Hi All,
I have setup Samba using Kerberos on CentOS 5.2 linux server. All work fine for all the machines that are on the main domain.
The issue I have is that I have another PC which is on a complete workgroup/domain and Samba will not let it connect.
krb5.conf
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
EXAMPLE.COM = {
kdc = rex.example.com
admin_server = rex.example.com
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
smb.conf
Code:
[global]
workgroup = EXAMPLE
server string = Samba Server Version %v
load printers = no
log file = /var/log/samba/%m.log
max log size = 50
encrypt passwords = yes
username map = /etc/samba/smbusers
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
;allow trusted domains = No
;idmap backend = idmap_rid:ONLING=500-100000000
;idmap uid = 500-100000000 idmap gid = 500-100000000
;log level = 1
;syslog = 0
;template shell = /bin/bash
;template homedir = /home/%U
;winbind use default domain = yes
;winbind enum users = Yes
;winbind enum groups = Yes
;winbind nested groups = Yes
;printcap name = CUPS printing = cups
# logs split per m/achine
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
max log size = 50
security = ads
realm = EXAMPLE.COM
[homes]
comment = Home Directories
valid users = %D\%U
read only = No
browseable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[top]
comment = Top level
path = /
browseable = yes
valid users = %D\steve.ling
public = no
guest ok = no
force user = root
force group = root
writable = yes
As mentioned above as it sits all the pc that are on that "EXAMPLE.COM" domain can access the folders.
The problem is that I have a pc that is on EXMAPLE2.COM domain and I get this in the samba log for that pc.
pc name = EXAMPLE2\steve.ling
LOG
Code:
[2008/09/25 21:46:08, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2222)
cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine REX.EXAMPLE.COM. Error was NT_STATUS_ACCESS_DENIED
[2008/09/25 21:46:08, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2640)
cli_rpc_pipe_open_schannel: failed to get schannel session key from server REX.EXAMPLE.COM for domain EXAMPLE.
[2008/09/25 21:46:08, 0] auth/auth_domain.c:connect_to_domain_password_server(119)
connect_to_domain_password_server: unable to open the domain client session to machine REX.EXAMPLE.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2008/09/25 21:46:08, 0] auth/auth_domain.c:domain_client_validate(220)
domain_client_validate: Domain password server not available.
Done any one have any idea what I am doing wrong?
NOTE:
Now if you look in smb.conf code above, I commented out some lines as I was testing samba to work with winbind & kerberos but the issue is that the connections are slow. But in this setup all my pc could connect no issue to all folders.
Thanks in advance
Samba 3.0.28 Kerberos setup will not let guest DOMAIN connect
