Sorry for the long post, but I prefer to keep a copy of what I think is needed for this thread ...
As requested, here is my smb.conf ... I have left in my comments to show what I have been changing to see if it makes a difference ... plus some shares ( not all that I use ) ...
# Global parameters
[global]
workgroup = TEST-ZA
realm = TEST-ZA.CORP
security = ads
# netbios aliases = nasrec
server string = Samba Server %v %h
interfaces = eth0*,lo
bind interfaces only = Yes
# encrypt passwords = Yes
# update encrypted = Yes
# min passwd length = 4
# pam password change = Yes
# passwd program = /usr/bin/passwd %u
# passwd chat debug = Yes
# unix password sync = Yes
# username map = /etc/samba/smbusers
# admin users = administrator, TEST-ZA\administrator
log file = /var/log/samba/%m.log
max log size = 150
time server = Yes
unix extensions = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = login.bat
logon drive = l:
domain logons = no
# lm announce = yes
preferred master = no
domain master = no
# dns proxy = yes
# wins support = yes
# wins server = *
# wins server = naszadc01.test-za.corp, naszadc02.test-za.corp
wins server = 10.1.1.16, 10.1.1.17
utmp = Yes
message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
comment = Test Nasrec Linux Box
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
inherit permissions = Yes
map archive = No
# name resolve order = host, wins
# password server = *
password server = 10.1.1.16, 10.1.1.17
# ldap suffix = dc=test-za,dc=corp
# ldap idmap suffix = ou=idmap
# ldap admin dn = cn=root,dc=test-za,dc=corp
ldap suffix = dc=test,dc=co,dc=za
ldap admin dn = cn=Manager,dc=test,dc=co,dc=za
ldap idmap suffix = ou=idmap
# ldap ssl = start tls
ldap ssl = no
# ldap passwd sync = yes
# winbind separator = +
# idmap backend = ldap:ldap://localhost
idmap backend = ldap:ldap://zeus.test.co.za
idmap uid = 10000-20000
idmap gid = 10000-20000
# client schannel = no
# server schannel = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
# winbind trusted domains only = yes
# template shell = /sbin/nologin
# template shell = /bin/bash
# template homedir = /home/%D/%U
template homedir = /home/TEST-ZA/%U
load printers = yes
printing = cups
printcap = cups
# log level = 1
# guest account = NULL
restrict anonymous = yes
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
public = yes
writable = no
write list = root, Administrator, TEST-ZA\Administrator
printer admin = root, Administrator, TEST-ZA\Administrator
vfs object = extd_audit
[print$]
comment = Printer Driver Download Area
path = /home/services/smb/printers/drivers
browseable = No
# browseable = yes
guest ok = Yes
# guest ok = no
# read only = yes
read only = no
# write list = @ntadmin, root, Administrator
write list = root, Administrator, TEST-ZA\Administrator
printer admin = root, Administrator, TEST-ZA\Administrator
vfs object = extd_audit
[netlogon]
comment = Network Logon share
path = /home/services/smb/netlogon
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
guest ok = Yes
#[profiles]
# path = /etc/samba/profiles
# read only = No
# create mask = 0600
# directory mask = 0700
# browseable = No
# csc policy = disable
[homes]
comment = Home Directory for %u and %D\%S
read only = No
# valid users = %D\%S, %S
create mask = 0600
force create mode = 0600
directory mask = 0700
force directory mode = 0700
profile acls = yes
veto files = /Maildir/ /.recycle/
browseable = No
vfs object = recycle
vfs_recycle_bin:noversions = *.doc|*.xls|*.ppt
vfs_recycle_bin:exclude_dir = /tmp|/temp|/cache|/profile
vfs_recycle_bin:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.lnk
vfs_recycle_bin:maxsize = 0
vfs_recycle_bin:touch = yes
vfs_recycle_bin:versions = no
vfs_recycle_bin:keeptree = yes
vfs_recycle_bin:repository = .recycle/%U
[public]
comment = Public Stuff
path = /home/services/smb/public
read only = No
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
guest ok = Yes
oplocks = No
level2 oplocks = No
veto files = /.recycle/
vfs object = extd_audit recycle
vfs_recycle_bin:noversions = *.doc|*.xls|*.ppt
vfs_recycle_bin:exclude_dir = /tmp|/temp|/cache
vfs_recycle_bin:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.lnk
vfs_recycle_bin:maxsize = 0
vfs_recycle_bin:touch = yes
vfs_recycle_bin:versions = no
vfs_recycle_bin:keeptree = yes
vfs_recycle_bin:repository = .recycle

As requested my krb5.conf ...
