Ok, I will set that up tomorrow. I had it set up at one time, but thought that if I didn't have local users logging into the local system I didn't need it.
I really appreciate your quick and informative responses to my questions, Thomas and everyone else... I really appreciate it.

---------- Original Message ----------------------------------
From: "Thomas M. Skeren III" <[EMAIL PROTECTED]>
Date: Mon, 20 Dec 2004 20:12:05 -0800

Brian Kesting wrote:

>Even if I do not have users logging into this samba box locally, I still need
>to edit /etc/pam.d/login?
>

Yes

>---------- Original Message ----------------------------------
>From: "Thomas M. Skeren III" <[EMAIL PROTECTED]>
>Date: Mon, 20 Dec 2004 18:31:53 -0800
>
>Brian Kesting wrote:
>
>>When I made those changes to krb5.conf I got the following in my smb log
>>and I could not access my samba share...
>>
>>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>>  Failed to verify incoming ticket!
>>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>>  Failed to verify incoming ticket!
>>[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>>  Failed to verify incoming ticket!
>>[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>>  Failed to verify incoming ticket!
>>
>>Not sure what I am missing, I may just start this whole project over from
>>scratch and see if I have better luck.
>>
>As I stated in my guide,
>
>Note: If you have a server and it isn't a production server, has
>nothing of value on it, and you have been stuffing programs on it to get
>Samba to work with ADS, but failed, put that 5.3 Release install cd
>into the cdrom drive, and reinstall FBSD 5.3 formatting the drives along
>the way. Don't bug me if you didn't start with a nice clean install.
>
>Make sure you have the pam.d/login stuff done. Without it pam can't
>authenticate non local users.
>
>>---------- Original Message ----------------------------------
>>From: "Thomas M. Skeren III" <[EMAIL PROTECTED]>
>>Date: Mon, 20 Dec 2004 17:50:47 -0800
>>
>>Brian Kesting wrote:
>>
>>>I am using Suse 9.2 and heimdal 0.6.2
>>>
>>In that case you need:
>>
>> default_etypes = des-cbc-crc des-cbc-md5
>>default_etypes_des = des-cbc-crc des-cbc-md5
>>
>>In libdefaults. Read my whole response as I made changes throughout
>>your krb5.conf file. You may also need a keytab file, but I doubt it.
>>
>>>---------- Original Message ----------------------------------
>>>From: "Thomas M. Skeren III" <[EMAIL PROTECTED]>
>>>Date: Mon, 20 Dec 2004 17:43:07 -0800
>>>
>>>Brian Kesting wrote:
>>>
>>>>My setup looks about identical to the setup you have listed in the link you
>>>>provided.
>>>>
>>>>Since this line:
>>>>libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>krb5_cc_get_principal failed (No such file or directory)
>>>>
>>>>keeps appearing in my winbind log file, I am thinking it is a kerberos
>>>>problem too. Do you see anything wrong with my /etc/krb5.conf file?
>>>>
>>>>[libdefaults]
>>>> default_realm = WAYNE.LOCAL
>>>> clockskew = 300
>>>>
>>>Try adding:
>>>
>>>dns_lookup_realm = false
>>>dns_lookup_kdc = false
>>>
>>>Also which OS are you using? What Kerberos? The default etypes lines
>>>are necessary for Heimdal, but I don't think they are necessary for MIT.
>>>
>>>>[realms]
>>>>WAYNE.LOCAL = {
>>>> kdc = police.wayne.local
>>>> default_domain = WAYNE.LOCAL
>>>> kpasswd_server = police.wayne.local
>>>>}
>>>>
>>>Try:
>>>
>>>kdc = KERBEROS.WAYNE.LOCAL
>>>admin_server = police.wayne.local
>>>default_domain = wayne.local
>>>
>>>>[domain_realm]
>>>> .WAYNE.LOCAL = WAYNE.LOCAL
>>>>
>>>Probably not enough info here. Try: (Remember caps must be in caps).
>>>
>>>.wayne.local = WAYNE.LOCAL
>>>wayne.local = WAYNE.LOCAL
>>>.WAYNE.LOCAL = WAYNE.LOCAL
>>>kerberos.server = KERBEROS.WAYNE.LOCAL
>>>
>>>>[appdefaults]
>>>>pam = {
>>>> ticket_lifetime = 365d
>>>> renew_lifetime = 365d
>>>> forwardable = true
>>>> proxiable = false
>>>> retain_after_close = true
>>>> minimum_uid = 0
>>>>
>>>Pam stuff is more OS dependent, so I have no suggestions here. MAKE
>>>SURE THAT YOUR SAMBA SERVER IS USING THE W2K ADS SERVER AS DNS----THIS IS
>>>ABSOLUTELY CRITICAL.
>>>
>>>>---------- Original Message ----------------------------------
>>>>From: "Thomas M. Skeren III" <[EMAIL PROTECTED]>
>>>>Date: Mon, 20 Dec 2004 17:16:38 -0800
>>>>
>>>>Brian Kesting wrote:
>>>>
>>>>>Someone told me once to try to remove the Samba server from the domain,
>>>>>rename it, and rejoin the domain......would that solve any problems in
>>>>>your opinion?
>>>>>
>>>>That is an odd solution, unless AD is mangled with respect to the samba
>>>>server name. Methinks you have a kerberos problem. My servers are
>>>>FreeBSD, but I do have a bare bones guide for setting up samba as an AD
>>>>member server in FreeBSD. If you use Linux it can only be a reference,
>>>>but it's an easy read.
>>>>
>>>><http://www.fsklaw.com/fbsdconfig.html>
>>>>
>>>>>---------- Original Message ----------------------------------
>>>>>From: "Brian Kesting" <[EMAIL PROTECTED]>
>>>>>Reply-To: [EMAIL PROTECTED]
>>>>>Date: Mon, 20 Dec 2004 18:05:47 -0600
>>>>>
>>>>>I read something about nscd causing problems before I even installed the
>>>>>system, so I never even installed that service.
>>>>>
>>>>>Here is an updated /var/log/samba/log.winbindd file.....btw, thanks for
>>>>>the quick help and tips so far, I appreciate it.
>>>>>
>>>>>[2004/12/20 17:33:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>>krb5_cc_get_principal failed (No such file or directory)
>>>>>[2004/12/20 17:38:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:43:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:45:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>>user 'root' does not exist
>>>>>[2004/12/20 17:49:01, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:52:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
>>>>>ads_search_retry: failed to reconnect (Invalid credentials)
>>>>>
>>>>>---------- Original Message ----------------------------------
>>>>>From: Brett Stevens <[EMAIL PROTECTED]>
>>>>>Date: Tue, 21 Dec 2004 10:33:30 +1100
>>>>>
>>>>>One thing I noticed when having similar problems is that for some reason
>>>>>nscd seems to be a problem. Stop this service and restart all samba services
>>>>>including smbd nmbd and winbind
>>>>>
>>>>>Let us know how it goes.
>>>>>
>>>>>Brett Stevens
>>>>>
>>>>>-----Original Message-----
>>>>>From: Brian Kesting [mailto:[EMAIL PROTECTED]
>>>>>Sent: Tuesday, December 21, 2004 10:29 AM
>>>>>To: [EMAIL PROTECTED]
>>>>>Subject: [Samba] winbind problems
>>>>>
>>>>>Hello,
>>>>>
>>>>>I am running a Samba server (3.0.7) on a Suse 9.2 box. I have connected
>>>>>this server successfully to a Windows 2000 Active Directory (mixed mode). I
>>>>>have nsswitch.conf, krb5.conf configured and winbind seems to be running
>>>>>properly for the most part. With wbinfo I can get all of my user and group
>>>>>information. Problem is, it seems that at random times, the samba server
>>>>>just stops authenticating the windows user names and accounts. If I restart
>>>>>the winbind or smb service, then all seems to be well again for a while.
>>>>>Right now the only way I can keep this running is to run a cron job that
>>>>>restarts the samba and winbind services every hour. This is really bugging
>>>>>me as I cannot figure out what is going on. Can anyone help me? I have
>>>>>included some of my configuration and log files below. Thanks in advance.
>>>>>
>>>>>---------/etc/samba/smb.conf----------
>>>>># Samba Configuration File
>>>>>
>>>>>[global]
>>>>> workgroup = WAYNE
>>>>> realm = WAYNE.LOCAL
>>>>> server string = Samba Server
>>>>> security = ADS
>>>>> password server = adserver.wayne.local
>>>>> encrypt passwords = yes
>>>>> idmap uid = 10000-20000
>>>>> idmap gid = 10000-20000
>>>>> template shell = /bin/bash
>>>>> winbind use default domain = no
>>>>> winbind separator = /
>>>>>
>>>>>[users]
>>>>> comment = Users on Linux
>>>>> path = /home/WAYNE
>>>>> read only = No
>>>>> browseable = Yes
>>>>>
>>>>>---------/etc/nsswitch.conf-------
>>>>>passwd: files winbind
>>>>>group: files winbind
>>>>>hosts: files dns wins winbind
>>>>>networks: files dns
>>>>>
>>>>>---------/etc/krb5.conf-----------
>>>>>[libdefaults]
>>>>> default_realm = WAYNE.LOCAL
>>>>> clockskew = 300
>>>>>
>>>>>[realms]
>>>>>WAYNE.LOCAL = {
>>>>> kdc = police.wayne.local
>>>>> default_domain = WAYNE.LOCAL
>>>>> kpasswd_server = adserver.wayne.local
>>>>>}
>>>>>[domain_realm]
>>>>> .WAYNE.LOCAL = WAYNE.LOCAL
>>>>>[appdefaults]
>>>>>pam = {
>>>>> ticket_lifetime = 365d
>>>>> renew_lifetime = 365d
>>>>> forwardable = true
>>>>> proxiable = false
>>>>> retain_after_close = true
>>>>> minimum_uid = 0
>>>>>}
>>>>>
>>>>>----------/var/log/samba/log.smbd--------
>>>>>[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>>[2004/12/20 15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>>[2004/12/20 15:25:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>>[2004/12/20 15:25:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>>.
>>>>>.
>>>>>.
>>>>>[2004/12/20 16:04:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>>[2004/12/20 16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>>[2004/12/20 16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>>
>>>>>----------/var/log/samba/log.winbindd-------------------
>>>>>[2004/12/20 16:51:07, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 16:54:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>>krb5_cc_get_principal failed (No such file or directory)
>>>>>[2004/12/20 16:56:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 16:59:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>>user 'root' does not exist
>>>>>[2004/12/20 17:00:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>>user 'root' does not exist
>>>>>[2004/12/20 17:01:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:06:24, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:11:40, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>>[2004/12/20 17:15:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>>
>>>>>????
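To see which failure dominates across log.smbd and log.winbindd, the two-line records posted in this thread can be grouped by reporting function and message. This is an added example, not part of the original thread or of Samba; the names `parse_records`, `normalise` and `summarise` are hypothetical, and the sample input is copied from the log excerpts quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Header of a Samba 3.x log record: "[date time, debuglevel] file:function(line)"
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +(\d+)\] +([\w./]+):(\w+)\((\d+)\)"
)

def parse_records(text):
    """Yield (timestamp, level, function, message); a message runs to the next header,
    so multi-line messages and records run together on one line still parse."""
    matches = list(HEADER.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        message = " ".join(text[m.end():end].split())
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        yield ts, int(m.group(2)), m.group(4), message

def normalise(message):
    """Collapse per-account detail so identical failures group together."""
    message = re.sub(r"Username \S+ is invalid", "Username <account> is invalid", message)
    return re.sub(r"user '[^']*' does not", "user <name> does not", message)

def summarise(text):
    """Return {(function, message): (count, first_seen, last_seen)}."""
    seen = defaultdict(list)
    for ts, _level, func, message in parse_records(text):
        seen[(func, normalise(message))].append(ts)
    return {key: (len(v), min(v), max(v)) for key, v in seen.items()}

# Sample input: entries copied from the logs quoted in this thread.
SAMPLE = """\
[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/LIEUTENANT1$ is invalid on this system
[2004/12/20 16:04:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/DISPATCH_GW1$ is invalid on this system
[2004/12/20 16:54:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)
[2004/12/20 17:52:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
  ads_search_retry: failed to reconnect (Invalid credentials)
[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
"""

if __name__ == "__main__":
    for (func, msg), (n, first, last) in sorted(summarise(SAMPLE).items()):
        print(f"{n:3d}  {first:%H:%M:%S}-{last:%H:%M:%S}  {func}: {msg}")
```

Run against the real log files, the first-seen and last-seen times show whether a given failure is continuous or starts at a particular moment.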