Fix provided below.

On Tue, 2004-07-20 at 18:06, Greg Folkert wrote:
> Okay, the gist of this whole thing: I get this infamous (?) problem. I
> have been trying to search through the archives of samba-general on gmane
> and also in my archive of this list. I have only seen requests for the
> magical answer.
>
> Environment: W2K/W2K3 mixed ADS going Native ADS only soon. Samba 3.0.4
> compiled from source on a RHEL AS30 machine. MIT Kerberos v1.3.4 also
> compiled from source.
>
> Kernel == 2.4.21-15.0.2.ELhugemem #1 SMP Wed Jun 16 22:36:51 EDT 2004
> i686 athlon i386 GNU/Linux
>
>
> Here is the problem in a nutshell:
>
> [EMAIL PROTECTED] root]# net ads join Computers -S mydc1.mynetwork.com
> [2004/07/20 15:06:09, 0] libads/ldap.c:ads_join_realm(1336)
>   ads_add_machine_acct: Insufficient access
> ads_join_realm: Insufficient access
>
> and the important pieces of smb.conf:
>
> [global]
>         workgroup = MYNETWORK
>         netbios name = ROAR
>         server string = Lotsa Room
>         security = ADS
>         realm = MYNETWORK.COM
>         auth methods = winbind
>         password server = mydc1.mynetwork.com
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>         lanman auth = No
>         ntlm auth = No
>         client NTLMv2 auth = Yes
>         client lanman auth = No
>         client plaintext auth = No
>         syslog = 0
>         log file = /var/log/samba/log.%m
>         max log size = 10000
>         smb ports = 445
>         disable netbios = Yes
>         max xmit = 65535
>         name resolve order = host wins lmhosts bcast
>         #tried both spnego Yes and No same diff.
>         use spnego = Yes
>         # use spnego = No
>         server signing = auto
>         deadtime = 10080
>         socket options = IPTOS_LOWDELAY TCP_NODELAY
>         logon path =
>         logon home =
>         os level = 49
>         preferred master = No
>         local master = No
>         domain master = No
>         dns proxy = No
>         ldap ssl = no
>         idmap uid = 10000-40000
>         idmap gid = 10000-40000
>         winbind separator = +
>         winbind nested groups = Yes
>         winbind cache time = 20
>         template homedir = /home/%D/%U
>         invalid users = root
>         ea support = Yes
>         hide special files = Yes
>         hide unreadable = Yes
>
> And here is my klist:
>
> [EMAIL PROTECTED] root]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 07/20/04 16:21:53  07/21/04 02:22:01  krbtgt/[EMAIL PROTECTED]
>         renew until 07/21/04 16:21:53
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> Yes, [EMAIL PROTECTED] has rights to create users and machines in the
> AD Tree in "Computers"
>
> So, now, given that this is an existing problem in v3.0.4, I have to
> show the way I configured and compiled it. I also compiled MIT Kerberos
> v1.3.4 the proper way (similar to this). Personally I like integrations.
>
> Here is the configure for samba v3.0.4:
>
> ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
>   --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
>   --datadir=/usr/share --includedir=/usr/include \
>   --libdir=/usr/lib --libexecdir=/usr/libexec \
>   --localstatedir=/var --sharedstatedir=/usr/com \
>   --mandir=/usr/share/man --infodir=/usr/share/info \
>   --with-acl-support --with-automount \
>   --with-codepagedir=/usr/share/samba/codepages --with-fhs \
>   --with-libsmbclient --with-lockdir=/var/cache/samba --with-pam \
>   --with-pam_smbpass --with-piddir=/var/run \
>   --with-privatedir=/etc/samba --with-quotas --with-smbmount \
>   --with-swatdir=/usr/share/swat --with-syslog --with-utmp \
>   --with-vfs --without-smbwrapper --with-ads --with-winbind \
>   --with-krb5
>
> Here is the configure for krb5-1.3.4:
>
> ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
>   --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
>   --datadir=/usr/share --includedir=/usr/include \
>   --libdir=/usr/lib --libexecdir=/usr/libexec \
>   --localstatedir=/var --sharedstatedir=/usr/com \
>   --mandir=/usr/share/man --infodir=/usr/share/info CC=gcc \
>   CFLAGS="-O2 -g -pipe -march=i386 -mcpu=i686 -I/usr/include/et \
>   -fPIC" LDFLAGS= CPPFLAGS="-I/usr/include/et" --enable-shared \
>   --enable-static --bindir=/usr/kerberos/bin \
>   --mandir=/usr/kerberos/man --sbindir=/usr/kerberos/sbin \
>   --datadir=/usr/kerberos/share --localstatedir=/var/kerberos \
>   --with-krb4 --with-system-et --with-system-ss --without-tcl \
>   --enable-dns
>
> Now, maybe this could be one of those problems where someone has had a
> chance to fix this. Or maybe someone used a workaround, or knows WHY.
>
> All I know, W2K/W2K3 AD driven Kerberos is heavily undocumented. And
> provides little in the way of useful logs... telling me what might be
> the problem on that end.
>
> Much thanks to anyone that has a good fix or knows where to look or
> *SOMETHING*
Much thanks to ME!

I went home after asking this. I ate dinner, did some online gaming... did the family thing. I decided to start over with a fresh smb.conf. I logged into the machine, checked my kerberos ticket, which was still valid, and having changed nothing for 2+ hours, I thought what the heck. I tried again:

[EMAIL PROTECTED] root]# net ads join Computers -S mydc1.mynetwork.com
[2004/07/20 19:36:12, 0] libads/ldap.c:ads_add_machine_acct(1086)
  Warning: ads_set_machine_sd: Unexpected information received
Using short domain name -- MYNETWORK
Joined 'ROAR' to realm 'MYNETWORK.COM'

I have to say, this baffles me. But it is understandable, given I have worked with Novell Netware and eDIR (or NDS as it was previously known) for 9+ years. Time was nearly always the fix for these kinds of things: replication issues, synchronization issues, massive changes and overall performance. Patience is a virtue even these days. I just wish some companies had this virtue as well.

-- 
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux