Greetings to all that have trod the way of Samba,
I’m having some particular problems implementing Samba to work with Server 2003 ADS. I’ve “googled” my way around and read a number of discussion threads without finding any answers.
Before I describe the particular problem, I would like to say that it is possible to get a Samba server to join an AD 2003 directory and to actually work as a file server allowing AD users to have proper authentication. You will find the configuration files below.
Our goal was to implement a single 2003 AD server and have users from 10 subnets use it as a central point of authentication (subnets are involved with different physical locations). The file sharing issue was going to be solved by implementing a Samba server at each of the 10 subnets. One of the subnets contains the actual Server 2003 running AD. I have managed to implement a single Samba server on the same subnet as the 2003 AD server. Each user now has a roaming profile that is stored on the Samba server.
My problem is that Samba loses the connection to AD when put on a different subnet than the one the AD 2003 server is on. I am able to ‘net ads join’ to 2003 AD, but as soon as a user that has a roaming profile logs into AD, the connection with the Samba server drops. I can confirm that fact by issuing the command ‘net ads info’ and getting the response “Didn’t find the ldap server!” instead of the usual:
Code:
LDAP server: 192.168.48.158
LDAP server name: ops-server2003
Realm: RHB.LOCAL
Bind Path: dc=RHB,dc=LOCAL
LDAP port: 389
Server time: Tue, 24 May 2005 16:59:17 GMT
KDC server: 192.168.48.158
Server time offset: 1
There are also errors in the System log on Server 2003 that indicate that the server had trouble authenticating itself:
Code:
While processing a TGS request for the target server host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 16. The accounts available etypes were 23 -133 -128 3 1.
I’m able to rejoin the AD by running the commands ‘kdestroy’ and ‘kinit’. It seems to take about 2 minutes to join the domain, after which it prints the message:
Code:
[2005/05/24 17:02:37, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for uni-samba already exists - modifying old account
Using short domain name -- RHB
Joined 'UNI-SAMBA' to realm 'RHB.LOCAL'
At this time the System logs on 2003 AD are filled with the KDC error mentioned above.
I’m in no way an expert in Samba nor Linux. Something is telling me that there is an issue with Kerberos and possibly the fact that we are dealing with a subnet. The funny part is that everything works great on the same subnet that 2003 AD is on (Samba, Kerberos, AD ..).
Has anyone experienced a similar occurrence while trying to implement Samba servers for file storage and roaming profiles using Server 2003 AD? I would be glad if someone has some input on this matter.
Thank you,
********************************************************************
[Configuration files and versions]
Linux uni-samba 2.6.11-1.14_FC3 #1 Thu Apr 7 19:23:49 EDT 2005 i686 i686 i386 GNU/Linux
kernel-2.6.9-1.667
kernel-2.6.11-1.14_FC3
Code:
# rpm -qa | grep samba
samba-client-3.0.10-1.fc3
system-config-samba-1.2.28-0.fc3.1
samba-3.0.10-1.fc3
samba-common-3.0.10-1.fc3
# rpm -qa | grep krb5
krb5-devel-1.3.6-5
krb5-auth-dialog-0.2-1
pam_krb5-2.1.2-1
krb5-workstation-1.3.6-5
krb5-libs-1.3.6-5
krb5-server-1.3.6-5
********************************************************************
[Samba smb.conf file]
Code:
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[home]"
Processing section "[readonly]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
        workgroup = RHB
        realm = RHB.LOCAL
        server string = University Samba Server
        security = ADS
        password server = ops-server2003.rhb.local
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        profile acls = Yes
        cups options = raw

[home]
        comment = Samba Home
        path = /home
        read only = No
        guest ok = Yes

[readonly]
        comment = Read-Only Directory
        path = /home/readonly
        guest ok = Yes
********************************************************************
[Kerberos krb5.conf file]
Code:
# vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = RHB.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 RHB.LOCAL = {
  kdc = ops-server2003.rhb.local:88
  admin_server = ops-server2003.rhb.local:749
  default_domain = rhb.local
 }

[domain_realm]
 .rhb.local = RHB.LOCAL
 rhb.local = RHB.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
********************************************************************
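Added note, not part of the original post: the KDC event quoted above reports encryption types only as numbers. In the IANA Kerberos registry, 16 is des3-cbc-sha1, 23 is rc4-hmac, and 1 and 3 are the single-DES types; the negative values are Microsoft-private RC4 variants. Read that way, the event says the Samba host asked the KDC for a service ticket protected with an etype for which the UNI-SAMBA$ machine account has no key, so no ticket can be issued and the LDAP bind that follows fails. The script below is an illustration written for this note (standard library only, not Samba or Microsoft code); it parses such an event and names the requested etypes the account lacks, so the mismatch can be read off a Windows System log export instead of being decoded by hand. The sample event text is the one quoted in the post.

```python
import re

# Kerberos encryption-type numbers from the IANA registry (RFC 3961 / RFC 4120).
# Negative values are Microsoft-private RC4 variants reported by Windows KDCs;
# they are deliberately left unnamed, since only set membership matters here.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Constructed sample input: the KDC event text quoted in the post.
SAMPLE_EVENT = (
    "While processing a TGS request for the target server "
    "host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not have "
    "a suitable key for generating a Kerberos ticket (the missing key has an "
    "ID of 8). The requested etypes were 16. The accounts available etypes "
    "were 23 -133 -128 3 1."
)

_TARGET = re.compile(r"target server\s+(\S+?),")
_ACCOUNT = re.compile(r"the account\s+(\S+)\s+did not")
_REQUESTED = re.compile(r"requested etypes were\s+([-\d\s]+?)\.")
_AVAILABLE = re.compile(r"available etypes were\s+([-\d\s]+?)\.")


def parse_kdc_event(text):
    """Pull the account, target SPN and both etype lists out of a Windows KDC
    'did not have a suitable key' event. Raises ValueError for other text."""
    req = _REQUESTED.search(text)
    avail = _AVAILABLE.search(text)
    if not (req and avail):
        raise ValueError("not a KDC etype-mismatch event")
    target = _TARGET.search(text)
    account = _ACCOUNT.search(text)
    return {
        "target": target.group(1) if target else None,
        "account": account.group(1) if account else None,
        "requested": [int(tok) for tok in req.group(1).split()],
        "available": [int(tok) for tok in avail.group(1).split()],
    }


def missing_etypes(event):
    """Etypes the client asked for that the account has no key for,
    as (number, name) pairs in the order the client listed them."""
    have = set(event["available"])
    return [(e, ETYPE_NAMES.get(e, "unknown/private"))
            for e in event["requested"] if e not in have]


def diagnose(text):
    """One-line verdict for a KDC event message."""
    event = parse_kdc_event(text)
    missing = missing_etypes(event)
    if not missing:
        return "ok: account %s has a key for every requested etype" % event["account"]
    names = ", ".join("%d (%s)" % pair for pair in missing)
    have = ", ".join("%d (%s)" % (e, ETYPE_NAMES.get(e, "private"))
                     for e in event["available"])
    return ("etype mismatch: %s requested %s for %s, but the account only has "
            "keys for %s" % (event["account"], names, event["target"], have))


if __name__ == "__main__":
    # Prints the verdict for the event quoted in the post.
    print(diagnose(SAMPLE_EVENT))
```

Run against the quoted event it reports that UNI-SAMBA$@RHB.LOCAL asked for 16 (des3-cbc-sha1) while the account only holds RC4 and DES keys. That is the first thing to confirm when a Samba member server joins cleanly but later loses its AD connection: compare what the client's Kerberos library requests with the key types actually stored on the machine account, and watch for the event reappearing in the System log each time a user logs on.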