Re: [Samba] MS06-035 problems?
It was a false alarm, it turns out. The guy who was installing the machine forgot to edit the SELinux configuration on the default FC5 install. It was in permissive mode, but it needed to be disabled in order for it to work.

Thanks,
Alan

On Thu, 2006-07-13 at 12:52 -0500, Gerald (Jerry) Carter wrote:
> Alan Munter wrote:
> > I just patched our domain controllers with MS06-035 because it said it was just fixing a couple of memory leak problems with SMB in srvsvc. Now, this afternoon, one of my colleagues tried to join a FC5 machine to our Active Directory using the recipe that we have been using for years (which worked yesterday, according to him), and it fails on net ads join. No changes have been made to the domain controllers other than the Black Tuesday patches. Here's a log dump from net -d4 ads join. We get the error:
>
> What version of Samba is this? 3.0.22?
>
> > [2006/07/12 15:55:14, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(571)
> >   verify_service_password: get_service_ticket failed: KDC has no support for encryption type
>
> Ignore that. It's not the issue.
>
> > Any ideas of what's going on? Need more info? Did MS sneak some more changes into the server service that they aren't talking about in that patch?
>
> Need more details. What do level 10 debug logs from smbd tell you about the failed authentication?
>
> cheers, jerry

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
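The thread above ended with SELinux, not Samba, being the cause. As an added example (not code from the thread or from the Samba project), the script below does the two checks that outcome calls for on a Fedora Core 5 member: read the SELinux mode that is persisted in /etc/selinux/config (and the running one from getenforce where available), and strip the benign "KDC has no support for encryption type" message out of a `net -d4 ads join` log so only the lines that still need explaining remain. The SELinux config text and the trailing "Failed to join domain" log line are constructed samples; the enctype lines are the ones quoted in the thread. The verdict follows the thread's own finding that the join only worked with SELinux fully disabled, so permissive mode is reported as something to rule out first.

```sh
#!/bin/sh
# Added example for the MS06-035 thread; not code from the thread or from Samba.
# Two checks: the SELinux mode the FC5 client is really in (persisted and
# running), and which "net -d4 ads join" log lines still need explaining once
# the benign enctype message is set aside. Sample inputs are constructed.

# Persisted mode: the SELINUX= line of /etc/selinux/config (first match wins).
# Prints enforcing, permissive, disabled, or "unset" if no such line exists.
selinux_mode_from_config() {
    mode=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' \
        | head -n 1 | tr 'A-Z' 'a-z')
    printf '%s\n' "${mode:-unset}"
}

# Running mode: getenforce prints Enforcing/Permissive/Disabled. A host without
# the SELinux tools is reported as "unavailable" so silence is not mistaken
# for "disabled". The persisted and running modes differ until a reboot.
selinux_running_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unavailable
    fi
}

# Log lines that still need explaining: anything mentioning a failure except the
# salting-principal enctype message. Debug headers ("[date, level] file:func(line)")
# are dropped so only message text remains. Always exits 0, so it is safe
# under "set -e" even when nothing is left.
join_log_real_errors() {
    printf '%s\n' "$1" \
        | grep -v 'KDC has no support for encryption type' \
        | grep -i 'fail' \
        | grep -v '^\[' || true
}

# Operator verdict. Per the thread, the join recipe only worked with SELinux
# disabled, so "permissive" is a cause to rule out first, not a pass.
join_verdict() {
    cfg_mode=$1
    errs=$(join_log_real_errors "$2")
    case "$cfg_mode" in
        enforcing|permissive)
            echo "selinux-$cfg_mode: set SELINUX=disabled, reboot, retry the join before debugging Samba" ;;
        disabled)
            if [ -n "$errs" ]; then
                echo "selinux-disabled: real join errors remain, collect smbd level 10 logs"
            else
                echo "selinux-disabled: no real join errors in log"
            fi ;;
        *)  echo "selinux-unknown: check /etc/selinux/config" ;;
    esac
}

# Constructed sample of /etc/selinux/config on a default FC5 install.
SAMPLE_SELINUX_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted'

# Constructed sample log: the first two lines are the ones quoted in the thread;
# the last is a made-up failure line standing in for whatever the real join printed.
SAMPLE_JOIN_LOG='[2006/07/12 15:55:14, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(571)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type
Failed to join domain: constructed sample failure line'

join_verdict "$(selinux_mode_from_config "$SAMPLE_SELINUX_CONFIG")" "$SAMPLE_JOIN_LOG"
```

On a real box replace the two sample strings with `$(cat /etc/selinux/config)` and the captured `net -d4 ads join` output; `selinux_running_mode` is there for the case where the config file was edited but the machine has not been rebooted yet.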
[Samba] MS06-035 problems?
I just patched our domain controllers with MS06-035 because it said it was just fixing a couple of memory leak problems with SMB in srvsvc. Now, this afternoon, one of my colleagues tried to join a FC5 machine to our Active Directory using the recipe that we have been using for years (which worked yesterday, according to him), and it fails on net ads join. No changes have been made to the domain controllers other than the Black Tuesday patches. Here's a log dump from net -d4 ads join. We get the error:

    [2006/07/12 15:55:14, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(571)
      verify_service_password: get_service_ticket failed: KDC has no support for encryption type

The krb5.conf was copied from the machine that worked yesterday. The computer account actually made it into the Active Directory despite the errors, apparently.

In trying to debug the problems I deleted the computer account from AD, had him shut down smb and winbind, had him clear out /var/log/samba and the secrets file in /etc/samba and restart our recipe to add the stuff to the domain. He reported after that procedure that the computer was able to join the domain, but now authentication fails when trying to log in.

Any ideas of what's going on? Need more info? Did MS sneak some more changes into the server service that they aren't talking about in that patch?

Thanks,
Alan
[Samba] Samba 3, member of ADS, new trust between small ADS and large one
We have been running a few Linux machines (FC2) as members of our Win2k3 Active Directory domain. They were all humming along fine using winbind for logins and LDAP on a local server for the SID-UID/GID mappings. Things seem to have changed, however, when a one-way trust was set up between our small AD domain and a much larger one. The trust was set up to allow members of the larger domain to sit down at our computers and log in; however, it seems that now winbind or LDAP or both are choking on the ~3500 new people.

From a Samba Linux member of the domain:

    wbinfo -t      works
    wbinfo -u      works most of the time, but is sometimes slow at getting started and fast at printing all 3500 names once it starts
    wbinfo -g      same as wbinfo -u
    getent passwd  frequently hangs after listing the local /etc/passwd contents, and when it does go on it seems to get incrementally further in the list of 3500 people before it finally times out each time I run it
    getent group   works, with many fewer entries

So my question is, what is going on and what can I do to help the situation? I actually would like to just deny the logins from the larger domain from logging in to the Samba ADS domain computers, but perhaps this is not possible with the trust set up between the Win2k3 domains. Is the bottleneck our LDAP server, or is there some artificially configured maximum result size coming from a basically default install of OpenLDAP?

Thanks in advance for any help.

Alan
Re: [Samba] Samba 3, member of ADS, new trust between small ADS and large one
It works! Just confirmed that this solved the problem.

Thanks, Jerry!

On Tue, 2005-02-08 at 14:29, Gerald (Jerry) Carter wrote:
> Alan Munter wrote:
> | So my question is, what is going on and what can I do
> | to help the situation? I actually would like to just deny the
> | logins from the larger domain from logging in to the Samba
> | ADS domain computers,
>
> 'allow trusted domains = no'
>
> cheers, jerry
>
> = Alleviating the pain of Windows(tm) --- http://www.samba.org
> GnuPG Key- http://www.plainjoe.org/gpg_public.asc
>
> I never saved anything for the swim back. Ethan Hawk in Gattaca
[Samba] 3.0.2 works with kerberos 1.2.7 for a while, then stops
I installed RH9 and the RH9 binary rpm of samba-3.0.2a from the ftp site. I added default_realm, kdc, and [domain_realm] sections to my krb5.conf file because for some reason it can't get them from DNS (haven't worked that out yet), and with a small edit of smb.conf was able to join the new samba install to our 2k3 Active Directory. wbinfo -t and kinit and stuff all worked, as did getent passwd. Then I used swat to make a share and set valid users = '@MYDOMAIN\Domain Users' and browsed to it from a Windows XP machine which was a member of the domain. I made a folder in the share, verified that it had the correct UID/GID mapping. All was good.

Then all of a sudden it stopped working. Now I am getting log entries like:

    [2004/03/18 15:57:57, 2] smbd/sesssetup.c:setup_new_vc_session(591)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(518)
      Doing spnego session setup
    [2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(549)
      NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
    [2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
      Got OID 1 2 840 48018 1 2 2
    [2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
      Got OID 1 2 840 113554 1 2 2
    [2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(427)
      Got OID 1 3 6 1 4 1 311 2 2 10
    [2004/03/18 15:57:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(430)
      Got secblob of size 1211
    [2004/03/18 15:57:57, 3] libads/kerberos_verify.c:ads_verify_ticket(323)
      ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
    [2004/03/18 15:57:57, 3] libads/kerberos_verify.c:ads_verify_ticket(330)
      ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
    [2004/03/18 15:57:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
      Failed to verify incoming ticket!
    [2004/03/18 15:57:57, 3] smbd/error.c:error_packet(94)
      error string = No such file or directory
    [2004/03/18 15:57:57, 3] smbd/error.c:error_packet(118)
      error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

I know. Folks will say that I need to upgrade MIT Kerberos to 1.3.1, which I will do; however, I am curious about why it used to work and then just stopped working. I was messing around with swat at the time, but I did not change any of the global settings, only shares. Any ideas?

Alan

--
Alan E. Munter                   NIST Center for Neutron Research
Physical Scientist               100 Bureau Dr., Stop 8562
[EMAIL PROTECTED]                Gaithersburg, MD 20899-8562
http://www.ncnr.nist.gov/        (301)975-6244
[Samba] comments/questions about HOWTO collection contents
I am trying to get Samba 3.0.0 going on a RedHat 9.0 machine to join my Win 2003 ADS domain and use winbind for authentication, and running into snags getting shares, local login permissions, and PAM to work consistently. I am trying to follow the instructions in chapter 7 (mostly 7.4) and chapter 21 and am finding some confusing things.

In 7.4.1 the first line that must be in smb.conf is

    realm = your.kerberos.REALM

Given all of the issues with case-sensitivity and Kerberos realms I am not sure if that means that I should use the FQDN of my AD domain, if it should be in all caps, or lowercase or what. Does the case matter for that statement?

Next, in 7.6.3 it says that Windows 2003 requires SMB signing and gives the option

    client use spnego = yes

to use. Well, I forgot to add this one before doing the net ads join stuff (since it was at the end of the chapter, way after the net ads commands, and I did not read the whole chapter first), and I was still able to join the domain and verify that it created a computer account for my Samba workstation. Not sure what the signing is used for. Maybe this is the result of the functional level of my AD domain?

Actually, I am also confused about functional levels. Microsoft, in the help pages for domain functional levels in Server 2003, lists 4 different domain functional levels and 3 different forest functional levels for the Windows 2003 Server. The 4 domain functional levels are: Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The 3 forest functional levels are: Windows 2000, Windows Server 2003 interim, Windows Server 2003. The interim levels are related to upgrading from an NT4 to 2003 domain, but the others are all selectable on the Win2003 DC. I have gotten various responses to questions about which of those functional levels is compatible with having Samba 3.0 join the domain as a full member. I think that section 7.6.3 should include that kind of info (or if it exists elsewhere in the docs and I am just an idiot for not finding it I take the blame. 8) ).

Next, in 21.5.3.3 the uid and gid map lines given in the winbind config example look weird to me since the two of them are not consistent: one uses idmap and one uses winbind. In searching the lists I see some people using "idmap uid" and "idmap gid" and some people using "winbind uid" and "winbind gid" and even others using "winbind idmap uid" and "winbind idmap gid". Which is it?

Next, in 21.5.3.4 the example does not seem to match the paragraph above it. The whole command confuses me. I thought the command would be something like

    root# net ads join -S PDC -U Administrator

not

    root# net rpc join...

Also the paragraph says that the command makes "the Samba server join the PDC domain". Seems like it should read "make the Samba server join the domain controlled by the server called PDC". It goes on to say "where DOMAIN is the name of your Windows domain", but DOMAIN is not used in the example. Anyway, I think I understand what it is trying to say, but it is still confusing.

Lastly, the last sentence of 21.5.3.6 says "If you restart the smbd, nmbd, and winbindd daemons at this point, you should be able to connect to the Samba server as a Domain Member just as if you were a local user." I am not sure how to test this. Does that mean that I should be able to go to some Windows machine that is part of the domain, log on with a domain account, browse to my Samba server, double-click, type my domain username/password, and access the server?

Basically, since I am new to this stuff I am just adding options and taking them out randomly in some cases. For instance, like the winbind use default domain = yes option in smb.conf (which I found out about through reading the list archives). This is not in the HOWTO collection anywhere, but it seems to have a big difference on how it all works. It stops the domain from being prepended to your users and groups. I briefly had the sshd setup working with winbindd in PAM, and before adding the winbind use default domain line I had to type MYDOMAIN+username to log in locally to the Linux machine. Not sure if that is how it is supposed to work or not.

OK. Too long already. The most valuable feedback for me from one of the samba.org addresses would probably be info about how much they charge per hour for configuration consulting (over the phone, email, or using a login to poke at the config files) if such is available. That would solve two of my problems: give something back to the creators of this amazing product and get my config up and humming in the shortest amount of time.

Thanks,
Alan

--
Alan E. Munter                   NIST Center for Neutron Research
Physical Scientist               100 Bureau Dr., Stop 8562
[EMAIL PROTECTED]                Gaithersburg, MD 20899-8562
http://www.ncnr.nist.gov/        (301)975-6244
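Two of the questions on this page come down to how smb.conf is read: the HOWTO message above asks whether `idmap uid` or `winbind uid` is the right spelling and whether the realm's case matters, and the trust thread earlier was settled by `allow trusted domains = no`. As an added example (not code from either thread and not Samba's own parser), the script below reads the `[global]` section the way Samba does for these purposes: parameter names are case-insensitive and ignore internal whitespace, and `winbind uid`/`winbind gid` are accepted as the older synonyms of `idmap uid`/`idmap gid` (smb.conf(5) in Samba 3.0 lists them as synonyms). It then reports the settings a domain member wants to get right: an upper-case realm (Kerberos realm names are case-sensitive and an AD realm is the DNS domain name in upper case), `security = ads`, proper id ranges, and `allow trusted domains = no` when users from a trusted domain should not be accepted. Both configs at the bottom are constructed samples, id ranges included.

```sh
#!/bin/sh
# Added example for the HOWTO questions and the trust thread; not code from
# the threads or from Samba. Reads [global] of an smb.conf with Samba's
# case- and whitespace-insensitive parameter names, folds the "winbind uid"/
# "winbind gid" synonyms onto "idmap uid"/"idmap gid", and lints the settings
# that matter for an AD member. The sample configs are constructed.

# Value of a [global] parameter, or "" if unset. Only [global] is read; the same
# key inside a share section is ignored. Lines starting with ; or # are comments.
smbconf_global_get() {
    printf '%s\n' "$1" | awk -v want="$2" '
        function canon(n) {
            gsub(/[ \t]/, "", n); n = tolower(n)
            if (n == "winbinduid") n = "idmapuid"   # synonym in Samba 3.0
            if (n == "winbindgid") n = "idmapgid"   # synonym in Samba 3.0
            return n
        }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { sect = $0; gsub(/[][ \t]/, "", sect); sect = tolower(sect); next }
        sect == "global" && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (canon(name) == canon(want)) print val
        }'
}

# An id range is "low-high" with both numbers present.
range_ok() {
    printf '%s\n' "$1" | grep -q '^[0-9][0-9]*-[0-9][0-9]*$'
}

# One finding per line; nothing printed for a clean config.
#   realm-missing / realm-not-uppercase : realm absent, or not the upper-case realm name
#   security-not-ads                    : an AD member needs security = ads
#   idmap-uid-bad / idmap-gid-bad       : range missing or malformed (either spelling)
#   trusted-domains-allowed             : allow trusted domains defaults to yes
smbconf_lint() {
    conf=$1
    realm=$(smbconf_global_get "$conf" "realm")
    sec=$(smbconf_global_get "$conf" "security" | tr 'A-Z' 'a-z')
    uid=$(smbconf_global_get "$conf" "idmap uid")
    gid=$(smbconf_global_get "$conf" "idmap gid")
    atd=$(smbconf_global_get "$conf" "allow trusted domains" | tr 'A-Z' 'a-z')
    [ -n "$realm" ] || echo realm-missing
    [ -z "$realm" ] || [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] || echo realm-not-uppercase
    [ "$sec" = ads ] || echo security-not-ads
    range_ok "$uid" || echo idmap-uid-bad
    range_ok "$gid" || echo idmap-gid-bad
    case "$atd" in
        no|false|0) ;;
        *) echo trusted-domains-allowed ;;
    esac
}

# Constructed sample in the shape the HOWTO questions describe: mixed synonyms,
# lower-case realm, security = domain, a one-number "range", no trust setting.
BAD_CONF='[global]
   workgroup = WINDOMAIN
   realm = windomain.nist.gov
   security = domain
   winbind uid = 10000-20000
   idmap gid = 10000
   winbind enum users = yes'

# Constructed sample that passes every check; the share section shows that
# keys outside [global] are not consulted.
GOOD_CONF='[global]
   workgroup = WINDOMAIN
   realm = WINDOMAIN.NIST.GOV
   security = ADS
   IdMap UID = 10000-20000
   idmap gid = 10000-20000
   allow trusted domains = no
   ; a comment line is ignored
[homes]
   comment = Home Directories
   read only = no'

echo "--- bad config";  smbconf_lint "$BAD_CONF"
echo "--- good config"; smbconf_lint "$GOOD_CONF"
```

Run it against a real file with `smbconf_lint "$(cat /etc/samba/smb.conf)"`; `testparm` remains the authority on what Samba itself accepts, this only checks the handful of settings the two threads turned on.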
[Samba] mystified by interaction between krb5.conf, smb.conf, and winbindd
I am stumped here. I am a novice at using Samba to do MS Active Directory stuff, but I have read everything I could find in the HOWTO collection and on the linux.samba cache of the list and am still stuck.

A bit of background... I have set up a Windows 2003 server as a domain controller here and configured it to be the DNS for a fictitious domain for internal use only. The domain functional level is Windows 2003. I am calling the domain windomain.nist.gov and have set up the Win2003 server to do DNS and AD authentication for the windomain domain.

I have a Redhat 7.3 machine on my desk that I wanted to add to the AD domain and do authentication to it using winbind. I uninstalled the samba rpms supplied by redhat and installed the samba 3.0.0 binary rpm compiled for redhat 7.3 by Gerald Carter. I also got the source for MIT Kerberos5 1.3.1, compiled it with the prefix /usr/kerberos (since that is where redhat installs the kerberos stuff) and just installed it on top of the redhat supplied kerberos stuff since there were too many dependencies to remove the redhat ones.

I was able to use kinit to get a kerberos ticket and then add my Linux Samba machine to the AD domain. I modified smb.conf and krb5.conf and started winbind and am able to use wbinfo to check some things, but not others. I cannot seem to get wbinfo -u/wbinfo -g and wbinfo -t/wbinfo -a to work simultaneously unless I play a little trick with my krb5.conf file. Here is what happens:

    /etc/init.d/smb start
    /etc/init.d/winbind start
    [EMAIL PROTECTED] bin]# wbinfo -t
    checking the trust secret via RPC calls failed
    error code was NT_STATUS_UNSUCCESSFUL (0xc001)
    Could not check secret
    [EMAIL PROTECTED] bin]# wbinfo -u
    Administrator
    Guest
    SUPPORT_388945a0
    krbtgt
    amunter
    IUSR_WINSERVER
    IWAM_WINSERVER

So -u worked but -t failed. Then I go into krb5.conf and comment out the kdc line like so:

    [realms]
    WINDOMAIN.NIST.GOV = {
        admin_server = winserver.windomain.nist.gov
        default_domain = WINDOMAIN.NIST.GOV
        #kdc = winserver.windomain.nist.gov
    }

and now they both work. However, when I then restart winbind with that line commented out

    /etc/init.d/winbind restart

now wbinfo -t still works to check the secret, but wbinfo -u does not work to get the list of users.

Here are the relevant files:

- krb5.conf -

    [libdefaults]
    default_realm = WINDOMAIN.NIST.GOV

    [realms]
    WINDOMAIN.NIST.GOV = {
        admin_server = winserver.windomain.nist.gov
        default_domain = WINDOMAIN.NIST.GOV
        kdc = winserver.windomain.nist.gov
    }

    [domain_realm]
    .ncnr.nist.gov = WINDOMAIN.NIST.GOV
    ncnr.nist.gov = WINDOMAIN.NIST.GOV

    [logging]
    kdc = CONSOLE

- section of smb.conf -

    [global]
    workgroup = WINDOMAIN
    server string = Alan's Samba 3.0 Server
    realm = WINDOMAIN.NIST.GOV
    security = ADS
    winbind separator = +
    winbind use default domain = yes
    idmap uid = 1-2
    winbind gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    client use spnego = yes
    template homedir = /home/WINDOMAIN
    template shell = /bin/bash
    password server = WINSERVER

I only have one DNS server in resolv.conf and that is pointing to the Windows DC.

Any suggestions for what is going wrong or what other log files I should look at to figure out what's up?

Thanks for any suggestions,
Alan

--
Alan E. Munter                   NIST Center for Neutron Research
Physical Scientist               100 Bureau Dr., Stop 8562
[EMAIL PROTECTED]                Gaithersburg, MD 20899-8562
http://www.ncnr.nist.gov/        (301)975-6244
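The post above hinges on two things a Kerberos client derives from krb5.conf: which realm a host name belongs to, and where the KDC for that realm is once the `kdc =` line is commented out. As an added example (not code from the post, MIT Kerberos or Samba), the script below answers both offline for the krb5.conf quoted in the post. Realm lookup follows the documented `[domain_realm]` order: an exact host entry first, then the longest parent domain written with a leading dot, then `default_realm`; so `winserver.windomain.nist.gov`, which matches no `[domain_realm]` entry, only resolves through `default_realm`. A constructed variant without `default_realm` shows what that fallback buys, and the variant with the `kdc` line commented out (as in the post) shows the library is left with no configured KDC for the realm and must find one another way (DNS SRV lookup when `dns_lookup_kdc` is on, which is assumed here to be the library default).

```sh
#!/bin/sh
# Added example for the krb5.conf/smb.conf post; not code from the post, MIT
# Kerberos or Samba. Resolves host -> realm and realm -> kdc from the posted
# krb5.conf using the documented [domain_realm] matching order.

# Print the value of "key" in [section]; for [realms], pass the realm name as
# the 4th argument to look inside that realm's { } block. Comments and blank
# lines are skipped; keys are compared case-insensitively.
krb5_get() {
    printf '%s\n' "$1" | awk -v sect="$2" -v key="$3" -v realm="$4" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            cur = $0; gsub(/[][ \t]/, "", cur); cur = tolower(cur)
            inblock = ""; next
        }
        $NF == "{" && cur == sect { inblock = $1; next }
        $1 == "}"                 { inblock = ""; next }
        cur == sect && inblock == realm && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) print v
        }'
}

# Realm for a host: exact [domain_realm] entry, then each parent domain with a
# leading dot (longest first), then default_realm. Prints "" if none apply.
krb5_realm_for_host() {
    conf=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    r=$(krb5_get "$conf" domain_realm "$host")
    d=$host
    while [ -z "$r" ] && [ "${d#*.}" != "$d" ]; do
        d=${d#*.}
        r=$(krb5_get "$conf" domain_realm ".$d")
    done
    [ -n "$r" ] || r=$(krb5_get "$conf" libdefaults default_realm)
    printf '%s\n' "$r"
}

# KDC named for a realm in [realms]; "" when no kdc line is present, which is
# the state the post describes after commenting the line out.
krb5_kdc_for_realm() {
    krb5_get "$1" realms kdc "$2"
}

# The krb5.conf quoted in the post.
KRB5_CONF='[libdefaults]
    default_realm = WINDOMAIN.NIST.GOV

[realms]
    WINDOMAIN.NIST.GOV = {
        admin_server = winserver.windomain.nist.gov
        default_domain = WINDOMAIN.NIST.GOV
        kdc = winserver.windomain.nist.gov
    }

[domain_realm]
    .ncnr.nist.gov = WINDOMAIN.NIST.GOV
    ncnr.nist.gov = WINDOMAIN.NIST.GOV

[logging]
    kdc = CONSOLE'

# The same file with the kdc line commented out, as in the post.
KRB5_CONF_NO_KDC=$(printf '%s\n' "$KRB5_CONF" | sed 's/^\( *\)kdc = winserver/\1#kdc = winserver/')

# A constructed variant with no default_realm, to show what the fallback buys.
KRB5_CONF_NO_DEFAULT=$(printf '%s\n' "$KRB5_CONF" | sed '/default_realm/d')

for h in winserver.windomain.nist.gov box.ncnr.nist.gov; do
    echo "$h -> realm '$(krb5_realm_for_host "$KRB5_CONF" "$h")'"
    echo "$h -> realm without default_realm '$(krb5_realm_for_host "$KRB5_CONF_NO_DEFAULT" "$h")'"
done
echo "kdc with line:    '$(krb5_kdc_for_realm "$KRB5_CONF" WINDOMAIN.NIST.GOV)'"
echo "kdc line removed: '$(krb5_kdc_for_realm "$KRB5_CONF_NO_KDC" WINDOMAIN.NIST.GOV)'"
```

The interesting output is the DC itself: `winserver.windomain.nist.gov` is only placed in WINDOMAIN.NIST.GOV by `default_realm`, because the `[domain_realm]` section covers ncnr.nist.gov, not windomain.nist.gov; with the `kdc` line gone the realm has no configured KDC at all, so anything that then works is relying on a lookup outside this file.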