Alright - I got one more problem licked:
timmy:/home/staver # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: [EMAIL PROTECTED]

  Issued           Expires          Principal
Aug 30 22:08:56  Aug 31 08:08:56  krbtgt/[EMAIL PROTECTED]
However, from Windows I still can't edit the Samba shares - everything is still read only, and I restarted the smb and nmb services. My logs are still showing:
[2004/08/30 22:21:58, 0] smbd/server.c:main(757)
smbd version 3.0.4-SUSE started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
[2004/08/30 22:30:41, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 22:30:41, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 22:30:41, 0] lib/access.c:check_access(328)
[2004/08/30 22:30:41, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
Denied connection from (0.0.0.0)
[2004/08/30 22:30:41, 1] smbd/process.c:process_smb(883)
[2004/08/30 22:30:41, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
Connection denied from 0.0.0.0
[2004/08/30 22:30:41, 0] lib/util_sock.c:write_socket_data(413)
write_socket_data: write failure. Error = Connection reset by peer
[2004/08/30 22:30:41, 0] lib/util_sock.c:write_socket(438)
write_socket: Error writing 5 bytes to socket 22: ERRNO = Connection reset by peer
[2004/08/30 22:30:41, 0] lib/util_sock.c:send_smb(630)
Error writing 5 bytes to client. -1. (Connection reset by peer)
[2004/08/30 22:30:43, 1] smbd/service.c:make_connection_snum(619)
mike (10.0.0.8) connect to service html initially as user mstaver (uid=1001, gid=0) (pid 3011)
[2004/08/30 22:30:56, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 22:31:28, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 22:31:57, 0] smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID S-1-5-21-894072087-884895359-931750244-1174 to uid or gid.
[2004/08/30 22:31:57, 0] smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID S-1-5-21-894072087-884895359-931750244-1174 to uid or gid.
[2004/08/30 22:31:57, 0] smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID S-1-5-21-894072087-884895359-931750244-1174 to uid or gid.
[2004/08/30 22:31:57, 0] smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID S-1-5-21-894072087-884895359-931750244-1174 to uid or gid.
So, now that the klist issue has been resolved (I had to tweak the registry in Windows on the AD to fix this), it appears I have another issue.
O Plameras wrote:
Just say,
#kinit <your username>
and klist again, just to confirm.
Mike Staver wrote:
timmy:/var/log/samba # klist
klist: No ticket file: /tmp/krb5cc_0
So yeah, I guess it is? How do I renew it, or should my linux box automatically renew it now? Thanks for the quick reply!
O Plameras wrote:
On your Samba, what is the output of command:
#klist
Is it possible your ticket has expired?
Mike Staver wrote:
I have a frustrating issue with Samba - I'm simply trying to get a Suse 9.1 Pro box to authenticate against my AD domain and share some files on it. Here are my conf files:
/etc/samba/smb.conf
-----------------------------
[global]
workgroup = RTSENTERPRISE
netbios name = TIMMY
wins server = 10.0.0.10
realm = MYCOMPANY.COM
security = ADS
password server = pip.MYCOMPANY.com
server string = TIMMY
#username map = /etc/samba/smbusers
#smb passwd file = /etc/samba/smbpasswd
encrypt passwords = Yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
os level = 0
dns proxy = No
load printers = No
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = no

[html]
comment = html
browseable = Yes
read only = No
path = /srv/www/htdocs
writeable = yes

/etc/krb5.conf
-----------------------------------------
[libdefaults]
default_realm = MYCOMPANY.COM
clockskew = 300

[realms]
MYCOMPANY.COM = {
    kdc = pip.MYCOMPANY.com
    default_domain = RTSENTERPRISE
    kpasswd_server = pip.MYCOMPANY.com
}
YOUR.KERBEROS.REALM = {
    kdc = pip.MYCOMPANY.com
}

[domain_realms]
.pip.MYCOMPANY.com = MYCOMPANY.com

[domain_realm]
.RTSENTERPRISE = MYCOMPANY.COM

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = true
    minimum_uid = 0
}
Those settings worked fine on Friday... then today I walked into the office, and I'm now unable to gain write access or change security permissions to the Samba box using Windows File Sharing like I was on Friday. My samba log shows this:
[2004/08/30 14:31:07, 0] smbd/server.c:main(757)
smbd version 3.0.4-SUSE started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 14:31:45, 0] lib/access.c:check_access(328)
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
Denied connection from (0.0.0.0)
[2004/08/30 14:31:45, 1] smbd/process.c:process_smb(883)
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
Connection denied from 0.0.0.0
[2004/08/30 14:31:45, 0] lib/util_sock.c:write_socket_data(413)
write_socket_data: write failure. Error = Connection reset by peer
[2004/08/30 14:31:45, 0] lib/util_sock.c:write_socket(438)
write_socket: Error writing 5 bytes to socket 22: ERRNO = Connection reset by peer
[2004/08/30 14:31:45, 0] lib/util_sock.c:send_smb(630)
Error writing 5 bytes to client. -1. (Connection reset by peer)
[2004/08/30 14:31:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:48, 1] smbd/service.c:make_connection_snum(619)
10.0.0.1 (10.0.0.1) connect to service html initially as user administrator (uid=0, gid=0) (pid 3240)
[2004/08/30 14:31:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:50, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:54, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:32:22, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:32:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:32:27, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:32:29, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:32:33, 1] smbd/service.c:close_cnum(801)
10.0.0.1 (10.0.0.1) closed connection to service html
[2004/08/30 14:51:07, 1] smbd/service.c:make_connection_snum(619)
mike (10.0.0.8) connect to service html initially as user mstaver (uid=1001, gid=0) (pid 3396)
[2004/08/30 14:51:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2004/08/30 14:51:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2004/08/30 14:51:18, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:51:31, 0] smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID S-1-5-21-894072087-884895359-931750244-500 to uid or gid.
Yet, I'm able to join the domain just fine:
timmy:/var/log/samba # net ads join -U Administrator
Administrator's password:
[2004/08/30 14:44:33, 0] libads/ldap.c:ads_add_machine_acct(1006)
Host account for timmy already exists - modifying old account
Using short domain name -- RTSENTERPRISE
Joined 'TIMMY' to realm 'MYCOMPANY.COM'
And, commands like this work:
timmy:/var/log/samba # smbclient -L timmy -Umstaver
Password:
Domain=[RTSENTERPRISE] OS=[Unix] Server=[Samba 3.0.4-SUSE]

        Sharename      Type      Comment
        ---------      ----      -------
        html           Disk      html
        root           Disk      root
        IPC$           IPC       IPC Service (TIMMY)
        ADMIN$         IPC       IPC Service (TIMMY)
Domain=[RTSENTERPRISE] OS=[Unix] Server=[Samba 3.0.4-SUSE]

        Server               Comment
        ---------            -------
        PIP
        TIMMY                TIMMY

        Workgroup            Master
        ---------            -------
        RTSENTERPRISE        PIP
Can somebody point me in the right direction of where I need to go next? I don't understand why this worked great on Friday, and then quit working today. On another note I would also like to get this box working so I can log into it at the shell using AD users from Windows. Right now every time I try to log into it via ssh using the standard users I created in Suse, it works - but seems to take forever to decide to let me in. So, it's hanging on something and I'm not sure what to do next.
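A small triage script for the smbd log quoted above, added here as an example; it is not from the thread or from the Samba project. It parses the Samba 3.0 "[date time, level] file:function(line)" header format into records and classifies the message lines into the symptom families that appear in the posted log: service-ticket verification failures, domain principals that did not map to a local account, the non-domain primary gid, SIDs idmap cannot resolve, and dropped connections. The sample lines are copied from the post; the symptom names and the follow-up hints are this author's assumptions about the usual causes of each message, not a diagnosis of this particular server.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Sample input, copied from the smbd log quoted in the thread (Samba 3.0.4):
# a "[date time, level] file:function(line)" header followed by one or more
# message lines. Trimmed to one record per symptom family.
SAMPLE_LOG = """\
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 14:31:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:51:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2004/08/30 14:51:18, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:51:31, 0] smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID S-1-5-21-894072087-884895359-931750244-500 to uid or gid.
"""

HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] ([^:\s]+):(\w+)\((\d+)\)$"
)


@dataclass
class Record:
    timestamp: str
    level: int
    source: str                 # e.g. smbd/sesssetup.c
    function: str               # e.g. reply_spnego_kerberos
    messages: list = field(default_factory=list)


def parse_smbd_log(text):
    """Group an smbd log into records: each header line starts a record and
    the following non-header, non-blank lines are its messages."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, src, func, _lineno = m.groups()
            records.append(Record(ts, int(level), src, func))
        elif records and line.strip():
            records[-1].messages.append(line)
    return records


# Symptom classes keyed on message text, not on source line numbers (those
# change between Samba builds). The hint is the defender-side follow-up and is
# an assumption about the usual cause, not a diagnosis of any one server.
SYMPTOMS = [
    ("kerberos_ticket_rejected",
     re.compile(r"Failed to verify incoming ticket"),
     "server could not verify the client's service ticket: check the host "
     "keytab / machine account password and clock skew against the KDC"),
    ("domain_user_unmapped",
     re.compile(r"Username (\S+) is invalid on this system"),
     "authenticated principal did not resolve to a local account via winbind/NSS"),
    ("primary_gid_not_domain",
     re.compile(r"primary gid of user \[([^\]]+)\] is not a Domain group"),
     "user's primary gid is a local group, not a winbind-mapped domain group"),
    ("sid_unmapped",
     re.compile(r"unable to map SID (S-1-5-21-[\d-]+) to uid or gid"),
     "idmap has no uid/gid for this SID, so ACL edits from Windows cannot apply"),
    ("peer_disconnected",
     re.compile(r"getpeername failed|Connection reset by peer"),
     "client went away before or during negotiation; noise unless correlated"),
]


def triage(records):
    """Return ({symptom: count}, [(symptom, detail)]) over the known symptoms.
    'detail' is the captured value (user, SID, principal) or the function name."""
    counts = Counter()
    findings = []
    for rec in records:
        for msg in rec.messages:
            for name, pattern, _hint in SYMPTOMS:
                m = pattern.search(msg)
                if m:
                    counts[name] += 1
                    findings.append((name, m.group(1) if m.groups() else rec.function))
                    break
    return counts, findings


def hint_for(symptom):
    return next(h for n, _p, h in SYMPTOMS if n == symptom)


if __name__ == "__main__":
    counts, findings = triage(parse_smbd_log(SAMPLE_LOG))
    for name, detail in findings:
        print(f"{name:24} {detail}")
        print(f"    -> {hint_for(name)}")
```

Run against a full log_smbd_* file it gives a count per symptom rather than a wall of repeated lines, which is what you want when deciding whether the write failures are a ticket problem (kerberos_ticket_rejected), an identity mapping problem (sid_unmapped, primary_gid_not_domain), or both.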
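Independently of what actually broke over the weekend, the posted krb5.conf has two things a sanity checker would catch: the section name [domain_realms] is not one libkrb5 recognises (the real section is [domain_realm]), so the mapping under it is silently ignored, and its value MYCOMPANY.com does not match the realm MYCOMPANY.COM declared in [realms], because Kerberos realm names are case-sensitive. The following checker is added here as an example and is not part of the thread or of any Kerberos distribution. It parses the profile format, including the brace blocks, and reports unknown sections, an undefined default_realm, and domain_realm mappings whose realm is undefined or differs only in case. The set of known section names, the decision to also inspect misspelled domain_realm sections, and the "corrected" variant are this author's assumptions and constructions.

```python
import re

# Section names libkrb5 (MIT) reads from krb5.conf, plus the extra ones Heimdal
# reads. The library silently ignores any other section, so a misspelled name
# never produces an error message. This list is the author's assumption.
KNOWN_SECTIONS = {
    "libdefaults", "realms", "domain_realm", "capaths", "appdefaults",
    "plugins", "logging", "dbdefaults", "dbmodules", "otp",      # MIT
    "kdc", "kadmin", "password_quality",                          # Heimdal
}

# Sample input: the krb5.conf quoted in the thread, blank lines dropped.
POSTED_KRB5_CONF = """\
[libdefaults]
default_realm = MYCOMPANY.COM
clockskew = 300
[realms]
MYCOMPANY.COM = {
    kdc = pip.MYCOMPANY.com
    default_domain = RTSENTERPRISE
    kpasswd_server = pip.MYCOMPANY.com
}
YOUR.KERBEROS.REALM = {
    kdc = pip.MYCOMPANY.com
}
[domain_realms]
.pip.MYCOMPANY.com = MYCOMPANY.com
[domain_realm]
.RTSENTERPRISE = MYCOMPANY.COM
[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = true
    minimum_uid = 0
}
"""

# Constructed variant (not from the thread) with both mappings under the real
# section name and the realm spelled as declared in [realms].
CORRECTED_KRB5_CONF = POSTED_KRB5_CONF.replace(
    "[domain_realms]\n.pip.MYCOMPANY.com = MYCOMPANY.com\n[domain_realm]\n",
    "[domain_realm]\n.pip.MYCOMPANY.com = MYCOMPANY.COM\n",
)

SECTION = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Parse the profile format into {section: {key: value | {nested}}}.
    Duplicate keys keep the last value, which is enough for a sanity check."""
    conf, stack, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):      # comment lines
            continue
        m = SECTION.match(line)
        if m and not stack:
            section = conf.setdefault(m.group(1), {})
            continue
        if section is None:
            raise ValueError(f"directive before any section: {raw!r}")
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep or not key:
            raise ValueError(f"cannot parse: {raw!r}")
        target = stack[-1] if stack else section
        if value == "{":                                  # open a nested block
            target[key] = {}
            stack.append(target[key])
        else:
            target[key] = value
    if stack:
        raise ValueError("unbalanced '{'")
    return conf


def check_krb5_conf(conf):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for name in conf:
        if name not in KNOWN_SECTIONS:
            findings.append(f"unknown section [{name}]: libkrb5 ignores its contents")
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} is not defined in [realms]")
    # Domain-to-realm mappings; misspelled section names are inspected too so a
    # typo is reported as both the unknown section and the mapping underneath.
    for name, entries in conf.items():
        if not name.lower().startswith("domain_realm"):
            continue
        for domain, realm in entries.items():
            if realm in realms:
                continue
            same_ci = [r for r in realms if r.lower() == realm.lower()]
            if same_ci:
                findings.append(f"[{name}] {domain} -> {realm}: case differs from "
                                f"{same_ci[0]}; realm names are case-sensitive")
            else:
                findings.append(f"[{name}] {domain} -> {realm}: realm not in [realms] "
                                "(only acceptable when KDCs are discovered via DNS)")
    return findings
```

On the posted file the checker reports two findings (the unknown section and the case mismatch under it) and nothing on the corrected variant; pointing parse_krb5_conf at open("/etc/krb5.conf").read() gives the same check on a live host.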
------------------------------------------------------------------------
Subject: Re: [SLUG] Suse 9.1 Pro and Samba 3.0.X
From: O Plameras <[EMAIL PROTECTED]>
Date: Tue, 31 Aug 2004 08:38:54 +1000
To: Mike Staver <[EMAIL PROTECTED]>
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
