I have a frustrating issue with Samba - I'm simply trying to get a Suse 9.1 Pro box to authenticate against my AD domain and share some files on it. Here are my conf files:

/etc/samba/smb.conf
-----------------------------
[global]
workgroup = RTSENTERPRISE
netbios name = TIMMY
wins server = 10.0.0.10
realm = MYCOMPANY.COM
security = ADS
password server = pip.MYCOMPANY.com
server string = TIMMY
#username map = /etc/samba/smbusers
#smb passwd file = /etc/samba/smbpasswd
encrypt passwords = Yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
os level = 0
dns proxy = No
load printers = No
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = no

[html]
comment = html
browseable = Yes
read only = No
path = /srv/www/htdocs
writeable = yes

/etc/krb5.conf
-----------------------------------------
[libdefaults]
default_realm = MYCOMPANY.COM
clockskew = 300

[realms]
MYCOMPANY.COM = {
kdc = pip.MYCOMPANY.com
default_domain = RTSENTERPRISE
kpasswd_server = pip.MYCOMPANY.com
}
YOUR.KERBEROS.REALM = {
kdc = pip.MYCOMPANY.com
}

[domain_realms]
.pip.MYCOMPANY.com = MYCOMPANY.com

[domain_realm]
.RTSENTERPRISE = MYCOMPANY.COM

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = true
minimum_uid = 0
}

Those settings worked fine on Friday... then today I walked into the office, and I'm now unable to gain write access or change security permissions to the Samba box using Windows File Sharing like I was on Friday. My samba log shows this:

[2004/08/30 14:31:07, 0] smbd/server.c:main(757)
  smbd version 3.0.4-SUSE started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 14:31:45, 0] lib/access.c:check_access(328)
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Transport endpoint is not connected
  Denied connection from (0.0.0.0)
[2004/08/30 14:31:45, 1] smbd/process.c:process_smb(883)
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Transport endpoint is not connected
  Connection denied from 0.0.0.0
[2004/08/30 14:31:45, 0] lib/util_sock.c:write_socket_data(413)
  write_socket_data: write failure. Error = Connection reset by peer
[2004/08/30 14:31:45, 0] lib/util_sock.c:write_socket(438)
  write_socket: Error writing 5 bytes to socket 22: ERRNO = Connection reset by peer
[2004/08/30 14:31:45, 0] lib/util_sock.c:send_smb(630)
  Error writing 5 bytes to client. -1. (Connection reset by peer)
[2004/08/30 14:31:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:48, 1] smbd/service.c:make_connection_snum(619)
  10.0.0.1 (10.0.0.1) connect to service html initially as user administrator (uid=0, gid=0) (pid 3240)
[2004/08/30 14:31:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:50, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:54, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
  get_domain_user_groups: primary gid of user [hawkbug] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:32:22, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:32:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:32:27, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
  get_domain_user_groups: primary gid of user [hawkbug] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:32:29, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:32:33, 1] smbd/service.c:close_cnum(801)
  10.0.0.1 (10.0.0.1) closed connection to service html
[2004/08/30 14:51:07, 1] smbd/service.c:make_connection_snum(619)
  mike (10.0.0.8) connect to service html initially as user mstaver (uid=1001, gid=0) (pid 3396)
[2004/08/30 14:51:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/08/30 14:51:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/08/30 14:51:18, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
  get_domain_user_groups: primary gid of user [hawkbug] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:51:31, 0] smbd/posix_acls.c:create_canon_ace_lists(1381)
  create_canon_ace_lists: unable to map SID S-1-5-21-894072087-884895359-931750244-500 to uid or gid.

Yet, I'm able to join the domain just fine:

timmy:/var/log/samba # net ads join -U Administrator
Administrator's password:
[2004/08/30 14:44:33, 0] libads/ldap.c:ads_add_machine_acct(1006)
  Host account for timmy already exists - modifying old account
Using short domain name -- RTSENTERPRISE
Joined 'TIMMY' to realm 'MYCOMPANY.COM'

And, commands like this work:

timmy:/var/log/samba # smbclient -L timmy -Umstaver
Password:
Domain=[RTSENTERPRISE] OS=[Unix] Server=[Samba 3.0.4-SUSE]

        Sharename       Type      Comment
        ---------       ----      -------
        html            Disk      html
        root            Disk      root
        IPC$            IPC       IPC Service (TIMMY)
        ADMIN$          IPC       IPC Service (TIMMY)
Domain=[RTSENTERPRISE] OS=[Unix] Server=[Samba 3.0.4-SUSE]

        Server               Comment
        ---------            -------
        PIP
        TIMMY                TIMMY

        Workgroup            Master
        ---------            -------
        RTSENTERPRISE        PIP

Can somebody point me in the right direction of where I need to go next? I don't understand why this worked great on Friday, and then quit working today.

On another note I would also like to get this box working so I can log into it at the shell using AD users from Windows. Right now every time I try to log into it via ssh using the standard users I created in Suse, it works - but seems to take forever to decide to let me in. So, it's hanging on something and I'm not sure what to do next.

--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
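A triage helper for the smbd log format shown in the post above, added here as an example and not part of the original message: it parses the `[timestamp, level] file:function(line)` record headers and counts repeated messages, so the recurring authentication and ID-mapping failures stand out from connection noise. The function names and the short sample (records copied from the post) are this example's own choices.

```python
import re
from collections import Counter

# Samba 3.x record header: "[YYYY/MM/DD HH:MM:SS, LEVEL] file.c:function(line)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w/.]+):(?P<func>\w+)\((?P<line>\d+)\)"
)

# Sample input: a few records copied from the log in the post above.
SAMPLE = """\
[2004/08/30 14:31:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:50, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:51:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/08/30 14:51:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/08/30 14:51:18, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
  get_domain_user_groups: primary gid of user [hawkbug] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:51:31, 0] smbd/posix_acls.c:create_canon_ace_lists(1381)
  create_canon_ace_lists: unable to map SID S-1-5-21-894072087-884895359-931750244-500 to uid or gid.
"""

def parse_records(text):
    """Split a log into records; works on wrapped or flattened (one-line) text."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        msg = " ".join(text[m.end():end].split())  # collapse continuation lines
        records.append({**m.groupdict(), "msg": msg})
    return records

def summarize(records):
    """Return (count, first_seen, function, message), most frequent first."""
    # A header with no message of its own (nested records) is left out.
    keyed = [((r["func"], r["msg"]), r["ts"]) for r in records if r["msg"]]
    counts = Counter(k for k, _ in keyed)
    first = {}
    for k, ts in keyed:
        first.setdefault(k, ts)
    return [(n, first[k], k[0], k[1]) for k, n in counts.most_common()]

if __name__ == "__main__":
    for n, ts, func, msg in summarize(parse_records(SAMPLE)):
        print(f"{n:3d}x first seen {ts}  {func}: {msg}")
```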