[CLUE-Tech] Samba Workstation?

Mike Staver staver at fimble.com
Sun Sep 5 22:17:18 MDT 2004


>>  From what I understand, it can - but as you can see by my last posts 
>> to this list I can't get it to work with Samba 3.0.X, damn it.
> 
> [...]
> 
>> I'm trying to get Samba to authenticate against Active Directory on 
>> Windows 2003 server, and it *was* working fine - and then over last 
>> weekend, it magically quit working and I can't get it to work again.
> 
> 
> Why are you trying to do this with Kerberos?  It adds complexity to your 
> Samba setup and isn't necessarily required by AD.
> 
> When it was working, was that with Kerberos or not?  Any chance anyone 
> changed the AD settings and that broke it?  There are quite a few things 
> that AD can be picky about that Samba might not support.

I was using Kerberos because that's what all the documentation, including 
the stuff on Samba's project site, said to do.  They said if I wanted 
the Active Directory auth to work, I needed Kerberos.  I'm not sure why 
- I'd certainly be open to any other methods that would allow me to set 
file permissions from Windows for a Samba share.

As far as it working and then not working anymore - no, nobody changed 
anything in AD. I'm the only administrator for my company, and I 
definitely didn't touch anything on the network over the weekend when it 
quit working.  Some people have suggested that I needed to run the "net" 
command again and rejoin AD, so I went through that whole process to no 
avail.  Then somebody else suggested I need a new "ticket", so I used 
kinit and klist to verify that I had a valid ticket - and it still 
didn't work.  The errors in my logs are:

[2004/08/31 17:43:47, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
   Username MYCOMPANY.COM+mike$ is invalid on this system
[2004/08/31 17:43:47, 1] smbd/service.c:make_connection_snum(619)
   mike (10.0.0.8) connect to service html initially as user mstaver 
(uid=1001, gid=0) (pid 5893)
[2004/08/31 17:43:47, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
   Username MYCOMPANY.COM+mike$ is invalid on this system
[2004/08/31 17:43:47, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
   Username MYCOMPANY.COM+mike$ is invalid on this system
[2004/08/31 17:43:51, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
   get_domain_user_groups: primary gid of user [hawkbug] is not a Domain 
group !
   get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/31 17:44:08, 1] smbd/service.c:close_cnum(801)
   mike (10.0.0.8) closed connection to service html
[2004/09/02 13:15:43, 0] lib/util_sock.c:get_peer_addr(978)
   getpeername failed. Error was Transport endpoint is not connected
[2004/09/02 13:15:43, 0] lib/util_sock.c:get_peer_addr(978)
   getpeername failed. Error was Transport endpoint is not connected
[2004/09/02 13:15:43, 0] lib/access.c:check_access(328)
[2004/09/02 13:15:43, 0] lib/util_sock.c:get_peer_addr(978)
   getpeername failed. Error was Transport endpoint is not connected
   Denied connection from  (0.0.0.0)
[2004/09/02 13:15:43, 1] smbd/process.c:process_smb(883)
[2004/09/02 13:15:43, 0] lib/util_sock.c:get_peer_addr(978)
   getpeername failed. Error was Transport endpoint is not connected
   Connection denied from 0.0.0.0
[2004/09/02 13:15:43, 0] lib/util_sock.c:write_socket_data(413)
   write_socket_data: write failure. Error = Connection reset by peer
[2004/09/02 13:15:43, 0] lib/util_sock.c:write_socket(438)
   write_socket: Error writing 5 bytes to socket 22: ERRNO = Connection 
reset by peer

I've blown away the account in AD created with the net command in Linux, 
and then recreated it after all my AD servers had been updated with the 
changes, and these errors keep showing up and things still don't work. 
I've found very little help on Google looking up these messages, most 
don't pertain to what I'm doing.

Personally, I think there is a serious bug in Samba or Kerberos right 
now, and possibly not many people are doing this yet since the 
functionality is new with the Samba 3.X series.  I could be wrong 
though, and it could be a simple config error - but I just don't get why 
it did work and then stopped.

Something else I should mention is that since I added this Kerberos 
garbage, every time I log into the Linux box over SSH or telnet, the 
system hangs for about a minute and then finally logs me in.  Then when 
I try to SU, I get the same thing but it eventually works - but the 
accounts I'm logging into are local system accounts, not AD accounts.
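
An added example, not part of the original post: a small Python parser for the smbd log format quoted above. It groups each header with its message lines and tallies the names rejected by `reply_spnego_kerberos`. The sample log is constructed from lines in the post, and the names `parse_records`, `summarize` and `machine_accounts` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: records taken from the log excerpt in the post above.
SAMPLE_LOG = """\
[2004/08/31 17:43:47, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
   Username MYCOMPANY.COM+mike$ is invalid on this system
[2004/08/31 17:43:47, 1] smbd/service.c:make_connection_snum(619)
   mike (10.0.0.8) connect to service html initially as user mstaver
(uid=1001, gid=0) (pid 5893)
[2004/08/31 17:43:47, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
   Username MYCOMPANY.COM+mike$ is invalid on this system
[2004/09/02 13:15:43, 0] lib/access.c:check_access(328)
[2004/09/02 13:15:43, 0] lib/util_sock.c:get_peer_addr(978)
   getpeername failed. Error was Transport endpoint is not connected
   Denied connection from  (0.0.0.0)
"""

# Header shape seen in the excerpt: [date time, level] file.c:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\] "
    r"(?P<file>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
INVALID_USER = re.compile(r"Username (\S+) is invalid on this system")


def parse_records(text):
    """Attach every non-header line (including mail-wrapped ones) to the
    nearest preceding header. Interleaved output, as in the check_access
    record, therefore lands on the later header."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "msg": []})
        elif raw.strip() and records:
            records[-1]["msg"].append(raw.strip())
    return records


def summarize(text):
    """Count records per source function and rejected usernames."""
    by_func, rejected = Counter(), Counter()
    for rec in parse_records(text):
        by_func[rec["func"]] += 1
        for name in INVALID_USER.findall(" ".join(rec["msg"])):
            rejected[name] += 1
    return by_func, rejected


def machine_accounts(rejected):
    """Names ending in '$' are AD computer accounts, not people."""
    return sorted(n for n in rejected if n.endswith("$"))
```

Running `summarize` over a full log shows at a glance whether the rejected names are user accounts or computer accounts.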


