Re: [Samba] bad encryption type when accessing AD member server

2003-10-02 Thread Alexander List
On Tue, 30 Sep 2003, Henning Holtschneider wrote:

  [2003/09/29 13:17:02, 3] libads/kerberos_verify.c:ads_verify_ticket(317)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)

 I replaced Debian's default krb5.conf (which looks like MIT Kerberos' sample
 file) with the minimum configuration described in the Samba documentation and
 finally the connection from the Windows clients works! Don't know why I
 didn't try that earlier ...

The problem is that the Debian krb5-config package installed a default
krb5.conf that was too restrictive with the encryption types. I already
filed a bug against the krb5-config package which has been acknowledged by
the developer. I guess future new installations shouldn't expose this
problem.

Alex

-- 
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety.
--Benjamin Franklin, 1759

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Re: bad encryption type when accessing AD member server

2003-10-02 Thread Alexander List
On Thu, 2 Oct 2003, Derek T. Yarnell wrote:

 Can you send me your working krb5.conf file? I am having the same
 problem (not running debian) and trying to figure out what I need to
 have in it is a pain.

Less is more in this case.

Try _removing_ anything about the enctypes in krb5.conf and only define
the realm, like mentioned in the Samba HOWTO collection:

http://www.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#id2877790

If you use the mentioned minimal config, everything should work fine.

Alex

-- 
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety.
--Benjamin Franklin, 1759
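
The check behind the advice in this thread, as an added example that is not part of the original posts: it lists the encryption-type pins in the `[libdefaults]` section of a krb5.conf and reports the ones that share no enctype with the set the KDC uses. `KDC_ENCTYPES`, the host name `dc1.internal.domain.com` and both sample files are assumptions constructed for illustration.

```python
import re

# krb5.conf [libdefaults] settings that narrow the encryption types the library accepts.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def find_enctype_pins(conf_text):
    """Return {setting: [enctypes]} for every enctype pin in [libdefaults]."""
    section, pins = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                pins[key] = [e.lower() for e in re.split(r"[,\s]+", value) if e]
    return pins

def blocking_pins(conf_text, kdc_enctypes):
    """Return the pinned settings that share no enctype with the KDC's set."""
    offered = {e.lower() for e in kdc_enctypes}
    pins = find_enctype_pins(conf_text)
    return sorted(k for k, v in pins.items() if not offered.intersection(v))

# Assumption: enctypes the domain controller issues tickets in; replace with your KDC's.
KDC_ENCTYPES = {"rc4-hmac", "des-cbc-crc", "des-cbc-md5"}

# Constructed sample: a config that pins every enctype setting.
RESTRICTIVE = """
[libdefaults]
    default_realm = INTERNAL.DOMAIN.COM
    default_tgs_enctypes = des3-hmac-sha1
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    permitted_enctypes = des3-hmac-sha1
"""

# Constructed sample: realm-only config in the spirit of the advice above.
MINIMAL = """
[realms]
    INTERNAL.DOMAIN.COM = {
        kdc = dc1.internal.domain.com
    }
"""

if __name__ == "__main__":
    for name, text in (("restrictive", RESTRICTIVE), ("minimal", MINIMAL)):
        print(name, find_enctype_pins(text), blocking_pins(text, KDC_ENCTYPES))
```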







[Samba] smbclient et al: -k by default?

2003-09-29 Thread Alexander List
Hello,

I tried to find something in the HOWTOs and the mailing list, but failed
so far...

Is it possible to tell smbclient and the other command line client utils
to use kerberos auth by default? security=ads is already set, smbclient -k
works fine. I just don't want to specify -k at the command line all the
time, but configure that somewhere in smb.conf.

It would also be nice to have smbclient launch the kinit process if
kerberos auth is specified and no valid ticket is found...

Alex

-- 
Every new insight has to overcome two hurdles: the prejudice of the
'experts', and the persistence of ingrained systems of thought.
--Herophilus



Re: [Samba] winbindd instability, inconsistent handling of Domain name

2003-09-22 Thread Alexander List
On Sat, 20 Sep 2003, Gerald (Jerry) Carter wrote:

 | After restarting winbindd, it works again for a while. What's the proper
 | way to produce useful debugging information for the developers?

 I think this has already been fixed in our CVS tree.  The Debian
 packaging script should be fine for RC4 so you might just want to build
 your own package from that tree and see if things work better for you.

That's fixed, thanks, and AFAIR I posted that fact to the list on
Wed, 10 Sep 2003 21:11:11 +0200 (CEST).

 | user::rwx
 | user:DOMAIN+username:rwx
 |
 | When I create the ACL with setfacl -m u:INTERNAL.DOMAIN.COM:username:rwx,
 | only DOMAIN+username (the short NETBIOS name of the domain) is listed in
 | the ACL.

 Haven't we already talked about this one?  I'm having serious
 deja vu here.  winbindd mostly operates on the short name of the domain.

Yep, this is also a non-issue because INTERNAL.DOMAIN.COM is correctly
mapped to DOMAIN by winbindd.

 | [admin]
 | browsable = no
 | path = /mnt/admin
 | public = no
 | write list = DOMAIN+username
 |
 | This won't work. Windows domain user username gets Access denied when
 | trying to create a file on the share.
 |
 | However, this works:
 |
 | write list = INTERNAL.DOMAIN.COM+username
 |
 | Is this a bug or a configuration problem on my side?

 did you define the workgroup and realm in smb.conf?

Yes, I did. Just compiled the latest CVS HEAD branch stuff and tested it
again. The problem won't occur if I set writable to yes, it will only
occur if writable is set to no and there's a write list statement.

Here's what I get from the logs when I try to create a directory on a
share configured as explained above:

/* First, username.c returns  [EMAIL PROTECTED] instead of [EMAIL PROTECTED]:
*/

[2003/09/22 14:32:04, 3] smbd/sesssetup.c:reply_spnego_kerberos(178)
  Ticket name is [EMAIL PROTECTED]
[2003/09/22 14:32:04, 5] lib/username.c:Get_Pwnam(288)
  Finding user INTERNAL.DOMAIN.COM+user
[2003/09/22 14:32:04, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is internal.domain.com+user
[2003/09/22 14:32:04, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [INTERNAL.DOMAIN.COM+user]!

[...]

/* here, the realm+username is used again */

[2003/09/22 14:32:04, 10] passdb/pdb_get_set.c:pdb_set_username(593)
  pdb_set_username: setting username INTERNAL.DOMAIN.COM+username, was
[2003/09/22 14:32:04, 10] passdb/pdb_get_set.c:pdb_set_init_flags(493)
  element 11 - now SET

[...]

/* finally, the create directory call fails */

[2003/09/22 14:32:04, 5] smbd/filename.c:unix_convert(323)
  New file test1
[2003/09/22 14:32:04, 3] smbd/dosmode.c:unix_mode(110)
  unix_mode(test1) returning 0744
[2003/09/22 14:32:04, 5] smbd/files.c:file_new(122)
  allocated file structure 9230, fnum = 13326 (1 used)
[2003/09/22 14:32:04, 2] smbd/open.c:open_directory(1303)
  open_directory: failing create on read-only share
[2003/09/22 14:32:04, 5] smbd/files.c:file_free(385)
  freed files structure 13326 (0 used)
[2003/09/22 14:32:04, 10] smbd/trans2.c:set_bad_path_error(1785)
  set_bad_path_error: err = 13 bad_path = 0
[2003/09/22 14:32:04, 3] smbd/error.c:error_packet(94)
  error string = Permission denied
[2003/09/22 14:32:04, 3] smbd/error.c:error_packet(113)
  error packet at smbd/trans2.c(1797) cmd=162 (SMBntcreateX)
NT_STATUS_ACCESS_DENIED

Hope this helps to find the problem... if not, I'll send you the whole log
directly.

Thanks again for your help hunting down this problem...

Alex

-- 
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety.
--Benjamin Franklin, 1759



Re: [Samba] Latest Samba Disto for Os390/Unix ?

2003-09-20 Thread Alexander List
On Fri, 19 Sep 2003 [EMAIL PROTECTED] wrote:

 (I have tried downloading the 'samba-latest.tar.gz' file from the mirror
 site, but as I cannot unzip/untar it, due to not having the 'gzip' program
 !).
  Therefore I am not sure how compatible it may or may not be with my
 Os390/Uss platform.

C'mon John,

are you a system administrator for an S/390? :-)

If I understand you correctly, you are trying to tell us that Samba might
not be compatible with your OS because your OS doesn't have a certain
unzipping program installed by default?

You sound like a Windows user who fails to install WinZip...

www.gzip.org has the gzip source, in case there's no binaries available
for your OS. If you fail to build gzip, you will most likely have a hard
time building Samba...

AFAIR OS/390 allows you to host other operating systems that might work,
then you could e.g. install Debian and run Samba in that virtual
machine...

scnr

Alex

-- 
Life is what happens to you while you're busy making other plans.
--John Lennon



[Samba] Seeking advice: ADS domain, Samba3 server locally and via WAN

2003-09-12 Thread Alexander List
Hello,

from the Samba3 docs I learnt that Samba currently cannot function as an
ADS secondary domain controller.

Imagine the following setup:

At location A of a company, I have a W2K ADS domain controller and a
Samba3 machine as an ADS member server. Connectivity is via 2Mbit to the
Internet.

At location B, which is located in another country and connected to the
Internet with a DSL line (1MBit down, 256kBit uplink) (of course
everything done via VPN), I'd like to set up another Samba3 server as a
domain member. No W2K server over there.

The users of the W2K clients at location B should use login scripts and
shares only from their local Samba server.

* is this feasible and does it make sense?
* how much traffic do I have to expect from the ADS member server at site
  B to the domain controller at site A?
* how much traffic, if at all, do I have to expect from the W2K clients at
  site B to the ADS domain controller at site A?

Thanks in advance for your advice!

Alex

-- 
They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety.
--Benjamin Franklin, 1759



Re: [Samba] Installing additional features after install

2003-09-10 Thread Alexander List
On Tue, 9 Sep 2003 [EMAIL PROTECTED] wrote:

 How can i install features for samba3.0rc2 after installing with rpm?? I
 want to have the feature disk quota.

You cannot install features that are not compiled into the binary. If
quota support isn't included in your rpm, you will have to get the SRPM
from http://at.samba.org/ftp/Binary_Packages/RedHat/SRPMS/ then run
configure with the appropriate switches and recompile. I don't know how to
automatically build RPMs, but http://www.rpm.org/RPM-HOWTO/build-it.html
knows.

You might also have a look at

http://at.samba.org/samba/devel/docs/html/Samba-HOWTO-Collection.html#compiling

regards

Alex


-- 
Life is what happens to you while you're busy making other plans.
--John Lennon



[Samba] RESOLVED: winbindd instability, inconsistent handling of Domain name

2003-09-10 Thread Alexander List
On Mon, 8 Sep 2003, Alexander List wrote:

 After a while, wbinfo [-u|-g] returns

 server:/var/log/samba# wbinfo -g
 Error looking up domain groups

winbindd issue solved in 3.0.0rc3.

The problem with smbd persists, will try to debug a little more and post a
bug to bugzilla.

Alex

-- 
Life is what happens to you while you're busy making other plans.
--John Lennon



[Samba] winbindd instability, inconsistent handling of Domain name

2003-09-08 Thread Alexander List
Hello world,

I'm currently experimenting with a new Samba server that is to be
integrated in an existing ADS domain.

System is Debian Woody, plus samba 3.0.0beta2+3.0.0rc2-1 and necessary
dependencies. Kernel is 2.4.21 + Debian patches + XFS

ii  libc6  2.3.2-5  GNU C Library: Shared libraries and
Linux bigberta 2.4.21-4-686-xfs #1 Mon Aug 25 15:44:37 CEST 2003 i686

smbd, nmbd and winbindd are working fine, I could join the AD Domain in
native mode, created partitions using XFS (with ACL support), and
wbinfo -u and wbinfo -g list the domain users and groups, respectively, correctly.

My first problem:

After a while, wbinfo [-u|-g] returns

server:/var/log/samba# wbinfo -g
Error looking up domain groups

After restarting winbindd, it works again for a while. What's the proper
way to produce useful debugging information for the developers?



My second problem:

I created a directory /mnt/admin with this ACL:

# file: .
# owner: root
# group: root
user::rwx
user:DOMAIN+username:rwx
group::r-x
mask::rwx
other::r-x

When I create the ACL with setfacl -m u:INTERNAL.DOMAIN.COM:username:rwx,
only DOMAIN+username (the short NETBIOS name of the domain) is listed in
the ACL.

I created the following Samba share:

[admin]
browsable = no
path = /mnt/admin
public = no
write list = DOMAIN+username

This won't work. Windows domain user username gets Access denied when
trying to create a file on the share.

However, this works:

write list = INTERNAL.DOMAIN.COM+username

Is this a bug or a configuration problem on my side?



Another thing I found in the winbindd log file:

[2003/09/07 16:36:26, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(147)
  user 'MACHINE$' does not exist

MACHINE$ is the Windows client I'm using to access the share.

Thanks for any hints!

Alex

-- 
UNLESS someone like you cares a whole awful lot, nothing is going to get
better. It's not. --Dr. Seuss, from The Lorax



