Re: [Samba] ADS controller connection issue; clients work fine.
Jeremy Allison wrote:
| On Wed, Mar 17, 2004 at 11:31:40AM -0800, Tom Dickson wrote:
|
|Jeremy Allison wrote:
|| On Wed, Mar 17, 2004 at 09:26:45AM -0800, Tom Dickson wrote:
||
||I've joined Samba to the domain, and everything seems to work fine.
||Clients can login to their windows 2000 machines and access the Samba
||server, which authenticates using kerberos to the 2003 AD controller.
||
||However, if I logon ON the 2003 AD controller, it can't access the Samba
||server. The same user logged onto any of the clients does work fine.
||Changing the passwords and rebooting things does not seem to help.
||
||Am I missing something easy? I can get logs and config files if needed.
||
|| Debug 10 logs from the smbd would help.
||
|| Jeremy.
||
|Ok. See attached! Thank you!
|
| Ok, looking at this it looks like you have a problem with encryption
| types. Are you sure it's using krb5 to allow clients access ? It may
| be falling back to NTLMSSP. What does your krb5.conf look like ? What
| version of MIT Kerberos are you using ?
|
| Jeremy.

Here's the krb5.conf setup from a similar machine that shows the same
problem against Windows 2003.

more /etc/krb5.conf
[libdefaults]
  default_realm = NETBENCHDOMAIN.LOCAL
#
[realms]
  NETBENCHDOMAIN.LOCAL = {
  kdc = NBSERVER.NETBENCHDOMAIN.LOCAL
  }
#
[domain_realms]
  .kerberos.server = NETBENCHDOMAIN.LOCAL
#===eof===

ls /usr/kerberos/lib/
libcom_err.so.3    libgssapi_krb5.so.2    libkadm5clnt.so.5    libkrb4.so.2
libcom_err.so.3.0  libgssapi_krb5.so.2.2  libkadm5clnt.so.5.0  libkrb4.so.2.0
libdes425.so.3     libgssrpc.so.3         libkadm5srv.so.5     libkrb5.so.3
libdes425.so.3.0   libgssrpc.so.3.0       libkadm5srv.so.5.0   libkrb5.so.3.1
libdyn.so.1        libk5crypto.so.3       libkdb5.so.3         libpty.so.1
libdyn.so.1.0      libk5crypto.so.3.0     libkdb5.so.3.1       libpty.so.1.2

I don't know how to find out the version any closer than that.

Another thing I noticed is that if I connect to the IP address of the
machine, it sometimes works, but not when connecting to the netbios name.

How do I verify that it is using krb5 for the clients, which seem to work
just fine?

It also seems that sometimes it just starts working after a long time.

-Tom

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
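
The question raised above, whether a client is trying krb5 or falling back to NTLMSSP, can be checked from the SPNEGO token the client sends at session setup, because its mechanism list is in the client's preference order. The following is an added example, not part of the original thread or of Samba's code; the function names and both sample tokens are constructed for illustration, and it assumes the token bytes have already been obtained (for instance from a packet capture).

```python
# Added example: list the mechanisms a client offers in an SPNEGO token.
SPNEGO = "1.3.6.1.5.5.2"
MECHS = {"1.2.840.113554.1.2.2": "Kerberos 5",
         "1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft OID)",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def read_tlv(buf, pos):
    # Read one DER TLV at pos; a truncated header raises ValueError on unpack.
    tag, length = buf[pos:pos + 2]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def offered_mechs(blob):
    if blob.startswith(b"NTLMSSP\x00"):  # raw NTLMSSP, no SPNEGO wrapper
        return ["NTLMSSP"]
    tag, body, _ = read_tlv(blob, 0)
    tag2, oid, pos = read_tlv(body, 0)
    if (tag, tag2) != (0x60, 0x06) or decode_oid(oid) != SPNEGO:
        raise ValueError("not a GSS-API SPNEGO initial token")
    # Descend: [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    for want in (0xA0, 0x30, 0xA0, 0x30):
        tag, body, _ = read_tlv(body, pos)
        pos = 0
        if tag != want:
            raise ValueError("unexpected tag 0x%02x" % tag)
    mechs = []
    while pos < len(body):
        tag, oid, pos = read_tlv(body, pos)
        mechs.append(MECHS.get(decode_oid(oid), decode_oid(oid)))
    return mechs

# Constructed sample tokens (not taken from the thread's logs).
KRB_FIRST = bytes.fromhex("603206062b0601050502a0283026a024302206092a864882f712010202"
                          "06092a864886f712010202060a2b06010401823702020a")
NTLM_ONLY = bytes.fromhex("601c06062b0601050502a0123010a00e300c"
                          "060a2b06010401823702020a")
```

A client whose first entry is NTLMSSP, or which sends a raw NTLMSSP blob, is not attempting Kerberos at all; a Kerberos-first list only shows what the client prefers, not what was finally accepted.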
Re: [Samba] ADS controller connection issue; clients work fine.
On Wed, Mar 17, 2004 at 11:31:40AM -0800, Tom Dickson wrote:
> Jeremy Allison wrote:
> | On Wed, Mar 17, 2004 at 09:26:45AM -0800, Tom Dickson wrote:
> |
> |I've joined Samba to the domain, and everything seems to work fine.
> |Clients can login to their windows 2000 machines and access the Samba
> |server, which authenticates using kerberos to the 2003 AD controller.
> |
> |However, if I logon ON the 2003 AD controller, it can't access the Samba
> |server. The same user logged onto any of the clients does work fine.
> |Changing the passwords and rebooting things does not seem to help.
> |
> |Am I missing something easy? I can get logs and config files if needed.
> |
> | Debug 10 logs from the smbd would help.
> |
> | Jeremy.
>
> Ok. See attached! Thank you!

Ok, looking at this it looks like you have a problem with encryption
types. Are you sure it's using krb5 to allow clients access ? It may
be falling back to NTLMSSP. What does your krb5.conf look like ? What
version of MIT Kerberos are you using ?

Jeremy.
[Samba] ADS controller connection issue; clients work fine.
I've joined Samba to the domain, and everything seems to work fine.
Clients can login to their windows 2000 machines and access the Samba
server, which authenticates using kerberos to the 2003 AD controller.

However, if I logon ON the 2003 AD controller, it can't access the Samba
server. The same user logged onto any of the clients does work fine.
Changing the passwords and rebooting things does not seem to help.

Am I missing something easy? I can get logs and config files if needed.

-Tom
Re: [Samba] ADS controller connection issue; clients work fine.
On Wed, Mar 17, 2004 at 09:26:45AM -0800, Tom Dickson wrote:
> I've joined Samba to the domain, and everything seems to work fine.
> Clients can login to their windows 2000 machines and access the Samba
> server, which authenticates using kerberos to the 2003 AD controller.
>
> However, if I logon ON the 2003 AD controller, it can't access the Samba
> server. The same user logged onto any of the clients does work fine.
> Changing the passwords and rebooting things does not seem to help.
>
> Am I missing something easy? I can get logs and config files if needed.

Debug 10 logs from the smbd would help.

Jeremy.
Re: [Samba] ADS controller connection issue; clients work fine.
Jeremy Allison wrote:
| On Wed, Mar 17, 2004 at 09:26:45AM -0800, Tom Dickson wrote:
|
|I've joined Samba to the domain, and everything seems to work fine.
|Clients can login to their windows 2000 machines and access the Samba
|server, which authenticates using kerberos to the 2003 AD controller.
|
|However, if I logon ON the 2003 AD controller, it can't access the Samba
|server. The same user logged onto any of the clients does work fine.
|Changing the passwords and rebooting things does not seem to help.
|
|Am I missing something easy? I can get logs and config files if needed.
|
| Debug 10 logs from the smbd would help.
|
| Jeremy.

Ok. See attached! Thank you!

bash-2.05a# wbinfo -t
checking the trust secret via RPC calls succeeded

smb.conf excerpt:
  password server = WIN2KNATIVE
  winbind uid = 1-1
  map to guest = never
  security = ads
  realm = NATIVEDOMAIN.LOCAL
  domain logons = no
  server string =
  workgroup = NATIVEDOMAIN
  winbind gid = 1-1
  netbios name = irepsource
  admin users = @NATIVEDOMAIN.LOCAL+Domain Admins

-Tom

[2004/03/17 11:28:51, 6] param/loadparm.c:lp_file_list_changed(2653)
  lp_file_list_changed()
  file /etc/samba/smb.conf - /etc/samba/smb.conf last mod_time: Wed Mar 17 11:25:12 2004
[2004/03/17 11:28:51, 5] smbd/connection.c:claim_connection(170)
  claiming 0
[2004/03/17 11:28:51, 5] smbd/reply.c:reply_special(153)
  init msg_type=0x81 msg_flags=0x0
[2004/03/17 11:28:51, 6] lib/util_sock.c:write_socket(407)
  write_socket(16,4)
[2004/03/17 11:28:51, 6] lib/util_sock.c:write_socket(410)
  write_socket(16,4) wrote 4
[2004/03/17 11:28:51, 10] lib/util_sock.c:read_smb_length_return_keepalive(463)
  got smb length of 133
[2004/03/17 11:28:51, 6] smbd/process.c:process_smb(889)
  got message type 0x0 of len 0x85
[2004/03/17 11:28:51, 3] smbd/process.c:process_smb(890)
  Transaction 1 of length 137
[2004/03/17 11:28:51, 5] lib/util.c:show_msg(456)
[2004/03/17 11:28:51, 5] lib/util.c:show_msg(459)
  size=133
  smb_com=0x72
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51283
  smb_tid=0
  smb_pid=65279
  smb_uid=0
  smb_mid=0
  smt_wct=0
  smb_bcc=98
[2004/03/17 11:28:51, 10] lib/util.c:dump_data(1830)
  [000] 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 .PC NETW ORK PROG
  [010] 52 41 4D 20 31 2E 30 00 02 4C 41 4E 4D 41 4E 31 RAM 1.0. .LANMAN1
  [020] 2E 30 00 02 57 69 6E 64 6F 77 73 20 66 6F 72 20 .0..Wind ows for
  [030] 57 6F 72 6B 67 72 6F 75 70 73 20 33 2E 31 61 00 Workgrou ps 3.1a.
  [040] 02 4C 4D 31 2E 32 58 30 30 32 00 02 4C 41 4E 4D .LM1.2X0 02..LANM
  [050] 41 4E 32 2E 31 00 02 4E 54 20 4C 4D 20 30 2E 31 AN2.1..N T LM 0.1
  [060] 32 00 2.
[2004/03/17 11:28:51, 3] smbd/process.c:switch_message(685)
  switch message SMBnegprot (pid 25431)
[2004/03/17 11:28:51, 3] smbd/sec_ctx.c:set_sec_ctx(287)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/17 11:28:51, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/03/17 11:28:51, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/03/17 11:28:51, 5] smbd/uid.c:change_to_root_user(217)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [LANMAN1.0]
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [Windows for Workgroups 3.1a]
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [LM1.2X002]
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [LANMAN2.1]
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [NT LM 0.12]
[2004/03/17 11:28:51, 10] lib/util.c:set_remote_arch(1805)
  set_remote_arch: Client arch is 'Win2K'
[2004/03/17 11:28:51, 6] param/loadparm.c:lp_file_list_changed(2653)
  lp_file_list_changed()
  file /etc/samba/smb.conf - /etc/samba/smb.conf last mod_time: Wed Mar 17 11:25:12 2004
[2004/03/17 11:28:51, 6] param/loadparm.c:lp_file_list_changed(2653)
  lp_file_list_changed()
  file /etc/samba/smb.conf - /etc/samba/smb.conf last mod_time: Wed Mar 17 11:25:12 2004
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_nt1(329)
  using SPNEGO
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(532)
  Selected protocol NT LM 0.12
[2004/03/17 11:28:51, 5] smbd/negprot.c:reply_negprot(538)
  negprot index=5
[2004/03/17 11:28:51, 5] lib/util.c:show_msg(456)
[2004/03/17