I have version 5 installed, that was just the output of klist.

Ya, I have followed that and still no luck. Actually, now I'm getting different errors! GAH!

When I try to connect after restarting the services, the logfile seems to show it's passing the domain FEDORAFTP.....which makes NO sense

[2007/12/28 14:14:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2007/12/28 14:14:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/12/28 14:14:57, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[redwards] domain=[FEDORAFTP] workstation=[PIP03572] len1=24 len2=24

now I have the WTF going on lol

On Dec 28, 2007 2:01 PM, Dale Schroeder <[EMAIL PROTECTED]> wrote:

> Maybe it was a typo, but you mentioned Kerberos 4 in the original post.
> Do you have version 5 installed?
>
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> > [EMAIL PROTECTED] /]#
>
> Not knowing everything you've done, perhaps try comparing what you did to
> the following two articles. These are what I follow.
>
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
>
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
>
> They cover Samba/winbind/nsswitch/kerberos/pam - everything needed for ADS
> integration.
>
> Dale
>
> Ryan wrote:
>
> Thanks, but now it throws a different error :(
>
> From log of computer trying to connect to the share
>
> [2007/12/28 13:40:54, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
>   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
> [2007/12/28 13:40:54, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
>   ads_verify_ticket: krb5_rd_req with auth failed (Decrypt integrity check failed)
> [2007/12/28 13:40:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2007/12/28 13:40:54, 3] smbd/error.c:error_packet_set(106)
>   error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> [2007/12/28 13:40:54, 3] smbd/process.c:timeout_processing(1328)
>   timeout_processing: End of file from client (client has disconnected).
>
> noticed this in the log.smbd file
>
> [2007/12/28 13:40:19, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
>   ads_sasl_spnego_bind: got server principal name = [EMAIL PROTECTED]
> [2007/12/28 13:40:19, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
>   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
> [2007/12/28 13:40:19, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache] expiration Fri, 28 Dec 2007 23:40:19 CST
>
> Any other thoughts? :)
>
> Cheers!
>
> On Dec 28, 2007 1:29 PM, Dale Schroeder <[EMAIL PROTECTED]> wrote:
>
> > Ryan,
> >
> > In your share try prefacing domain users and groups with the workgroup:
> >
> > admin users = @"PIPFS#Domain Users"
> > valid users = @"PIPFS#Domain Users"
> >
> > This is required since Samba 3.0.23.
> >
> > Good luck,
> > Dale
> >
> > Ryan wrote:
> > > Afternoon!
> > >
> > > Let me apologize first if this is something soooo simple, but I have been
> > > working on this for days and I'm still stuck on one part.
> > >
> > > Where to start. Small user environment (under 100 users) using Active
> > > Directory on Win 2k3 server. Running Fedora 8 on a server, and I am trying
> > > to get it added to the domain, and to be able to access a share using
> > > Windows usernames and passwords.
> > >
> > > The server (known from here as fedoraftp) can kinit
> > >
> > > [EMAIL PROTECTED] /]# kinit Administrator
> > > Password for [EMAIL PROTECTED]:
> > > [EMAIL PROTECTED] /]# klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: [EMAIL PROTECTED]
> > >
> > > Valid starting     Expires            Service principal
> > > 12/28/07 12:44:31  12/28/07 22:44:35  krbtgt/[EMAIL PROTECTED]
> > >         renew until 12/29/07 12:44:31
> > >
> > >
> > > Kerberos 4 ticket cache: /tmp/tkt0
> > > klist: You have no tickets cached
> > > [EMAIL PROTECTED] /]#
> > >
> > > It can join the domain
> > > [EMAIL PROTECTED] /]# net ads join -U Administrator
> > > Administrator's password:
> > > Using short domain name -- DOMAIN
> > > Joined 'FEDORAFTP' to realm 'DOMAIN.LOCAL'
> > > [EMAIL PROTECTED] /]#
> > >
> > > wbinfo -u, wbinfo -g, getent passwd and getent group both show correct
> > > information (not going to show output). I can also login locally on
> > > fedoraftp using my windows username and password and not have any issues.
> > > What I cannot get to work is accessing the share, as it won't take any
> > > username/password thrown at it.
> > >
> > > smb.conf
> > > [global]
> > > log file = /var/log/samba/log.%m
> > > guest account = admin
> > > load printers = no
> > > show add printer wizard = No
> > > idmap gid = 10000-20000
> > > smb passwd file = /etc/samba/smbpasswd
> > > unix password sync = yes
> > > guest ok = yes
> > > encrypt passwords = yes
> > > realm = PIPFS.LOCAL
> > > template shell = /bin/bash
> > > netbios name = FEDORAFTP
> > > cups options = raw
> > > server string = Fedora Server Ver %v
> > > idmap uid = 10000-20000
> > > password server = 192.168.0.240
> > > winbind nested groups = yes
> > > workgroup = PIPFS
> > > dns proxy = no
> > > passwd program = /usr/bin/passwd %u
> > > obey pam restrictions = yes
> > > os level = 20
> > > security = ads
> > > preferred master = no
> > > max log size = 50
> > > winbind separator = #
> > > winbind cache time = 0
> > > log level = 3
> > > winbind enum users = yes
> > > winbind enum groups = yes
> > > winbind use default domain = yes
> > > passdb backend = tdbsam
> > >
> > > [FTP]
> > > msdfs root = yes
> > > inherit permissions = yes
> > > writeable = yes
> > > admin users = @"domain users"
> > > path = /home/ftpshare/
> > > create mask = 700
> > > directory mask = 700
> > > valid users = admin,@"domain users",
> > > inherit acls = yes
> > > ; public=yes
> > >
> > > Output of /var/log/samba/log.smbd
> > >
> > > [2007/12/28 12:53:05, 0] smbd/server.c:main(944)
> > >   smbd version 3.0.28-0.fc8 started.
> > >
> > > The main thing I see in the log from the computer trying to connect is
> > > (log is huge...not going to post it all)
> > >
> > > [2007/12/28 12:56:55, 2] smbd/service.c:make_connection_snum(616)
> > >   user 'DOMAIN#redwards' (from session setup) not permitted to access this share (FTP)
> > > [2007/12/28 12:56:55, 3] smbd/error.c:error_packet_set(106)
> > >   error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
> > >
> > > redwards is part of the group "Domain Users"
> > > I'm at a HUGE loss right now how to go about this, as I'm still pretty green
> > > to this whole type of setup. Any advice would be helpful. If more info is
> > > required, please ask and I'll provide it as I would like to resolve this
> > > issue.
> > >
> > > Cheers!
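
Added example (not part of the original thread and not Samba project code): a small Python check for the point raised in Dale's first reply, that group entries in a share's "valid users" and "admin users" lists carry the workgroup and winbind separator prefix. The smb.conf excerpt is constructed from the settings quoted in the thread, and the helper name unqualified_groups is hypothetical.

```python
import configparser

# Constructed excerpt: settings quoted in the thread that matter for this check.
SAMPLE_SMB_CONF = """\
[global]
log file = /var/log/samba/log.%m
workgroup = PIPFS
winbind separator = #

[FTP]
path = /home/ftpshare/
admin users = @"domain users"
valid users = admin,@"domain users",
; public=yes
"""

USER_LISTS = ("valid users", "admin users")


def unqualified_groups(conf_text):
    """Return (share, option, entry, suggestion) for every @group entry
    that lacks the WORKGROUP<separator> prefix. Hypothetical helper."""
    # interpolation=None: smb.conf macros such as %m are not configparser
    # interpolation; strict=False tolerates repeated sections or options.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(conf_text)
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    sep = glob.get("winbind separator", "\\")  # Samba's default separator
    workgroup = glob.get("workgroup", "WORKGROUP")
    findings = []
    for share in cp.sections():
        if share.lower() == "global":
            continue
        for opt in USER_LISTS:
            # Assumes comma-separated lists, the form used in the thread.
            for entry in cp[share].get(opt, "").split(","):
                entry = entry.strip()
                if not entry.startswith("@"):
                    continue  # plain user names and empty trailing items
                name = entry[1:].strip('"')
                if sep not in name:
                    findings.append((share, opt, entry,
                                     f'@"{workgroup}{sep}{name}"'))
    return findings


if __name__ == "__main__":
    for share, opt, entry, fix in unqualified_groups(SAMPLE_SMB_CONF):
        print(f"[{share}] {opt}: {entry} -> {fix}")
```

Both findings land on the [FTP] share. Accounts listed in "admin users" perform all file operations on the share as root, so a group as broad as Domain Users in that list deserves a second look once the name resolves.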
