[Samba] inter domain trust not working

2012-11-06 Thread Razvan Cosma
 Hello,
I am trying to make a RHEL6 box (samba-winbind-3.5.10-125.el6.x86_64)
accept logins from a trusted domain; all is working fine for the primary
domain, pam_winbind+pam_mkhomedir allow logins for domain users, when
checking the trusted one though

# net rpc trustdom list -Utest%pass
 Trusted domains list:
 TRUSTED S-1-2-5-etcetc
 Unable to find a suitable server for domain TRUSTED
 domain controller is not responding: NT_STATUS_UNSUCCESSFUL
 TRUSTED  couldn't get domain's sid

There are no trusting domains set.

A tcpdump while running the above command shows the client connecting to
the primary domain controller (which also has all the other roles), then
making a DNS query for
 SRV? _ldap._tcp.pdc._msdcs.TRUSTED.
to which it gets an NXDomain.
This query should not be made, and will not get an answer; the correct one
would be
SRV? _ldap._tcp.pdc._msdcs.TRUSTED.LOCAL
which does exist and returns all the SRV records as expected.

Windows clients do work in the same network/VLAN; any hints on what makes
Samba choke after that query are greatly appreciated.

For reference,
smb.conf:
workgroup = PRIMARY
password server = thedc.primary.local
winbind use default domain = no
realm = PRIMARY.LOCAL
security = ads
encrypt passwords = yes
krb5.conf:
[libdefaults]
 default_realm = PRIMARY.LOCAL
 dns_lookup_realm = yes
 dns_lookup_kdc = yes
 forwardable = false
[realms]
 PRIMARY.LOCAL = {
 }
 TRUSTED.LOCAL = {
 }
[domain_realm]
 .primary.local = PRIMARY.LOCAL
 primary.local = PRIMARY.LOCAL
 .trusted.local = TRUSTED.LOCAL
 trusted.local = TRUSTED.LOCAL
(yes, the realm definitions are empty, as everything should work via DNS. I
have also tried specifying admin_server,default_domain and kdc for the
trusted realm, no dice)

thedc.primary.local is set in resolv.conf on the client
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] another one of those "cannot authenticate against AD" posts :(

2003-09-25 Thread Razvan Cosma
  Hello,
I had a perfectly good setup with samba being a domain member, and 
domain users accessing their shares, since beta1. A month and several 
updates from M$ later, clients were no longer able to log on to the 
samba machine. I know this must be related to the updates, since there 
have been absolutely no configuration / application modifications on the 
linux box, and clients who forgot to install the patches were still able 
to login.
Hint for the docs: the bloody windows update rewrote the rtfm 
signorseal registry key, but that can be enforced globally from the 
domain controller.
Now I'm trying with the latest beta - or first stable, as you call it 
since yesterday :)
Status:
- linux box joins the AD fine
- kinit -v, smbclient -k, net ads whatever work as expected, no errors
- no one can login to the samba box. Win 2k/xp report the 
username/password is incorrect, and the logs state:

[2003/09/25 20:20:01, 3] smbd/process.c:process_smb(890)
 Transaction 10 of length 250
[2003/09/25 20:20:01, 3] smbd/process.c:switch_message(685)
 switch message SMBsesssetupX (pid 343)
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:set_sec_ctx(288)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X(579)
 wct=12 flg2=0xc807
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(476)
 Doing spnego session setup
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
 NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 
5.1]
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
 Got OID 1 3 6 1 4 1 311 2 2 10
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_spnego_negotiate(388)
 Got secblob of size 50
[2003/09/25 20:20:01, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(33)
 Got NTLMSSP neg_flags=0xe008b297
[2003/09/25 20:20:01, 3] smbd/process.c:process_smb(890)
 Transaction 11 of length 338
[2003/09/25 20:20:01, 3] smbd/process.c:switch_message(685)
 switch message SMBsesssetupX (pid 343)
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:set_sec_ctx(288)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X(579)
 wct=12 flg2=0xc807
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(476)
 Doing spnego session setup
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
 NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 
5.1]
[2003/09/25 20:20:01, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
 Got user=[Thatsme] domain=[Mydomain] workstation=[Mine] len1=24 len2=24
[2003/09/25 20:20:01, 3] auth/auth.c:check_ntlm_password(216)
 check_ntlm_password:  Checking password for unmapped user 
[EMAIL PROTECTED] with the new password interface
[2003/09/25 20:20:01, 3] auth/auth.c:check_ntlm_password(219)
 check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:push_sec_ctx(256)
 push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/09/25 20:20:01, 3] smbd/uid.c:push_conn_ctx(287)
 push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:set_sec_ctx(288)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/25 20:20:01, 3] auth/auth_util.c:make_server_info_info3(1009)
 User Thatsme does not exist, trying to add it
[2003/09/25 20:20:01, 0] auth/auth_util.c:make_server_info_info3(1017)

 make_server_info_info3: pdb_init_sam failed!
... I don't understand this one ..
[2003/09/25 20:20:01, 2] auth/auth.c:check_ntlm_password(309)

 check_ntlm_password:  Authentication for user [Thatsme] -> [Thatsme] 
FAILED with error NT_STATUS_NO_SUCH_USER
... and I definitely have a domain logon ..

[2003/09/25 20:20:04, 3] smbd/process.c:timeout_processing(1099)
 timeout_processing: End of file from client (client has disconnected).
I tried raising the debug level info and got some interesting lines:

[2003/09/25 23:03:09, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
 ads_verify_ticket: enc type [16] failed to decrypt with error Bad 
encryption type
[2003/09/25 23:03:09, 10] libads/kerberos_verify.c:ads_verify_ticket(303)
 ads_verify_ticket: enc type [3] decrypted message !
[2003/09/25 23:03:09, 10] passdb/secrets.c:secrets_named_mutex_release(709)
 secrets_named_mutex: released mutex for replay cache mutex
[2003/09/25 23:03:09, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
 Got KRB5 session key of length 8
...

[2003/09/25 23:03:09, 3] smbd/sesssetup.c:reply_spnego_kerberos(178)
 Ticket name is [EMAIL PROTECTED]
[2003/09/25 23:03:09, 5] lib/username.c:Get_Pwnam(288)
 Finding user MYDOMAIN.COM\Thatsme
[2003/09/25 23:03:09, 5] lib/username.c:Get_Pwnam_internals(223)
 Trying _Get_Pwnam(), username as lowercase is mydomain.com\thatsme
..and uppercase, and combinations, with and without the domain name 
appended..

[2003/09/25 23:03:10, 1] smbd/sesssetup.c

[Samba] get file information from smb share

2003-08-18 Thread Razvan Cosma
  Hello,
 I (and probably everyone else) noticed that right-clicking on a file 
located on a remote share (at least in the windows explorer) provides a 
lot of useful info besides the size & access rights. It does that 
without transferring the entire file, so what I'm wondering is whether there is 
a way to access that info using libsmbclient (meaning: is this part of 
the smb/cifs protocol specification or just an explorer feature)?

 Regards,
Razvan Cosma


RE: [Samba] Samba 3b3 + ADS

2003-07-31 Thread Razvan Cosma
> I've been trying for a couple of days to get ADS support built into
> Samba 3.  I've been searching the archives for something that will help
> me out, but nothing seems to work.
> 
> Here's what I've tried, first on FreeBSD 4.8:
> 
> FreeBSD 4.8
> Samba 3b3, ./configure --with-ads --with-krb5=/usr (I installed FBSD
> krb5 from /usr/src/kerberos5) works like a charm.  make works and I see
> all the fancy ads stuff fly by the screen like it's compiling.  I then
> test source/bin/net ads - "ADS support not compiled in".
> 
Same problem here.. linux slackware. Is it necessary to also have the
ldap libraries installed?



[Samba] samba 3 active directory

2003-07-31 Thread Razvan Cosma
  Hello,

 I'm posting this only in the event somebody else does a search in the
mlist archive for such keywords (I know I did), hope you won't mind. 
Status: IT WORKS! :)
 Steps taken:
Install Slackware (well, that was already in place). 
Install PAM (Linux-PAM-0.77, plain ./configure) - this I will need later
for Postfix SMTP auth against AD. 
Install Kerberos (krb5-1.2.8, ./configure --prefix=/usr/local/kerberos 
--without-krb4 --enable-dns --enable-dns-for-kdc --enable-dns-for-realm 
--enable-shared). 
Install OpenLDAP (openldap-2.1.22, ./configure --disable-slapd
--disable-slurpd). 
Install Samba (samba-3.0.0beta3, ./configure --prefix=/usr/local/samba 
--with-smbwrapper --with-dce-dfs --with-ads --with-smbmount --with-pam
--with-libsmbclient --with-acl-support --with-winbind 
--with-krb5=/usr/local/kerberos --without-quotas --with-ldap)

joe /etc/krb5.conf
[realms]
 DOM.AIN = {
  kdc = DC.DOM.AIN
 }
test with 
kinit [EMAIL PROTECTED]

joe /usr/local/samba/lib/smb.conf
[global]
security = ADS
realm = DOM.AIN
winbind use default domain = yes
wins server = dc.dom.ain
encrypt passwords = yes
password server = dc.dom.ain

net ads join  -U Administrator
nmbd -D
smbd -D
winbindd

..that's all I think

PS. Thanks to the Samba team for the great work



[Samba] ADS authentication.. almost works

2003-07-28 Thread Razvan Cosma
  Hello,

 Beta 3, ./configure --with-ads & krb5, slackware system (no PAM). 
Things seem to be correctly configured, done the net join part without 
errors, I can use e.g. smbclient -L or wbinfo -u, but users cannot access 
shares on the Samba machine. Snip from the log (trying to connect from 
the domain controller on which I'm logged as administrator):

[2003/07/28 14:52:27, 3] auth/auth.c:check_ntlm_password(216)
  check_ntlm_password:  Checking password for unmapped user 
[EMAIL PROTECTED] with the new password interface
[2003/07/28 14:52:27, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  mapped user is: 
[EMAIL PROTECTED]
[2003/07/28 14:52:27, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/07/28 14:52:27, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/07/28 14:52:27, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/07/28 14:52:27, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(182)
  startsmbfilepwent_internal: unable to open file 
/usr/local/samba/private/smbpasswd. Error was No such file or directory
[2003/07/28 14:52:27, 0] passdb/pdb_smbpasswd.c:smbpasswd_getsampwnam(1284)
  Unable to open passdb database.
[2003/07/28 14:52:27, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/07/28 14:52:27, 3] auth/auth_sam.c:check_sam_security(439)
  Couldn't find user 'Administrator' in passdb file.
[2003/07/28 14:52:27, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  Authentication for user [Administrator] -> 
[Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2003/07/28 14:52:27, 3] smbd/process.c:process_smb(878)
  Transaction 3 of length 214
[2003/07/28 14:52:27, 3] smbd/process.c:switch_message(673)
  switch message SMBsesssetupX (pid 14296)
[2003/07/28 14:52:27, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/07/28 14:52:27, 3] smbd/sesssetup.c:reply_sesssetup_and_X(551)
  wct=12 flg2=0xc807
[2003/07/28 14:52:27, 2] smbd/sesssetup.c:setup_new_vc_session(507)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2003/07/28 14:52:27, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(448)
  Doing spnego session setup
[2003/07/28 14:52:27, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(472)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
[2003/07/28 14:52:27, 3] smbd/sesssetup.c:reply_spnego_negotiate(353)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2003/07/28 14:52:27, 3] smbd/sesssetup.c:reply_spnego_negotiate(360)
  Got secblob of size 44
[2003/07/28 14:52:27, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(33)
  Got NTLMSSP neg_flags=0xe008b297
[2003/07/28 14:52:27, 3] smbd/process.c:process_smb(878)
  Transaction 4 of length 310
[2003/07/28 14:52:27, 3] smbd/process.c:switch_message(673)
  switch message SMBsesssetupX (pid 14296)
[2003/07/28 14:52:27, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/07/28 14:52:27, 3] smbd/sesssetup.c:reply_sesssetup_and_X(551)
  wct=12 flg2=0xc807
[2003/07/28 14:52:27, 2] smbd/sesssetup.c:setup_new_vc_session(507)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2003/07/28 14:52:27, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(448)
  Doing spnego session setup
[2003/07/28 14:52:27, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(472)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
[2003/07/28 14:52:27, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(283)
  Got user=[Administrator] domain=[DOMAIN] workstation=[DOMAINCTL] 
len1=24 len2=24
[2003/07/28 14:52:27, 3] auth/auth.c:check_ntlm_password(216)
  check_ntlm_password:  Checking password for unmapped user 
[EMAIL PROTECTED] with the new password interface
[2003/07/28 14:52:27, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  mapped user is: 
[EMAIL PROTECTED]
[2003/07/28 14:52:27, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/07/28 14:52:27, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/07/28 14:52:27, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/07/28 14:52:27, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(182)
  startsmbfilepwent_internal: unable to open file 
/usr/local/samba/private/smbpasswd. Error was No such file or directory
[2003/07/28 14:52:27, 0] passdb/pdb_smbpasswd.c:smbpasswd_getsampwnam(1284)
  Unable to open passdb database.
[2003/07/28 14:52:27, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/07/28 14:52:27, 3] auth/auth_sam.c:check_sam_security(439)
  Couldn't find user 'Administrator' in passdb file.
[2003/07/28 14:52:27, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  Authentication for user [Administrator] -> 
[Administrator] FAILED with error NT_STAT
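
An added example, not part of the original posts and not Samba project code: a small parser for smbd debug logs in the format quoted in the 2003-09-25 and 2003-07-28 messages. It rejoins mail-wrapped message lines and pairs each failed logon with the level-0 errors logged just before it; the sample log and the user names in it are constructed.

```python
import re

# Constructed sample in the smbd log format quoted above, with a mail-wrapped message.
SAMPLE_LOG = """\
[2003/07/28 14:52:27, 0] passdb/pdb_smbpasswd.c:smbpasswd_getsampwnam(1284)
  Unable to open passdb database.
[2003/07/28 14:52:27, 3] auth/auth_sam.c:check_sam_security(439)
  Couldn't find user 'alice' in passdb file.
[2003/07/28 14:52:27, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  Authentication for user [alice] ->
[alice] FAILED with error NT_STATUS_NO_SUCH_USER
[2003/07/28 14:52:31, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(448)
  Doing spnego session setup
[2003/07/28 14:52:31, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# Record header: "[date time, level] source.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] (\S+?:\w+)\(\d+\)\s*$")
FAILED = re.compile(r"Authentication for user \[(.*?)\] -> \[.*?\] FAILED with error (\S+)")

def parse_records(text):
    """Yield one dict per log record, joining wrapped continuation lines."""
    rec = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if rec is not None:
                yield rec
            rec = {"time": m.group(1), "level": int(m.group(2)), "where": m.group(3), "msg": ""}
        elif rec is not None and line.strip():
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    if rec is not None:
        yield rec

def auth_failures(text):
    """Return failed logons, each with the level-0 errors seen since the previous failure."""
    out, errors = [], []
    for rec in parse_records(text):
        if rec["level"] == 0:
            errors.append(rec["msg"])
        m = FAILED.search(rec["msg"])
        if m:
            out.append({"time": rec["time"], "user": m.group(1), "status": m.group(2), "errors": errors})
            errors = []
    return out

if __name__ == "__main__":
    for f in auth_failures(SAMPLE_LOG):
        print(f["time"], f["user"], f["status"], f["errors"])
```

A status that is cut off in the log is reported exactly as it appears, and a header line that is itself truncated is treated as a continuation of the previous record.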