Re: [Samba] samba 3.4.0: point'n'print does not work

2009-07-28 Thread Blindauer Emmanuel
On Tuesday 28 July 2009 07:03:29, Ryan Suarez wrote:
 Greetings,

 I upgraded my samba v3.2.4 to v3.4.0.

 Now point'n'print does not work.  I get the error 'Windows cannot
 connect to the printer. Operation could not be completed (error
 0x06f7)' when I try to connect to any printer share from a vista
 32bit client.

For me 3.4.0 has solved a lot of problems for click'and'print.
The only new thing was that I needed a share named prnproc$ which has the
same definition as print$. At least I can upload all these drivers from HP
which couldn't be added correctly before.

Emmanuel
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] samba 3.4.0: point'n'print does not work

2009-07-28 Thread Blindauer Emmanuel
On Tuesday 28 July 2009 16:55:08, you wrote:
  Greetings,
 
  I upgraded my samba v3.2.4 to v3.4.0.
 
  Now point'n'print does not work.  I get the error 'Windows cannot
  connect to the printer. Operation could not be completed (error
  0x06f7)' when I try to connect to any printer share from a vista
  32bit client.
 
  For me 3.4.0 has solved a lot of problems for click'and'print.
  The only new thing was that I needed a share named prnproc$ which has
  the same definition as print$. At least I can upload all these
  drivers from HP which couldn't be added correctly before.
 
  Emmanuel

 Thanks for the reply.

 hmm, haven't heard of a prnproc$ definition before.  Where did you come
 across this?

 Couldn't find a reference to it on their site:
 http://us1.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Yes, nowhere in smb.conf and related I saw that.
But logs from the server during the first try to upload a driver were referencing
this share.
Googling around this, I saw some references related to print servers, with the
same directory structure.
After creating this share all went fine.

Emmanuel


Re: [Samba] [HELP] Samba 3.0.23a pam_winbind says password expired

2006-08-08 Thread Blindauer Emmanuel
I'm getting the same issue, except I can't log in because login only authorises
getting a shell after the password change.
Any idea why PAM_WINBIND_NEW_AUTHTOK_REQD is sent?
(I have this problem since upgrading from 200 to 2003 (mixed mode) and
samba-3.0.23a, using security=ads and winbind)

Emmanuel

On Tuesday 1 August 2006 10:27, Michael Gasch wrote:
 hi,

 i just do some tests with a fresh compiled samba 3.0.23a.
 trying to authenticate against PAM with pam_winbind gives:

 Aug  1 09:59:21 humevo36 pam_winbind[27853]: pam_winbind: pam_sm_authenticate (flags: 0x)
 Aug  1 09:59:23 humevo36 pam_winbind[27853]: Verify user `gasch'
 Aug  1 09:59:23 humevo36 pam_winbind[27853]: enabling cached login flag
 Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' granted access
 Aug  1 09:59:23 humevo36 pam_winbind[27853]: Password has expired (Password was last set: 1154074953, the policy says it should expire here 1154074952 (now it's: 1154419163)
 Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' OK
 Aug  1 09:59:23 humevo36 pam_winbind[27853]: pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set
 Aug  1 09:59:23 humevo36 pam_winbind[27853]: user 'gasch' needs new password
 Aug  1 09:59:27 humevo36 su: FAILED SU (to gasch) gasch on /dev/pts/3

 there´s no password policy on the domain controller (samba 3.0.14a,
 debian):

 [EMAIL PROTECTED]:~# pdbedit -d 0 -P maximum password age
 account policy value for maximum password age is 4294967295
 [EMAIL PROTECTED]:~# pdbedit -d 0 -P password history
 account policy value for password history is 0

 some samba-ldap attributes on PDC for user gasch:

 sambaLogonTime: 1130931254
 sambaPwdMustChange: 2147483647
 sambaPasswordHistory: sambaAcctFlags: [UX ]
 sambaKickoffTime: 1204325940
 sambaPwdCanChange: 1154074953
 sambaPwdLastSet: 1154074953

 i can provide you with a level 10 debug log of winbindd offline (700kb)
 if requested.

 btw: it worked fine with 3.0.20b RPM from SuSE.
 any ideas?

 thx in advance!


 smb.conf
 
 [global]
  workgroup = DOMAIN
  server string = Samba v3
 #   username map = /etc/samba/username.map
  time server = yes
  log level = 2
  syslog = 0
  log file = /var/log/samba/log.%m
  max log size = 1
  unix extensions = No
  printcap name = cups
  os level = 32

  interfaces = lo eth0 vmnet1 vmnet8
  bind interfaces only = yes
  wins server = 192.168.x.y
  preferred master = No
  local master = No
  domain master = No
  dns proxy = No
  panic action = /usr/share/samba/panic-action %d
  idmap backend = idmap_rid:DOMAIN=1-1
  idmap uid = 1-1
  idmap gid = 1-1
  winbind offline logon = yes
  winbind separator = '\'
  winbind enum users = No
  winbind enum groups = No
  winbind use default domain = Yes
  winbind trusted domains only = no
  winbind cache time = 60
  security = domain
  allow trusted domains = no
  template shell = /bin/bash
  template homedir = /home/%U
  invalid users = root


 pam (common-auth)
 =
 auth required pam_env.so
 # following also tried without arguments
 auth sufficient pam_winbind.so debug try_first_pass cached_login
 auth required pam_unix2.so use_first_pass

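The numbers in the quoted log are consistent with a 32-bit wraparound: the last-set time 1154074953 plus the policy value 4294967295 (the "no maximum age" value shown by pdbedit) wraps to 1154074952, the expiry time that was logged. The following is an added example, not part of the thread and not Samba's code; the function names are hypothetical, and that this wraparound is the actual cause inside pam_winbind is an assumption.

```python
# Added illustration (not Samba code): how a "never expires" policy value
# can turn into "already expired" when the expiry time is computed in
# 32-bit unsigned arithmetic. Function names are hypothetical.

U32_MAX = 0xFFFFFFFF  # 4294967295, the policy value reported by pdbedit


def naive_expiry(last_set: int, max_age: int) -> int:
    """Expiry computed as last_set + max_age, truncated to 32 bits."""
    return (last_set + max_age) & U32_MAX


def guarded_expiry(last_set: int, max_age: int):
    """Expiry with the sentinel and overflow handled explicitly.

    Returns None when the password never expires: either the policy is the
    all-ones sentinel, or the sum does not fit in 32 bits.
    """
    if max_age == U32_MAX:
        return None
    total = last_set + max_age
    if total > U32_MAX:
        return None
    return total


def must_change(now: int, expiry) -> bool:
    """True when the account should be forced to set a new password."""
    return expiry is not None and now >= expiry


# Values taken from the log and pdbedit output quoted in the message above.
LAST_SET = 1154074953
MAX_AGE = 4294967295
NOW = 1154419163

if __name__ == "__main__":
    wrapped = naive_expiry(LAST_SET, MAX_AGE)
    print("naive expiry:  ", wrapped, "must change:", must_change(NOW, wrapped))
    safe = guarded_expiry(LAST_SET, MAX_AGE)
    print("guarded expiry:", safe, "must change:", must_change(NOW, safe))
```
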

[Samba] double segfault in smbd 3.0.21a

2006-01-09 Thread Blindauer Emmanuel
Hi
I'm able to reproduce a segfault in smbd, with security=ads , using normal 
login or kerberos.
samba 3.0.21a compiled from source, on debian stable. 

Here are the backtraces:


For the kerberos part, using smbclient //server/share -k

Using host libthread_db library /lib/tls/libthread_db.so.1.
`system-supplied DSO at 0xe000' has disappeared; keeping its symbols.
[Thread debugging using libthread_db enabled]
[New Thread 1077522240 (LWP 26945)]
0x4020f3ae in waitpid () from /lib/tls/libc.so.6
#0  0x4020f3ae in waitpid () from /lib/tls/libc.so.6
#1  0x401a4d12 in system () from /lib/tls/libc.so.6
#2  0x081fc648 in smb_panic2 ()
#3  0x081fc5bb in smb_panic ()
#4  0x081e9cf3 in fault_report ()
#5  0x081e9d68 in sig_fault ()
#6  signal handler called
#7  0x401ce487 in fseek () from /lib/tls/libc.so.6
#8  0x400ae2cc in krb5_ktfile_get_next () from /usr/lib/libkrb5.so.3
#9  0x400add4c in krb5_kt_next_entry () from /usr/lib/libkrb5.so.3
#10 0x08275daf in ads_keytab_verify_ticket ()
#11 0x08276828 in ads_verify_ticket ()
#12 0x080b4802 in reply_spnego_kerberos ()
#13 0x080b5738 in reply_spnego_negotiate ()
#14 0x080b5db0 in reply_sesssetup_and_X_spnego ()
#15 0x080b62c6 in reply_sesssetup_and_X ()
#16 0x080dda92 in switch_message ()
#17 0x080ddb42 in construct_reply ()
#18 0x080dde8e in process_smb ()
#19 0x080debe9 in smbd_process ()
#20 0x0828850b in main ()

For the normal login, i.e. smbclient //server/share -U username

Using host libthread_db library /lib/tls/libthread_db.so.1.
`system-supplied DSO at 0xe000' has disappeared; keeping its symbols.
[Thread debugging using libthread_db enabled]
[New Thread 1077522240 (LWP 26935)]
0x4020f3ae in waitpid () from /lib/tls/libc.so.6
#0  0x4020f3ae in waitpid () from /lib/tls/libc.so.6
#1  0x401a4d12 in system () from /lib/tls/libc.so.6
#2  0x081fc648 in smb_panic2 ()
#3  0x081fc5bb in smb_panic ()
#4  0x081e9cf3 in fault_report ()
#5  0x081e9d68 in sig_fault ()
#6  signal handler called
#7  0x4000770a in _dl_unload_cache () from /lib/ld-linux.so.2
#8  0x40007edf in _dl_lookup_symbol () from /lib/ld-linux.so.2
#9  0x4026fdb9 in __libc_dlclose () from /lib/tls/libc.so.6
#10 0x4000c016 in _dl_catch_error () from /lib/ld-linux.so.2
#11 0x4026fc68 in __libc_dlsym () from /lib/tls/libc.so.6
#12 0x4024db81 in __nss_lookup_function () from /lib/tls/libc.so.6
#13 0x4024d8c3 in __nss_next () from /lib/tls/libc.so.6
#14 0x4020eb49 in getpwnam_r () from /lib/tls/libc.so.6
#15 0x4020e441 in getpwnam () from /lib/tls/libc.so.6
#16 0x081ec962 in sys_getpwnam ()
#17 0x081f0a7f in getpwnam_alloc ()
#18 0x081eefbb in Get_Pwnam_internals ()
#19 0x081ef29c in Get_Pwnam_alloc ()
#20 0x082385ca in smb_getpwnam ()
#21 0x08238489 in fill_sam_account ()
#22 0x08238854 in make_server_info_info3 ()
#23 0x08233f98 in check_winbind_security ()
#24 0x08230f88 in check_ntlm_password ()
#25 0x0823a036 in auth_ntlmssp_check_password ()
#26 0x08115054 in ntlmssp_server_auth ()
#27 0x08114480 in ntlmssp_update ()
#28 0x0823a36e in auth_ntlmssp_update ()
#29 0x080b592a in reply_spnego_auth ()
#30 0x080b5e0d in reply_sesssetup_and_X_spnego ()
#31 0x080b62c6 in reply_sesssetup_and_X ()
#32 0x080dda92 in switch_message ()
#33 0x080ddb42 in construct_reply ()
#34 0x080dde8e in process_smb ()
#35 0x080debe9 in smbd_process ()
#36 0x0828850b in main ()


And here is my smb.conf:

# ./testparm
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section [web$]
Loaded services file OK.
WARNING: passdb expand explicit = yes is deprecated
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = DPTINFO
realm = DPTINFO.URS.LOCAL
server string = %h server (Extranet, Samba %v)
security = ADS
allow trusted domains = No
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n .
use kerberos keytab = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
ldap admin dn = cn=admin,dc=iutinfo,dc=local
ldap idmap suffix = ou=Idmap
ldap suffix = dc=iutinfo,dc=local
panic action = /usr/share/samba/panic-action %d
idmap backend = ldap:ldap://ldap.urs.fr
idmap uid = 1-2
idmap gid = 1-2
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
winbind cache time = 0
winbind use default domain = Yes
invalid users = root




Re: [Samba] double segfault in smbd 3.0.21a

2006-01-09 Thread Blindauer Emmanuel
After regenerating my keytab (net ads keytab flush  net ads keytab create)
the two crashes are gone.

Emmanuel

On Tuesday 10 January 2006 01:06, Blindauer Emmanuel wrote:
 Hi
 I'm able to reproduce a segfault in smbd, with security=ads , using normal
 login or kerberos.
 samba 3.0.21a compiled from source, on debian stable.

 Here are the backtraces:


 For the kerberos part, using smbclient //server/share -k

 Using host libthread_db library /lib/tls/libthread_db.so.1.
 `system-supplied DSO at 0xe000' has disappeared; keeping its symbols.
 [Thread debugging using libthread_db enabled]
 [New Thread 1077522240 (LWP 26945)]
 0x4020f3ae in waitpid () from /lib/tls/libc.so.6
 #0  0x4020f3ae in waitpid () from /lib/tls/libc.so.6
 #1  0x401a4d12 in system () from /lib/tls/libc.so.6
 #2  0x081fc648 in smb_panic2 ()
 #3  0x081fc5bb in smb_panic ()
 #4  0x081e9cf3 in fault_report ()
 #5  0x081e9d68 in sig_fault ()
 #6  signal handler called
 #7  0x401ce487 in fseek () from /lib/tls/libc.so.6
 #8  0x400ae2cc in krb5_ktfile_get_next () from /usr/lib/libkrb5.so.3
 #9  0x400add4c in krb5_kt_next_entry () from /usr/lib/libkrb5.so.3
 #10 0x08275daf in ads_keytab_verify_ticket ()
 #11 0x08276828 in ads_verify_ticket ()
 #12 0x080b4802 in reply_spnego_kerberos ()
 #13 0x080b5738 in reply_spnego_negotiate ()
 #14 0x080b5db0 in reply_sesssetup_and_X_spnego ()
 #15 0x080b62c6 in reply_sesssetup_and_X ()
 #16 0x080dda92 in switch_message ()
 #17 0x080ddb42 in construct_reply ()
 #18 0x080dde8e in process_smb ()
 #19 0x080debe9 in smbd_process ()
 #20 0x0828850b in main ()

 For the normal login, i.e. smbclient //server/share -U username

 Using host libthread_db library /lib/tls/libthread_db.so.1.
 `system-supplied DSO at 0xe000' has disappeared; keeping its symbols.
 [Thread debugging using libthread_db enabled]
 [New Thread 1077522240 (LWP 26935)]
 0x4020f3ae in waitpid () from /lib/tls/libc.so.6
 #0  0x4020f3ae in waitpid () from /lib/tls/libc.so.6
 #1  0x401a4d12 in system () from /lib/tls/libc.so.6
 #2  0x081fc648 in smb_panic2 ()
 #3  0x081fc5bb in smb_panic ()
 #4  0x081e9cf3 in fault_report ()
 #5  0x081e9d68 in sig_fault ()
 #6  signal handler called
 #7  0x4000770a in _dl_unload_cache () from /lib/ld-linux.so.2
 #8  0x40007edf in _dl_lookup_symbol () from /lib/ld-linux.so.2
 #9  0x4026fdb9 in __libc_dlclose () from /lib/tls/libc.so.6
 #10 0x4000c016 in _dl_catch_error () from /lib/ld-linux.so.2
 #11 0x4026fc68 in __libc_dlsym () from /lib/tls/libc.so.6
 #12 0x4024db81 in __nss_lookup_function () from /lib/tls/libc.so.6
 #13 0x4024d8c3 in __nss_next () from /lib/tls/libc.so.6
 #14 0x4020eb49 in getpwnam_r () from /lib/tls/libc.so.6
 #15 0x4020e441 in getpwnam () from /lib/tls/libc.so.6
 #16 0x081ec962 in sys_getpwnam ()
 #17 0x081f0a7f in getpwnam_alloc ()
 #18 0x081eefbb in Get_Pwnam_internals ()
 #19 0x081ef29c in Get_Pwnam_alloc ()
 #20 0x082385ca in smb_getpwnam ()
 #21 0x08238489 in fill_sam_account ()
 #22 0x08238854 in make_server_info_info3 ()
 #23 0x08233f98 in check_winbind_security ()
 #24 0x08230f88 in check_ntlm_password ()
 #25 0x0823a036 in auth_ntlmssp_check_password ()
 #26 0x08115054 in ntlmssp_server_auth ()
 #27 0x08114480 in ntlmssp_update ()
 #28 0x0823a36e in auth_ntlmssp_update ()
 #29 0x080b592a in reply_spnego_auth ()
 #30 0x080b5e0d in reply_sesssetup_and_X_spnego ()
 #31 0x080b62c6 in reply_sesssetup_and_X ()
 #32 0x080dda92 in switch_message ()
 #33 0x080ddb42 in construct_reply ()
 #34 0x080dde8e in process_smb ()
 #35 0x080debe9 in smbd_process ()
 #36 0x0828850b in main ()


 And here is my smb.conf:

 # ./testparm
 Load smb config files from /usr/local/samba/lib/smb.conf
 Processing section [web$]
 Loaded services file OK.
 WARNING: passdb expand explicit = yes is deprecated
 'winbind separator = +' might cause problems with group membership.
 Server role: ROLE_DOMAIN_MEMBER
 Press enter to see a dump of your service definitions

 [global]
 workgroup = DPTINFO
 realm = DPTINFO.URS.LOCAL
 server string = %h server (Extranet, Samba %v)
 security = ADS
 allow trusted domains = No
 passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
 *Retype\snew\sUNIX\spassword:* %n\n .
 use kerberos keytab = Yes
 syslog = 0
 log file = /var/log/samba/log.%m
 max log size = 1
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 dns proxy = No
 ldap admin dn = cn=admin,dc=iutinfo,dc=local
 ldap idmap suffix = ou=Idmap
 ldap suffix = dc=iutinfo,dc=local
 panic action = /usr/share/samba/panic-action %d
 idmap backend = ldap:ldap://ldap.urs.fr
 idmap uid = 1-2
 idmap gid = 1-2
 template homedir = /home/%U
 template shell = /bin/bash
 winbind separator = +
 winbind cache time = 0
 winbind use default domain = Yes
 invalid users = root

Re: [Samba] apache authentication using ad kerberos

2005-06-06 Thread Blindauer Emmanuel
Some help to finish your document:
For a Linux browser, it works the same:
you can add your server to network-negotiate-auth.trusted-uris in firefox
(file all.js), and if you already have a ticket on your linux computer, it
will be passed to the website by your browser; you'll get the same behaviour
as under Windows. konqueror works too, I have some problems with mozilla
1.7.3, didn't test galeon too.

To get the ticket I have switched all my linux computers to authenticate on
kerberos. So all users have a krb5 ticket when they have logged in.

Emmanuel


Re: [Samba] Changing AD passwords from Unix box

2005-05-11 Thread Blindauer Emmanuel
On Monday 9 May 2005 18:32, john wrote:
 I have set up my linux system to authenticate against usernames and
 passwords on a win2k3 AD server.  This seems to work fine,  users are able
 to login to the linux using ssh, browse home directories, login at the
 console

If you are using AD, and are running in native mode, you can use kerberos to
do that. I suppose that you have so your kerberos already configured.
A kpasswd should be sufficient to change your password in this case.

Emmanuel


Re: [Samba] Winbind vs pam_krb5/nss_ldap

2005-03-27 Thread Blindauer Emmanuel
I've installed samba+winbind for 2k users. I had set up my stations to use
winbind for all, and the backend used is ldap.
Now with a little more info, I will probably change the authentication on
computers to use krb5 + credential caching, so people will get a kerberos ticket
and get SSO like for windows users.
For changing their password, it works with kerberos, with kpasswd [EMAIL PROTECTED]
What isn't working is the change password at first login set up by windows,
but I didn't get further into that, only removed that.


On Monday 21 March 2005 04:46, AD. wrote:
 Hi all,

 I am just after some opinions about the pros and cons of winbind
 compared to the 'standard' kerberos and ldap methods. I've have
 already got single sign on working with pam_krb5 and nss_ldap (using
 SASL/GSSAPI) against SBS 2003 (with MSSFU 3.0) using Debian Sarge as
 clients/'member servers', and integration of Samba is the next bit I'm
 looking at.

 The impressions I get are (corrections welcome):

 Winbind should be a bit simpler to set up than the pam/nss option, and
 mean a bit less work entering UIDs and GIDs etc into Active Directory
 and generating keytabs etc.

 Using the standard kerberos/ldap methods should give more flexibility
 for integrating with other unix based services eg consistent uid
 mapping between machines (when using Active Directory at least) etc.

 Winbind users need to log on using DOMAIN\USER, while pam_krb5 users
 just need to use USER for their default realm. Or am I wrong about
 that one?

 Winbind users can change their AD password while pam_krb5 users can't
 (at this stage).


 Now for some questions...

 Is it possible or is there any value in using both winbind and
 pam_krb5/nss_ldap together? How would they integrate?

 If it's even possible, what would I miss out on if not using winbind?
 I presume there still needs to be some sort of SID mapping going on
 for Samba to do its stuff?


[Samba] AD, smb 3.0.6, ticket: Request is a replay

2004-10-14 Thread Blindauer Emmanuel
I have some problems with samba 3.0.6, AD domain in mixed mode, and kerberos
MIT 1.3.2:
Sometimes when a user wants to access a share, he's getting a wrong password
message. Looking further in logs, the problem is here:

ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Request is a replay

The only solution I've found to resolve this issue is to remove all tickets on
clients with klist.exe purge and to re-access the share.
Has someone found something to resolve this issue?

Emmanuel


Re: [Samba] Re: Idmap backend for winbind

2004-09-27 Thread Blindauer Emmanuel
On Monday 27 September 2004 14:25, Josh T wrote:
 File /etc/ldap/slapd.conf:

Don't forget the indexes, or you will run into trouble after some entries:

index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub



Emmanuel


Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-11 Thread Blindauer Emmanuel
On Friday 10 September 2004 22:28, Gerald (Jerry) Carter wrote:

 Tom, I'm not completely willing to cross this out as a redhat
 specific issue.  I've seen at least one specific report
 with debian (krb 1.3.4 and samba 3.0.6 both compiled locally).
 However, krb5 is tricky to debug remotely like this :-\

 Can anyone shed any more light on any more platforms? Other
 than debian and redhat?

Yes!

I've spent some hours looking at the versions used on other computers, and I
have an Aurora sparc with kerberos 1.3.2, samba compiled from sources 3.0.6
with patch on winbind.

Here are the logs when I mount my share \\sparc\user:


[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(177)
  ads_verify_ticket: enc type [3] decrypted message !
[2004/09/11 15:09:14, 10] passdb/secrets.c:secrets_named_mutex_release(716)
  secrets_named_mutex: released mutex for replay cache mutex
[2004/09/11 15:09:14, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(386)
  Got KRB5 session key of length 8
*

the same part, on debian (same samba 3.0.6 + winbind patch, same smb.conf, but 
krb1.3.4) \\debian\user


[2004/09/11 15:10:18, 10] passdb/secrets.c:secrets_named_mutex(702)
  secrets_named_mutex: got mutex for replay cache mutex
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] passdb/secrets.c:secrets_named_mutex_release(714)
  secrets_named_mutex: released mutex for replay cache mutex
[2004/09/11 15:10:18, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Succès)
[2004/09/11 15:10:18, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/11 15:10:18, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE



note the :
[2004/09/11 15:10:18, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Succes)

There is probably a problem here too.





The krb5.conf on the sparc:
**
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 ticket_lifetime = 24000
 default_realm = DPTINFO.URS.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1
 forwardable = true
 proxiable = true
[realms]
 DPTINFO.URS.LOCAL = {
 kdc = canard.u-strasbg.fr:88
 admin_server = canard.u-strasbg.fr:749
 default_domain = u-strasbg.fr
 }
[domain_realm]
 u-strasbg.fr = DPTINFO.URS.LOCAL
 .u-strasbg.fr = DPTINFO.URS.LOCAL
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


the krb5 on the debian:

***
[libdefaults]
default_realm = DPTINFO.URS.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config 

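An added example, not part of the original post and not Samba code: a triage of the two smbd logs in the message above (abridged below and wrapped the way the mail wrapped them), which separates "the stored key is for a different enctype" from "the key for the right enctype is wrong" and flags a ticket accepted with single DES. The enctype names follow the standard Kerberos numbering; the function names and the reading of the two error strings are this example's assumptions.

```python
import re

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
SINGLE_DES = {1, 2, 3}  # 56-bit keys, considered weak

HEADER = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},\s*\d+\]")
FAILED = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)$")
DECRYPTED = re.compile(r"enc type \[(\d+)\] decrypted message")

# Abridged from the log of \\sparc\user quoted above.
SPARC_LOG = """\
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption
type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [23] failed to decrypt with error Bad encryption
type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(177)
  ads_verify_ticket: enc type [3] decrypted message !
"""

# Abridged from the log of \\debian\user quoted above.
DEBIAN_LOG = """\
[2004/09/11 15:10:18, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad
encryption type
[2004/09/11 15:10:18, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2004/09/11 15:10:18, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad
encryption type
[2004/09/11 15:10:18, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
"""


def unwrap(text):
    """Rejoin wrapped log records: a record starts at a '[date, level]'
    header and runs until the next header."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if HEADER.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Return (attempts, findings) for one session-setup attempt.

    attempts maps enctype number -> error string, or "ok" when the ticket
    was decrypted with that key.
    """
    attempts, rejected = {}, False
    for rec in unwrap(text):
        failed = FAILED.search(rec)
        ok = DECRYPTED.search(rec)
        if failed:
            attempts[int(failed.group(1))] = failed.group(2).strip()
        elif ok:
            attempts[int(ok.group(1))] = "ok"
        elif "Failed to verify incoming ticket" in rec:
            rejected = True

    findings = []
    for etype, result in attempts.items():
        name = ENCTYPES.get(etype, "unknown")
        if result == "ok" and etype in SINGLE_DES:
            findings.append(f"weak: ticket accepted with single-DES {name}")
        elif result == "Decrypt integrity check failed":
            # Assumption: the enctype matched the ticket, the key did not.
            findings.append(f"key-mismatch: {name} key does not decrypt the ticket")
    if rejected and not any(f.startswith("key-mismatch") for f in findings):
        findings.append("rejected: no stored key matched the ticket's enctype")
    return attempts, findings


if __name__ == "__main__":
    for label, log in (("sparc", SPARC_LOG), ("debian", DEBIAN_LOG)):
        print(label, triage(log)[1])
```
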
Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-11 Thread Blindauer Emmanuel
On Friday 10 September 2004 21:39, Gerald (Jerry) Carter wrote:
 I spent some time on this today without any luck
 reproducing the problem.  My test server was SuSE 9.1 pro
 however with heimdal 0.6.1rc3.
I've looked more into kerberos: you are using the heimdal implementation, the other
reporters seem to have MIT.
Looking more at my previous post and googling about the error on the debian
computer, Decrypt integrity check failed:
a thread on the kerberos ML in June has some issues between the heimdal and MIT
implementations about decrypting a ticket:

http://mailman.mit.edu/pipermail/kerberos/2004-June/005552.html

The problem is perhaps related only to the MIT implementation.


Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-11 Thread Blindauer Emmanuel
On Saturday 11 September 2004 15:28, Blindauer Emmanuel wrote:
 have an Aurora sparc with kerberos 1.3.2, samba compiled from sources 3.0.6
 with patch on winbind.
My fault, the binaries are 3.0.3pre2 and not 3.0.6


Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-10 Thread Blindauer Emmanuel
On Sunday 05 September 2004 13:38, Christian Merrill wrote:
 Running into a lot of people upgrading to the 3.0.6 package that all
 of a sudden begin to experience the Failed to verify incoming
 ticket! errors etc., that are generally associated with a kerberos
 package incompatibility.
I'm running more tests with 3.0.5 instead of 3.0.6, and it seems that 3.0.5
has some problems too.
Sometimes, a share can't be mounted when username, pass is given, but if
DOMAIN\username, pass is given the share can be used!
I'll try to increase the level of logs, but I can't make a lot of changes per
day, because this is a prod server.

Emmanuel


Re: [Samba] Re: Re: UID and GID's

2004-09-10 Thread Blindauer Emmanuel
On Friday 10 September 2004 23:17, Tom wrote:
 Ok, I entered all that stuff in.  I also created a samba user in AD and
 delegated control to the ou idmap to it.
 I did the smbpasswd -w command and entered all the entries I needed in
 smb.conf

 Do I have to set up anything in the ldap.conf?
 it works kinda, I'm getting the following errors in my winbind.log file:

 [2004/09/10 16:25:27, 0] sam/idmap_ldap.c:ldap_allocate_id(413)
   ldap_allocate_id: single sambaUnixIdPool object not found

 What does it create in the ou Imap? Will I be able to see the entries when
 using the Active Directory MMC on the domain controllers?
You need to create your ldap with correct entries; I got them by using the
classical howto about using samba+ldap to be a domain server. You don't need
all entries in ldap, only the Idmap.
Using ldapbrowser, my Idmap is:


ou = Idmap
objectClass = organizationalUnit
objectClass = sambaUnixIdPool


this ldap tree is fully disconnected from AD, you won't see it in mmc.


 wbinfo -u works
 getent passwd doesn't work, well it only lists the /etc/passwd stuff
Normal, wbinfo uses winbind directly like doing a net user, but getent
passwd will use the nsswitch.conf, and must be able to create all entries for
having a working system. As soon as you have a working ldap backend, getent
passwd will show you more entries (it will generate the mapping at this time).
I like to do a getent passwd on the server when I add some users, to be sure
that all is working fine after adding some users.


Emmanuel


Re: BUG 1717 [was Re: [Samba] Re: Samba 3.0.6 Problems w/AD and Kerberos]

2004-09-10 Thread Blindauer Emmanuel
I've done a log level = 10  test

I've tried to mount my share, 4 times.
all four have failed.

attached are log from smbd, krb5.conf and smb.conf
(PS: hide dot files isn't working for me...)

Emmanuel

[libdefaults]
default_realm = DPTINFO.URS.LOCAL
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}

[realms]
DPTINFO.URS.LOCAL = {
 kdc = canard.u-strasbg.fr
admin_server = canard.u-strasbg.fr
}

[domain_realm]
.u-strasbg.fr = DPTINFO.URS.LOCAL
u-strasbg.fr = DPTINFO.URS.LOCAL
 
[login]
krb4_convert = true
krb4_get_tickets = true
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

Re: BUG 1717 [was Re: [Samba] Re: Samba 3.0.6 Problems w/AD and Kerberos]

2004-09-10 Thread Blindauer Emmanuel
On Saturday 11 September 2004 00:17, Blindauer Emmanuel wrote:
 attached are log from smbd, krb5.conf and smb.conf
[global]
   workgroup = DPTINFO
   server string = %h server (Samba %v)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 10
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   obey pam restrictions = yes
   log level = 10



   security = ads
   realm = DPTINFO.URS.LOCAL
   password server = *

   use sendfile = no

   ;encrypt passwords = true

   ;passdb backend = tdbsam guest


   invalid users = root

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

   socket options = TCP_NODELAY
   winbind cache time = 0
   allow trusted domains = no
   winbind separator = +
   winbind use default domain = yes
   idmap backend = ldap:ldap://oie.u-strasbg.fr
   idmap uid = 1-2
   idmap gid = 1-2

   ldap suffix = dc=iutinfo,dc=local
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=admin,dc=iutinfo,dc=local
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /data/home/%U
   template shell = /bin/false
[homes]
   path = /data/home/%U
   comment = Home Directories
   browseable = yes
   writable = yes
   create mask = 0775
   directory mask = 0775
   hide dot files = yes
[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = yes
   writable = no
   create mode = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

[libdefaults]
    default_realm = DPTINFO.URS.LOCAL
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }

[realms]
    DPTINFO.URS.LOCAL = {
        kdc = canard.u-strasbg.fr
        admin_server = canard.u-strasbg.fr
    }

[domain_realm]
    .u-strasbg.fr = DPTINFO.URS.LOCAL
    u-strasbg.fr = DPTINFO.URS.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = true

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

Re: [Samba] Re: UID and GID's

2004-09-09 Thread Blindauer Emmanuel
On Wednesday 8 September 2004 22:37, Tom wrote:
 ok, so how do I do that?

 Do I take out:
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
 and add:
   ldap idmap suffix = ou=Idmap,dc=samba,dc=org
No, you must keep the uid/gid ranges.
You must add some entries for ldap too, and create an adapted ldap server. The 
relevant section in my smb.conf is:

   idmap backend = ldap:ldap://the.ldap.server
   idmap uid = 1-2
   idmap gid = 1-2

   ldap suffix = dc=domain,dc=local
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=admin,dc=domain,dc=local

Emmanuel


Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-09 Thread Blindauer Emmanuel
On Sunday 5 September 2004 17:44, Christian Merrill wrote:
 My customers are using 1.2.X packages but this sounds identical to the
 problem they are seeing.  The effect of all this is the classic I can
 browse to shares by \\ip.address\share_name but when I try to browse by
 \\netbios_name\share_name I get prompted for a account/password and
 these errors start popping up in the logs

 Emmanuel does this problem also go away for you when you revert to an
 older samba release?

Unfortunately, I've tested last night, and it was working.
But today, looking in the logs, I see that I continue to get some Failed to verify 
incoming ticket!.

I had a look with the users getting problems: they don't see a problem despite 
the error in the logs.
So:
With 3.0.5, I see in logs:
[2004/09/09 10:03:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/09/09 10:03:56, 1] smbd/service.c:make_connection_snum(619)
  computername (xxx.xxx.xxx.xxx) connect to service username initially as username DOMAIN+username (uid=15903, gid=10153) (pid 29624)
[2004/09/09 10:03:56, 1] smbd/service.c:close_cnum(801)
  computername (xxx.xxx.xxx.xxx) closed connection to service username
The user has only opened the share in explorer, no errors

With 3.0.6, I only see in logs a lot of Failed to verify incoming ticket!
and the user cannot see his share.
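Added example, not part of the original posts: a small parser for the two-line smbd log layout quoted above that separates the two patterns described in the message, ticket failures followed by a successful connection (the 3.0.5 case) and failures with no connection after them (the 3.0.6 case). The function names, the sample log and the rule that a later connect in the same per-client log means authentication recovered are assumptions made for this illustration.

```python
import re

# smbd writes a header line, then the message on the following line(s).
HEADER = re.compile(r"^\[([\d/]+ [\d:]+), +(\d+)\] (\S+):(\w+)\((\d+)\)\s*$")

# Constructed sample in the layout quoted in the post (names and address invented).
SAMPLE_LOG = """\
[2004/09/09 10:03:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/09/09 10:03:56, 1] smbd/service.c:make_connection_snum(619)
  pc1 (192.0.2.10) connect to service alice initially as
user DOMAIN+alice (uid=15903, gid=10153) (pid 29624)
[2004/09/09 10:05:12, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/09/09 10:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
"""

def parse_records(text):
    """Group header + message lines into records; rejoins wrapped messages."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m[1], "level": int(m[2]),
                            "func": m[4], "msg": ""})
        elif records and line.strip():
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records

def classify_failures(records):
    """Return (recovered, unrecovered) ticket failures for one per-client log."""
    recovered = unrecovered = 0
    pending = False  # a failure is waiting for a later successful connect
    for rec in records:
        if (rec["func"] == "reply_spnego_kerberos"
                and "Failed to verify incoming ticket" in rec["msg"]):
            unrecovered += pending  # previous failure never got a connect
            pending = True
        elif rec["func"] == "make_connection_snum" and "connect to service" in rec["msg"]:
            recovered += pending
            pending = False
    return recovered, unrecovered + pending

if __name__ == "__main__":
    print(classify_failures(parse_records(SAMPLE_LOG)))
```

Run it against one per-client file at a time (the smb.conf in this thread uses `log file = /var/log/samba/log.%m`), since the failure lines carry no client name of their own.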


Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-08 Thread Blindauer Emmanuel
On Sunday 05 September 2004 13:38, Christian Merrill wrote:
 Running into a lot of people upgrading to the 3.0.6 package that all
 of a sudden begin to experience the Failed to verify incoming
 ticket! errors etc., that are generally associated with a kerberos
 package incompatibility.

 However many of these people are running later versions of kerberos
 *and* reverting to a previous version of Samba appears to fix the
 issue.  Is there something new setting wise that has taken place, is
 something really wrong with this new package, or is this all just a
 strange coincidence?

 Christian
I confirm the problem:
I'm running win2k SP4, AD, mixed mode, no other special conf.
The samba is 3.0.6, compiled from sources. I use winbind too.
winbind has some   krb5_cc_get_principal failed (No credentials cache found) 
but nothing special.
But the samba daemon gets, for some users, 
smbd/sesssetup.c:reply_spnego_kerberos(173) 
Failed to verify incoming ticket 
and this prevents users from accessing their share.
The kerberos used is 1.3.4

The 2000 domain has been started from scratch, no NT4 migration.

Emmanuel


Re: [Samba] UID and GID's

2004-09-08 Thread Blindauer Emmanuel
On Wednesday 08 September 2004 20:08, Tom wrote:
 Is it possible to have the same uid and gid mappings on multiple machines?
 This is for NFS mounting.

 I've searched around and it's not clear to me if it possible.

 I'm running samba 3.0.6-2, and I have everything working for ADS.

 Also, I installed SFU so there is a uid and gid field in the AD schema, is
 there any way I can tell samba to use that instead of using the idmap uid
 = 16777216-33554431 declaration?

 thanks,
 -tom
I'm sharing /home like you probably want: users are in AD, winbind does the 
uid-gid-sid mapping. I don't use SFU, but the ldap backend to store the 
mapping, and all winbind uses this mapping, so the mapping is unique.
I don't know if it is possible to use the uid/sid from SFU directly.

Emmanuel


Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-08 Thread Blindauer Emmanuel
I'll add something more about this problem, but I don't know if it is related: 
my users can't mount 2 shares on two different domains all the time (one 
share is a 2.2.x samba, the other is the 3.0.6 samba).

Emmanuel