[CLUE-Tech] Samba Workstation?
Mike Staver
staver at fimble.com
Sun Sep 5 22:17:18 MDT 2004
>> From what I understand, it can - but as you can see by my last posts
>> to this list I can't get it to work with Samba 3.0.X, damn it.
>
> [...]
>
>> I'm trying to get Samba to authenticate against Active Directory on
>> Windows 2003 server, and it *was* working fine - and then over last
>> weekend, it magically quit working and I can't get it to work again.
>
>
> Why are you trying to do this with Kerberos? It adds complexity to your
> Samba setup and isn't necessarily required by AD.
>
> When it was working, was that with Kerberos or not? Any chance anyone
> changed the AD settings and that broke it? There are quite a few things
> that AD can be picky about that Samba might not support.

I was using Kerberos because that's what all the documentation, including
the stuff on Samba's project site, said to do. They said if I wanted
the Active Directory auth to work, I needed Kerberos. I'm not sure why
- I'd certainly be open to any other methods that would allow me to set
file permissions from Windows for a Samba share.

As far as it working and then not working anymore - no, nobody changed
anything in AD. I'm the only administrator for my company, and I
definitely didn't touch anything on the network over the weekend when it
quit working. Some people have suggested that I needed to run the "net"
command again and rejoin AD, so I went through that whole process to no
avail. Then somebody else suggested I need a new "ticket", so I used
kinit and klist to verify that I had a valid ticket - and it still
didn't work. The errors in my logs are:

[2004/08/31 17:43:47, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+mike$ is invalid on this system
[2004/08/31 17:43:47, 1] smbd/service.c:make_connection_snum(619)
mike (10.0.0.8) connect to service html initially as user mstaver
(uid=1001, gid=0) (pid 5893)
[2004/08/31 17:43:47, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+mike$ is invalid on this system
[2004/08/31 17:43:47, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+mike$ is invalid on this system
[2004/08/31 17:43:51, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a Domain
group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/31 17:44:08, 1] smbd/service.c:close_cnum(801)
mike (10.0.0.8) closed connection to service html
[2004/09/02 13:15:43, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/09/02 13:15:43, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/09/02 13:15:43, 0] lib/access.c:check_access(328)
[2004/09/02 13:15:43, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
Denied connection from (0.0.0.0)
[2004/09/02 13:15:43, 1] smbd/process.c:process_smb(883)
[2004/09/02 13:15:43, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
Connection denied from 0.0.0.0
[2004/09/02 13:15:43, 0] lib/util_sock.c:write_socket_data(413)
write_socket_data: write failure. Error = Connection reset by peer
[2004/09/02 13:15:43, 0] lib/util_sock.c:write_socket(438)
write_socket: Error writing 5 bytes to socket 22: ERRNO = Connection
reset by peer

I've blown away the account in AD created with the net command in Linux,
and then recreated it after all my AD servers had been updated with the
changes, and these errors keep showing up and things still don't work.
I've found very little help on Google looking up these messages, most
don't pertain to what I'm doing.

Personally, I think there is a serious bug in Samba or Kerberos right
now, and possibly not many people are doing this yet since the
functionality is new with the Samba 3.X series. I could be wrong
though, and it could be a simple config error - but I just don't get why
it did work and then stopped.

Something else I should mention is that since I added this Kerberos
garbage, every time I log into the Linux box over SSH or telnet, the
system hangs for about a minute and then finally logs me in. Then when
I try to SU, I get the same thing but it eventually works - but the
accounts I'm logging into are local system accounts, not AD accounts.
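
Added example, not part of the original post and not Samba project code: a small triage script for smbd logs in the two-line format shown above. It pairs each header with its message text, including the nested case where one entry's header is printed before an inner entry, and counts the usernames rejected in reply_spnego_kerberos. The sample log and the EXAMPLE.COM names are constructed.

```python
import re
from collections import Counter

# Samba 3.x entry header: [date time, level] source_file:function(line)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+?):(\w+)\((\d+)\)\s*$")
INVALID_USER = re.compile(r"^Username (\S+) is invalid on this system")

def parse_entries(text):
    """Group header lines with their message lines, including nested entries."""
    entries, pending = [], []  # pending: headers still waiting for message text
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if pending and pending[-1]["msg"]:
                pending.clear()  # the previous entry is complete
            entry = dict(zip(("time", "level", "file", "func", "line"), m.groups()), msg=[])
            entries.append(entry)
            pending.append(entry)
        elif line.strip() and pending:
            pending[-1]["msg"].append(line.strip())
            if len(pending) > 1:
                # Heuristic (assumption): an inner entry takes one line,
                # the remaining lines belong to the outer entry.
                pending.pop()
    return entries

def summarize(entries):
    by_func = Counter(e["func"] for e in entries)
    rejected = Counter()  # usernames smbd could not map to a local account
    for e in entries:
        m = INVALID_USER.match(" ".join(e["msg"]))
        if m and e["func"] == "reply_spnego_kerberos":
            rejected[m.group(1)] += 1
    return by_func, rejected

# Constructed sample in the same layout as the log excerpt in the post.
SAMPLE = """\
[2004/01/01 10:00:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username EXAMPLE.COM+host1$ is invalid on this system
[2004/01/01 10:00:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username EXAMPLE.COM+host1$ is invalid on this system
[2004/01/01 10:00:05, 0] lib/access.c:check_access(328)
[2004/01/01 10:00:05, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Transport endpoint is not connected
  Denied connection from (0.0.0.0)
[2004/01/01 10:00:06, 0] lib/util_sock.c:write_socket(438)
  write_socket: Error writing 5 bytes to socket 22: ERRNO = Connection
  reset by peer
"""
if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE)))
```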