Hi,
As Cedric suggested (thank you very much, man !!), I've downgraded my
Samba from 3.0.1 to 3.0.0 and it worked !! There's no more password asking
window and no more Kerberos ticket errors.
Now I'm facing a new, weird problem: when my users can't print (I've
installed Cups to manage the Deskjet 840c), they receive an access
denied - unable to connect error message when they try to print.
From the Samba server box I can print using cat somefile > /dev/lp0.
I've tried to change permissions, 777-ing both printer spool directory and
/dev/lp0. The computer sharing options are: writable=yes, guest ok = yes,
browseable = yes...etc.
What is missing ?? Is there any config I'm forgetting ?
Thanks in advance,
Lindolfo Rodrigues
-- Original header ---
From: Cedric Puddy [EMAIL PROTECTED]
To: samba_list [EMAIL PROTECTED]
Cc: samba [EMAIL PROTECTED]
Date: Tue, 6 Jan 2004 19:42:27 -0500 (EST)
Subject: Re: [Samba] Samba + Active Directory
On Tue, 6 Jan 2004, samba_list wrote:
Hi,
I'm having much trouble configuring Samba to work in an Active Directory
environment.
Using getent passwd I'm able to see AD's users. wbinfo -u and wbinfo -g
also work fine.
When someone from Windows tries to access my Samba server, the smb password
window is shown (I think that the authentication would be transparent,
wouldn't it ?), any password I provide is rejected: I tried AD users using
either the plain username and the DOMAIN\username form. I tried also using
my root password, without any success.
The logs are saying:
[2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
Failed to verify incoming ticket!
[2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
Failed to verify incoming ticket!
Is there any special configuration I have to do on Active Directory to
make AD authentication available to Samba ?
Almost certainly, you are running version 3.0.1, which as best
I've been able to determine breaks kerberos ticket handling
in the case of a Win2k/XP box trying to access SAMBA.
I've reported the problem to the list, and several others have
as well in recent times, but as yet, I haven't noticed a clear
answer as to what is broken. One fellow said that he was
testing 3.0.1 with the libads code changes reverted to 3.0.0, but
I don't believe he's reported back yet. (I'd be *very* interested
in beta testing that! :)
What works for me is going back to version 3.0.0.
The reason that's not good for me is because I have
a whole bunch of existing unix users that I want to
map properly to existing windows users of the same
names, and 3.0.1 is supposed to do that automatically.
If that's not a concern for you, then you might not
have any reason to care which version you are running.
I'm using the redhat RPMS, and doing this sequence
successfully downgrades me from 3.0.1 -> 3.0.0:
ensure that you have an admin ticket with
kinit, if you do the net ads leave/join
bits...
net ads leave
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
/etc/rc.d/init.d/smb stop
/etc/rc.d/init.d/winbind stop
rpm -Uvh --force /usr/src/rpms/samba-3.0.0-2_rh9.i386.rpm
cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
/etc/rc.d/init.d/smb start
/etc/rc.d/init.d/winbind start
net ads join
The above process assumes that you've got the rpm file
downloaded in /usr/src/rpms, that you have the right
rpms for your system (in my case, rh9), and guarantees that
your smb.conf file doesn't get accidentally wiped out.
I don't believe that the net ads leave/join part is
strictly necessary. I've just been doing it whenever I
upgrade/downgrade out of pedantry. My understanding
is that it shouldn't be necessary, because the shared
secrets/etc should be stored in the Samba TDB databases
somewhere...
In my case, simply changing to 3.0.0 immediately makes
everything work, and going to 3.0.1 immediately makes
everything break.
If you want further confirmation that you are having
the same problem I am, increase the logging level to
something like 5, and look for unknown key table type
errors shortly before the Failed to verify ticket
error in your /var/log/samba/log.workstation file
(assuming that you put your logs in the default linux
location :)
I hope that helps,
Best Regards,
-Cedric Puddy
I've already installed PAM and followed all instructions at samba.org,
but it is not working.
Could someone please help me ?
Thanks in advance,
Lindolfo
P.S.: I've already checked both servers' time, they are synchronized.
--
-
| CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
| 118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-741-2157
\
Cedric Puddy, IS Director [EMAIL
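
The log check Cedric describes (an "unknown key table type" error shortly before "Failed to verify incoming ticket"), as an added example that is not part of the original thread. The function names, the 2-second window and the source location in the first sample entry are assumptions; only the two message strings and the header format come from the thread.

```python
import re
from datetime import datetime, timedelta

# Entry header as it appears in the thread's log excerpt:
# [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?, +(\d+)\] (\S+)")
KEYTAB_MARK = "unknown key table type"
TICKET_MARK = "Failed to verify incoming ticket"

def parse_entries(text):
    """Yield (timestamp, level, location, message) for each log entry."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            current = [ts, int(m.group(2)), m.group(3), ""]
        elif current and line.strip():
            # Continuation lines carry the message text of the entry
            current[3] = (current[3] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def correlate(text, window_seconds=2):
    """Return [(timestamp, preceded_by_keytab_error)] per ticket failure."""
    window = timedelta(seconds=window_seconds)  # assumed meaning of "shortly before"
    last_keytab = None
    results = []
    for ts, _level, _loc, msg in parse_entries(text):
        if KEYTAB_MARK in msg.lower():
            last_keytab = ts
        elif TICKET_MARK in msg:
            hit = last_keytab is not None and timedelta(0) <= ts - last_keytab <= window
            results.append((ts, hit))
    return results

# Constructed sample; the first entry's source location is a placeholder.
SAMPLE = """\
[2004/01/05 18:42:29, 3] example/placeholder.c:constructed_fn(0)
  unknown key table type (constructed line)
[2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2004/01/05 18:50:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
"""

if __name__ == "__main__":
    for ts, hit in correlate(SAMPLE):
        print(ts, "matches the 3.0.1 symptom" if hit else "no key table error nearby")
```

Ticket failures with no key table error nearby point at a different cause and are worth investigating separately.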