Old 05-24-2005, 04:40 PM   #1
Problems joining Samba to ADS 2003

Greetings to all that have trod the way of Samba,

I’m having some particular problems implementing Samba to work with Server 2003 ADS. I’ve “googled” my way around and read a number of discussion threads without finding any answers.

Before I describe the particular problem, I would like to say that it is possible to get Samba server to join an AD 2003 directory and to actually work as a file server allowing AD users to have proper authentication. You will find the configuration files below.

Our goal was to implement a single 2003 AD server and have users from 10 subnets use it as a central point of authentication (subnets are involved with different physical locations). The file sharing issue was going to be solved by implementing a Samba server at each of the 10 subnets. One of the subnets contains the actual Server 2003 running AD. I have managed to implement a single Samba server on the same subnet as the 2003 AD server. Each user now has a roaming profile that is stored on the Samba server.

My problem is that Samba loses the connection to AD when put on a different subnet than the one the AD 2003 server is on. I am able to ‘net ads join’ to 2003 AD, but as soon as a user that has a roaming profile logs into AD, the connection with the Samba server drops. I can confirm that fact by issuing the command ‘net ads info’ and getting the response “Didn’t find the ldap server!” instead of the usual:

LDAP server:
LDAP server name: ops-server2003
Bind Path: dc=RHB,dc=LOCAL
LDAP port: 389
Server time: Tue, 24 May 2005 16:59:17 GMT
KDC server:
Server time offset: 1
There are also errors in the System log on Server 2003 that indicate that the server had trouble authenticating itself:

While processing a TGS request for the target server host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 16.  The accounts available etypes were 23  -133  -128  3  1.
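An added example (not from the post) that reads a KDC event like the one above, decodes the enctype numbers, and reports whether the requested enctypes overlap the keys the machine account actually holds; the positive etype names follow the IANA Kerberos registry, while the negative ones are Microsoft's private KERB_ETYPE values and are labelled as an assumption in the code.

```python
import re

# Enctype numbers as they appear in Windows KDC event text.
# Positive values: IANA Kerberos encryption type registry.
# Negative values: assumed from Microsoft's private KERB_ETYPE enum.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    -128: "rc4-md4 (Microsoft private, assumed)",
    -133: "rc4-hmac-old (Microsoft private, assumed)",
}

# Constructed sample: the event text quoted in the post, re-typed inline.
SAMPLE_EVENT = (
    "While processing a TGS request for the target server "
    "host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not "
    "have a suitable key for generating a Kerberos ticket (the missing key "
    "has an ID of 8). The requested etypes were 16.  The accounts available "
    "etypes were 23  -133  -128  3  1."
)


def parse_kdc_event(text):
    """Pull target SPN, account and the two etype lists out of the event text."""
    target = re.search(r"target server (\S+),", text).group(1)
    account = re.search(r"the account (\S+) did not", text).group(1)
    requested = re.search(r"requested etypes were ([-\d\s]+?)\.", text).group(1)
    available = re.search(r"available etypes were ([-\d\s]+?)\.", text).group(1)
    return {
        "target": target,
        "account": account,
        "requested": [int(x) for x in requested.split()],
        "available": [int(x) for x in available.split()],
    }


def describe_etype(n):
    return f"{n} ({ETYPE_NAMES.get(n, 'unknown')})"


def diagnose(event):
    """A ticket can only be issued if at least one requested etype has a key."""
    requested, available = set(event["requested"]), set(event["available"])
    return {
        "account": event["account"],
        "ticket_possible": bool(requested & available),
        "missing": [describe_etype(e) for e in sorted(requested - available)],
        "usable": [describe_etype(e) for e in sorted(requested & available)],
    }
```

For the posted event the result shows the client asked only for des3-cbc-sha1 (16), which the UNI-SAMBA$ account has no key for, so no service ticket can be issued regardless of which subnet the request came from.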
I’m able to rejoin the AD by running the commands ‘kdestroy’ and ‘kinit’. It seems to take about 2 minutes to join the domain, after which it prints the message:

[2005/05/24 17:02:37, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for uni-samba already exists - modifying old account
Using short domain name -- RHB
Joined 'UNI-SAMBA' to realm 'RHB.LOCAL'
At this time the System logs on 2003 AD are filled with the KDC error mentioned above.

I’m in no way an expert in Samba nor Linux. Something is telling me that there is an issue with Kerberos and possibly the fact that we are dealing with a subnet. The funny part is that everything works great on the same subnet that 2003 AD is on (Samba, Kerberos, AD ..).

Has anyone experienced a similar occurrence while trying to implement Samba servers for file storage and roaming profiles using Server 2003 AD? I would be glad if someone could offer some input on this matter.

Thank you,

[Configuration files and versions]

Linux uni-samba 2.6.11-1.14_FC3 #1 Thu Apr 7 19:23:49 EDT 2005 i686 i686 i386 GNU/Linux

# rpm -qa | grep samba

# rpm -qa | grep krb5

[Samba smb.conf file]

# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[home]"
Processing section "[readonly]"
Loaded services file OK.
Press enter to see a dump of your service definitions

# Global parameters
# (section headers in brackets restored from the testparm output above)
[global]
        workgroup = RHB
        realm = RHB.LOCAL
        server string = University Samba Server
        security = ADS
        password server = ops-server2003.rhb.local
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        profile acls = Yes
        cups options = raw

[home]
        comment = Samba Home
        path = /home
        read only = No
        guest ok = Yes

[readonly]
        comment = Read-Only Directory
        path = /home/readonly
        guest ok = Yes

[Kerberos krb5.conf file]

# /etc/krb5.conf
# (section headers in brackets and the closing brace of the pam block
#  restored; the forum display stripped them)
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = RHB.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 RHB.LOCAL = {
  kdc = ops-server2003.rhb.local:88
  admin_server = ops-server2003.rhb.local:749
  default_domain = rhb.local
 }

[domain_realm]
 .rhb.local = RHB.LOCAL
 rhb.local = RHB.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

