RE: [Samba] *samba3 ports

2003-10-21 Thread Gavin Davenport
iptables -L -v will show you which rules are being triggered (when the
service is started).

It's possible it's hitting the implicit deny all for the input rule, try
adding some logging to your rules.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Faisal, Emir (KPC)
Sent: 21 October 2003 07:19
To: [EMAIL PROTECTED]
Subject: [Samba] *samba3 ports


Dear netters,
My Linux box is installed with Samba 3.0.0 and joined to an NT domain (W2K
based). Samba works fine until I filter the incoming traffic using
iptables (v1.2.7a) on the default RedHat 9 kernel 2.4.20-8, using these rules:

[EMAIL PROTECTED] root]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.7a on Sun Oct 12 19:36:36 2003
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:100]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p icmp -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p udp -m state --state NEW -m multiport --dports 135,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m multiport --dports 135,netbios-ssn,microsoft-ds -j ACCEPT
COMMIT
# Completed on Sun Oct 12 19:36:36 2003
[EMAIL PROTECTED] root]#

When these rules are activated, I can't access my Linux shares and my Linux
returns this error:

\\samba\sharename is not accessible.
There are currently no logon servers available to
service the logon request.

The error goes away when I deactivate iptables. What has gone wrong?

salam,
ef


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
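
Added example (not part of the original thread): one way to do the logging suggested in the reply above. It appends a rate-limited LOG rule to the end of INPUT in an iptables-save file, so only packets about to hit the DROP policy are logged, and then tallies the resulting kernel log lines by protocol, destination port and source. The function names, the INPUT-DROP: prefix and the sample log lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: log what reaches the end of INPUT (and is about to be dropped
# by the ":INPUT DROP" policy), then tally the resulting kernel log lines.

LOG_PREFIX="INPUT-DROP:"    # assumed label; iptables allows up to 29 characters

# stdin: ruleset in iptables-save format; stdout: the same ruleset with one
# rate-limited LOG rule appended to INPUT in the *filter table. The rule is
# written just before COMMIT, i.e. after every ACCEPT rule, so it only sees
# packets that nothing accepted. (A ruleset that ends INPUT with its own
# DROP/REJECT rule would need the LOG rule placed before that rule instead.)
add_drop_logging() {
    awk -v prefix="$LOG_PREFIX" '
        /^\*/ { in_filter = ($0 == "*filter") }
        in_filter && $0 == "COMMIT" {
            print "-A INPUT -m limit --limit 10/min -j LOG --log-prefix " prefix " --log-level 4"
        }
        { print }
    '
}

# stdin: syslog lines; stdout: "count PROTO/DPT from SRC", most frequent first.
# Lines without the prefix are ignored; ICMP has no DPT and is shown as "-".
summarise_drops() {
    grep -F -e "$LOG_PREFIX" | awk '
        {
            proto = ""; dpt = "-"; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/)    proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            if (proto != "") count[proto "/" dpt " from " src]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# The ruleset posted in the thread (wrapped lines joined).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:100]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p icmp -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p udp -m state --state NEW -m multiport --dports 135,netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m multiport --dports 135,netbios-ssn,microsoft-ds -j ACCEPT
COMMIT
EOF
}

# Constructed kernel log lines (documentation addresses, not captured from the
# poster's machine) in the format the LOG target writes.
sample_log() {
    cat <<'EOF'
Oct 21 07:30:01 samba kernel: INPUT-DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=192.0.2.50 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=4101 PROTO=UDP SPT=137 DPT=1026 LEN=70
Oct 21 07:30:02 samba sshd[812]: Accepted password for root from 192.0.2.28 port 1045
Oct 21 07:30:03 samba kernel: INPUT-DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=192.0.2.50 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=4102 PROTO=UDP SPT=137 DPT=1026 LEN=70
Oct 21 07:30:09 samba kernel: INPUT-DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=192.0.2.28 DST=192.0.2.50 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=977 DF PROTO=TCP SPT=1050 DPT=901 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Demo: show the tail of the rewritten ruleset and the tally of dropped traffic.
sample_rules | add_drop_logging | tail -n 2
sample_log | summarise_drops
```

The rewritten ruleset can be loaded with iptables-restore; the logged lines go to the kernel log, which a default syslog setup typically writes to /var/log/messages.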


RE: [Samba] Error: Cannot find KDC for requested realm

2003-10-20 Thread Gavin Davenport
No, this isn't required.  If you don't kinit first, 'net' does it for
you, using the password it asks for.

My mistake - I apologise. For some reason klist only showed one ticket
unless I did a kinit first.

-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]]
Sent: 17 October 2003 12:00
To: Gavin Davenport
Cc: Gerald (Jerry) Carter; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Samba] Error: Cannot find KDC for requested realm


On Fri, 2003-10-17 at 20:43, Gavin Davenport wrote:
 You must authenticate using kinit first, and then net ads join with no
 arguments.
 then start winbindd and smb.

The issue is exactly as jerry points out - the kerberos libs can't find the
KDC,
and without that, we can go nowhere.

 I've posted extensively about this - search the archives.


 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1

 Jonathan Villa wrote:

  [global]
  workgroup = OURDOMAIN
  security = ADS
  realm = OURDOMAIN.com
  password server = OURSERVER
 
 
  When I try to join the domain I do the following:
 
  ./net ads join -w OURDOMAIN -U administrator
 
  and the response is this
 
  kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot
  find KDC for requested realm

 This is a krb5 lib thing.  Either hardcode the KDCs in /etc/krb5.conf
 or enable DNS SRV lookups in the krb5 libs.  Hope this helps.
--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net




RE: [Samba] Error: Cannot find KDC for requested realm

2003-10-17 Thread Gavin Davenport
You must authenticate using kinit first, and then net ads join with no
arguments.
then start winbindd and smb.

I've posted extensively about this - search the archives.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jonathan Villa wrote:

 [global]
 workgroup = OURDOMAIN
 security = ADS
 realm = OURDOMAIN.com
 password server = OURSERVER


 When I try to join the domain I do the following:

 ./net ads join -w OURDOMAIN -U administrator

 and the response is this

 kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot
 find KDC for requested realm

This is a krb5 lib thing.  Either hardcode the KDCs in /etc/krb5.conf
or enable DNS SRV lookups in the krb5 libs.  Hope this helps.





RE: [Samba] RE: SPAM

2003-10-17 Thread Gavin Davenport
I have to say I've had a massive increase (like 200 hundred swen.A mails in
the last 24 hours) since I (re)joined the samba list. I don't think it's a
fault of the list, but I'm curious as to why I've had such an increase. I
used to get about 1 virussed mail a month before I joined.

It's irritating, but it would be naive of me to blame this list.

Gavs




RE: [Samba] Re: domain groups accessing samba share

2003-10-15 Thread Gavin Davenport
Hiya Tim, Thanks for helping.


Can you post your
smb.conf 
/etc/pam.d/login
wbinfo -g
wbinfo -u
getent passwd
getent group

Here we go:
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYNETWORK.ISP.CO.UK
server string = Linux Samba Server
security = ADS
password server = bashful
log level = 3
log file = /var/log/samba/log.%m
max log size = 100
smb ports = 445
announce as = NT Workstation
name resolve order = host bcast
wins server = 10.0.0.104
client signing = Yes
server signing = Yes
client use spnego = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 10
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
#   winbind separator = +
winbind cache time = 2
#   winbind use default domain = Yes
comment = Redhat 7.1 Samba
hosts allow = 127., 10.0.0.

[homes]
comment = Home Directories
read only = No
browseable = No

[Software]
comment = Software Library
path = /mnt/largeprimary/software
#   valid users = @MYNETWORK.ISP.CO.UK\Domain Users
#   Admin users = @MYNETWORK.ISP.CO.UK\gavdav

[EMAIL PROTECTED] /root]# more /etc/pam.d/login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

wbinfo -u
[EMAIL PROTECTED] /root]# wbinfo -u
MYDOMAIN\gavdav
MYDOMAIN\Guest
MYDOMAIN\Administrator
MYDOMAIN\krbtgt
MYDOMAIN\SUPPORT_388945a0
MYDOMAIN\fbloggs
snip

wbinfo -g
[EMAIL PROTECTED] /root]# wbinfo -g
MYDOMAIN\Domain Computers
MYDOMAIN\Cert Publishers
MYDOMAIN\Domain Users
MYDOMAIN\Domain Guests
MYDOMAIN\RAS and IAS Servers
MYDOMAIN\Group Policy Creator Owners
MYDOMAIN\Schema Admins
MYDOMAIN\Enterprise Admins
MYDOMAIN\Domain Admins
MYDOMAIN\Domain Controllers
snip

[EMAIL PROTECTED] /root]# getent passwd
root:x:0:0:root:/root:/bin/bash
snip
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
gavdav:x:500:500:Gavin Davenport:/home/gavdav:/bin/bash
named:x:200:200:Nameserver:/var/named:/bin/false
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

[EMAIL PROTECTED] /root]# getent group
root:x:0:root
snip
nobody:x:99:
users:x:100:gavdav
snip
xfs:x:43:
gdm:x:42:
gavdav:x:500:
vcsa:x:69:

getent and setent are listing local users and groups.

What do I need to change in /etc/pam.d/login to fix it ?
Where should I be looking for help ?

Thanks very much

Gavin Davenport


RE: [Samba] Re: domain groups accessing samba share

2003-10-15 Thread Gavin Davenport
Ok - I replaced my /etc/pam.d/login with the one you've posted.

getent still lists me just local machine users and groups.

Trying to attach to the machine results in this in the hosts samba log:

  Doing spnego session setup
  NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
  Got OID 1 2 840 48018 1 2 2
  Got OID 1 2 840 113554 1 2 2
  Got OID 1 3 6 1 4 1 311 2 2 10
  Got secblob of size 1235
  Ticket name is [EMAIL PROTECTED]
  Username gavdav is invalid on this system
  error string = No such file or directory
  error packet at smbd/sesssetup.c(220) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
  timeout_processing: End of file from client (client has disconnected).
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
  Closing connections
  Yielding connection to
  yield_connection: tdb_delete for name  failed with error Record does not exist.
  Server exit (normal exit)

Still stuck - what should I have in /etc/pam_smb.conf, and
/etc/pam.d/system-auth ??

smb.conf now:
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYNETWORK.ISP.CO.UK
server string = Revolver
security = ADS
password server = bashful
log level = 3
log file = /var/log/samba/log.%m
max log size = 100
smb ports = 139 445
announce as = NT Workstation
name resolve order = host bcast
client signing = Yes
server signing = Yes
client use spnego = Yes
use spnego = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 10
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
winbind separator = +
winbind cache time = 2
winbind use default domain = Yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yeS
comment = Redhat 8.0 Samba
hosts allow = 127., 10.0.0.

[homes]
comment = Home Directories
read only = No
browseable = No

[usr-local]
path = /usr/local
read only = Yes
valid users = @MYNETWORK.ISP.CO.UK\Domain Users
Admin users = @MYNETWORK.ISP.CO.UK\gavdav

###
Re: domain groups accessing samba share


Hi Gavin,

This is what I have for my /etc/pam.d/login

#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so nodelay use_first_pass
auth       sufficient   /lib/security/pam_krb5.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    sufficient   /lib/security/pam_krb5.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

And when I issue getent group or getent passwd it lists both local and ADS
users.

Regards,

Luke


-----Original Message-----
From: Gavin Davenport [mailto:[EMAIL PROTECTED]]
Sent: 15 October 2003 09:05
To: [EMAIL PROTECTED]
Cc: Tim Jordan, Network Services
Subject: RE: [Samba] Re: domain groups accessing samba share


Hiya Tim, Thanks for helping.


Can you post your
smb.conf
/etc/pam.d/login
wbinfo -g
wbinfo -u
getent passwd
getent group

Here we go:
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYNETWORK.ISP.CO.UK
server string = Linux Samba Server
security = ADS
password server = bashful
log level = 3
log file = /var/log/samba/log.%m
max log size = 100
smb ports = 445
announce as = NT Workstation
name resolve order = host bcast
wins server = 10.0.0.104
client signing = Yes
server signing = Yes
client use spnego = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 10
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
#   winbind separator = +
winbind cache time = 2
#   winbind use default domain = Yes
comment = Redhat 7.1 Samba
hosts allow = 127., 10.0.0.

[homes]
comment = Home Directories
read only = No
browseable = No

[Software]
comment = Software Library
path = /mnt/largeprimary/software
#   valid users = @MYNETWORK.ISP.CO.UK\Domain Users
#   Admin users = @MYNETWORK.ISP.CO.UK\gavdav

[EMAIL PROTECTED] /root]# more /etc/pam.d/login
#%PAM-1.0

RE: [Samba] Re: domain groups accessing samba share

2003-10-14 Thread Gavin Davenport
Hi there

Make this:
valid users = @LABOR\domain admins

 write list = @LABOR\domain admins
write useres = @LABOR\domain admins

What if the domain user doesn't have a local user on the unix machine ?

How do I get round that ??


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John H Terpstra
Sent: 14 October 2003 02:18
To: Tim Jordan, Network Services
Cc: [EMAIL PROTECTED]
Subject: [Samba] Re: domain groups accessing samba share


On Mon, 13 Oct 2003, Tim Jordan, Network Services wrote:

 Hey John,
 I've been working on this most the day.  Just can't seem to nail it
 down!  (Yes sir I did read the How To)
 Winbind is working fine - I can:
 wbinfo -g
 wbinfo -u
 getent passwd
 getent group

 Problem is when I try to use a domain group on a Samba share I get a
 username and password prompt; although, nothing seems to get me in!

 Please advise

 #Samba 3.0 running under Gentoo1.4
 [global]
 workgroup = LABOR
 realm = LABOR.AK
 server string = Samba3 on ANC-Gentoo1.4
 security = ADS
 password server = passwordserver
 log file = /usr/local/samba/var/log.%m
 max log size = 50
 socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
 os level = 0
 preferred master = No
 local master = No
 domain master = No
 dns proxy = No
 wins server = win_server_ip
 idmap uid = 1-2
 idmap gid = 1-2
 template homedir = /home/winnt/%D/%U
 template shell = /bin/bash

 [Linux Software]
 comment = Open Source Software
 path = /home/tim/Linux Software
 valid users = @LABOR\domain admins

 read only = No





-- 
John H Terpstra
Email: [EMAIL PROTECTED]


[Samba] Active directory groups and shares.

2003-10-12 Thread Gavin Davenport
Hi there

I don't think I completely understand how to configure the shares to honour
and use domain groups - I don't think it is at the moment.

I don't know how to get samba to show me the domain information being used
to work out share permissions. In this case, my userid is in the Domain
Admins group and I want write access to the software share.

smbstatus appears to be showing me login credentials that look like the unix
id/group on the host. I also have a local (unix) machine account (
group)using the same login name, which it appears to be using:
smbstatus:
[EMAIL PROTECTED] /root]# smbstatus
Processing section [homes]
Processing section [Software]

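Samba version 3.0.1pre1
PID     Username      Group         Machine
-------------------------------------------------------------------
 2136   gavdav        gavdav        10.0.0.28    (10.0.0.28)

Service      pid     machine       Connected at
-------------------------------------------------------
gavdav       2136    10.0.0.28     Sun Oct 12 09:45:41 2003

Locked files:
Pid    DenyMode   Access      R/W        Oplock           Name
--------------------------------------------------------------
2136   DENY_WRITE 0x2019f     RDWR       EXCLUSIVE+BATCH  /home/gavdav/pstfile.pst   Sun Oct 12 09:46:30 2003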

smbstatus is listing (I think) my unix account. Why doesn't it say my
primary group is 'Domain Admins' ??

What have I forgotten ?

Also, how does samba decide whether to write logfiles as
$logdir/log.ip.add.re.ss or as $logdir/log.hostname ?

Gavin Davenport


*
My smb.conf
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYNETWORK.ISP.CO.UK
server string = Linux Samba Server
security = ADS
password server = bashful
log level = 3
log file = /var/log/samba/log.%m
max log size = 100
smb ports = 445
announce as = NT Workstation
name resolve order = host bcast
wins server = 10.0.0.104
client signing = Yes
server signing = Yes
client use spnego = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 10
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
#   winbind separator = +
winbind cache time = 2
#   winbind use default domain = Yes
comment = Redhat 7.1 Samba
hosts allow = 127., 10.0.0.

[homes]
comment = Home Directories
read only = No
browseable = No

[Software]
comment = Software Library
path = /mnt/largeprimary/software
valid users = @MYNETWORK.ISP.CO.UK\Domain Users
Admin users = @MYNETWORK.ISP.CO.UK\Domain Admins

*
I was working from these hints :)

In order to make it work, I had to take out the lines winbind use default
domain = yes, and winbind separator = + and then fully specify the domain
group in my share definition as such:

[shared]
path = /svr/shared
valid users = @TESTSYS\shared   (or @TESTSYS\Domain Users if there are
spaces in the group)
writeable = yes
browseable = yes
force group = TESTSYS\shared

I think this could be a bug that it does not accept only valid users =
shared while winbind use default domain = yes.  It appears that samba is
not correctly matching the group the domain controllers group.

The + is not a good separator because if you read about the valid users
directive, it uses a + to specify a unix group.

Hope this helps someone!
Rich




RE: [Samba] Ldap.h missing in samba-3.0.0

2003-10-10 Thread Gavin Davenport
configure: error: ldap.h is needed for LDAP support

You need the openldap-devel package for ldap.h I think.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kenny Mann
Sent: 08 October 2003 19:45
To: [EMAIL PROTECTED]
Subject: [Samba] Ldap.h missing in samba-3.0.0


I have downloaded samba-3.0.0.tar.bz2 (and samba-latest.tar.gz) and
attempted to run ./configure --with-ldapsam --with-winbind
--with-pam_smbpass --with-smbmount --with-ads --with-ldap
Only to find that ./configure complains of a missing ldap.h file. Does
anyone else have this issue? I'm trying to do a simple setup to having a
Linux box communicate to my Windows 2000 Server PDC, which runs Active
Directory. Am I doing something stupid here? I've also tried getting
samba-3.0.0 from the slackware.org packages (I run slackware 9.1) and
using their package tool to install it via that method, however I have
failed getting this to work. After I failed using the Samba
documentation, I googled around and found this site:
http://info.ccone.at/INFO/Samba/index.html
It's been very useful.

Here is the last snippets of the './configure --with-ldapsam
--with-winbind --with-pam_smbpass --with-smbmount --with-ads
--with-ldap':
checking for root... yes
checking for iface AIX... no
checking for iface ifconf... got 2 interfaces:
eth0   IP=192.168.0.43 NETMASK=255.255.255.0
lo IP=127.0.0.1 NETMASK=255.0.0.0
yes
checking for setresuid... OK
yes
checking for working mmap... yes
checking for ftruncate needs root... no
checking for fcntl locking... yes
checking for broken (glibc2.1/x86) 64 bit fcntl locking... no
checking for 64 bit fcntl locking... yes
checking for st_blocks in struct stat... yes
checking for st_blksize in struct stat... yes
checking for broken RedHat 7.2 system header files... no
checking for broken nisplus include files... yes
checking whether to use smbwrapper... no
checking whether to use AFS clear-text auth... no
checking whether to use AFS fake-kaserver... no
checking whether to use DFS clear-text auth... no
checking for LDAP support... yes
checking ldap.h usability... no
checking ldap.h presence... no
checking for ldap.h... no
checking lber.h usability... no
checking lber.h presence... no
checking for lber.h... no
configure: error: ldap.h is needed for LDAP support


After taking out the --with-ldap and attempting to re-run configure, I
get:
checking for LDAP support... auto
checking ldap.h usability... no
checking ldap.h presence... no
checking for ldap.h... no
checking lber.h usability... no
checking lber.h presence... no
checking for lber.h... no
configure: WARNING: ldap.h is needed for LDAP support
checking for Active Directory and krb5 support... yes
configure: error: Active Directory Support requires LDAP support

Any ideas or suggestions would be extremely appreciated.

--
--Kenny Mann
 


[Samba] Redhat and windows 2003 Active directory authentication

2003-10-10 Thread Gavin Davenport
No, it's a bug.   Please file it in bugzilla. 

Basically, we look in the path for krb5-config before we consult
that parameter.

Done.
https://bugzilla.samba.org/show_bug.cgi?id=600







RE: [Samba] Not able to invoke swat

2003-10-09 Thread Gavin Davenport
I am able to invoke swat from http://moon:901 but I
am not able to invoke from mars.

If I put http://moon:901 from the mars web browser I
am getting the error page cannot be displayed

look at /etc/xinetd/swat file. the default 'allow' (if you're using xinetd)
is only localhost.
add your local network/mask and restart swat.





[Samba] Rehat Samba 3.0.0 and MIT KRb 1.3.1 build problems.

2003-10-09 Thread Gavin Davenport
Hi there

Because I can't work out how to get the samba 3 SRPM to honour my preferred
krb5 path, I have had to resort to installing the 1.3.1 libraries from
http://www.crypto-publish.org/dist/mit-kerberos5/krb5-1.3.1.tar.gz
into the directories used by the redhat RPM files (/usr/kerberos)

This gets some way through the build, but fails when linking
Compiling lib/smbldap.c
Compiling smbd/server.c
Linking bin/smbd
libsmb/clikrb5.o: In function `ads_krb5_mk_req':
libsmb/clikrb5.o(.text+0x2a8): undefined reference to
`krb5_cc_get_principal'
libads/krb5_setpw.o: In function `ads_krb5_set_password':
libads/krb5_setpw.o(.text+0x130d): undefined reference to
`krb5_cc_get_principal'
libads/kerberos.o: In function `kerberos_kinit_password':
libads/kerberos.o(.text+0x15f): undefined reference to `krb5_cc_initialize'
libads/kerberos.o(.text+0x17b): undefined reference to `krb5_cc_store_cred'
libads/kerberos.o(.text+0x193): undefined reference to `krb5_cc_close'
libads/kerberos.o(.text+0x1dd): undefined reference to `krb5_cc_close'
libads/kerberos_verify.o: In function `free_keytab':
libads/kerberos_verify.o(.text+0x1d): undefined reference to `krb5_kt_close'
collect2: ld returned 1 exit status
make: *** [bin/smbd] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.95539 (%build)

I'm stuck.
1. I can't successfully install krb 1.3.1 RPMs (lots of changes to the RPM
contents - see other mails)
2. Samba doesn't work properly against a 2003 AD server with the 1.2.x krb
libs present on redhat systems (fix is to use 1.3.1 krb libs)
3. The --with-krb5= entry in the spec file is either ignored in the
configure script, or it prefers the system krb5 libs
4. When I install krb 1.3.1 on top of the system krb 1.2.4, samba won't build
(see above)

Heelp. Is there a way I can let samba use system krb5 libs, but maybe
compile and install heimdal 0.6 somewhere to be linked ???

Gavin Davenport



-----Original Message-----
From: Gavin Davenport [mailto:[EMAIL PROTECTED]]
Sent: 09 October 2003 09:44
To: [EMAIL PROTECTED]
Subject: RPM build not honouring contents of SPEC file.


Hi there

(redhat 7.1 OS, Samba 3.0.0, against 2003 ADS server)

I built the MIT kerberos libraries from
using
./configure --prefix/usr/local/kerberos --exec-prefix=/usr/local/kerberos

I now have these in /usr/local/kerberos.

I set the --with-krb5 in the spec file:

--with-libsmbclient \
--with-krb5=/usr/local/kerberos \
--with-ads \
--with-ldap

then
[EMAIL PROTECTED] SPECS]# rpmbuild -bb samba3.spec
snip
+ '[' '!' -f configure ']'
+ CFLAGS=-O2 -march=i386 -mcpu=i686
+ ./configure --prefix=/usr --localstatedir=/var --with-configdir=/etc/samba --with-privatedir=/etc/samba --with-fhs --with-quotas --with-smbmount --with-pam --with-pam_smbpass --with-syslog --with-utmp --with-sambabook=/usr/share/swat/using_samba --with-swatdir=/usr/share/swat --with-libsmbclient --with-krb5=/usr/local/kerberos --with-ads --with-ldap
!!gets it right here!!snip

checking whether LDAP support is used... yes
checking for Active Directory and krb5 support... yes

!!then looks in the wrong place!!

checking for krb5-config... /usr/kerberos/bin/krb5-config
checking for working krb5-config... yes
checking krb5.h usability... yes
checking krb5.h presence... yes
checking for krb5.h... yes
checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi/gssapi_generic.h usability... yes
checking gssapi/gssapi_generic.h presence... yes
checking for gssapi/gssapi_generic.h... yes
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking com_err.h usability... yes
checking com_err.h presence... yes
checking for com_err.h... yes
snip
checking whether Active Directory and krb5 support is used... yes

Why is it doing this ?? I can go and change the configure script to get it
built - but I thought I'd let someone know.
Am I doing it wrong ??

Gavin Davenport




[Samba] RE: Rehat Samba 3.0.0 and MIT KRb 1.3.1 build problems.

2003-10-09 Thread Gavin Davenport
I've just tried installing the prebuilt binary rh8_i386 RPM from:
ftp://ftp.mirror.ac.uk/sites/ftp.samba.org/Binary_Packages/RedHat/RPMS/i386/
8.0/samba-3.0.0-2_rh8.i386.rpm
on my redhat 8.0 machine.

It suffers the same (SMB signing) problem as one built from the SRPM:-
running winbindd -i -vv

got [EMAIL PROTECTED]
Doing kerberos session setup
signing_good: SMB signature check failed on seq 1!
SMB Signature verification failed on incoming packet!
scanning trusted domain list

Samba 3.0.0 worked first time on the freebsd machine with heimdal 0.6.

I can't for the life of me get redhat to work.

Gavin Davenport


-----Original Message-----
From: Gavin Davenport [mailto:[EMAIL PROTECTED]]
Sent: 09 October 2003 15:38
To: [EMAIL PROTECTED]
Subject: Rehat Samba 3.0.0 and MIT KRb 1.3.1 build problems.


Hi there

Because I can't work out how to get the samba 3 SRPM to honour my preferred
krb5 path, I have had to resort to installing the 1.3.1 libraries from
http://www.crypto-publish.org/dist/mit-kerberos5/krb5-1.3.1.tar.gz
into the directories used by the redhat RPM files (/usr/kerberos)

This gets some way through the build, but fails when linking
Compiling lib/smbldap.c
Compiling smbd/server.c
Linking bin/smbd
libsmb/clikrb5.o: In function `ads_krb5_mk_req':
libsmb/clikrb5.o(.text+0x2a8): undefined reference to
`krb5_cc_get_principal'
libads/krb5_setpw.o: In function `ads_krb5_set_password':
libads/krb5_setpw.o(.text+0x130d): undefined reference to
`krb5_cc_get_principal'
libads/kerberos.o: In function `kerberos_kinit_password':
libads/kerberos.o(.text+0x15f): undefined reference to `krb5_cc_initialize'
libads/kerberos.o(.text+0x17b): undefined reference to `krb5_cc_store_cred'
libads/kerberos.o(.text+0x193): undefined reference to `krb5_cc_close'
libads/kerberos.o(.text+0x1dd): undefined reference to `krb5_cc_close'
libads/kerberos_verify.o: In function `free_keytab':
libads/kerberos_verify.o(.text+0x1d): undefined reference to `krb5_kt_close'
collect2: ld returned 1 exit status
make: *** [bin/smbd] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.95539 (%build)

I'm stuck.
1. I can't successfully install krb 1.3.1 RPMs (lots of changes to the RPM
contents - see other mails)
2. Samba doesn't work properly against a 2003 AD server with the 1.2.x krb
libs present on redhat systems (fix is to use 1.3.1 krb libs)
3. The --with-krb5= entry in the spec file is either ignored in the
configure script, or it prefers the system krb5 libs
4. When I install krb 1.3.1 on top of the system krb 1.2.4, samba won't build
(see above)

Heelp. Is there a way I can let samba use system krb5 libs, but maybe
compile and install heimdal 0.6 somewhere to be linked ???

Gavin Davenport



-----Original Message-----
From: Gavin Davenport [mailto:[EMAIL PROTECTED]]
Sent: 09 October 2003 09:44
To: [EMAIL PROTECTED]
Subject: RPM build not honouring contents of SPEC file.


Hi there

(redhat 7.1 OS, Samba 3.0.0, against 2003 ADS server)

I built the MIT kerberos libraries from
using
./configure --prefix/usr/local/kerberos --exec-prefix=/usr/local/kerberos

I now have these in /usr/local/kerberos.

I set the --with-krb5 in the spec file:

--with-libsmbclient \
--with-krb5=/usr/local/kerberos \
--with-ads \
--with-ldap

then
[EMAIL PROTECTED] SPECS]# rpmbuild -bb samba3.spec
snip
+ '[' '!' -f configure ']'
+ CFLAGS=-O2 -march=i386 -mcpu=i686
+ ./configure --prefix=/usr --localstatedir=/var --with-configdir=/etc/samba --with-privatedir=/etc/samba --with-fhs --with-quotas --with-smbmount --with-pam --with-pam_smbpass --with-syslog --with-utmp --with-sambabook=/usr/share/swat/using_samba --with-swatdir=/usr/share/swat --with-libsmbclient --with-krb5=/usr/local/kerberos --with-ads --with-ldap
!!gets it right here!!snip

checking whether LDAP support is used... yes
checking for Active Directory and krb5 support... yes

!!then looks in the wrong place!!

checking for krb5-config... /usr/kerberos/bin/krb5-config
checking for working krb5-config... yes
checking krb5.h usability... yes
checking krb5.h presence... yes
checking for krb5.h... yes
checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi/gssapi_generic.h usability... yes
checking gssapi/gssapi_generic.h presence... yes
checking for gssapi/gssapi_generic.h... yes
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking com_err.h usability... yes
checking com_err.h presence... yes
checking for com_err.h... yes
snip
checking whether Active Directory and krb5 support is used... yes

Why is it doing this ?? I can go and change the configure script to get it
built - but I thought I'd let someone know.
Am I doing it wrong ??

Gavin Davenport




RE: [Samba] Problem with swat on new installation

2003-10-08 Thread Gavin Davenport
netstat -an | grep LIST

if there's an entry for *.901 the service is listening.

should also be things written into $logdir/log.swat I think.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Alsén
Sent: 06 October 2003 23:31
To: [EMAIL PROTECTED]
Subject: [Samba] Problem with swat on new installation


Hi!

Just subscribed to this list and already need some help :)

I just installed Samba (samba-3.0.0-2_rh8.i386.rpm) and have some trouble
getting swat to work. When trying to open localhost:901 (or 'hostname':901
or 127.0.0.1:901, i've tried them all ;) ) i get:

'An error occured while loading (whatever adress i used)
 Connection to host (whatever adress i used) is broken'

Is there anything i should look for? I've tried tweaking stuff back and
forwards but am stuck now. Is there any way i can reach swat other than by
browser url?

Thanks!
- Daniel




RE: [Samba] Still having trouble with Redhat 7.1 and windows 2003 DC authentication.

2003-10-08 Thread Gavin Davenport
Hi there.

I've been trying to coax a redhat 7.1 and 8.0 system to accept new krb RPMs
without resorting to --nodeps. Unsuccessfully.

There seems to have been a major change between a krb5-libs-1.2.4x RPM and a
krb5-libs-1.3.1x RPM - including that a 1.3 RPM does NOT provide a
/usr/kerberos/lib/libcom_err.so.3.0.
Lots of things seem to depend on this krb5 .so being present (including
openssh, cyrus-sasl, nss-ldap).

I stripped back what I could, but when the next things to be uninstalled to
break the dependency chain were packages like 'passwd' - I stopped.

I managed to find this from rpmfind:
* Wed Jun 18 2003 Nalin Dahyabhai [EMAIL PROTECTED] 1.3-0.beta.4
  - test update to 1.3 beta 4
  - ditch statglue build option
  - krb5-devel requires e2fsprogs-devel, which now provides libss and
libcom_err

I have had to upgrade my e2fsprogs(devel) to suit this.

I finally chose to resort to a --nodeps upgrade of the krb5 and cyrus-sasl
packages on the redhat 8.0 machine

I also symlinked the libcom_err.so so it can be found in the libpath:
-rwxr-xr-x 1 root root 9699 Oct  8 15:03 /lib/libcom_err.so.2.1
lrwxrwxrwx 1 root root   17 Oct  8 15:10 /lib/libcom_err.so.2 -> libcom_err.so.2.1
lrwxrwxrwx 1 root root   17 Oct  8 21:03 /lib/libcom_err.so.3 -> libcom_err.so.2.1
so sshd starts without complaint.

As this .so used to be provided by krb-libs-1.2.x, can anyone shed any light
on why this is now offered by e2fsprogs ?

It seems krb5-devel-1.3.1 contains a subset of what's in krb5-devel-1.2.4-11,
and files are delivered into different places, e.g. :
1.2.4x - /usr/kerberos/include/krb5.h
1.3.1x = /usr/include/krb5.h.

There are a number of other files in krb5-1.2.4 that are now not in
krb5-1.3.1 and dispersed across other (rawhide) RPMs, meaning the SRPM build
doesn't find the krb5.h and fails.

I don't know if any other redhat users have succeeded in getting samba 3.0.0
talking to a 2003 ADS server - I think this is really unpleasant.

BTW - when I installed MIT krb5 from
http://www.crypto-publish.org/dist/mit-kerberos5/krb5-1.3.1.tar.gz
I specified it in the samba3.spec file delivered by the src rpm.
(using --with-krb5=/usr/local/kerberos \) (where I installed it)

I don't know whether the rpmbuild process prefers to use the system resident
krb5 stuff
(at /usr/kerberos)
but it ignored the krb installation I specified. Is that a (build) bug or
did I do it wrong ??

Gavin Davenport




RE: [Samba] file sharing over Internet

2003-10-08 Thread Gavin Davenport
That's a very bad idea as that's how lots of Windows viruses try to spread :)

Have a look at SSH; you can login, copy files, run remote sessions, all
reasonably securely.
You can probably tunnel a samba connection through an ssh connection too :)

Gavs

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Behalf Of CHEUNG Chi Wai, Chris
Sent: 07 October 2003 08:01
To: '[EMAIL PROTECTED]'
Subject: [Samba] file sharing over Internet


Hi,

I have setup a Samba in Local network and working perfect. I want to release
my share over Internet
so that my PC at home can access this share at the RUN \\MYIPADDRESS.
Is it possible?

Cris


[Samba] Still having trouble with Redhat 7.1 and windows 2003 DC authentication.

2003-10-07 Thread Gavin Davenport
Hi there

I'm still going round in circles trying to get winbindd authentication
against a 2003 server working.

I have what appears to be the same problem as:
http://www.ssite.org/articles/view.aspx?class=2articleid=2
There's something wrong with the SMB Packet signing on this machine.

In parallel, I successfully built and have got working samba-devel on
FreeBSD 5.1 against the same ADS.
I used these hints:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg33123.html
and it works (using a pretty much identical smb.conf)
Key additions are:
client signing = Yes
server signing = Yes
client use spnego = Yes

The box I'm having trouble with is a redhat 7.1 box. I've upgraded the
standard 7.1 RPMs re. krb & pam from:
[EMAIL PROTECTED] samba]# rpm -qa | grep krb
pam_krb5-1.31-1
krb5-libs-1.2.2-24
krb5-workstation-1.2.2-24
krb5-devel-1.2.2-24
krbafs-1.0.5-1
krbafs-utils-1.0.5-1
to:
pam_krb5-1.55-1
krb5-libs-1.2.2-24
krb5-workstation-1.2.2-24
krb5-devel-1.2.2-24
krbafs-1.0.9-2
krbafs-devel-1.0.9-2
krbafs-utils-1.0.9-2

Using some SRPMs from rh7.3.

I don't know how to work out what version of Heimdal is within these
packages which samba-3 has linked to. I have read that 2003 server requires
heimdal 1.6 or older, so I went and got that, compiled and built it
(from: ftp://ftp.pdc.kth.se/pub/heimdal/src/)

This built me a heimdal subdirectory (I wanted it separate), which I then
configured in the samba.spec file:
--with-krb5=/usr/local/heimdal.
but the Samba3 srpm wouldn't compile with this version of heimdal - there
seemed to be lots of bits missing.

smbclient works ok from the Redhat box against the XP, 2003 or FreeBSD SMB
Servers, domain authentication works for that.
No clients can attach to the redhat server, they all seem to fail for SMB
packet signing reasons.

I don't really want to change the DC settings, the BSD box works, I'd like
the RedHat box to work too :)

I would like to know which RPM supplies the right version of heimdal for
2003AD authentication to work, right now I don't know which bit to look at.

Anyone got to the end of this struggle with a redhat box this age ??

Winbindd -i -vv shows:

client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] 08 CE A3 BF F9 D5 1E 09   .Σ¿ùÕ..
client_check_incoming_message: BAD SIG: got SMB signature of
[000] 91 F7 B2 53 5B CA EB 3F   .÷²S[Êë?
signing_good: SMB signature check failed on seq 1!
SMB Signature verification failed on incoming packet!
failed kerberos session setup with NT_STATUS_OK
anonymous connection attempt to BASHFUL from POTATO
failed anonymous session setup with NT_STATUS_OK
trusted_domains: Could not open a connection to GDA-ADSL.DEMON.CO.UK for
PIPE_NETLOGON (NT_STATUS_UNSUCCESSFUL)
convert_string_allocate: Conversion error: Illegal multibyte sequence(ˆÌ)
convert_string_allocate: Conversion error: Illegal multibyte sequence(ˆÌ)
rescan_trusted_domains: Can't find my own domain!

Is this a software version thing or is the PDC signing the SMB packets with
an old host key ??

Has anyone done ADS authentication on a Redhat 7.1 box/samba 3.0.0 host ??

Gavin Davenport

p.s. I've just tried the same build on a redhat 8.0 box. That's failing for
the same reason.
Is it a password thing ??


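The winbindd debug output quoted in the message above can be triaged mechanically. The following is an added example, not part of the original post and not Samba code: it pairs each "wanted"/"got" signature dump with the sequence number of the failed check. The sample log is constructed from the format quoted in the post, and all function and variable names are assumptions.

```python
import re

# Sample winbindd -i -vv output, constructed from the format quoted in the
# post above (the printable-character column of the hex dump is simplified).
SAMPLE_LOG = """\
client_check_incoming_message: BAD SIG: wanted SMB signature of
[000] 08 CE A3 BF F9 D5 1E 09   ........
client_check_incoming_message: BAD SIG: got SMB signature of
[000] 91 F7 B2 53 5B CA EB 3F   ...S[..?
signing_good: SMB signature check failed on seq 1!
SMB Signature verification failed on incoming packet!
failed kerberos session setup with NT_STATUS_OK
"""

SIG_HEADER = re.compile(r"BAD SIG: (wanted|got) SMB signature of")
# An SMB signature is 8 bytes, dumped as one "[000] xx xx ..." line.
HEX_DUMP = re.compile(r"^\[\d{3}\]((?: [0-9A-Fa-f]{2}){8})")
SEQ_FAIL = re.compile(r"signing_good: SMB signature check failed on seq (\d+)")


def signing_failures(log_text):
    """Return one dict per failed signature check: seq, wanted, got (hex)."""
    failures = []
    pending = {}      # signatures seen since the last completed record
    expect = None     # "wanted" or "got" when the next line is a hex dump
    for line in log_text.splitlines():
        header = SIG_HEADER.search(line)
        if header:
            expect = header.group(1)
            continue
        dump = HEX_DUMP.match(line.strip())
        if dump and expect:
            pending[expect] = dump.group(1).replace(" ", "").lower()
            expect = None
            continue
        expect = None
        seq = SEQ_FAIL.search(line)
        if seq:
            # At lower debug levels no dump precedes the failure line,
            # so wanted/got may be None.
            failures.append({"seq": int(seq.group(1)),
                             "wanted": pending.get("wanted"),
                             "got": pending.get("got")})
            pending = {}
    return failures


if __name__ == "__main__":
    for failure in signing_failures(SAMPLE_LOG):
        print(failure)
```
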


[Samba] Samba 3.0 Windows 2003 server ADS

2003-10-06 Thread Gavin Davenport
I suspect winbindd is bound to ADS as 'anonymous', which I imagine gives the
account read only and limited rights to do things.

Does winbindd need to authenticate to the PDC with a specific (krb5)
identity ?
How do I set that up ?

I can't successfully run kadmin
[EMAIL PROTECTED] samba]# kadmin
Authenticating as principal Administrator/[EMAIL PROTECTED] with
password.
kadmin: Client not found in Kerberos database while initializing kadmin
interface

The only example I can find for creating a /etc/krb5.keytab is
http://mailman.mit.edu/pipermail/kerberos/2002-June/001055.html
which talks about the FTP service key.

Do I need to have a /etc/krb5.keytab file, and if so how do I create one ??

Anyone any help - I'm not sure if I have a winbind problem or a krb5
problem - somewhere in between ?

Gavin Davenport




[Samba] newbie problems.

2003-10-05 Thread Gavin Davenport
Hi there

I've built samba-3.0.0-2 from the src rpm on a redhat 7.1 system.
I had to make sure a few ldap and kerberos devel rpms were installed, but I
managed to build and install it eventually.
I added:
--with-ads \
--with-krb5=/usr/kerberos \
--with-ldap
to the SPEC file for the package.

I followed mainly what's in here:
http://www.opensource.apple.com/darwinsource/7.0b1/samba/samba/docs/htmldocs/ads.html
and succeeded, briefly, in getting it all working (I think) for about 20
minutes.

Unfortunately I had to power off the machine as I lost control of it (don't
ask), got the machine back up and running,
and I now don't seem to be able to get it to use ADS authentication.

I'm now a bit confused about the order in which things are supposed to happen.

Is winbindd dependent on a working krb5.conf ?
How do I determine what bit isn't working ?

kinit -U [EMAIL PROTECTED] appears to challenge me for the right password, and works.

I appear to be able to net ads join and net ads leave ok.

if I run winbindd with -i and -vv I get:

got [EMAIL PROTECTED]
Doing kerberos session setup
signing_good: SMB signature check failed on seq 1!
SMB Signature verification failed on incoming packet!
failed kerberos session setup with NT_STATUS_OK
failed anonymous session setup with NT_STATUS_OK

Every 10 minutes or so.

kadmin also doesn't seem to work - I get:
]# kadmin
Authenticating as principal Username/[EMAIL PROTECTED] with password.
kadmin: Client not found in Kerberos database while initializing kadmin
interface.

my machine didn't have a /var/kerberos/krb5kdc/kdc.conf file - do I create
one by hand or is there a tool to help generate one ??

Can anyone help me with some diagnostic tips ?

Gavin Davenport

