[Samba] Running Samba 3 in a FreeBSD jail

2008-04-23 Thread Nejc Škoberne

Hello,

I've been trying to get a solution (or at least an explanation) from the
FreeBSD guys at freebsd-questions lists, but I guess no one knew the answer.

I am trying to run Samba 3 (latest) in a FreeBSD 7.0 jail
(http://en.wikipedia.org/wiki/FreeBSD_Jail). It seems I cannot convince
Samba to answer NetBIOS broadcast requests and therefore Windows machines
cannot browse it directly by name (\\machine).

I know I can set up DNS and/or WINS to achieve what I want, but I would
like to understand why I can't simply use NetBIOS broadcasts. If I put
Samba (the same configuration) out of FreeBSD jail, everything works
nicely. If I put it back into the jail, it just doesn't respond - the nmbd
is running, though; sockstat output follows:

root smbd   1436  18 tcp4   192.168.15.201:445    *:*
root smbd   1436  19 tcp4   192.168.15.201:139    *:*
root nmbd   1430  6  udp4   192.168.15.201:137    *:*
root nmbd   1430  7  udp4   192.168.15.201:138    *:*
root nmbd   1430  8  udp4   192.168.15.201:137    *:*
root nmbd   1430  9  udp4   192.168.15.201:138    *:*
root nmbd   1430  12 dgram  -> /var/run/logpriv

So it listens at the correct IP address (of the jail).

Any ideas how to debug this? How to find out why Samba doesn't respond to
NetBIOS broadcast requests when running in jail?

My smb.conf is here: http://stuff.skoberne.net/smb.conf

Thanks,
Nejc
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Response too big for UDP, retry with TCP

2007-07-13 Thread Nejc Škoberne

Hey Todd,

> Kinit uses the installed kerberos package - if your kerberos package
> does not do TCP fallback in the AS_REQ, you'll never be able to get a
> ticket when you see this error message - it's generated by the KDC,
> which will refuse to issue a ticket > roughly 1500 bytes (for MS KDCs).
> Time to update your Kerberos port (MIT's dist > 1.4.1 supports TCP).


OK, I understand now. I installed MIT's Kerberos5 (installed port 'krb5'
on FreeBSD, added 'KRB5_HOME=/usr/local' to /etc/make.conf and rebuilt
samba3 port) and I succeeded joining the Samba server into ADS domain.

Thanks to everyone!

Bye,
Nejc


Re: [Samba] Response too big for UDP, retry with TCP

2007-07-11 Thread Nejc Škoberne

Hey Martin,


> What does kinit say, if you have the
> e.g. "kdc = tcp/192.168.1.1" line in your krb.conf?


[EMAIL PROTECTED]:~# kinit [EMAIL PROTECTED]
[EMAIL PROTECTED]'s Password:
kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP

krb5.conf:

[libdefaults]
default_realm = INFRAX.LOCAL

[realms]
INFRAX.LOCAL = {
kdc = tcp/192.168.1.1
}

[domain_realms]
.infrax.local = INFRAX.LOCAL


Any more ideas?

Thanks for your help,
Nejc


Re: [Samba] Response too big for UDP, retry with TCP

2007-07-11 Thread Nejc Škoberne

Hi again,

> You could either use an administrative account which is not a member of
> so many groups (causing the "packet too big" error), or use a more
> recent version of samba.
> In any version <= 3.0.22 the tcp fallback is not implemented during the
> kpasswd request. The krb5.conf kdc line is not taken into account at
> this place.


I upgraded Samba to 3.0.25a and tried again with the user, who has administrator
privileges but is not in so many groups. I get a bit different message, but it
is still a no go:

[EMAIL PROTECTED]:~# net ads join -U domainadmin%idsrmap978
[2007/07/11 11:36:34, 0] libads/kerberos.c:ads_kinit_password(227)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Response too big for UDP, retry with TCP
Failed to join domain: NT_STATUS_PROTOCOL_UNREACHABLE

Any ideas?

Thanks,
Nejc


Re: [Samba] Response too big for UDP, retry with TCP

2007-07-10 Thread Nejc Škoberne

Hey Martin,

thanks for your quick reply.

> You could either use an administrative account which is not a member of
> so many groups (causing the "packet too big" error), or use a more
> recent version of samba.


I tried the first option first: created a new account, put it into
"Administrators" and "Domain Admins" groups (so it is in three groups now)
but I still get "packet too big" error.

> In any version <= 3.0.22 the tcp fallback is not implemented during the
> kpasswd request. The krb5.conf kdc line is not taken into account at
> this place.


I am running Samba 3.0.24 - so this version supports tcp fallback, right?

What can I try next?

Thanks,
Nejc


[Samba] Response too big for UDP, retry with TCP

2007-07-10 Thread Nejc Škoberne

Hello,

I am trying to join a Samba 3.0.24 server into an ADS domain, which is
served by two Windows 2003 servers (let's say srv1.domain.local (192.168.1.1)
and srv2.domain.local (192.168.1.4)). I am running Samba on a FreeBSD 6.2
machine and I have established an OpenVPN connection to the ADS network
(tunneling). I have this in my resolv.conf:


search domain.local
nameserver 192.168.1.1
nameserver 192.168.1.4


I also have this in my /etc/hosts:


127.0.0.1   localhost localhost.my.domain
192.168.1.1 srv1.domain.local srv1
192.168.1.4 srv2.domain.local srv2


and I have this in my krb5.conf:


[libdefaults]
default_realm = DOMAIN.LOCAL

[realms]
DOMAIN.LOCAL = {
kdc = srv1.domain.local
}

[domain_realms]
.domain.local = DOMAIN.LOCAL


And these are the relevant parameters in smb.conf:


security = ADS
netbios name = BONAPARTE
server string = BONAPARTE Samba server
workgroup = INFRAX
realm = DOMAIN.LOCAL
local master = yes
preferred master = yes
wins server = 192.168.1.1 192.168.1.4
password server = srv1


However, when I try to "kinit", I get this:

[EMAIL PROTECTED]:~# kinit [EMAIL PROTECTED]
[EMAIL PROTECTED]'s Password:
kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP

and when I try to "net ads join" into the domain, I get this:

[EMAIL PROTECTED]:~# net ads join -U Administrator%password
[2007/07/10 08:54:38, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Response too big for UDP, retry with TCP
[2007/07/10 08:54:38, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Response too big for UDP, retry with TCP

I am really stumped here. I have tried to change the kdc entry in krb5.conf
like this:

[realms]
DOMAIN.LOCAL = {
kdc = tcp/srv1.domain.local
}

but no luck either. FreeBSD 6.2 has Heimdal Kerberos 0.6.3 in its base
system, I guess this is OK.

Let me also tell you this: we first had a Windows 2000 server and
a Windows 2003 server as srv1 and srv2, but then we replaced the
2000 with another 2003. This BSD box is a new server as well, previously
I had FreeBSD 5.4 (Samba 3.0.22) and I was ABLE to join it into the ADS
(via the Win2000 server). There is no computer account in the ADS for the
BSD box anymore, so I am trying to create it again (by joining it into the
domain).

Any ideas?

Thanks,
Nejc