Re: [Samba] ADS and Winbind ... Can't access with Samba host name ...

2004-01-16 Thread Matt McParland
On Fri, 16 Jan 2004, Gerald (Jerry) Carter wrote:

 Matt McParland wrote:

 | I saw the same symptoms using Samba 3.0.1 and a
 | Win2k ADS.
 |
 | Entering the IP address in Start - Run works, but
 | browsing NN or entering the FQDN would not.   That brings
 | up the shares on the Samba server but still can't
 | access any of those shares.
 |
 | It has taken a LONG time just to get to this point.

 Ironically I'm working on this right now.  Apparently
 entering the IP address causes the win2k client to use
 encapsulated NTLMSSP rather than a kerberos ticket
 to connect.

With the latest 3.0.2pre binary release I'm actually able to browse the
shares and do everything you'd expect.  NN works, and so does Start - Run
\\hostname.

If 3.0.2pre is broken, it's not totally broken because my fileserver seems
to work.

-- 
Matt McParland
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] ADS and Winbind ... Can't access with Samba host name ...

2004-01-15 Thread Matt McParland
I saw the same symptoms using Samba 3.0.1 and a Win2k ADS.

Entering the IP address in Start - Run works, but browsing NN
or entering the FQDN would not.   That brings up the shares on the Samba
server but still can't access any of those shares.

It has taken a LONG time just to get to this point.

On Fri, 19 Dec 2003, Gerald (Jerry) Carter wrote:


 Lee,

 please file a bug for me and we'll work on
 getting this resolved.  This is the 3rd report
 of the same symptoms.   Thanks.



 cheers, jerry




 C.Lee Taylor wrote:
 | Greetings ...
 |
 |It seems I have really got myself confused ...
 |
 |I have a Win2K3 ADS domain, I have two FedoraCore systems, one with
 | Samba 3.0.0 and the other with Samba 3.0.1.  Both give me the same
 | problem.
 |
 |If I try to access the Samba shares from Win2K3 using the host number, I
 | get prompted for a username and password, and no matter what I type in,
 | I can't get in.
 |
 |If I use the Samba server IP address, I am able to get into shares
 | without being prompted for user details, but Point'nPrint don't work, it
 | too requests user details.
 |
 |I do seem to be getting two errors in my logs ... First in smbd.log
 |
 | [2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
 |  getpeername failed. Error was Transport endpoint is not connected
 | [2003/12/18 16:18:07, 0] lib/util_sock.c:get_peer_addr(948)
 |  getpeername failed. Error was Transport endpoint is not connected
 |
 |And the other in the machine log with the IP address eg ...
 |10.1.1.20.log
 | [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
 |  Failed to verify incoming ticket!
 | [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
 |  Failed to verify incoming ticket!
 |
 |But in the machine log with the hostname, I am getting normal
 | messages ...
 |
 |I have tried to make changes in /etc/krb5.conf, but I don't get any
 | further ...
 |
 |I have tried a few status checks with net, all hosts work fine ...
 |
 | [EMAIL PROTECTED] samba]# net lookup ldap
 | 10.1.1.16:389
 | 10.1.1.17:389
 |
 | [EMAIL PROTECTED] samba]# net lookup dc
 | 10.1.1.16
 | 10.1.1.17
 |
 |But net lookup kdc, master domain don't return any thing, so I don't
 | know what else to look for ...
 |
 | Thanks
 | Mailed
 | Lee
 |
 |


 - --
 ~ --
 ~ Hewlett-Packard- http://www.hp.com
 ~ SAMBA Team -- http://www.samba.org
 ~ GnuPG Key   http://www.plainjoe.org/gpg_public.asc
 ~ If we're adding to the noise, turn off this song --Switchfoot (2003)



-- 
Matt McParland


Re: [Samba] wbinfo looking for hostname as domain

2004-01-15 Thread Matt McParland
On Thu, 15 Jan 2004, Andrew Bartlett wrote:

  Anyone know why it would be looking for the hostname as the domain instead
  of the domain I joined it to?

 This was fixed shortly after the release of 3.0.2pre1.

Does that mean another release is coming? :)

Does the CVS version typically compile or is it too bleeding edge?

-- 
Matt McParland


[Samba] RH8 Packages

2003-12-17 Thread Matt McParland
The samba 3.0.1 RPM for RH 8.0 seems to require two different openssl
packages.  It requires libssl.so.4 and libcrypto.so.2.  The first is in
openssl 0.9.7 and the second in openssl 0.9.6.  Am I missing something?

Which versions of those shared libs are actually required?

-- 
Matt McParland


[Samba] krb5_get_credentials failed

2003-12-17 Thread Matt McParland

Using Samba 3.0.1 packages from samba.org on RH 8.0 kernel 2.4.20.

I'm trying to get winbindd configured so that we can do single-sign on
across Win2k file servers and Samba file servers with ADS.  I've configured
Samba to do shares but it prompts for username/password unless the
user/pass exists in smbpassword.

'net ads join' was successful and secrets.tdb was modified.  The computer
account shows up in ADS.  There is a unix account created for the computer
account (computer-name$).

Unfortunately, I only had temporary access to create computer accounts.
To remove and add the computer account again (running net ads join again)
would require many phone calls.  I'm not sure if that part of the process
is failing.  It appears not, since the command executes with no error
output and secrets.tdb is modified.

I'm able to get kerberos tickets from the command line with kinit, but
winbind seems to have trouble connecting to ADS and 'wbinfo -u' doesn't
work.

I've included configuration files and what I thought was the relevant part
of the log.


smb.conf:

[global]
workgroup = DOMAIN
realm = REALM
server string = fileserver
security = ADS
password server = pdc
log level = 1
log file = /var/log/samba/%m.log
max log size = 0
preferred master = No
local master = No
domain master = No
enhanced browsing = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
winbind use default domain = Yes

krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REALM

[realms]
REALM = {
  kdc = pdc 
 }

[domain_realm]
 .pdc = REALM



Relevant parts of winbindd.log:

[2003/12/17 14:37:30, 5] nsswitch/winbindd_cm.c:cm_open_connection(178)
  connecting to pdc from fileserver with kerberos principal [EMAIL PROTECTED]
[2003/12/17 14:37:30, 2] libsmb/cliconnect.c:cli_session_setup_spnego(665)
  Doing spnego session setup (blob length=106)
[2003/12/17 14:37:30, 3] libsmb/cliconnect.c:cli_session_setup_spnego(690)
  got OID=1 2 840 48018 1 2 2
[2003/12/17 14:37:30, 3] libsmb/cliconnect.c:cli_session_setup_spnego(690)
  got OID=1 2 840 113554 1 2 2
[2003/12/17 14:37:30, 3] libsmb/cliconnect.c:cli_session_setup_spnego(690)
  got OID=1 2 840 113554 1 2 2 3
[2003/12/17 14:37:30, 3] libsmb/cliconnect.c:cli_session_setup_spnego(690)
  got OID=1 3 6 1 4 1 311 2 2 10
[2003/12/17 14:37:30, 3] libsmb/cliconnect.c:cli_session_setup_spnego(697)
  got [EMAIL PROTECTED]
[2003/12/17 14:37:30, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(509)
  Doing kerberos session setup
[2003/12/17 14:37:30, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
  krb5_get_credentials failed for [EMAIL PROTECTED] (Ticket expired)
[2003/12/17 14:37:30, 4] nsswitch/winbindd_cm.c:cm_open_connection(185)
  failed kerberos session setup with NT_STATUS_UNSUCCESSFUL
[2003/12/17 14:37:30, 5] nsswitch/winbindd_cm.c:cm_open_connection(219)
  anonymous connection attempt to pdc from fileserver


-- 
Matt McParland
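
Added example, not part of the original post and not Samba project code: a small triage parser for the two-line Samba log layout quoted in this thread. It flags the Kerberos failures seen here (krb5_get_credentials failed, Failed to verify incoming ticket!) and the case where winbindd goes on to try an anonymous connection after a failed Kerberos session setup. The sample input is constructed from the excerpts above; the finding labels and function names are assumptions of this example.

```python
import re
# Constructed sample: "[date time, level] file:function(line)", then an indented message.
SAMPLE_LOG = """\
[2003/12/17 14:37:30, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
  krb5_get_credentials failed for [EMAIL PROTECTED] (Ticket expired)
[2003/12/17 14:37:30, 4] nsswitch/winbindd_cm.c:cm_open_connection(185)
  failed kerberos session setup with NT_STATUS_UNSUCCESSFUL
[2003/12/17 14:37:30, 5] nsswitch/winbindd_cm.c:cm_open_connection(219)
  anonymous connection attempt to pdc from fileserver
[2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
"""

STAMP = r"\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s*"
HEADER = re.compile(STAMP + r"(?P<where>\S+)\(\d+\)\s*$")
BARE_STAMP = re.compile(STAMP + r"$")  # header wrapped by a mail client

def parse(text):
    """Return one dict per log record: ts, level, func, msg."""
    records, pending = [], ""
    for raw in text.splitlines():
        line, pending = pending + raw, ""
        if BARE_STAMP.match(line):
            pending = line  # rejoin "[stamp]" with the location on the next line
            continue
        if m := HEADER.match(line):
            records.append({"ts": m["ts"], "level": int(m["level"]),
                            "func": m["where"].rsplit(":", 1)[-1], "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def kerberos_findings(records):
    """Flag Kerberos failures and a Kerberos-to-anonymous fallback sequence."""
    out, krb_failed = [], False
    for r in records:
        msg = r["msg"]
        if m := re.search(r"krb5_get_credentials failed for .+? \((.+)\)$", msg):
            out.append(("client-ticket-failure", r["ts"], m[1]))
        elif "failed kerberos session setup" in msg:
            krb_failed = True
        elif msg.startswith("anonymous connection attempt") and krb_failed:
            out.append(("kerberos-to-anonymous-fallback", r["ts"], msg))
            krb_failed = False
        elif "Failed to verify incoming ticket" in msg:
            out.append(("server-ticket-verify-failure", r["ts"], r["func"]))
    return out

print(kerberos_findings(parse(SAMPLE_LOG)))
```

The fallback finding only appears at log level 5 or higher, because the anonymous connection attempt is logged at level 5 in the excerpt above.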


[Samba] winbindd probs w/ Samba 3.0 ADS

2003-12-10 Thread Matt McParland
Hello,

I'm using samba 3.0.0.

Win2k clients on my network can access their fileshares without entering 
their username/password as long as their username and password exist in 
smbpasswd on the Samba server.  Now I'm trying to have that information 
grabbed from ADS so that their passwords are kept synchronized but am 
having problems with winbindd.

winbindd is running but I get nothing from 'wbinfo -u' and 'getent passwd' 
just returns what's in /etc/passwd. 'wbinfo -u' generates a bunch of SMB, 
DCERPC, LDAP and RPC_NETLOGON traffic if I do a tcpdump, but I'm not sure 
what a successful sequence would look like.

[EMAIL PROTECTED] pam.d]# wbinfo -p
Ping to winbindd succeeded on fd 4
[EMAIL PROTECTED] pam.d]# wbinfo -u
Error looking up domain users


Results of a 'kinit' on same machine (not sure if relevant):

[EMAIL PROTECTED] samba]$ kinit
Password for [EMAIL PROTECTED]: 
[EMAIL PROTECTED] samba]$ ls -l /tmp/k*
-rw-------    1 mcparlandm mcparlandm 1296 Dec 10 11:28 /tmp/krb5cc_531


Selected contents of nsswitch.conf:

passwd: files winbind
shadow: files
group:  files winbind


Contents of smb.conf:

[global]
workgroup = DEV
realm = DEV.CA
server string = Dev File Server
security = ADS
password server = onncrx1
log level = 10
log file = /var/log/samba/%m.log
max log size = 0
preferred master = No
local master = No
domain master = No
enhanced browsing = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
winbind use default domain = Yes


From winbindd.log:

[2003/12/10 11:38:43, 6] nsswitch/winbindd.c:new_connection(340)
  accepted socket 16
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 1568 bytes. Need 0 more for a full request.
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn INTERFACE_VERSION
[2003/12/10 11:38:43, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(231)
  [24138]: request interface version
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 1300 bytes.
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 1568 bytes. Need 0 more for a full request.
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2003/12/10 11:38:43, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267)
  [24138]: request location of privileged pipe
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 1300 bytes.
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:client_write(547)
  client_write: need to write 37 extra data bytes.
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 37 bytes.
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:client_write(536)
  client_write: client_write: complete response written.
[2003/12/10 11:38:43, 6] nsswitch/winbindd.c:new_connection(340)
  accepted socket 20
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 0 bytes. Need 1568 more for a full request.
[2003/12/10 11:38:43, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 16, pid 24138: EOF
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 1568 bytes. Need 0 more for a full request.
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn LIST_USERS
[2003/12/10 11:38:43, 3] nsswitch/winbindd_user.c:winbindd_list_users(585)
  [24138]: list users
[2003/12/10 11:38:43, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(342)
  refresh_sequence_number: DEV time ok
[2003/12/10 11:38:43, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(367)
  refresh_sequence_number: DEV seq number is now -1
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 1300 bytes.
[2003/12/10 11:38:43, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 0 bytes. Need 1568 more for a full request.
[2003/12/10 11:38:43, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 20, pid 24138: EOF


-- 
Matt McParland