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = TEST-ZA.CORP
# dns_lookup_realm = true
# dns_lookup_kdc = true
# default_tgs_enctypes = des-cbc-md5 des-cbc-crc
# default_tkt_enctypes = des-cbc-md5 des-cbc-crc
# permitted_enctypes = des-cbc-md5 des-cbc-crc
# kdc_req_checksum_type = 2
# checksum_type = 2
# ccache_type = 1
# forwardable = true
# proxiable = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
# default_domain = example.com
}
SCANIA-ZA.CORP = {
kdc = 10.1.1.16
# kdc = naszadc01.test-za.corp
# kdc = naszadc02.test-za.corp
# default_domain = test-za.corp
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.test-za.corp = TEST-ZA.CORP
test-za.corp = TEST-ZA.CORP
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

I hope this helps ..
Mailed Lee
P.S. Remember this works with Samba 3.0.0 and not Samba 3.0.1 ...
I'd like to have a copy of your smb.conf and krb5.conf files. I have had the same problem as you for weeks and still without success.
Okay, first I thought that maybe this was a problem with Samba3, but I know that I have been able to use this, so I tried on both Samba 3.0.0 ( FC1 rpms ) and Samba 3.0.1 ( compiled on FC1 by myself rpms ) ...
At first I had no joy with either, so I thought that maybe I had done something wrong ( blush! ) ... So, I went back to basics ... I found that if I removed all the funky options in /etc/krb5.conf and used Samba 3.0.0, all seems to work fine ( except for known bugs in 3.0.0, understandable ) ... I then upgraded to Samba 3.0.1, and I could not access the Samba server again using its hostname ...
So now I have two servers for test, both with FC1 and all the updates, one with Samba 3.0.0 ( FC1 rpms ) and the other with Samba 3.0.1 ( self-made rpms ).
| I have a Win2K3 ADS domain, I have two FedoraCore systems, one with
| Samba 3.0.0 and the other with Samba 3.0.1. Both give me the same problem.
|
| If I try to access the Samba shares from Win2K3 using the host number, I
| get prompted for a username and password, and no matter what I type in,
| I can't get in.
|
| If I use the Samba server IP address, I am able to get into shares
| without being prompted for user details, but Point'nPrint doesn't work, it
| too requests user details.
|
| I do seem to be getting two errors in my logs ... First in smbd.log
|
| [2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
| getpeername failed. Error was Transport endpoint is not connected
| [2003/12/18 16:18:07, 0] lib/util_sock.c:get_peer_addr(948)
| getpeername failed. Error was Transport endpoint is not connected
|
| And the other in the machine log with the IP address eg ...
| 10.1.1.20.log
| [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
| Failed to verify incoming ticket!
| [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
| Failed to verify incoming ticket!
|
| But in the machine log with the hostname, I am getting normal
| messages ...
|
| I have tried to make changes in /etc/krb5.conf, but I don't get any
| further ...
|
| I have tried a few status checks with net, all hosts work fine ...
|
| [EMAIL PROTECTED] samba]# net lookup ldap
| 10.1.1.16:389
| 10.1.1.17:389
|
| [EMAIL PROTECTED] samba]# net lookup dc
| 10.1.1.16
| 10.1.1.17
|
| But net lookup kdc, master domain don't return anything, so I don't
| know what else to look for ...
