2011/3/11 Brian O'Mahony <[email protected]>:
> Hi there, just recently joined this list as I seem to be having a little 
> trouble that I am hoping someone can help with.
>
> I recently installed a RHEL5.5 server and updated samba to 
> samba3-3.4.11-42.el5.x86_64.rpm. I had never set up samba to authenticate 
> with ADS so I read a little bit and dove right in. The server now works fine, 
> so when I browse to \\machinename no login box pops 
> up, and I see the shares, and every user in the domain can write to them.
>
> So far so good. I then try to replicate this on another server and then the 
> problems started. Here is the procedure I followed:
>
> I copied smb.conf, krb5.conf over to the new server from the working copy. 
> Edited nsswitch.conf to add winbind to the end of passwd, group and shadow.
>
> I then ran "kinit admin". This worked. I then ran kdestroy to destroy the 
> token.
>
> [root@rhel5u5live ~]# net ads join -U ictadmin
> Enter ictadmin's password:
> Using short domain name -- XXX
> Joined 'RHEL5U5LIVE' to realm 'xxx.com'
> [root@rhel5u5live ~]# net ads testjoin
> Join is OK
> [root@rhel5u5live ~]# wbinfo -u | grep brian.om
> XXX/brian.omahony
>
>
> So it seems to be able to look up users etc on the Domain controller. 
> However, when I browse to \\machinename a login box pops 
> up. I *know* I must have forgotten something, but can't figure out what.

Welcome to my world. I have exactly the same issue - one server works
fine, the other doesn't, even though all the wb tests seem to be fine.

Is it an XP client, by any chance?

I've narrowed it down to a Kerberos issue, I believe. If you run

    net use \\servername\share /user:XXX/brian.omahony

does it work correctly without asking for a password? This seems to be
NTLM vs Kerberos auth, but I can't get any further than that.

One thing to check: make sure that you have FQDN entries in the
server's /etc/hosts (or as reverse entries in DNS) for your DC and the
server itself, i.e. when you do

  dig -x 192.168.6.10

(the ip address of the server, obviously) from the server, do you get
the full domain name or just the hostname? Various pages suggest that
might be the cause of the problem, although it doesn't help me.

Geoff
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
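
The /etc/hosts half of the check suggested above, as an added example that is not part of the original message: for a given IP it reports whether the first (canonical) name on the line is a full domain name or only the short hostname. The example.com names and the 192.168.6.1 DC address are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an /etc/hosts-style file
# lists the FQDN first for an address. The first name after the IP is the
# canonical name that a reverse lookup through the hosts file returns.

# write_sample_hosts FILE -> writes constructed sample entries to FILE
write_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1    localhost.localdomain localhost
192.168.6.10 rhel5u5live rhel5u5live.example.com  # short name first
192.168.6.1  dc1.example.com dc1                  # FQDN first
EOF
}

# canonical_name FILE IP -> prints the first name listed for IP, if any
canonical_name() {
    awk -v ip="$2" '
        { sub(/#.*/, "") }                  # drop trailing comments
        $1 == ip && NF >= 2 { print $2; exit }
    ' "$1"
}

# check_fqdn FILE IP -> 0 if canonical name contains a dot, 1 if it is a
# bare hostname, 2 if the address has no entry at all
check_fqdn() {
    name=$(canonical_name "$1" "$2")
    if [ -z "$name" ]; then
        echo "MISSING: no entry for $2"
        return 2
    fi
    case "$name" in
        *.*) echo "OK: $2 -> $name"; return 0 ;;
        *)   echo "SHORT: $2 -> $name (hostname listed before FQDN)"; return 1 ;;
    esac
}

# Demo against the constructed file; on a real host pass /etc/hosts instead.
hosts=$(mktemp)
write_sample_hosts "$hosts"
for ip in 192.168.6.10 192.168.6.1 192.168.6.99; do
    check_fqdn "$hosts" "$ip" || true
done
rm -f "$hosts"
```

Run it for both the Samba server's and the DC's address; it only covers the hosts file, so the `dig -x` query is still needed where resolution goes through DNS.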
