Re: [Samba] MS06-035 problems?

2006-07-20 Thread Alan Munter
It was a false alarm, it turns out.  The guy who was installing the
machine forgot to edit the selinux configuration on the default FC5
install.  It was in permissive mode, but it needed to be disabled in
order for it to work.

Thanks,

Alan

On Thu, 2006-07-13 at 12:52 -0500, Gerald (Jerry) Carter wrote:

 Alan Munter wrote:
 
  I just patched our domain controllers with MS06-035 
  because it said it was just fixing a couple of memory
  leak problems with SMB in srvsvc.
  
  Now, this afternoon, one of my colleagues tried to 
  join a FC5 machine to our active directory using
  the recipe that we have been using for years
  (which worked yesterday, according to him), and 
  it fails on net ads join.
  
  No changes have been made to the domain controllers 
  other than the Black Tuesday patches.
  
  Here's a log dump from net -d4 ads join.  We get the error:
 
 What version of Samba is this 3.0.22 ?
 
  [2006/07/12 15:55:14, 3]
  libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(571)
  verify_service_password: get_service_ticket failed: KDC has no support
  for encryption type
 
 Ignore that.  It's not the issue.
 
  Any ideas of what's going on?  Need more info?  Did MS 
  sneak some more changes into the server service that
  they aren't talking about in that patch?
 
 Need more details.  What do level 10 debug logs from smbd tell you about
 the failed authentication?
 
 
 
 cheers, jerry


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] MS06-035 problems?

2006-07-12 Thread Alan Munter
I just patched our domain controllers with MS06-035 because it said it
was just fixing a couple of memory leak problems with SMB in srvsvc.  

Now, this afternoon, one of my colleagues tried to join a FC5 machine to
our active directory using the recipe that we have been using for years
(which worked yesterday, according to him), and it fails on net ads
join.

No changes have been made to the domain controllers other than the Black
Tuesday patches.

Here's a log dump from net -d4 ads join.  We get the error:

[2006/07/12 15:55:14, 3]
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(571) 
  verify_service_password: get_service_ticket failed: KDC has no support
for encryption type

The krb5.conf was copied from the machine that worked yesterday.

The computer account actually made it into the active directory despite
the errors, apparently.  

In trying to debug the problems I deleted the computer account from AD,
had him shut down smb and winbind, had him clear out /var/log/samba and
the secrets file in /etc/samba and restart our recipe to add the stuff
to the domain.  He reported after that procedure that the computer was
able to join the domain, but now authentication fails when trying to log
in.

Any ideas of what's going on?  Need more info?  Did MS sneak some more
changes into the server service that they aren't talking about in that
patch?

Thanks,

Alan



[Samba] Samba 3, member of ADS, new trust between small ADS and large one

2005-02-08 Thread Alan Munter
We have been running a few Linux machines (FC2) as members of our Win2k3
Active Directory domain.  They were all humming along fine using winbind
for logins and ldap on a local server for the SID-UID/GID mappings.

Things seem to have changed, however, when a one-way trust was set up
between our small AD domain and a much larger one.  The trust was set up
to allow members of the larger domain to sit down at our computers and
login, however, it seems that now winbind or ldap or both are choking on
the ~3500 new people.

From a Samba linux member of the domain:

wbinfo -t works
wbinfo -u works most of the time, but is sometimes slow at getting
started and fast at printing all 3500 names once it starts
wbinfo -g same as wbinfo -u

getent password frequently hangs after listing the local /etc/password
contents and when it does go on it seems to get incrementally further in
the list of 3500 people before it finally times out each time I run it

getent group works with many fewer entries

So my question is, what is going on and what can I do to help the
situation?  I actually would like to just deny the logins from the
larger domain from logging in to the Samba ADS domain computers, but
perhaps this is not possible with the trust set up between the Win2k3
domains.  Is the bottleneck our ldap server, or is there some
artificially configured maximum result size coming from a basically
default install of openldap?

Thanks in advance for any help.

Alan



Re: [Samba] Samba 3, member of ADS, new trust between small ADS and large one

2005-02-08 Thread Alan Munter
It works!  Just confirmed that this solved the problem.  

Thanks, Jerry!

On Tue, 2005-02-08 at 14:29, Gerald (Jerry) Carter wrote:
 Alan Munter wrote:
 
 | So my question is, what is going on and what can I do
 | to help the situation?  I actually would like to just deny the
 | logins from the larger domain from logging in to the Samba
 | ADS domain computers,
 
 'allow trusted domains = no'
 
 
 
 
 
 cheers, jerry
 =
 Alleviating the pain of Windows(tm)  --- http://www.samba.org
 GnuPG Key- http://www.plainjoe.org/gpg_public.asc
 I never saved anything for the swim back. Ethan Hawk in Gattaca



[Samba] 3.0.2 works with kerberos 1.2.7 for a while, then stops

2004-03-18 Thread Alan Munter
I installed RH9 and the RH9 binary rpm of samba-3.0.2a from the ftp
site.  I added default_realm, kdc, and [domain_realm] sections to my
krb5.conf file because for some reason it can't get them from DNS
(haven't worked that out yet) and with a small edit of smb.conf was able
to join the new samba install to our 2k3 active directory.  wbinfo -t
and kinit and stuff all worked as did getent password.  

Then I used swat to make a share and set valid users = '@MYDOMAIN\Domain
Users' and browsed to it from a Windows XP machine which was a member of
the domain.  I made a folder in the share, verified that it had the
correct UID/GID mapping.  All was good.

Then all of a sudden it stopped working.  Now I am getting log entries
like:

[2004/03/18 15:57:57, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2004/03/18 15:57:57, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
  Doing spnego session setup
[2004/03/18 15:57:57, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
  NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002
5.1] PrimaryDomain=[]
[2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 48018 1 2 2
[2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 2 840 113554 1 2 2
[2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(430)
  Got secblob of size 1211
[2004/03/18 15:57:57, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt
integrity check failed
[2004/03/18 15:57:57, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/03/18 15:57:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/03/18 15:57:57, 3] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2004/03/18 15:57:57, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

I know.  Folks will say that I need to upgrade MIT kerberos to 1.3.1,
which I will do, however I am curious about why it used to work and then
just stopped working.  I was messing around with swat at the time, but I
did not change any of the global settings, only shares.

Any ideas?

Alan
-- 
Alan E. Munter NIST Center for Neutron Research
Physical Scientist 100 Bureau Dr., Stop 8562
[EMAIL PROTECTED]   Gaithersburg, MD 20899-8562
http://www.ncnr.nist.gov/  (301)975-6244

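The log excerpts quoted in this thread and in the MS06-035 thread above share one Samba record format: a `[date time, level] file:function(line)` header followed by indented message text. One of those records (`KDC has no support for encryption type`) is the one Jerry says to ignore; the others (`ads_verify_ticket ... failed to decrypt`, then `NT_STATUS_LOGON_FAILURE` in the same second) are the clue in this post. The Python below is an added example, not code from the thread or from the Samba project: it parses that format, tags records with those patterns, and correlates a decrypt failure with the logon failure that follows it. The sample lines are the threads' own, re-joined where the mail client wrapped them; the tag names and the `triage`/`find_ticket_failures` functions are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the records quoted in the two threads above, each
# header and its wrapped message re-joined onto one continuation line.
SAMPLE_LOG = """\
[2006/07/12 15:55:14, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(571)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2004/03/18 15:57:57, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/03/18 15:57:57, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/03/18 15:57:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/03/18 15:57:57, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

# One Samba debug record header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>[\w./]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)


@dataclass
class Record:
    ts: str
    level: int
    file: str
    func: str
    line: int
    message: str = ""


def parse_samba_log(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append(Record(m["ts"], int(m["level"]), m["file"],
                                  m["func"], int(m["line"])))
        elif records and raw.strip():
            records[-1].message = (records[-1].message + " " + raw.strip()).strip()
    return records


# Tag names are my own (assumption); the needles are substrings from the quoted logs.
RULES = (
    # Jerry: "Ignore that. It's not the issue." -- a salting/enctype probe during join.
    ("ignorable-enctype-probe", "KDC has no support for encryption type"),
    # smbd could not decrypt a ticket the KDC issued: smbd's copy of the machine
    # key (secrets file / keytab) or the enctype does not match what the DC used.
    ("ticket-decrypt-failure", "failed to decrypt"),
    ("ticket-decrypt-failure", "krb5_rd_req with auth failed"),
    ("ticket-verify-failure", "Failed to verify incoming ticket"),
    ("logon-failure", "NT_STATUS_LOGON_FAILURE"),
)


def classify(rec):
    for tag, needle in RULES:
        if needle in rec.message:
            return tag
    return "other"


def triage(text):
    """Count records per tag so the ignorable noise is separated from the real clue."""
    counts = {}
    for rec in parse_samba_log(text):
        tag = classify(rec)
        counts[tag] = counts.get(tag, 0) + 1
    return counts


def find_ticket_failures(text):
    """Timestamps where a decrypt failure and a logon failure land in the same
    second: a session setup rejected because smbd's key does not match the KDC's."""
    by_ts = {}
    for rec in parse_samba_log(text):
        by_ts.setdefault(rec.ts, set()).add(classify(rec))
    return [ts for ts, tags in by_ts.items()
            if {"ticket-decrypt-failure", "logon-failure"} <= tags]


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(find_ticket_failures(SAMPLE_LOG))
```

Run over a `log.smbd` captured at debug level 3 or higher, the correlation in `find_ticket_failures` is what distinguishes "the DC issued a ticket this smbd cannot decrypt" (stale machine secret after a re-join, or an enctype the local Kerberos library cannot handle, which is why the thread points at the MIT krb5 upgrade) from the harmless enctype probe seen during `net ads join`.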


[Samba] comments/questions about HOWTO collection contents

2003-10-21 Thread Alan Munter
I am trying to get Samba 3.0.0 going on a RedHat 9.0 machine to join my
Win 2003 ADS domain and use winbind for authentication and running into
snags getting shares, local login permissions, and PAM to work
consistently.

I am trying to follow the instructions in chapter 7 (mostly 7.4) and
chapter 21 and am finding some confusing things.

In 7.4.1 the first line that must be in smb.conf is 

realm = your.kerberos.REALM

given all of the issues with case-sensitivity and kerberos realms I am
not sure if that means that I should use the FQDN of my AD domain, if it
should be in all caps, or lowercase or what.  Does the case matter for
that statement?

Next, in 7.6.3 it says that Windows 2003 requires SMB signing and gives
the option client use spnego = yes to use.  Well, I forgot to add this
one before doing the net ads join stuff (since it was at the end of
the chapter way after the net ads commands and I did not read the whole
chapter first), and I was still able to join the domain and verify that
it created a computer account for my Samba workstation.  Not sure what
the signing is used for.  Maybe this is the result of the functional
level of my AD domain?

Actually, I am also confused about functional levels.  Microsoft, in the
help pages for domain functional levels in Server 2003, lists 4
different domain functional levels and 3 different forest functional
levels for the Windows 2003 Server.  The 4 domain functional levels
are:  Windows 2000 mixed, Windows 2000 native, Windows Server 2003
interim, and Windows Server 2003.  The 3 forest functional levels are:
Windows 2000, Windows Server 2003 interim, Windows Server 2003.  The
interim levels are related to upgrading from an NT4 to 2003 domain, but
the others are all selectable on the Win2003 DC.  

I have gotten various responses to questions about which of those
functional levels is compatible with having Samba 3.0 join the domain as
a full member.  I think that section 7.6.3 should include that kind of
info (or if it exists elsewhere in the docs and I am just an idiot for
not finding it I take the blame. 8) ).  

Next, in 21.5.3.3 the uid and gid map lines given in the winbind config
example look weird to me since the two of them are not consistent: one
uses idmap and one uses winbind.  In searching the lists I see some
people using idmap uid and idmap gid and some people using winbind uid
and winbind gid and even others using winbind idmap uid and winbind
idmap gid.  Which is it?

Next, in 21.5.3.4 the example does not seem to match the paragraph above
it.  The whole command confuses me.  I thought the command would be
something like

root# net ads join -S PDC -U Administrator

not 

root# net rpc join...

also the paragraph says that the command makes the Samba server join
the PDC domain.  Seems like it should read make the Samba server join
the domain controlled by the server called PDC.  It goes on to say
where DOMAIN is the name of your Windows domain. but DOMAIN is not
used in the example.  Anyway, I think I understand what it is trying to
say, but it is still confusing.

Lastly, the last sentence of 21.5.3.6 says 

If you restart the smbd, nmbd, and winbindd daemons at this point, you
should be able to connect to the Samba server as a Domain Member just as
if you were a local user.

I am not sure how to test this.  Does that mean that I should be able to
go to some Windows machine that is part of the domain, log on with a
domain account, browse to my Samba server, double-click, type my domain
username/password, and access the server?

Basically since I am new to this stuff I am just adding options and
taking them out randomly in some cases.  For instance, like the winbind
use default domain = yes option in smb.conf (which I found out about
through reading the list archives).  This is not in the HOWTO collection
anywhere, but it seems to have a big difference on how it all works.  It
stops the domain from being prepended to your users and groups.  I
briefly had the sshd setup working with winbindd in PAM and before
adding the winbind use default domain line I had to type
MYDOMAIN+username to log in locally to the Linux machine.  Not sure if
that is how it is supposed to work or not.

OK.  Too long already.  The most valuable feedback for me from one of
the samba.org addresses would be probably info about how much they
charge per hour for configuration consulting (over the phone, email, or
using a login to poke at the config files) if such is available.  That
would solve two of my problems: give something back to the creators of
this amazing product and get my config up and humming in the shortest
amount of time.

Thanks,

Alan

[Samba] mystified by interaction between krb5.conf, smb.conf, and winbindd

2003-10-10 Thread Alan Munter
I am stumped here.  I am a novice at using samba to do MS Active
Directory stuff, but I have read everything I could find in the HOWTO
collection and on the linux.samba cache of the list and am still stuck.

A bit of background... I have set up a Windows 2003 server as a domain
controller here and configured it to be the DNS for a fictitious domain
for internal use only.  The domain functional level is Windows 2003.  I
am calling the domain windomain.nist.gov and have set up the Win2003
server to do DNS and AD authentication for the windomain domain.

I have a Redhat 7.3 machine on my desk that I wanted to add to the AD
domain and do authentication to it using winbind.  I uninstalled the
samba rpms supplied by redhat and installed the samba 3.0.0 binary rpm
compiled for redhat 7.3 by Gerald Carter.  I also got the source for MIT
Kerberos5 1.3.1, compiled it with the prefix /usr/kerberos (since that
is where redhat installs the kerberos stuff) and just installed it on
top of the redhat supplied kerberos stuff since there were too many
dependencies to remove the redhat ones.

I was able to use kinit to get a kerberos ticket and then add my Linux
Samba machine to the AD domain.  I modified smb.conf and krb5.conf and
started winbind and am able to use wbinfo to check some things, but not
others.  

I cannot seem to get wbinfo -u/wbinfo -g and wbinfo -t/wbinfo -a to
work simultaneously unless I play a little trick with my krb5.conf
file.  

Here is what happens:

/etc/init.d/smb start
/etc/init.d/winbind start

[EMAIL PROTECTED] bin]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_UNSUCCESSFUL (0xc001)
Could not check secret

[EMAIL PROTECTED] bin]# wbinfo -u
Administrator
Guest
SUPPORT_388945a0
krbtgt
amunter
IUSR_WINSERVER
IWAM_WINSERVER

so -u worked but -t failed.  Then I go into krb5.conf and comment out
the kdc line like so:

[realms]
WINDOMAIN.NIST.GOV = {
admin_server = winserver.windomain.nist.gov
default_domain = WINDOMAIN.NIST.GOV
#kdc = winserver.windomain.nist.gov
}

and now they both work.  However when I then restart winbind with that
line commented out

/etc/init.d/winbind restart

now wbinfo -t still works to check the secret, but wbinfo -u does
not work to get the list of users.

Here are the relevant files:

-
krb5.conf
-
[libdefaults]
default_realm = WINDOMAIN.NIST.GOV

[realms]
WINDOMAIN.NIST.GOV = {
admin_server = winserver.windomain.nist.gov
default_domain = WINDOMAIN.NIST.GOV
kdc = winserver.windomain.nist.gov
}

[domain_realm]
.ncnr.nist.gov = WINDOMAIN.NIST.GOV
ncnr.nist.gov = WINDOMAIN.NIST.GOV

[logging]
kdc = CONSOLE

-
section of smb.conf
-
[global]
   workgroup = WINDOMAIN
   server string = Alan's Samba 3.0 Server
   realm = WINDOMAIN.NIST.GOV
   security = ADS
   winbind separator = +
   winbind use default domain = yes
   idmap uid = 1-2
   winbind gid = 1-2
   winbind enum users = yes
   winbind enum groups = yes
   client use spnego = yes
   template homedir = /home/WINDOMAIN
   template shell = /bin/bash
   password server = WINSERVER

-

I only have one DNS server in resolv.conf and that is pointing to the
windows DC.  

Any suggestions for what is going wrong or what other log files I should
look at to figure out what's up?

Thanks for any suggestions,

Alan
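The three posts above keep circling the same handful of smb.conf and krb5.conf settings: whether `realm` must be upper case, which spelling of the idmap range keys is right (the smb.conf quoted in this post mixes `idmap uid` with `winbind gid`), whether `winbind enum users` is what makes `getent passwd` crawl once a trust adds thousands of accounts, and Jerry's `allow trusted domains = no` answer. The Python below is an added example, not code from the list or from the Samba project: a small reader for both file formats and a `check()` that reports those points for a given configuration. The sample files are the ones quoted in this post, with hypothetical `10000-20000` ranges standing in where the archive mangled the numbers; the finding codes and the corrected copy are my own.

```python
# Constructed sample: the smb.conf [global] quoted in the post above, with
# placeholder idmap ranges (10000-20000) where the archive garbled the numbers.
SMB_CONF = """\
[global]
   workgroup = WINDOMAIN
   realm = WINDOMAIN.NIST.GOV
   security = ADS
   winbind separator = +
   winbind use default domain = yes
   idmap uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   client use spnego = yes
   password server = WINSERVER
"""

# The same file with the three findings corrected (my edits, not the post's).
SMB_CONF_FIXED = (SMB_CONF.replace("winbind gid", "idmap gid")
                  .replace("winbind enum users = yes", "winbind enum users = no")
                  .replace("winbind enum groups = yes", "winbind enum groups = no")
                  + "   allow trusted domains = no\n")

# Constructed sample: the krb5.conf quoted in the post above.
KRB5_CONF = """\
[libdefaults]
default_realm = WINDOMAIN.NIST.GOV

[realms]
WINDOMAIN.NIST.GOV = {
admin_server = winserver.windomain.nist.gov
default_domain = WINDOMAIN.NIST.GOV
kdc = winserver.windomain.nist.gov
}

[domain_realm]
.ncnr.nist.gov = WINDOMAIN.NIST.GOV
ncnr.nist.gov = WINDOMAIN.NIST.GOV
"""


def parse_ini(text):
    """Minimal smb.conf/krb5.conf reader -> {section: {key: value}}.
    krb5.conf's 'NAME = {' blocks become a nested section 'realms/NAME'."""
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif line.endswith("{") and "=" in line:
            stack.append(section)
            section = f"{section}/{line.split('=', 1)[0].strip()}"
            conf.setdefault(section, {})
        elif line == "}":
            section = stack.pop()
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key.lower()] = value
    return conf


def check(smb_text, krb5_text):
    """Return (code, detail) findings for the settings the posts above argue about."""
    smb = parse_ini(smb_text).get("global", {})
    krb = parse_ini(krb5_text)
    findings = []
    realm = smb.get("realm", "")
    if smb.get("security", "").upper() != "ADS":
        findings.append(("security-not-ads", "security = ADS is needed for a Kerberos/AD member"))
    if not realm:
        findings.append(("realm-missing", "realm = is required with security = ADS"))
    elif realm != realm.upper():
        # Kerberos realm names are case-sensitive; the AD realm is the DNS domain in upper case.
        findings.append(("realm-not-uppercase", f"realm = {realm}; write it in upper case"))
    # Samba 3.0 names the ranges 'idmap uid'/'idmap gid'; 'winbind uid'/'winbind gid'
    # are the older spellings.  Mixing the families is the HOWTO inconsistency noted above.
    uid_key = next((k for k in ("idmap uid", "winbind uid") if k in smb), None)
    gid_key = next((k for k in ("idmap gid", "winbind gid") if k in smb), None)
    if not (uid_key and gid_key):
        findings.append(("idmap-range-missing", "both a uid and a gid range are needed"))
    elif uid_key.split()[0] != gid_key.split()[0]:
        findings.append(("idmap-keys-mixed", f"{uid_key} with {gid_key}: use idmap uid and idmap gid"))
    # Default is yes, so a one-way trust silently lets the trusted domain's users log on.
    if smb.get("allow trusted domains", "yes").lower() != "no":
        findings.append(("trusted-domains-allowed", "set 'allow trusted domains = no' to refuse them"))
    # Only an explicit yes is flagged; the default changed between Samba releases.
    if any(smb.get(k, "no").lower() == "yes" for k in ("winbind enum users", "winbind enum groups")):
        findings.append(("enumeration-enabled", "getent/wbinfo -u walk every account winbind can see"))
    if krb.get("libdefaults", {}).get("default_realm") != realm:
        findings.append(("realm-mismatch", "krb5.conf default_realm must equal the smb.conf realm"))
    if "kdc" not in krb.get(f"realms/{realm}", {}):
        findings.append(("kdc-unset", "no kdc = for the realm; libkrb5 must then find it via DNS SRV records"))
    if not krb.get("domain_realm"):
        findings.append(("domain-realm-missing", "no [domain_realm] mapping of host names to the realm"))
    return findings


if __name__ == "__main__":
    for code, detail in check(SMB_CONF, KRB5_CONF):
        print(f"{code}: {detail}")
```

On the posted configuration `check()` reports the mixed idmap keys, enumeration switched on, and trusted-domain logons allowed by default; on the corrected copy it reports nothing. Lower-casing `realm` additionally trips the realm checks and, because the `[realms]` block no longer matches, the `kdc-unset` check, which is the interaction between the two files that the post title is asking about.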