Re: [Samba] ADS controller connection issue; clients work fine.

2004-03-22 Thread Tom Dickson
Jeremy Allison wrote:
| On Wed, Mar 17, 2004 at 11:31:40AM -0800, Tom Dickson wrote:
|
|Jeremy Allison wrote:
|| On Wed, Mar 17, 2004 at 09:26:45AM -0800, Tom Dickson wrote:
||
||I've joined Samba to the domain, and everything seems to work fine.
||Clients can login to their windows 2000 machines and access the Samba
||server, which authenticates using kerberos to the 2003 AD controller.
||
||However, if I logon ON the 2003 AD controller, it can't access the Samba
||server. The same user logged onto any of the clients does work fine.
||Changing the passwords and rebooting things does not seem to help.
||
||Am I missing something easy? I can get logs and config files if needed.
||
||
|| Debug 10 logs from the smbd would help.
||
|| Jeremy.
||
|| .
||
|Ok. See attached! Thank you!
|
|
| Ok, looking at this it looks like you have a problem with encryption
| types. Are you sure it's using krb5 to allow clients access ? It may
| be falling back to NTLMSSP. What does your krb5.conf look like ? What
| version of MIT Kerberos are you using ?
|
| Jeremy.
|
| .
|
Here's the krb5.conf setup from a similar machine that shows the same
problem against Windows 2003.
more /etc/krb5.conf
[libdefaults]
  default_realm = NETBENCHDOMAIN.LOCAL
#
[realms]
  NETBENCHDOMAIN.LOCAL = {
   kdc = NBSERVER.NETBENCHDOMAIN.LOCAL
  }
#
[domain_realms]
  .kerberos.server = NETBENCHDOMAIN.LOCAL
#===eof===
ls /usr/kerberos/lib/
libcom_err.so.3      libgssapi_krb5.so.2    libkadm5clnt.so.5    libkrb4.so.2
libcom_err.so.3.0    libgssapi_krb5.so.2.2  libkadm5clnt.so.5.0  libkrb4.so.2.0
libdes425.so.3       libgssrpc.so.3         libkadm5srv.so.5     libkrb5.so.3
libdes425.so.3.0     libgssrpc.so.3.0       libkadm5srv.so.5.0   libkrb5.so.3.1
libdyn.so.1          libk5crypto.so.3       libkdb5.so.3         libpty.so.1
libdyn.so.1.0        libk5crypto.so.3.0     libkdb5.so.3.1       libpty.so.1.2
I don't know how to find out the version any closer than that.

Another thing I noticed is that if I connect to the IP address of the
machine, it sometimes works, but not when connecting to the netbios name.
How do I verify that it is using krb5 for the clients, which seem to
work just fine? It also seems that sometimes it just starts working
after a long time.
-Tom
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
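
The check below is an added example, not part of the original thread and not Samba or MIT code. It parses a krb5.conf of the shape posted above and reports the points that bear on the encryption-type question: section names libkrb5 does not look up, a missing host-to-realm mapping, and enctype settings left to library defaults. The function names, the `KNOWN_SECTIONS` list and the embedded sample are assumptions made for the example.

```python
import re

# Top-level sections MIT Kerberos looks up in krb5.conf (list assumed for this example).
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "plugins", "logging"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample: same layout as the file quoted in the message above.
SAMPLE = """\
[libdefaults]
 default_realm = NETBENCHDOMAIN.LOCAL
[realms]
 NETBENCHDOMAIN.LOCAL = {
  kdc = NBSERVER.NETBENCHDOMAIN.LOCAL
 }
[domain_realms]
 .kerberos.server = NETBENCHDOMAIN.LOCAL
"""

def parse_krb5_conf(text):
    """Parse [section] headers, key = value pairs and nested { } blocks."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()                      # close a nested block
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def review(conf):
    """Return findings relevant to realm lookup and enctype negotiation."""
    findings = [f"section [{name}] is not one libkrb5 looks up"
                for name in conf if name not in KNOWN_SECTIONS]
    if "domain_realm" not in conf:
        findings.append("no [domain_realm] host-to-realm mapping in effect")
    unset = [key for key in ENCTYPE_KEYS if key not in conf.get("libdefaults", {})]
    if unset:
        findings.append("library default enctypes apply: " + ", ".join(unset) + " unset")
    return findings
```

Calling `review(parse_krb5_conf(open("/etc/krb5.conf").read()))` runs the same checks against a live file.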


Re: [Samba] ADS controller connection issue; clients work fine.

2004-03-19 Thread Jeremy Allison
On Wed, Mar 17, 2004 at 11:31:40AM -0800, Tom Dickson wrote:
 Jeremy Allison wrote:
 | On Wed, Mar 17, 2004 at 09:26:45AM -0800, Tom Dickson wrote:
 |
 |I've joined Samba to the domain, and everything seems to work fine.
 |Clients can login to their windows 2000 machines and access the Samba
 |server, which authenticates using kerberos to the 2003 AD controller.
 |
 |However, if I logon ON the 2003 AD controller, it can't access the Samba
 |server. The same user logged onto any of the clients does work fine.
 |Changing the passwords and rebooting things does not seem to help.
 |
 |Am I missing something easy? I can get logs and config files if needed.
 |
 |
 | Debug 10 logs from the smbd would help.
 |
 | Jeremy.
 |
 | .
 |
 Ok. See attached! Thank you!

Ok, looking at this it looks like you have a problem with encryption
types. Are you sure it's using krb5 to allow clients access ? It may
be falling back to NTLMSSP. What does your krb5.conf look like ? What
version of MIT Kerberos are you using ?

Jeremy.


[Samba] ADS controller connection issue; clients work fine.

2004-03-17 Thread Tom Dickson
I've joined Samba to the domain, and everything seems to work fine.
Clients can login to their windows 2000 machines and access the Samba
server, which authenticates using kerberos to the 2003 AD controller.

However, if I logon ON the 2003 AD controller, it can't access the Samba
server. The same user logged onto any of the clients does work fine.
Changing the passwords and rebooting things does not seem to help.

Am I missing something easy? I can get logs and config files if needed.

-Tom


Re: [Samba] ADS controller connection issue; clients work fine.

2004-03-17 Thread Jeremy Allison
On Wed, Mar 17, 2004 at 09:26:45AM -0800, Tom Dickson wrote:
 I've joined Samba to the domain, and everything seems to work fine.
 Clients can login to their windows 2000 machines and access the Samba
 server, which authenticates using kerberos to the 2003 AD controller.
 
 However, if I logon ON the 2003 AD controller, it can't access the Samba
 server. The same user logged onto any of the clients does work fine.
 Changing the passwords and rebooting things does not seem to help.
 
 Am I missing something easy? I can get logs and config files if needed.

Debug 10 logs from the smbd would help.

Jeremy.


Re: [Samba] ADS controller connection issue; clients work fine.

2004-03-17 Thread Tom Dickson
Jeremy Allison wrote:
| On Wed, Mar 17, 2004 at 09:26:45AM -0800, Tom Dickson wrote:
|
|I've joined Samba to the domain, and everything seems to work fine.
|Clients can login to their windows 2000 machines and access the Samba
|server, which authenticates using kerberos to the 2003 AD controller.
|
|However, if I logon ON the 2003 AD controller, it can't access the Samba
|server. The same user logged onto any of the clients does work fine.
|Changing the passwords and rebooting things does not seem to help.
|
|Am I missing something easy? I can get logs and config files if needed.
|
|
| Debug 10 logs from the smbd would help.
|
| Jeremy.
|
| .
|
Ok. See attached! Thank you!
bash-2.05a# wbinfo -t
checking the trust secret via RPC calls succeeded
smb.conf excerpt:
  password server = WIN2KNATIVE
  winbind uid = 1-1
  map to guest = never
  security = ads
  realm = NATIVEDOMAIN.LOCAL
  domain logons = no
  server string =
  workgroup = NATIVEDOMAIN
  winbind gid = 1-1
  netbios name = irepsource
  admin users = @NATIVEDOMAIN.LOCAL+Domain Admins
-Tom

[2004/03/17 11:28:51, 6] param/loadparm.c:lp_file_list_changed(2653)
  lp_file_list_changed()
  file /etc/samba/smb.conf - /etc/samba/smb.conf  last mod_time: Wed Mar 17 11:25:12 2004
  
[2004/03/17 11:28:51, 5] smbd/connection.c:claim_connection(170)
  claiming  0
[2004/03/17 11:28:51, 5] smbd/reply.c:reply_special(153)
  init msg_type=0x81 msg_flags=0x0
[2004/03/17 11:28:51, 6] lib/util_sock.c:write_socket(407)
  write_socket(16,4)
[2004/03/17 11:28:51, 6] lib/util_sock.c:write_socket(410)
  write_socket(16,4) wrote 4
[2004/03/17 11:28:51, 10] lib/util_sock.c:read_smb_length_return_keepalive(463)
  got smb length of 133
[2004/03/17 11:28:51, 6] smbd/process.c:process_smb(889)
  got message type 0x0 of len 0x85
[2004/03/17 11:28:51, 3] smbd/process.c:process_smb(890)
  Transaction 1 of length 137
[2004/03/17 11:28:51, 5] lib/util.c:show_msg(456)
[2004/03/17 11:28:51, 5] lib/util.c:show_msg(459)
  size=133
  smb_com=0x72
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51283
  smb_tid=0
  smb_pid=65279
  smb_uid=0
  smb_mid=0
  smt_wct=0
  smb_bcc=98
[2004/03/17 11:28:51, 10] lib/util.c:dump_data(1830)
  [000] 02 50 43 20 4E 45 54 57  4F 52 4B 20 50 52 4F 47  .PC NETW ORK PROG
  [010] 52 41 4D 20 31 2E 30 00  02 4C 41 4E 4D 41 4E 31  RAM 1.0. .LANMAN1
  [020] 2E 30 00 02 57 69 6E 64  6F 77 73 20 66 6F 72 20  .0..Wind ows for 
  [030] 57 6F 72 6B 67 72 6F 75  70 73 20 33 2E 31 61 00  Workgrou ps 3.1a.
  [040] 02 4C 4D 31 2E 32 58 30  30 32 00 02 4C 41 4E 4D  .LM1.2X0 02..LANM
  [050] 41 4E 32 2E 31 00 02 4E  54 20 4C 4D 20 30 2E 31  AN2.1..N T LM 0.1
  [060] 32 00 2. 
[2004/03/17 11:28:51, 3] smbd/process.c:switch_message(685)
  switch message SMBnegprot (pid 25431)
[2004/03/17 11:28:51, 3] smbd/sec_ctx.c:set_sec_ctx(287)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/17 11:28:51, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/03/17 11:28:51, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/03/17 11:28:51, 5] smbd/uid.c:change_to_root_user(217)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [LANMAN1.0]
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [Windows for Workgroups 3.1a]
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [LM1.2X002]
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [LANMAN2.1]
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(455)
  Requested protocol [NT LM 0.12]
[2004/03/17 11:28:51, 10] lib/util.c:set_remote_arch(1805)
  set_remote_arch: Client arch is 'Win2K'
[2004/03/17 11:28:51, 6] param/loadparm.c:lp_file_list_changed(2653)
  lp_file_list_changed()
  file /etc/samba/smb.conf - /etc/samba/smb.conf  last mod_time: Wed Mar 17 11:25:12 2004
  
[2004/03/17 11:28:51, 6] param/loadparm.c:lp_file_list_changed(2653)
  lp_file_list_changed()
  file /etc/samba/smb.conf - /etc/samba/smb.conf  last mod_time: Wed Mar 17 11:25:12 2004
  
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_nt1(329)
  using SPNEGO
[2004/03/17 11:28:51, 3] smbd/negprot.c:reply_negprot(532)
  Selected protocol NT LM 0.12
[2004/03/17 11:28:51, 5] smbd/negprot.c:reply_negprot(538)
  negprot index=5
[2004/03/17 11:28:51, 5] lib/util.c:show_msg(456)
[2004/03/17