Samba 3.0.X issue with Suse 9.1 Pro
Mike Staver
staver at fimble.com
Mon Aug 30 18:06:54 EDT 2004
I have a frustrating issue with Samba - I'm simply trying to get a Suse
9.1 Pro box to authenticate against my AD domain and share some files
on it. Here are my conf files:
/etc/samba/smb.conf
-----------------------------
[global]
workgroup = RTSENTERPRISE
netbios name = TIMMY
wins server = 10.0.0.10
realm = MYCOMPANY.COM
security = ADS
password server = pip.MYCOMPANY.com
server string = TIMMY
#username map = /etc/samba/smbusers
#smb passwd file = /etc/samba/smbpasswd
encrypt passwords = Yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
os level = 0
dns proxy = No
load printers = No
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = no
[html]
comment = html
browseable = Yes
read only = No
path = /srv/www/htdocs
writeable = yes
/etc/krb5.conf
-----------------------------------------
[libdefaults]
default_realm = MYCOMPANY.COM
clockskew = 300
[realms]
MYCOMPANY.COM = {
kdc = pip.MYCOMPANY.com
default_domain = RTSENTERPRISE
kpasswd_server = pip.MYCOMPANY.com
}
YOUR.KERBEROS.REALM = {
kdc = pip.MYCOMPANY.com
}
[domain_realms]
.pip.MYCOMPANY.com = MYCOMPANY.com
[domain_realm]
.RTSENTERPRISE = MYCOMPANY.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = true
minimum_uid = 0
}
Those settings worked fine on Friday... then today I walked into the
office, and I'm now unable to gain write access or change security
permissions to the Samba box using Windows File Sharing like I was on
Friday. My samba log shows this:
[2004/08/30 14:31:07, 0] smbd/server.c:main(757)
smbd version 3.0.4-SUSE started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 14:31:45, 0] lib/access.c:check_access(328)
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
Denied connection from (0.0.0.0)
[2004/08/30 14:31:45, 1] smbd/process.c:process_smb(883)
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
Connection denied from 0.0.0.0
[2004/08/30 14:31:45, 0] lib/util_sock.c:write_socket_data(413)
write_socket_data: write failure. Error = Connection reset by peer
[2004/08/30 14:31:45, 0] lib/util_sock.c:write_socket(438)
write_socket: Error writing 5 bytes to socket 22: ERRNO = Connection
reset by peer
[2004/08/30 14:31:45, 0] lib/util_sock.c:send_smb(630)
Error writing 5 bytes to client. -1. (Connection reset by peer)
[2004/08/30 14:31:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:48, 1] smbd/service.c:make_connection_snum(619)
10.0.0.1 (10.0.0.1) connect to service html initially as user
administrator (uid=0, gid=0) (pid 3240)
[2004/08/30 14:31:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:50, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:54, 0]
rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a
Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:32:22, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:32:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:32:27, 0]
rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a
Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:32:29, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:32:33, 1] smbd/service.c:close_cnum(801)
10.0.0.1 (10.0.0.1) closed connection to service html
[2004/08/30 14:51:07, 1] smbd/service.c:make_connection_snum(619)
mike (10.0.0.8) connect to service html initially as user mstaver
(uid=1001, gid=0) (pid 3396)
[2004/08/30 14:51:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2004/08/30 14:51:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2004/08/30 14:51:18, 0]
rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a
Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:51:31, 0]
smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID
S-1-5-21-894072087-884895359-931750244-500 to uid or gid.
Yet, I'm able to join the domain just fine:
timmy:/var/log/samba # net ads join -U Administrator
Administrator's password:
[2004/08/30 14:44:33, 0] libads/ldap.c:ads_add_machine_acct(1006)
Host account for timmy already exists - modifying old account
Using short domain name -- RTSENTERPRISE
Joined 'TIMMY' to realm 'MYCOMPANY.COM'
And, commands like this work:
timmy:/var/log/samba # smbclient -L timmy -Umstaver
Password:
Domain=[RTSENTERPRISE] OS=[Unix] Server=[Samba 3.0.4-SUSE]
Sharename Type Comment
--------- ---- -------
html Disk html
root Disk root
IPC$ IPC IPC Service (TIMMY)
ADMIN$ IPC IPC Service (TIMMY)
Domain=[RTSENTERPRISE] OS=[Unix] Server=[Samba 3.0.4-SUSE]
Server Comment
--------- -------
PIP
TIMMY TIMMY
Workgroup Master
--------- -------
RTSENTERPRISE PIP
Can somebody point me in the right direction of where I need to go
next? I don't understand why this worked great on Friday, and then
quit working today. On another note I would also like to get this box
working so I can log into it at the shell using AD users from Windows.
Right now every time I try to log into it via ssh using the standard
users I created in Suse, it works - but seems to take forever to
decide to let me in. So, it's hanging on something and I'm not sure
what to do next.
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
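One way to triage an smbd log like the excerpt in this message, as an added example that is not part of the original post: it parses the `[timestamp, level] file:function(line)` entries, including headers that the mail wrapping split over two lines, and counts the authentication and ID-mapping messages. The function names and category labels are assumptions of this example; the sample is trimmed from the log quoted above.

```python
import re
from collections import Counter

# Sample trimmed from the log quoted in the post; mail line-wrapping kept.
SAMPLE_LOG = """\
[2004/08/30 14:31:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:51:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2004/08/30 14:51:18, 0]
rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a
Domain group !
[2004/08/30 14:51:31, 0]
smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID
S-1-5-21-894072087-884895359-931750244-500 to uid or gid.
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+:\w+\(\d+\)$")
# Category names are labels chosen for this example, not Samba terms.
PATTERNS = {
    "kerberos_ticket_rejected": re.compile(r"Failed to verify incoming ticket"),
    "unknown_account": re.compile(r"Username (\S+) is invalid on this system"),
    "unmapped_sid": re.compile(r"unable to map SID (S-[\d-]+)"),
    "non_domain_primary_gid": re.compile(r"gid of user \[(\S+)\] is not a Domain"),
}

def parse_entries(text):
    """Split an smbd log into entries: time, level, source location, message."""
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if (m := HEADER.match(line)):
            cur = {"time": m[1], "level": int(m[2]), "where": m[3], "message": ""}
            entries.append(cur)
        elif cur and not (cur["where"] or cur["message"]) and LOCATION.match(line):
            cur["where"] = line  # header was wrapped onto two lines
        elif cur is not None and line:
            cur["message"] = (cur["message"] + " " + line).strip()
    return entries

def summarise(entries):
    """Count entries per category and collect the account or SID each names."""
    counts, subjects = Counter(), {}
    for e in entries:
        for name, rx in PATTERNS.items():
            if (m := rx.search(e["message"])):
                counts[name] += 1
                subjects.setdefault(name, set()).update(m.groups())
    return counts, subjects
```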