Re: [Samba] Ideas for distributed Samba servers

2010-04-12 Thread Ravi Channavajhala
On Mon, Apr 12, 2010 at 7:17 AM, Stan Hoeppner s...@hardwarefreak.com wrote:
 Robert LeBlanc put forth on 4/11/2010 8:19 PM:
 On Sun, Apr 11, 2010 at 9:03 AM, ravi channavajhala ravi.channavajh...@dciera.com wrote:

 WAFS (Wide Area File System) appliances can be very well deployed for this
 sort of thing precisely.  Unfortunately, I don't know of any open-source
 project for WAFS.  However, commercial solutions such as Riverbed, Expand
 Networks, CISCO/WAFS, Juniper/Peribit do exist.


 So far, this is the direction that we may go. We have looked at a Riverbed
 product; it's good to know alternatives. This may not be as much of an issue
 as it was in the past, as I believe we may get a network upgrade that will
 negate the need for this.

 I would think it would be cheaper and more straightforward to replace the
 GbE port on each end of the fiber link with a 10GbE port than to deal with
 the complexity of caching and replication, or other such options, especially
 for two buildings on the same campus.  The fiber link is on campus and thus
 you control any right-of-way issues, correct?

I'd like to know if anyone else thinks this can work as well as a
method with write back caching etc...

Regards,
/rkc
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Ideas for distributed Samba servers

2010-04-11 Thread ravi channavajhala
WAFS (Wide Area File System) appliances can be very well deployed for this
sort of thing precisely.  Unfortunately, I don't know of any open-source
project for WAFS.  However, commercial solutions such as Riverbed, Expand
Networks, CISCO/WAFS, Juniper/Peribit do exist.

Regards,
/rkc

CTO
DCiEra (P) Ltd


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Adam Tauno Williams
Sent: Sunday, April 11, 2010 8:15 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Ideas for distributed Samba servers

On Sat, 2010-04-10 at 10:14 -0700, Eric Shubert wrote:
 Robert LeBlanc wrote:
  I'm trying to think about how to set up a Samba system and would like to pick
  the brains of some experts. We are looking to put a large amount of storage
  ~75TB in a central data center. We have some remote (ok, not remote, but
  across slower links, ok if you consider several hundred clients over 1Gb to
  be slow) locations that we would like to set up samba servers that 'cache'
  the file system and serve it up to the clients in the building and sync with
  the main data center storage.

a.) I don't think you can really do that with a 'file server'

b.) I believe what you describe is almost exactly how AFS works.
http://www.openafs.org/
  OpenAFS is the world's foremost location independent file system.

c.) Most SAN vendors provide a block-level replication solution for
their products.

  The idea is to have a couple of TB that are
  located in the building that serve up the Samba share. When a client
  requests a file, if it's in the local cache it is served up from there; if
  not, then the Samba server grabs the file from the main data center and
  serves it to the client. When a file is written, something like rsync is
  used to transfer only the differences back to the main data center. The problem
  is that I'm not sure of a file system that does this. We are using Lustre on
  our HPC, but this won't do what we want.

With all the fun of file locking, concurrent access, etc... I think what
you describe just won't work, or at least will never work well.  Why not
just use a groupware server that supports document check-out and
check-in; that seems like the correct solution to me.  Or possibly
something like iFolder http://ifolder.com/ifolder



Re: [Samba] Ideas for distributed Samba servers

2010-04-11 Thread Ravi Channavajhala
On Sun, Apr 11, 2010 at 8:14 PM, Adam Tauno Williams awill...@whitemice.org wrote:
 On Sat, 2010-04-10 at 10:14 -0700, Eric Shubert wrote:
 Robert LeBlanc wrote:
   I'm trying to think about how to set up a Samba system and would like to pick
   the brains of some experts. We are looking to put a large amount of storage
   ~75TB in a central data center. We have some remote (ok, not remote, but
   across slower links, ok if you consider several hundred clients over 1Gb to
   be slow) locations that we would like to set up samba servers that 'cache'
   the file system and serve it up to the clients in the building and sync with
   the main data center storage.

 a.) I don't think you can really do that with a 'file server'

 b.) I believe what you describe is almost exactly how AFS works.
 http://www.openafs.org/
  OpenAFS is the world's foremost location independent file system.

 c.) Most SAN vendors provide a block-level replication solution for
 their products.

   The idea is to have a couple of TB that are
   located in the building that serve up the Samba share. When a client
   requests a file, if it's in the local cache it is served up from there; if
   not, then the Samba server grabs the file from the main data center and
   serves it to the client. When a file is written, something like rsync is
   used to transfer only the differences back to the main data center. The problem
   is that I'm not sure of a file system that does this. We are using Lustre on
   our HPC, but this won't do what we want.

 With all the fun of file locking, concurrent access, etc... I think what
 you describe just won't work, or at least will never work well.  Why not
 just use a groupware server that supports document check-out and
 check-in; that seems like the correct solution to me.  Or possibly
 something like iFolder http://ifolder.com/ifolder


WAFS (Wide Area File System) appliances can be very well deployed for this
sort of thing precisely.  Unfortunately, I don't know of any open-source
project for WAFS.  However, commercial solutions such as Riverbed, Expand
Networks, CISCO/WAFS, Juniper/Peribit do exist.

Regards,
/rkc

CTO
DCiEra (P) Ltd


Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

2009-10-15 Thread ravi channavajhala
What I was implying was basically the same statement, which you have
explained much more elaborately:

Case becomes an issue to a unix service if the case of the principal in the
ticket does not match the case in the keytab.


Regards,
/rkc

-Original Message-
From: Douglas E. Engert [mailto:deeng...@anl.gov] 
Sent: Wednesday, October 14, 2009 7:24 PM
To: ravi.channavajh...@dciera.com
Cc: 'Bober, Mark'; samba@lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2



ravi channavajhala wrote:
 To my understanding, Windows treats principal names as case insensitive.
 Kerberos treats them as case sensitive.  MIT Kerberos version - 1.7 is
 supposed to have fixed this.
 
 The way to get around this is to add uppercase SPN names into the Kerberos
 keytab.

Not exactly. Windows AD will accept any case and return the principal in the
ticket using the case requested by the caller.

A service principal usually consists of three parts: service, hostname and
realm. The service should be entered in the correct case, for example: host,
ldap or HTTP. The hostname should be the FQDN in lower case, and the realm
should be the AD domain name in uppercase.

Case becomes an issue to a unix service if the case of the principal in the
ticket does not match the case in the keytab. It is also an issue when creating
a keytab file using DES or AES, as the key is derived from a password and a
salt. The salt is the concatenation of
host||lowercase(samAccountName)||uppercase(AD domain name)
(Arcfour does not use a salt.)

 
 Regards,
 /rkc
 
 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
 On Behalf Of Bober, Mark
 Sent: Wednesday, October 14, 2009 12:17 AM
 To: samba@lists.samba.org
 Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
 
 DNS, /etc/hosts, all that is correct, on the Samba box, the client, and the
 2008 AD server.
 
 It still works perfectly if you use \\128.252.x.x in the URI instead of the
 name.
 
 What is the functional difference between accessing a URI via IP rather than
 the hostname or FQDN?
 
 Mark
 
 
 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
 On Behalf Of Dirk Jakobsmeier
 Sent: Tuesday, October 13, 2009 12:04 AM
 To: samba@lists.samba.org
 Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
 
 Hello Mark,
 
 On Monday, 12 October 2009 16:56:35, Bober, Mark wrote:
 Here's some things from log level 99:

 [2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
   name_to_fqdn: lookup for HOSTNAME - hostname.domain.wustl.edu.
 [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl@dOMAIN.WUSTL.EDU) failed: Wrong principal in request
 [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostn...@domain.wustl.edu) failed: Wrong principal in request
 [2009/10/12 09:43:53,  3] libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
   ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab principals
 [2009/10/12 09:43:53,  3] libads/kerberos_verify.c:567(ads_verify_ticket)
   ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
 [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:576(ads_verify_ticket)
   ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
 
 I've found several pieces of information about "wrong principal in request" errors
 pointing to a name resolution problem. Can you check DNS, /etc/hosts ...?
 
 I cut some of that out - it tried each name 6 times, hence the 12?
 Looking at the system keytab, and the computer account in AD, everything
 seems to match. FWIW, if I leave the domain and come back specifying the
 remaining 2003 server as the password server, this all looks the same
 and seems to work

 How much does capitalization matter? ADSIEDIT shows the
 ServicePrincipalNames as

 HOST/hostname.domain.wustl.edu
 HOST/HOSTNAME

 Where the keytab is:

 host/hostname.domain.wustl.edu
 host/hostname


 -Original Message-
 From: samba-boun...@lists.samba.org
 [mailto:samba-boun...@lists.samba.org] On Behalf Of Dirk Jakobsmeier
 Sent: Thursday, October 08, 2009 10:57 PM
 To: samba@lists.samba.org
 Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

 Hello Mark,

 On Thursday, 08 October 2009 16:03:13, Bober, Mark wrote:
  Hello! I'm having an odd issue between Samba and Win2k8R2. We updated
  one of our domain controllers to 2k8R2, and as such are working in a
  2003-level AD environment. If I force the 'password server' to the 2003
  DC, then everything works fine; only working against the 2008 box has
  issues.

 We have several issues here depending on one of our servers (2008). E.g.

 domainnames (usern
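
The case rules quoted above can be turned into a check against smbd's own debug lines. The following is an added example, not code from the thread or from Samba: it re-joins the wrapped `krb5_rd_req_return_keyblock_from_keytab(...)` lines, compares each principal smbd rejected against the keytab's principal list (as `klist -k` prints it, reduced to the principal column), and reports whether the name matches a keytab entry exactly (so letter case is not what that lookup tripped on), matches only modulo case, or is absent. The log lines and the keytab list are constructed with placeholder names.

```python
"""Classify why a ticket principal failed to match a Samba keytab entry.

Added example (not from the thread). It applies the principal-case rules
from Douglas Engert's reply: service name as registered (host, ldap, HTTP),
hostname as a lower-case FQDN, realm as the upper-case AD domain.
"""
import re

# service/hostname@REALM
PRINCIPAL_RE = re.compile(r"^([^/@\s]+)/([^@\s]+)@(\S+)$")

# The smbd debug line from ads_keytab_verify_ticket, re-joined onto one line.
KEYTAB_FAIL_RE = re.compile(
    r"krb5_rd_req_return_keyblock_from_keytab\(([^)]+)\) failed: (.+)$"
)

# Constructed sample log in the shape of the thread's output, with placeholder
# names; the second lookup carries an upper-cased short hostname.
SAMPLE_LOG = """\
[2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.example.com@DOMAIN.EXAMPLE.COM) failed: Wrong principal in request
[2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/HOSTNAME@DOMAIN.EXAMPLE.COM) failed: Wrong principal in request
[2009/10/12 09:43:53,  3] libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab principals
"""

# Constructed keytab principal list (the principal column of `klist -k`).
SAMPLE_KEYTAB = [
    "host/hostname.domain.example.com@DOMAIN.EXAMPLE.COM",
    "host/hostname@DOMAIN.EXAMPLE.COM",
]


def parse_principal(text):
    """Split 'service/host@REALM' into its three parts."""
    m = PRINCIPAL_RE.match(text.strip())
    if not m:
        raise ValueError("not a service principal: %r" % text)
    return m.group(1), m.group(2), m.group(3)


def canonical(text):
    """The spelling the reply recommends: service untouched, hostname
    lower-case, realm upper-case."""
    service, host, realm = parse_principal(text)
    return "%s/%s@%s" % (service, host.lower(), realm.upper())


def casefold_principal(text):
    """Fully lower-cased form, used only to detect case-only differences."""
    service, host, realm = parse_principal(text)
    return "%s/%s@%s" % (service.lower(), host.lower(), realm.lower())


def failed_keytab_lookups(log_text):
    """Principals smbd tried against the keytab and had rejected."""
    found = []
    for line in log_text.splitlines():
        m = KEYTAB_FAIL_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


def classify(ticket_principal, keytab_principals):
    """'exact'         : a keytab entry carries this exact name, so letter
                         case is not what this lookup stumbled on
       'case_mismatch' : a keytab entry differs only in letter case
       'absent'        : no keytab entry for this service/host at all"""
    if ticket_principal in keytab_principals:
        return "exact"
    want = casefold_principal(ticket_principal)
    if any(casefold_principal(k) == want for k in keytab_principals):
        return "case_mismatch"
    return "absent"


def diagnose(log_text, keytab_principals):
    """Map every rejected principal in the log to (verdict, canonical form)."""
    report = {}
    for p in failed_keytab_lookups(log_text):
        report[p] = (classify(p, keytab_principals), canonical(p))
    return report


if __name__ == "__main__":
    for principal, (verdict, wanted) in diagnose(SAMPLE_LOG, SAMPLE_KEYTAB).items():
        print("%-55s %-14s expected keytab entry: %s" % (principal, verdict, wanted))
```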

Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

2009-10-13 Thread ravi channavajhala

To my understanding, Windows treats principal names as case insensitive.
Kerberos treats them as case sensitive.  MIT Kerberos version - 1.7 is
supposed to have fixed this.

The way to get around this is to add uppercase SPN names into the Kerberos
keytab.

Regards,
/rkc

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Bober, Mark
Sent: Wednesday, October 14, 2009 12:17 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

DNS, /etc/hosts, all that is correct, on the Samba box, the client, and the
2008 AD server.

It still works perfectly if you use \\128.252.x.x in the URI instead of the
name.

What is the functional difference between accessing a URI via IP rather than
the hostname or FQDN?

Mark


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Dirk Jakobsmeier
Sent: Tuesday, October 13, 2009 12:04 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

Hello Mark,

On Monday, 12 October 2009 16:56:35, Bober, Mark wrote:
 Here's some things from log level 99:
 
 [2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
   name_to_fqdn: lookup for HOSTNAME - hostname.domain.wustl.edu.
 [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl@dOMAIN.WUSTL.EDU) failed: Wrong principal in request
 [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
   ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab(host/hostn...@domain.wustl.edu) failed: Wrong principal in request
 [2009/10/12 09:43:53,  3] libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
   ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab principals
 [2009/10/12 09:43:53,  3] libads/kerberos_verify.c:567(ads_verify_ticket)
   ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in request)
 [2009/10/12 09:43:53, 10] libads/kerberos_verify.c:576(ads_verify_ticket)
   ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE

I've found several pieces of information about "wrong principal in request" errors
pointing to a name resolution problem. Can you check DNS, /etc/hosts ...?

 
 I cut some of that out - it tried each name 6 times, hence the 12?
 Looking at the system keytab, and the computer account in AD, everything
 seems to match. FWIW, if I leave the domain and come back specifying the
 remaining 2003 server as the password server, this all looks the same
 and seems to work
 
 How much does capitalization matter? ADSIEDIT shows the
 ServicePrincipalNames as
 
 HOST/hostname.domain.wustl.edu
 HOST/HOSTNAME
 
 Where the keytab is:
 
 host/hostname.domain.wustl.edu
 host/hostname
 
 
 -Original Message-
 From: samba-boun...@lists.samba.org
 [mailto:samba-boun...@lists.samba.org] On Behalf Of Dirk Jakobsmeier
 Sent: Thursday, October 08, 2009 10:57 PM
 To: samba@lists.samba.org
 Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
 
 Hello Mark,
 
 On Thursday, 08 October 2009 16:03:13, Bober, Mark wrote:
  Hello! I'm having an odd issue between Samba and Win2k8R2. We updated
  one of our domain controllers to 2k8R2, and as such are working in a
  2003-level AD environment. If I force the 'password server' to the 2003
  DC, then everything works fine; only working against the 2008 box has
  issues.
 
 We have several issues here depending on one of our servers (2008). E.g.
 domain names (usern...@domainname) have to be written in capital letters
 when connecting to shares...
  \\128.252.123.123\sharename
 
  And it works as expected - my clients are in the same domain, no
  password is asked for, etc.
 
  Using any form of the hostname in the URI, either \\hostname\sharename
  or \\hostname.domain.name\sharename in the URI will continually
  prompt for a password.  Using 'smbclient' with the names in the URI on
  the Samba box itself works fine.
 
 
  log level = 1
 
 Did you try to set this to a higher level (and restart samba)? I always
 use 99, so I get large logfiles with nearly all the information I need. The
 client log (log.clienthostname or log.clientip) could be interesting.
 

-- 

With kind regards

Dirk Jakobsmeier / System administration

__
WIGE Konstruktionen GmbH & Co. KG
Registered office: Ravensburg
Ravensburg District Court, HRA No. 1493
Schwanenstrasse 4, 88214 Ravensburg
Tel: 0751 / 36609 - 29
Fax: 0751 / 36609 - 66

Personally liable partner:
WIGE Konstruktionen Verwaltungsgesellschaft mbH
Ravensburg District Court, HRB No. 2534
Managing directors: Eduard, Thomas

[Samba] share mapping issue related to GID

2009-10-10 Thread Ravi Channavajhala
Reposting this in the hope of someone throwing some hints:


I've set up a brand new Samba server, 3.0.33 on RHEL 5.  The access to
shares is a bit erratic, specifically for users who belong to a group
which is different from their primary group.  Using LDAP, Kerberos,
AD.  The /etc/nsswitch.conf is set to files ldap.  Not using winbind
at all.

The below two users can't map the shares (GID is not primary GID)

[r...@samba]# getent passwd jane
jane:*:3057:1108:jane:/home/jane:/bin/bash
[r...@samba]# getent passwd jim
jim:*:3426:1108:jim:/home/jim:/bin/bash

This user can map the share (the GID is the primary GID)

[r...@samba]# getent passwd danny
danny:*:3041:3041:danny:/home/danny:/bin/bash


[r...@samba]# getent group 3041
danny:*:3041:

[r...@samba]# getent group 1108
core_dev::1108:jane,jim,eric,steven,core_dev2,core_dev3,elias,chip,douglas

Also, saving files, especially MS-Office ones such as xls/doc, is
taking a really long time, 30-40 seconds.  Appreciate any ideas.

Thanks,

-- 
Ravi


[Samba] share mapping issue related to GID

2009-10-09 Thread ravi channavajhala
I've set up a brand new Samba server, 3.0.33 on RHEL 5.  The access to
shares is a bit erratic, specifically for users who belong to a group which
is different from their primary group.  Using LDAP, Kerberos, AD.  The
/etc/nsswitch.conf is set to files ldap.  Not using winbind at all.

The below two users can't map the shares (GID is not primary GID)

[r...@samba]# getent passwd jane
jane:*:3057:1108:jane:/home/jane:/bin/bash 
[r...@samba]# getent passwd jim
jim:*:3426:1108:jim:/home/jim:/bin/bash

This user can map the share (the GID is the primary GID)

[r...@samba]# getent passwd danny 
danny:*:3041:3041:danny:/home/danny:/bin/bash 


[gusre...@samba]# getent group 3041
danny:*:3041:

[gusre...@samba]# getent group 1108
core_dev::1108:jane,jim,eric,steven,core_dev2,core_dev3,elias,chip,douglas

Also, saving files, especially MS-Office ones such as xls/doc, is taking
a really long time, 30-40 seconds.  Appreciate any ideas.

Thanks,

Ravi



[Samba] Samba Shares - Permission denied

2009-09-26 Thread ravi channavajhala

My issue is permission denied.  The setup is as follows.

a)  All the development dirs are mounted on Solaris-10/9 servers
b)  Home directories are mounted on a NetApp filer
c)  All the /projects[0-5] and /home mounts are set up in automount; the NIS
master is Solaris
d)  Samba server is Linux, with winbind and kerberos; samba version is 3.3
e)  Automounter is running on the samba server and can mount /home and
/projects[0-5] fine

Setup is briefly as follows

 ++ +++-+
 || ||| |
 || ||| |
 | Solaris-10 | | Solaris-10 ||  NetAPP |
 |  NFS   | |   NFS  ||   /home |
 |  /projects | |   /project1|| |
 ++ +++-+
  NIS Master

 
+-+   +-+
| |   | |
  Linux - RH 5.3| |   | |
  Automounter   |  Linux  |--|  Windows AD |
  NIS Client|  Samba  |   |  2003 R2|
  Kerberos  |  server |   | |
  Winbind   +-+   +-+
  |server1 (kdc)
  |realm xxx.example.com
  |  
  |
+-+   +-+
| |   | |
| |   | |
|  Win XP |   |  Win XP |
|  Samba  |   |  Samba  |
|  Client |   |  Client |
+-+   +-+
  

The problem I'm facing is when a user logs in directly to the samba server
or tries to map samba shares /home through win XP clients, it errors with
permission denied.  The Samba server is automounting the /home and
/projects.
getent passwd and wbinfo -u and wbinfo -g all are working fine.  kinit and
kerberos look ups are fine.  pam configuration looks right, because users
can login.  The only problem is the permission denied access on all /home
mappings and /projects directories being opened in read only access.

On samba server the setup is

/etc/nsswitch.conf

passwd: files winbind
group:  files winbind

/etc/samba/smb.conf looks something like this

workgroup = cifs
server string = samba1
security = ads
; use Kerberos keytab = true
password server = server1.example.com
encrypt passwords = true
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind enum users = true
winbind enum group = true
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%U

[homes]

path=/home/%U
readonly = no
writable = yes
browsable = no

[dev]
Path = /projects

Regards,
Ravi

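
A check this topology makes worth running, as an added example that is not from the post: the idmap ranges in the smb.conf above (16777216-33554431) are numbers the NIS master has never issued, and NFS with AUTH_SYS authorizes by numeric uid/gid alone, so a login that smbd runs as an idmap-allocated uid is a different identity to the NetApp and Solaris NFS servers than the NIS uid that owns that user's files. The script compares a passwd dump from the Samba server (`getent passwd`) with the NIS passwd map (`ypcat passwd`); both sample dumps are constructed.

```python
"""Compare the uid/gid that winbind hands smbd for a login with the uid/gid
the NIS master (and therefore the NFS servers) hold for the same login.

Added example, not from the post. Both inputs are passwd(5)-format text;
the sample lines below are constructed.
"""

# The idmap ranges from the smb.conf above: ids in here were allocated by
# winbind's idmap backend, not taken from NIS.
IDMAP_UID = (16777216, 33554431)
IDMAP_GID = (16777216, 33554431)

# Constructed: `getent passwd` on the Samba server ('passwd: files winbind').
WINBIND_PASSWD = """\
ravi:*:16777216:16777216:Ravi:/home/ravi:/bin/bash
alice:*:16777217:16777216:Alice:/home/alice:/bin/bash
bob:x:2112:2110:Bob:/home/bob:/bin/bash
build:*:16777218:16777216:Build Account:/home/build:/bin/bash
"""

# Constructed: `ypcat passwd` from the Solaris NIS master.
NIS_PASSWD = """\
ravi:x:2110:2110:Ravi:/home/ravi:/bin/bash
alice:x:2111:2110:Alice:/home/alice:/bin/bash
bob:x:2112:2110:Bob:/home/bob:/bin/bash
"""


def parse_passwd(text):
    """login -> (uid, gid); lines that are not passwd(5) records are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        try:
            entries[fields[0]] = (int(fields[2]), int(fields[3]))
        except ValueError:
            continue
    return entries


def in_range(value, bounds):
    return bounds[0] <= value <= bounds[1]


def classify(login, winbind, nis):
    """One verdict per login:
       ok               winbind and NIS agree; the filer sees the right owner
       idmap_allocated  smbd uses an idmap-range id that NIS never issued
       mismatch         both sides have ordinary ids, but different ones
       missing_in_nis   NIS (and so the NFS servers) do not know the login"""
    if login not in nis:
        return "missing_in_nis"
    if winbind[login] == nis[login]:
        return "ok"
    uid, gid = winbind[login]
    if in_range(uid, IDMAP_UID) or in_range(gid, IDMAP_GID):
        return "idmap_allocated"
    return "mismatch"


def compare_identities(winbind_text, nis_text):
    """Map every login winbind knows to its verdict."""
    winbind = parse_passwd(winbind_text)
    nis = parse_passwd(nis_text)
    return {login: classify(login, winbind, nis) for login in sorted(winbind)}


def logins_needing_attention(winbind_text, nis_text):
    """Logins for which ownership checks on the NFS side cannot line up."""
    return [login for login, verdict in compare_identities(winbind_text, nis_text).items()
            if verdict != "ok"]


if __name__ == "__main__":
    for login, verdict in compare_identities(WINBIND_PASSWD, NIS_PASSWD).items():
        print("%-8s %s" % (login, verdict))
```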


[Samba] samba - preauthentication error

2009-09-05 Thread ravi channavajhala
Can anyone suggest how to get around the following?

[2009/09/05 00:32:55, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
  ads_sasl_spnego_bind: got server principal name = exd...@domain.example.com
[2009/09/05 00:32:55, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/09/05 00:32:56, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password samser...@domain.example.com failed: Preauthentication failed

This is what my samba RPMs are

# rpm -qa | grep -i samb
samba-client-3.0.33-3.7.el5
system-config-samba-1.2.41-3.el5
samba-common-3.0.33-3.7.el5
samba-3.0.33-3.7.el5

# uname -a
Linux samserv1.domain.example.com 2.6.18-128.el5PAE #1 SMP Wed Dec 17 12:02:33 EST 2008 i686 i686 i386 GNU/Linux

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.3 (Tikanga)

The smb.conf file uses

Security = ads
Use Kerberos keytab = true

AD logins from Linux work just fine (ruling out the obvious such as time
synchronization etc.), 'net ads info' and 'net ads status' show relevant
information.  The Kerberos keytab was generated with net ads keytab create.

Information from net ads status (partial)

sAMAccountName: SAMSERV1$
sAMAccountType: 805306369
dNSHostName: samserv1.domain.example.com
userPrincipalName: host/samserv1.domain.example@samserv1.domain.example.com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=example,DC=com

Regards,

Ravi K. Channavajhala



Re: [Samba] File Locking, Access - Inconsistencies

2009-08-12 Thread Ravi Channavajhala
On Wed, Aug 12, 2009 at 11:01 AM, Ravi Channavajhala ravi.channavajh...@dciera.com wrote:
 On Wed, Aug 12, 2009 at 9:53 AM, Jeremy Allison j...@samba.org wrote:
 On Wed, Aug 12, 2009 at 08:51:51AM +0530, ravi channavajhala wrote:
 Hi Jeremy,

 Why would the file name be an issue here?  It is not just one file, several
 files are getting affected.  I followed your earlier discussion on the issue
 way back in 2002, can you suggest something to try.  Really, I will take
 whatever I can get.

 Firstly, let's keep the list CC:ed so we keep
 everyone up to date. I'm asking what file name
 the fcntl is blocked in, as I want to know if
 this is a Samba tdb, or a file the server is
 trying to access. The Samba server should never
 make a blocking fcntl lock call on a user data
 file, but will make such calls on tdb files.

 So please let me know what file the fcntl syscall
 is blocked in. Thanks,

 Jeremy.

 Sorry, I must have not used reply to all.  Anyway, here is how I
 trussed.  I had the user open a file, and then captured the system
 calls made with truss.  The fcntl appears blocking on a user file,
 but I might be incorrect because I didn't really see which file the
 file descriptor belonged to (the very first two lines of truss show
 fcntl, no other information).  Either way, if this is blocking on a tdb
 file, what possible recourse can I apply?  Thanks for your help.

FWIW, this is what I see on Solaris 10 (Sun's stock Samba bundled with OS)

# pstack 1968
1968:   /usr/sfw/sbin/smbd -D
 ff049c64 fcntl(a, 23, ffbff750)
 ff0398c0 fcntl(a, 23, ffbff750, a, fee02a00, ff0c72b4) + 18
 00272ec0 tdb_brlock (448180, 22dc, 2, 23, 0, 1) + 90
 002731dc tdb_lock (448180, 88d, 2, 20, 18ec34, 401c98) + 17c
 001ff048  (fffa7038, 43d960, 1d3d8, 453660, 9ea5, 453670)
 001f8538 is_locked (43d960, feff, 0, 1000, 0, 0) + 1e8
 000926a4 reply_read_and_X (495ca8, 4751f0, 3f, 43d960, 2, 0) + 2ec
 000d4c64  (495ca8, 454da0, 4751f0, 3f, 2, 0)
 000d4db8  (9400, 4751f0, 3f, 2, 9400, 32cf4c)
 000d5060  (454da0, 4751f0, 0, 1, 401c98, 6c00)
 000d634c smbd_process (fff58830, 6c7c, 401c98, 93a80, 20441, 17d) + 1e4
 0032f028 main (0, 392800, 1, 40aacc, 40ca28, 0) + afc
 0004dda8 _start   (0, 0, 0, 0, 0, 0) + 108

# truss -v all -aef -p 1968
1968:   *** SUID: ruid/euid/suid = 0 / 2110 / 2110  ***
1968:   *** SGID: rgid/egid/sgid = 0 / 2110 / 2110  ***
1968:   psargs: /usr/sfw/sbin/smbd -D
1968:   fcntl(10, F_SETLKW64, 0xFFBFF750) (sleeping...)
1968:   typ=F_WRLCK  whence=SEEK_SET start=8924  len=1 sys=3  pid=0

Now on Solaris 9 (Compiled with gcc)

#truss -aef -v all -p 3623
3623:   *** SUID: ruid/euid/suid = 0 / 1598 / 1598  ***
3623:   *** SGID: rgid/egid/sgid = 0 / 1598 / 1598  ***
3623:   psargs: /usr/local/samba/sbin/smbd -D -d 3 -s
/usr/local/samba/etc/smb.conf
3623:   fcntl(25, F_GETLK64, 0xFFBFF100) (sleeping...)
3623:   typ=F_RDLCK  whence=SEEK_SET start=0 len=512   sys=0  pid=0

#pstack 3623
3623:   /usr/local/samba/sbin/smbd -D -d 3 -s /usr/local/samba/etc/smb.conf
  fcntl(19, 21, ffbff100)

 #pflags 3623
3623:   /usr/local/samba/sbin/smbd -D -d 3 -s /usr/local/samba/etc/smb.conf
data model = _ILP32  flags = PR_ORPHAN
  /1:   flags = PR_PCINVAL|PR_ASLEEP [ fcntl(0x19,0x21,0xffbff100) ]
  sigmask = 0x00011080,0x

-- 
Ravi Channavajhala
http://www.dciera.com
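
Jeremy's question (is the blocked fcntl on a tdb or on a user data file?) can be answered from the pstack output rather than from truss, because pstack shows the callers. The following is an added example, not from the thread: it parses the stack frames, decodes fcntl's fd and command (pstack prints both in hex; the command numbers are assumed to be the 32-bit Solaris ones, which agrees with how truss labels the same calls above, 0x23 = F_SETLKW64 and 0x21 = F_GETLK64), and reports whether a tdb_* frame is on the stack. Both sample stacks are constructed from the ones quoted above.

```python
"""Tell, from Solaris pstack output, whether the fcntl lock smbd is blocked
in was requested through Samba's tdb layer or from somewhere else.

Added example, not from the thread. Assumes pstack prints fcntl's arguments
in hex ('fcntl(a, 23, ...)' is fd 10, command 0x23) and that the command
numbers are those of the 32-bit Solaris fcntl.h.
"""
import re

# 32-bit Solaris fcntl commands seen in the thread's traces (assumption).
FCNTL_CMDS = {33: "F_GETLK64", 34: "F_SETLK64", 35: "F_SETLKW64"}

# One pstack frame: optional hex address, optional function name (stripped
# frames print none), then the argument list. The trailing '+ offset' and the
# 'pid: command line' header line are left unmatched.
FRAME_RE = re.compile(r"^\s*(?:[0-9a-f]+\s+)?([A-Za-z_]\w*)?\s*\(([^)]*)\)")

# Constructed sample: the Solaris 10 stack from the thread, a few frames cut.
PSTACK_SOLARIS10 = """\
1968:   /usr/sfw/sbin/smbd -D
 ff049c64 fcntl(a, 23, ffbff750)
 ff0398c0 fcntl(a, 23, ffbff750, a, fee02a00, ff0c72b4) + 18
 00272ec0 tdb_brlock (448180, 22dc, 2, 23, 0, 1) + 90
 002731dc tdb_lock (448180, 88d, 2, 20, 18ec34, 401c98) + 17c
 001ff048  (fffa7038, 43d960, 1d3d8, 453660, 9ea5, 453670)
 001f8538 is_locked (43d960, feff, 0, 1000, 0, 0) + 1e8
 000926a4 reply_read_and_X (495ca8, 4751f0, 3f, 43d960, 2, 0) + 2ec
 000d634c smbd_process (fff58830, 6c7c, 401c98, 93a80, 20441, 17d) + 1e4
 0032f028 main (0, 392800, 1, 40aacc, 40ca28, 0) + afc
"""

# Constructed sample: the single-frame Solaris 9 stack from the thread.
PSTACK_SOLARIS9 = """\
3623:   /usr/local/samba/sbin/smbd -D -d 3 -s /usr/local/samba/etc/smb.conf
  fcntl(19, 21, ffbff100)
"""


def parse_frames(text):
    """[(function name or '', [hex args])], innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group(2).split(",") if a.strip()]
        frames.append((m.group(1) or "", args))
    return frames


def blocked_lock(text):
    """Describe the innermost fcntl frame: fd, decoded command, the named
    frames above it, and whether one of them is a tdb_* routine. Returns
    None if the stack is not sitting in fcntl at all."""
    frames = parse_frames(text)
    for i, (name, args) in enumerate(frames):
        if name != "fcntl" or len(args) < 2:
            continue
        callers = [n for n, _ in frames[i + 1:]]
        if any(n.startswith("tdb_") for n in callers):
            origin = "tdb"        # lock on one of Samba's own database files
        elif callers:
            origin = "other"      # requested from elsewhere in smbd
        else:
            origin = "unknown"    # pstack gave a single frame, nothing to go on
        cmd = int(args[1], 16)
        return {"fd": int(args[0], 16),
                "cmd": FCNTL_CMDS.get(cmd, hex(cmd)),
                "origin": origin,
                "callers": [n for n in callers if n]}
    return None


if __name__ == "__main__":
    for label, sample in (("Solaris 10", PSTACK_SOLARIS10), ("Solaris 9", PSTACK_SOLARIS9)):
        print(label, blocked_lock(sample))
```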


[Samba] File Locking, Access - Inconsistencies

2009-08-11 Thread ravi channavajhala
Lately I'm seeing bizarre problems with the SAMBA server I'm using in
production.  For no rhyme or reason the connections get dropped; the same
set of users who previously were able to access the shares now get
permission denied.  Users (not all but some) are having trouble opening the
folders, files and so on.  This was not the case a few days ago; it started
happening lately with amazing inconsistency.  Inconsistent in that it works
sometimes and simply doesn't at other times.

I have two samba servers in the setup, one on Solaris-10 and the other on
Solaris-9.  On Solaris 10 I'm using stock SUN Samba packages.  It would be
real easy if I could isolate the problem by limiting it to one, but it
occurs on both the servers.  The samba versions are different on both
servers.  Before anyone can suggest it, I did shut down one server and pointed
all the users to the remaining one.  No luck.  Shut down the other server,
re-pointed the users, no luck.  I'm going nuts trying to isolate the
problem, if only it wasn't happening with such astonishing inconsistency.

Trussing the smbd shows the user access is stuck in fcntl system calls like
this, and these users do have all the proper permissions for messing with
these files

fcntl(10, F_SETLKW64, 0xFFBFF750) (sleeping...)
fcntl(27, F_GETLKW64, 0xFFBFF840) (sleeping...)

They never get out of this.  Tried the usual options of oplocks = no, kernel
oplocks = no and even faking oplocks in the smb.conf; I can't get out of
this.  Can anyone suggest something I can muck with?  I know earlier Solaris
versions had a kernel bug with fcntl and it was patched.  So, what else
could be the issue here?  Thanks.

Ravi K. Channavajhala

http://www.dciera.com




Re: [Samba] File Locking, Access - Inconsistencies

2009-08-11 Thread Ravi Channavajhala
On Wed, Aug 12, 2009 at 9:53 AM, Jeremy Allison j...@samba.org wrote:
 On Wed, Aug 12, 2009 at 08:51:51AM +0530, ravi channavajhala wrote:
 Hi Jeremy,

 Why would the file name be an issue here?  It is not just one file, several
 files are getting affected.  I followed your earlier discussion on the issue
 way back in 2002, can you suggest something to try.  Really, I will take
 whatever I can get.

 Firstly, let's keep the list CC:ed so we keep
 everyone up to date. I'm asking what file name
 the fcntl is blocked in, as I want to know if
 this is a Samba tdb, or a file the server is
 trying to access. The Samba server should never
 make a blocking fcntl lock call on a user data
 file, but will make such calls on tdb files.

 So please let me know what file the fcntl syscall
 is blocked in. Thanks,

 Jeremy.

Sorry, I must have not used reply to all.  Anyway, here is how I
trussed.  I had the user open a file, and then captured the system
calls made with truss.  The fcntl appears blocking on a user file,
but I might be incorrect because I didn't really see which file the
file descriptor belonged to (the very first two lines of truss show
fcntl, no other information).  Either way, if this is blocking on a tdb
file, what possible recourse can I apply?  Thanks for your help.

-- 
Ravi Channavajhala


[Samba] I/O error when trying to write

2009-07-27 Thread ravi channavajhala
My setup is fairly straight forward; I have a Solaris 10 (SPARC) being used
as a samba server with AD sign on.  Users can log in fine and map their
directories through windows clients.  All the user home dirs and critical
project dirs are on a NetAPP filer.

 

When user tries to write a file, it is erroring out with I/O error, file
access is permitted for read operations only.  Investigating the problem
shows that on Solaris this message is appearing: "NFS compound failed for
server filer.example.com: error 2 (RPC: Can't decode result)".

It appears there is a problem with NFS v4 support either on the Solaris or
the NetAPP filer.  I've not had a chance to set NetAPP filer not to use NFS
V4; I'm attempting it this weekend along with hacking /etc/default/nfs .
Anything that I should look out also on the Samba side, especially the
ACLs/permissions issues related stuff?

Regards,

/rkc


Re: [Samba] I/O error when trying to write

2009-07-27 Thread ravi channavajhala

On Mon, Jul 27, 2009 at 05:02:28PM +0530, ravi channavajhala wrote:
 My setup is fairly straight forward; I have a Solaris 10 (SPARC) being
used
 as a samba server with AD sign on.  Users can log in fine and map their
 directories through windows clients.  All the user home dirs and critical
 project dirs are on a NetAPP filer.
 
 When user tries to write a file, it is erroring out with I/O error, file
 access is permitted for read operations only.  Investigating the problem
 shows that on Solaris this message is appearing: "NFS compound failed for
 server filer.example.com: error 2 (RPC: Can't decode result)".
 
 It appears there is a problem with NFS v4 support either on the Solaris or
 the NetAPP filer.  I've not had a chance to set NetAPP filer not to use
NFS
 V4; I'm attempting it this weekend along with hacking /etc/default/nfs .
 Anything that I should look out also on the Samba side, especially the
 ACLs/permissions issues related stuff?

Why don't you just enable CIFS on NetApp?

To me this really does not sound like a Samba problem.

Volker

I agree this is not a samba problem; I just want to ensure that I don't
need to tie up any loose ends on the samba side, that's all. Thanks.



Re: [Samba] krb5 configuration generation

2009-05-15 Thread Ravi Channavajhala
This is certainly one of those things; I also wish there were a
resolution.  To my knowledge there is no way to get this done.

On Fri, May 15, 2009 at 4:07 PM, Alex Green alex.gr...@db.com wrote:
 Hi,

 Is there any way to stop Samba regenerating the krb5.conf.[WORKGROUP] file 
 under /var/lib/samba/smb_krb5 every time?

 It appears to completely ignore /etc/krb5.conf, is this expected?

 Kernel: Linux localhost 2.6.16.60-0.37_f594963d-smp #1 SMP Mon Mar 23 
 13:39:48 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux
 smbd -V: Version 3.0.32-0.8-2045-SUSE-CODE10

 Thanks,
 Alex





-- 
Ravi Channavajhala
CTO

DCiEra (Extreme Data Center Efficiency)
Plot #247, Road #78, Ground Floor
Jubilee Hills
Hyderabad 500 034 (AP)
+91 96521 84670


Re: [Samba] Timing in a script

2009-05-15 Thread Ravi Channavajhala
On Fri, May 15, 2009 at 7:43 PM, Pete Clapham peteclap...@sbcglobal.net wrote:
 Hi, all --

 I am trying to write a script in which I can add users and their samba 
 passwords easily and quickly.  It looks something like:
     useradd -c "User Name" -g groupname -p unixpassword accountname
 
     echo -e "smbpassword\nsmbpassword\n" | pdbedit -a -t -u accountname

You should evaluate the exit status of the previous command before
going on to the next command, especially if there is a dependency.
Evaluate the $? like

if [ $? -eq 0 ]; then
 do_whatever
fi

 If
 I type the lines from the keyboard, it works fine.  However, when I try
 to execute the script, the pdbedit on the second line reports that
 there's no unix accountname to apply to samba.  I assume that this is
 because the useradd process hasn't finished when the pdbedit is
 executed.


 Is there a way to insure that the useradd has completed its
 execution before the pdbedit starts?  Alternatively is there a way to
 insert a delay between the two commands to allow the useradd to
 complete?

 Thanks.


 cheers,
 pete
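The exit-status check recommended above, carried through as an added example (not code from the thread): each step runs only if the previous one succeeded, the account is confirmed to resolve through the name service before pdbedit is asked for it (the symptom in the question), and both passwords are passed on stdin rather than on the command line. That last point is also why `useradd -p` is avoided: it expects a crypt(3) hash, not a plaintext password, and anything on a command line is visible to every user in `ps`. It assumes useradd, chpasswd and pdbedit are on PATH and the script runs as root; the `run` and `lookup` parameters exist so the logic can be exercised with stand-ins.

```python
import pwd
import subprocess


def _run(argv, stdin_text=None):
    """Run a command and return its exit status. Anything secret goes in on
    stdin, never in argv."""
    return subprocess.run(argv, input=stdin_text, text=True,
                          stdout=subprocess.DEVNULL).returncode


def _lookup(name):
    """True if the account resolves through the system's name service."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def add_samba_user(name, group, gecos, unix_pw, smb_pw, run=_run, lookup=_lookup):
    """Create the Unix account, set its password, then add the Samba account.
    Returns (ok, stage); on failure `stage` names the step that failed."""
    # 1. Unix account. No -p here: it wants a crypt(3) hash and would also
    #    expose the password in the process list.
    if run(["useradd", "-c", gecos, "-g", group, name]) != 0:
        return False, "useradd"
    # 2. Exit status alone is not proof the account is visible yet (NIS/LDAP
    #    caches, nscd); confirm it resolves before pdbedit needs it.
    if not lookup(name):
        return False, "lookup"
    # 3. Unix password: chpasswd reads "user:password" lines on stdin.
    if run(["chpasswd"], f"{name}:{unix_pw}\n") != 0:
        return False, "chpasswd"
    # 4. Samba password: pdbedit -t reads it twice from stdin.
    if run(["pdbedit", "-a", "-t", "-u", name], f"{smb_pw}\n{smb_pw}\n") != 0:
        return False, "pdbedit"
    return True, "done"


if __name__ == "__main__":
    import getpass
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: add_samba_user.py ACCOUNT GROUP 'Full Name'")
    unix_pw = getpass.getpass("Unix password: ")
    smb_pw = getpass.getpass("Samba password: ")
    ok, stage = add_samba_user(sys.argv[1], sys.argv[2], sys.argv[3], unix_pw, smb_pw)
    print("ok" if ok else f"failed at {stage}")
    sys.exit(0 if ok else 1)
```

If the lookup step is the one that fails on a real system, the useradd has completed but the name service has not caught up yet; that is the place to retry or to flush nscd, rather than sleeping between the two commands blindly.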


[Samba] Solaris 10 (sparc) and samba issue

2009-05-11 Thread Ravi Channavajhala
The net ads join joins the host to the AD, but can't get the proper kerberos
tix.  Manually generating the kerberos keytab from AD doesn't work.  Any
suggestions?

r...@host /#head -1 /etc/release
Solaris 10 10/08 s10s_u6wos_07b SPARC

r...@host /usr/sfw/sbin#./smbd -V
Version 3.0.28

r...@host /#for PKG in `pkginfo -x | grep -i samba | awk '{print
$1}'`; do VER=`pkginfo -l ${PKG} | grep PSTAMP`; echo ${PKG} ${VER};
done
SUNWsmbac PSTAMP: sfw10-patch20080310191909
SUNWsmbar PSTAMP: sfw10-patch20080723133424
SUNWsmbau PSTAMP: sfw10-patch20080723134146

Last few relevant lines from net ads with -d10 level debugging.

[2009/05/11 20:13:20, 10] libsmb/clientgen.c:(395)
  cli_rpc_pipe_close: closed pipe \NETLOGON to machine host.domain.com
[2009/05/11 20:13:20, 6] libsmb/clientgen.c:(153)
  write_socket(9,39)
[2009/05/11 20:13:20, 6] libsmb/clientgen.c:(156)
  write_socket(9,39) wrote 39
[2009/05/11 20:13:20, 10] lib/util_sock.c:(623)
  got smb length of 35
[2009/05/11 20:13:20, 5] lib/util.c:(484)
[2009/05/11 20:13:20, 5] lib/util.c:(494)
  size=35
  smb_com=0x71
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=2050
  smb_pid=2945
  smb_uid=2050
  smb_mid=12
  smt_wct=0
  smb_bcc=0
[2009/05/11 20:13:20, 10] lib/util.c:(2957)
  name_to_fqdn: lookup for HOST - HOST.domain.com
[2009/05/11 20:13:20, 3] libads/ldap.c:(2471)
  ads_domain_func_level: 2
[2009/05/11 20:13:20, 3] libads/kerberos.c:(337)
  kerberos_secrets_store_des_salt: Storing salt
host/host.domain@domain.com
[2009/05/11 20:13:21, 2] libads/kerberos_keytab.c:(260)
  ads_keytab_add_entry: Using default system keytab: FILE:/etc/krb5/krb5.keytab
[2009/05/11 20:13:21, 5] libads/ldap.c:(1422)
  ads_get_kvno: Searching for host HOST
[2009/05/11 20:13:21, 5] libads/ldap.c:(1440)
  ads_get_kvno: Using: CN=HOST,CN=Computers,DC=domain,DC=com
[2009/05/11 20:13:21, 5] libads/ldap.c:(1459)
  ads_get_kvno: Looked Up KVNO of: 7
[2009/05/11 20:13:21, 3] libads/kerberos_keytab.c:(65)
  smb_krb5_kt_add_entry: Will try to delete old keytab entries
[2009/05/11 20:13:21, 1] libads/kerberos_keytab.c:(152)
  smb_krb5_kt_add_entry: krb5_kt_end_seq_get failed (Bad file number)
[2009/05/11 20:13:21, 1] libads/kerberos_keytab.c:(346)
  ads_keytab_add_entry: Failed to add entry to keytab file
[2009/05/11 20:13:21, 1] libads/kerberos_keytab.c:(508)
  ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.
[2009/05/11 20:13:21, 1] utils/net_ads.c:(1644)
  Error creating host keytab!
Joined 'HOST' to realm 'DOMAIN.COM'
[2009/05/11 20:13:21, 2] utils/net.c:(1036)
  return code = 0


Re: [Samba] Solaris 10 (sparc) and samba issue

2009-05-11 Thread Ravi Channavajhala
Brian, it is Windows 2003/R2.  The config for samba is straightup just
from the global section.  The exact problem I'm having is the net ads
is unable to create the kerberos keytab and I hate to run ktpass and
etc from the win KDC and install them.  Even if I did the ktpass, the
tix are not working; I get constant error 'server not found in
kerberos database' whenever attempting to login.

[global]
   workgroup = WKG
   netbios name = HOST
   security = ads
   password server = x.domain.com
   use kerberos keytab = true
   realm = DOMAIN.COM

[2009/05/11 22:33:30, 10] lib/util.c:(2957)
  name_to_fqdn: lookup for HOST - HOST.domain.com
[2009/05/11 22:33:30, 3] libads/ldap.c:(2471)
  ads_domain_func_level: 2
[2009/05/11 22:33:30, 3] libads/kerberos.c:(337)
  kerberos_secrets_store_des_salt: Storing salt
host/host.domain@domain.com
[2009/05/11 22:33:30, 2] libads/kerberos_keytab.c:(260)
  ads_keytab_add_entry: Using default system keytab: FILE:/etc/krb5/krb5.keytab
[2009/05/11 22:33:30, 5] libads/ldap.c:(1422)
  ads_get_kvno: Searching for host HOST
[2009/05/11 22:33:30, 5] libads/ldap.c:(1440)
  ads_get_kvno: Using: CN=host,OU=NewComputers,DC=domain,DC=com
[2009/05/11 22:33:30, 5] libads/ldap.c:(1459)
  ads_get_kvno: Looked Up KVNO of: 7
[2009/05/11 22:33:30, 3] libads/kerberos_keytab.c:(65)
  smb_krb5_kt_add_entry: Will try to delete old keytab entries
[2009/05/11 22:33:30, 5] libads/kerberos_keytab.c:(105)
  smb_krb5_kt_add_entry: Found old entry for principal:
host/host.domain@domain.com (kvno 7) - trying to remove it.
[2009/05/11 22:33:30, 1] libads/kerberos_keytab.c:(116)
  smb_krb5_kt_add_entry: krb5_kt_remove_entry failed (Cannot write to
specified key table)
[2009/05/11 22:33:30, 1] libads/kerberos_keytab.c:(346)
  ads_keytab_add_entry: Failed to add entry to keytab file
[2009/05/11 22:33:30, 1] libads/kerberos_keytab.c:(508)
  ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.
[2009/05/11 22:33:30, 1] utils/net_ads.c:(1644)
  Error creating host keytab!
Joined 'HOST' to realm 'DOMAIN.COM'
[2009/05/11 22:33:30, 2] utils/net.c:(1036)
  return code = 0



On Mon, May 11, 2009 at 10:16 PM, Brian H. Nelson bnel...@cis.ysu.edu wrote:
 Ravi,

 You don't mention which version of AD your are working with or include any
 relevant config files. Both would be helpful.

 Also, it might just be me, but I'm not clear on exactly what problem you're
 having. Maybe you could clarify, list error messages, etc.

 You might want to get Solaris patch 119757-14 which gives you samba 3.0.33.
 I don't know if it will help. I had no problems with samba 3.0.28 on Solaris
 10.

 -Brian



Re: [Samba] Solaris 10 (sparc) and samba issue

2009-05-11 Thread Ravi Channavajhala
I don't think I missed anything as obvious as that.  My problem is
elsewhere...still looking.  On to the next step of compiling latest
and greatest samba distro..

On Mon, May 11, 2009 at 11:23 PM, Brian H. Nelson bnel...@cis.ysu.edu wrote:
 Ravi Channavajhala wrote:

 Brian, it is Windows 2003/R2.  The config for samba is straightup just
 from the global section.  The exact problem I'm having is the net ads
 is unable to create the kerberos keytab and I hate to run ktpass and
 etc from the win KDC and install them.  Even if I did the ktpass, the
 tix are not working; I get constant error 'server not found in
 kerberos database' whenever attempting to login.



 Ah, sorry. I'm not using keytab anywhere so I probably can't help much. I
 know it's an obvious check, but does the file /etc/krb5/krb5.keytab exist on
 your machine? It's not there by default and might need to be created first.

 -Brian

 --
 ---
 Brian H. Nelson         Youngstown State University
 System Administrator   Media and Academic Computing
             bnelson[at]cis.ysu.edu
 ---





-- 
Ravi Channavajhala
CTO

DCiEra (Extreme Data Center Efficiency)
Plot #247, Road #78, Ground Floor
Jubilee Hills
Hyderabad 500 034 (AP)
+91 96521 84670
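Both failures in the logs above happen while `net ads join` tries to write the system keytab ("Bad file number" on the first run, "Cannot write to specified key table" on the second), and the obvious check raised in the reply is whether the file exists at all. The following pre-flight check is an added example, not code from the thread or from Samba: it reports whether the keytab exists, is a regular file owned by the expected user, is readable by nobody but its owner (the keys in it are the host's long-term secrets; anyone who can read the file can impersonate the host), is actually writable, and carries the MIT keytab version bytes. The default path is the one the log shows, FILE:/etc/krb5/krb5.keytab; `expect_uid` is a parameter so the check can be run as an unprivileged user against a test file.

```python
import os
import stat

DEFAULT_KEYTAB = "/etc/krb5/krb5.keytab"
KEYTAB_MAGIC = (b"\x05\x02", b"\x05\x01")   # MIT keytab format version bytes


def check_keytab(path=DEFAULT_KEYTAB, expect_uid=0):
    """Return a list of problem codes; empty means the keytab looks usable.
    Codes, in the order checked: missing, not-a-regular-file, wrong-owner,
    group-or-world-accessible, not-owner-writable, not-writable, empty,
    bad-magic."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        # Nothing for net ads join to append to. Create it first, as root,
        # with mode 0600 (umask 077 before touching it).
        return ["missing"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not-a-regular-file")   # symlink or device: refuse
        return problems
    if st.st_uid != expect_uid:
        problems.append("wrong-owner")
    # Only the owner may have any access: group or world bits leak the keys.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group-or-world-accessible")
    if not st.st_mode & stat.S_IWUSR:
        problems.append("not-owner-writable")
    # Mode bits are not the whole story (read-only mount, ACLs); ask the
    # kernel whether this process could actually write the file.
    if not os.access(path, os.W_OK):
        problems.append("not-writable")
    if st.st_size == 0:
        problems.append("empty")                 # freshly created, no header yet
    else:
        with open(path, "rb") as f:
            if f.read(2) not in KEYTAB_MAGIC:
                problems.append("bad-magic")
    return problems


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_KEYTAB
    found = check_keytab(target)
    print(f"{target}: {'ok' if not found else ', '.join(found)}")
    sys.exit(1 if found else 0)
```

Run it as root before the join; if krb5.conf sets a different default_keytab_name, pass that path instead, since Samba reported the default system keytab it was handed, not a path of its own.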


[Samba] Kerberos tickets problem

2009-05-06 Thread ravi channavajhala
I'm setting up a Solaris 10 server as a test samba server with AD
authentication.  I'm running into a little bit of issue with Kerberos
tickets.  The setup is as follows

Solaris-10, Windows AD-2003/R2, native Solaris (sparc) samba, Kerberos, LDAP
(shipped with the distro) and IMU on windows.  My LDAP client is working
good and validates getent passwd user and can run ldaplist -l passwd
user and ldapsearch, no issues.  My ldap authentication is set to simple,
with proxyDnuser.

On Solaris I'm very sure I setup the krb5.conf, smb.conf, pam.conf,
nsswitch.conf, ntp.conf perfectly.  The nsswitch is set to use 'files ldap'
for both passwd and group and dns files for hosts.  On windows the IMU, UNIX
attributes are set to the correct NIS domain.

I ran net ads join to successfully join the Solaris server into the AD,
however net ads keytab create simply returns a new line without any errors.
When I checked on windows, after net ADS join command, I see two service
principals (SPN), the capitalization is intentional as this is how they
appear when I run setspn hostname

HOST/HOSTNAME

HOST/hostname.domain.com (FQDN)

I also setup a service account name (user object) on Windows whose name is
same as the hostname (computer object).  I generated the keytab file with

ktpass -princ host/f...@realm -mapuser DOMAIN\SERVICEACCT$ -pass password
-crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

I then ftped this file over to Solaris host and try to authenticate a user
login via AD, I get

PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
database

So, just for the heck of it I generated another krb5.keytab with the
following

ktpass -princ HOST/f...@realm -mapuser DOMAIN\SERVICEACCT$ -pass password
-crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

Please note the HOST in capitals.  Now, I get this error testing with this
keytab

PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

Running PAM in debug mode didn't reveal anything specific other than the
obvious.

I have my DNS setup correctly and the nslookup for DCs, GCs and LDAP servers
return properly.  I can add the SPNs forcibly with host/hostname.domain.com
and host/hostname and try different combinations.  But..first I need to
understand this behavior, anyone???


[Samba] Avoiding running net ads

2009-05-04 Thread ravi channavajhala
I recently setup Solaris server which uses AD for authentication.  It is
working well.  Now I need to run Samba on this machine.  I set up the
smb.conf with appropriate entries such as 'security = ads', 'encrypt
passwords = yes', 'use kerberos keytab = true', however I don't want to
specify an explicit password server.  When I try to map the Solaris
directories from Windows clients, I keep getting errors.  Samba 'net ads
info' returns correct information, however.  Is it necessary to run 'net ads
join' at all?  Reading through the net ads, seems it will try to re-create
the /etc/krb5/krb5.keytab, add the computer object again in AD. I want to
avoid all this because; I got a working configuration, which I don't want to
upset.  Can someone tell me

1. Is it necessary to run net ads join at all?
2. If required to run net ads anyway, how can I make it run as an non-admin
user? (I studied Eric Roseme's paper which is a bit dated)
3. Even if I run net ads I don't want it to mess with krb5.keytab, why does
it have to anyway? I already got valid tickets (generated with ktpass.exe)
for the authentication supported by Samba arcfour, DES etc.

The real issue, I'm trying to avoid is having to run to Windows admins every
time there is an issue as the unix/windows teams are run independently.
There must be a way out of not running net ads join and still have samba
work.

Ravi


RE: [Samba] bad encryption type in AD domain authentication

2009-05-04 Thread ravi channavajhala
Decrypt integrity check usually means your Kerberos tickets are no good or
you don't have the entry in keytab which specifies the encryption method
expected.  The real way to fix is run the ktpass.exe from the ADS server,
ftp the generated krb keytab file to the Unix server to the /tmp.  Examine
it with klist -e -k /tmp/krb5.keytab, if all looks good, remove the
/etc/krb5 keytab file, run the ktutil to write the /tmp/krb5.keytab to
/etc/krb5 keytab.  The safest method I found is to use the default
DES-CBC-MD5 authentication only while generating the keytab file with
ktpass.  Run the ktpass something along the lines of

ktpass -princ host/f...@realm -mapuser DOMAIN\hostname$ -crypto DES-CBC-MD5
-pass whatever -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

You don't have to specify the -crypto option unless you would like to use
encryption method such as DES-CBC-CRC or arcfour etc.  In that case,
generate keytabs separately for each encryption method and merge them into
the keytab.

Two points, one is the FQDN should be literally of the form host.domain.com,
and secondly in the mapuser use the short form of domain name.

Honestly, I wish this weren't this complicated, but the interoperability of
(lin)u(ni)x with a Windows AD server isn't really seamless.  Now, the hard
part is: what if you don't have never-expiring passwds on the ADS?  This
rigmarole of generating the keytabs will be an ongoing process.

-Original Message-
From: samba-bounces+ravi.channavajhala=dciera@lists.samba.org
[mailto:samba-bounces+ravi.channavajhala=dciera@lists.samba.org] On
Behalf Of nilleb
Sent: Monday, May 04, 2009 5:50 PM
To: samba@lists.samba.org
Subject: [Samba] bad encryption type in AD domain authentication

Hello,

I'm trying to access a samba share using an ADS user credentials. I always
get an error, and the debug traces (log level = 5) are giving me the output
in the follow.
I have searched the samba ML archives, and I have found the thread
http://lists.samba.org/archive/samba/2004-April/084545.html
but, before asking the system admin to apply the eventual KB fixes, I would
like to know if the problem is really the same: *what are the codes 296 and
471* which can be found in the follow? *do they show the algorithm used to
decrypt the token*? so, is this the same problem, since the email I linked
above shows a 323 code?* is there a list of codes/algorithms, if my
hypothesis is correct*? (I've tried the samba websvn, but it isn't currently
available)

[2009/05/04 11:29:45,  3] smbd/sesssetup.c:reply_spnego_negotiate(802)
  reply_spnego_negotiate: Got secblob of size 1445
[2009/05/04 11:29:45,  3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2009/05/04 11:29:45,  3] libads/kerberos_verify.c:ads_verify_ticket(471)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2009/05/04 11:29:45,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2009/05/04 11:29:45,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

and
[2009/05/04 11:29:51,  3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(296)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2009/05/04 11:29:51,  3] libads/kerberos_verify.c:ads_verify_ticket(471)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)


-- 
pgp.mit.edu:0A4D0FDD
http://www.nilleb.com

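The two threads above, the "Kerberos tickets problem" post with its HOST/ versus host/ keytabs and the "bad encryption type" reply with its klist -e -k advice, both come down to what is actually inside the keytab. The following is an added example, not code from the thread or from Samba, MIT or Microsoft: it reads an MIT-format keytab (what ktpass and ktutil produce, version bytes 05 02), lists each entry's principal, kvno and enctype, and looks a service principal up with the exact spelling a client will present. Principal names are case-sensitive, so HOST/fqdn@REALM and host/fqdn@REALM are different entries, which is what separates "Key table entry not found" from a working login. Enctype numbers are the RFC 3961/4757 ones, so the "enc type [23]" in the Samba log is arcfour-hmac; the 296 and 471 in that log are source line numbers from Samba's file:function(line) log format, not algorithm codes. Single-DES entries (des-cbc-crc, des-cbc-md5) are flagged as weak, since 56-bit DES should not be relied on even where the thread uses it for convenience. The sample keytab is built in memory and is constructed data, not a file from the thread.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3}   # 56-bit single DES


def _counted(data, pos):
    """uint16 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per live entry of a version-2 MIT keytab. Per entry:
    int32 size (negative = deleted slot of that length), uint16 component
    count, realm, components, uint32 name type, uint32 timestamp, uint8 kvno,
    uint16 enctype, counted key, optional uint32 kvno overriding the 8-bit one."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # hole left by a removed entry; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        vno = vno8
        if end - pos >= 4:
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype, "keylen": len(key),
                        "enctype_name": ENCTYPES.get(enctype, f"etype-{enctype}"),
                        "weak": enctype in WEAK_ENCTYPES})
    return entries


def find_principal(entries, wanted):
    """('exact', entries) when the spelling matches; ('case-mismatch', entries)
    when only a differently-cased spelling exists, which is what produces
    'Key table entry not found'; ('missing', []) otherwise."""
    exact = [e for e in entries if e["principal"] == wanted]
    if exact:
        return "exact", exact
    near = [e for e in entries if e["principal"].lower() == wanted.lower()]
    return ("case-mismatch", near) if near else ("missing", [])


def _entry(principal, kvno, enctype, key):
    """Serialize one entry in the layout parse_keytab reads (sample builder)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xff)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: two ktpass outputs merged, differing in the case of the
# service name and in enctype (des-cbc-md5 vs arcfour-hmac), same kvno.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("HOST/host.example.com@EXAMPLE.COM", 7, 3, b"\x01" * 8)
                 + _entry("host/host.example.com@EXAMPLE.COM", 7, 23, b"\x02" * 16))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        flag = "  (weak enctype)" if e["weak"] else ""
        print(f"{e['kvno']:4d} {e['enctype_name']:24s} {e['principal']}{flag}")
```

Point it at the keytab ftp'd over from ktpass before installing it, and compare the kvno it shows with the one `net ads` looked up in AD (7 in the logs above): a kvno that lags the account's means the keytab was generated from an older password and every ticket will fail to decrypt.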