only = No
   browseable = yes
   writable = yes

[PRINTERS]
   comment = All Printers
   path = /var/spool/cups
   browseable = no
   printable = yes
   guest ok = yes
   public = yes

On Wed, Jan 4, 2012 at 9:31 AM, Jessica Guynn wrote:

> Used likewise-open because was following a tutorial on that same site. So
> better change to winbind?
>
> On Wed, Jan 4, 2012 at 7:40 AM, Volker Lendecke wrote:
>
>> On Wed, Jan 04, 2012 at 07:29:11AM -0800, Jessica Guynn wrote:
>> > Forgot to add, using likewise-open to add the ubuntu machine to the windows
>> > ads.
>> >
>> > On Wed, Jan 4, 2012 at 7:20 AM, Jessica Guynn wrote:
>> >
>> > > Creating a samba connection through windows 2008 ADS. I was able to add
>> > > my ubuntu machine as a member of the windows 2008 domain but after
>> > > following this tutorial to create the samba connection
>> > > http://www.ubuntugeek.com/how-to-integrate-windows-active-directory-and-samba-in-ubuntu.html
>> > > I can no longer login with domain users. My nsswitch.conf, krb5.conf, and
>> > > smb.conf files are pasted in: http://pastebin.com/VKphVVwg
>>
>> Can you try to take likewise-open out of the picture? Samba
>> with winbind has excellent domain membership features. What
>> are the specific likewise open features that you require
>> that winbind can not provide to you?
>>
>> With best regards,
>>
>> Volker Lendecke
>>
>> --
>> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
>> phone: +49-551-37-0, fax: +49-551-37-9
>> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
>> http://www.sernet.de, mailto:kont...@sernet.de
>>