Problems with Samba 3.0.10 and winbind 1.3.4-17 on REL4

dmildh · 08-22-2005, 08:09 PM

I am currently using Redhat ES 4 and am having a heck of a time with the setup. Right now I am using the default samba and winbind packages that are included with this distribution:

krb5-workstation-1.3.4-17
samba-3.0.10-1.4E

Able to successfully join the ADS domain and do wbinfo -u and -g queries, create tickets with kinit dmildh@mydomain.com and list them with klist.

Also able to access the server's share from my Windows XP SP2 workstation by ip address but not by the DNS name.

Getting the following error message in the smbd.log file:

[2005/08/22 17:38:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!

Tried removing theses lines from krb5.conf with no luck:

#default_tgs_enctypes = des-cbc-crc des-cbc-md5
#default_tkt_enctypes = des-cbc-crc des-cbc-md5

I noticed a lot of people are having the same problem but I have not found a solution anywhere and would like to solve this once and for all! Is this a software bug because I have almost the exact same setup running correctly on REL 3

tp11235 · 08-23-2005, 04:03 AM

Have you set up a LMHOSTS file on the windows box. I found this solved a very similar problem.

In C:\WINDOWS\System32\Drivers\etc there is a sample file LMHOSTS.SAM that has some readme data. The XP help system also has documentation on the subject.

Basically you need a simple text file with a list of ip addresses and host names on your network. Separate the ip and hostname with a space. If you add #PRE after each one it pre loads it into the name cache, but don't ask me what that means! I found it worked with or without the #PRE.

192.168.1.34 myhost1
192.168.1.37 myhost2 #PRE

etc.

Save it as a textfile with no extension in the same directory.

Go to Network Connections and right click on the network connection you are using then select properties.
Scroll down to Internet Protocol and select properties for that, then "advanced" You might as well check everything here, but you probably know this stuff.

Under DNS I added the IP of my Linux server as a DNS server (lowest priority).
Under WINS I added my server as a WINS server. (I have enabled WINS support in my SAMBA setup).
Then select Enable LMHOSTS lookup.

Good luck.

Tim.

slacky · 08-23-2005, 08:36 AM

Try adding "client schannel = no" into your smb.conf, and then restarting samba and winbind. I just had issues with Samba this fixed which I believe were caused by installing Windows 2000 Security Update Rollup 1 to our domain controllers.

dmildh · 08-23-2005, 11:39 AM

Thank you both for your replies. For the reply about using the LMHOST file I cannot use the method since I need this Samba server to be accessable from every machine on the network, but I did make sure the server does have a valid resolvable DNS name and reverse lookup since I first thought this was related to DNS.

For the second reply I am already using the "client schannel = no" option in order to fix some performance issue I was having with my working REL3 server.

Here is a copy of my smb.conf file minus some of the specific names to my site:

[global]
# general options
workgroup = CORP
netbios name = SERVERNAME

# winbindd configuration
# default winbind separator is \, which is good if you
# use mod_ntlm since that is the character it uses.
# users only need to know the one syntax
#winbind separator = \

# idmap uid and idmap gid are aliases for
# winbind uid and winbid gid, respectively
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
#template homedir = /home/%D/%U
template homedir = /home/%U
template shell = /bin/bash
client schannel = no

# Active directory joining
security = ads
# encrypt passwords = yes is now default in Samba3 -- EnigMa?
encrypt passwords = yes
realm = domainname.ad.local
# this handles the "ads server = " directive as well -- EnigMa?
password server = domaincontroller.corp.ad.local

#Shares
[src]
path = /usr/local/src
public = yes
writable = yes
#valid users = "@DOMAINNAME\GROUPNAME"

slacky · 08-23-2005, 12:20 PM

What version of Samba came with RH3? I'm thinking I've also had the exact same Kerberos issues where you can access it by ip address but not name - I have in my notes that Samba 3.0.1 and 3.0.8 had issues, but 3.0.0, 3.0.2, 3.0.7, and 3.0.14a work fine.

dmildh · 08-23-2005, 02:42 PM

The working REL3 box is running samba-3.0.9-1.3E.3 and krb5-workstation-1.2.7-47.

dmildh · 08-23-2005, 07:54 PM

Looks like the \\dnsname\share works now. I think it just took some time to establish the DNS and propagate it out to all servers. THis is complete

wellssh · 09-28-2005, 09:36 AM

I am having the same issue. I did notice that the winbind separator variable does not like the \, ie. "@DOMAIN\groupname". I've seen suggestions to use a +, ie. "@DOMAIN+groupname". I have Samba 3.0.10-1.4E. I want to include users from a trusted/trusting W2k3 ADS domain.
Has anyone else found this to be true?