Samba 3.0.7 and Active Directory

Franke, Dirk
Occasional Advisor

Hello,

I have installed the Samba 3.0.7-based HP CIFS Server A.02.01 on HP-UX 11.11. I downloaded it from http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA
I downloaded the HP CIFS Server 3.0a Administrators Guide from HP and installed the patches PHCO_26089, PHNE_23949, PHCO_25796P, PHCO_17030 and the LDAP-UX Client, as required in the document.
I created the machine account in the Active Directory and checked "Assign this computer account as a pre-Windows 2000 computer". The Samba server should be a member server of the Active Directory domain.
After the installation I ran the setup_samba script to create an smb.conf file.
I modified the krb5.conf like this:

[libdefaults]
default_realm = DOMAIN.COM
default_tkt_enctypes = DES-CBC-CRC
default_tgs_enctypes = DES-CBC-CRC
ccache_type = 2
[realms]
DOMAIN.COM = {
kdc = dc.domain.com:88
admin_server = dc.andritz.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

This krb5.conf is the one printed in the CIFS Admin documentation.
I get a ticket with kinit:

kinit admin@DOMAIN.COM
Password for admin@DOMAIN.COM:
hpuxserver-admin $ klist
Ticket cache: /tmp/krb5cc_0
Default principal: admin@DOMAIN.COM

Valid starting Expires Service principal
01/19/05 09:44:26 01/19/05 19:43:19 krbtgt/DOMAIN.COM@DOMAIN.COM

Is this ticket correct? krbtgt/DOMAIN.COM@DOMAIN.COM
Should it not be hpuxserver@DOMAIN.COM ??

When I try to join the domain with:

./net ads join -U hemmig99@ANDRITZ.COM -d 10

I get the following error:

[2005/01/19 09:47:13, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
ads_sasl_spnego_bind: got server principal name =dc$@DOMAIN.COM
[2005/01/19 09:47:13, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file found)
[2005/01/19 09:47:13, 1] libsmb/clikrb5.c:ads_krb5_mk_req(389)
ads_krb5_mk_req: krb5_get_credentials failed for dc$@DOMAIN.COM (KRB5 error code 52)
[2005/01/19 09:47:13, 0] utils/net_ads.c:ads_startup(186)
ads_connect: KRB5 error code 52
[2005/01/19 09:47:13, 2] utils/net.c:main(792)
return code = -1

My smb.conf, created via the setup script:

[global]
passdb backend = ldapsam:ldap://HEMSMS001.ANDRITZ.COM
ldap server = HEMSMS001.ANDRITZ.COM
ldap group suffix = ou=Groups
ldap user suffix = ou=Accounts
ldap suffix = dc=andritz,dc=com
ldap admin dn = cn=hemmig99

# workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
workgroup = ANDRITZ

# Kerberos Realm name for the AD
realm = ANDRITZ.COM

# Netbios name of this machine
netbios name = HEMSUXRZ001

# server string is the equivalent of the NT Description field
server string = Samba 3.0 Server
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/opt/samba/log.%m

# Put a capping on the size of the log files (in Kb).
max log size = 1000

# Security mode. Use 'ads' for configuring with W2K domain and
# use Kerberos as authentication protocol.
security = ADS

# Use password server option only with security = server or domain
password server = hemsms001, *

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = yes

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest

# Use password server option only with security = server
# password server: the netbios names of systems which will
# be used to authenticate logins.
# Use password server option only with security = server or domain
# password server = *
; password server =

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
; encrypt passwords = yes
; smb passwd file = /var/opt/samba/private/smbpasswd

# The following are needed to allow password changing from Windows to
# update the unix sytsem password also.
# NOTE1: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
; unix password sync = Yes
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names which is specified
# by smbusers.map.
; username map = /etc/opt/samba/smbusers.map

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
; include = /etc/opt/samba/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details.
socket options = TCP_NODELAY

# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
; remote browse sync = 192.168.3.25 192.168.5.255

# Cause this host to announce itself to local subnets here.
; remote announce = 192.168.1.255 192.168.2.44

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply.
; local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable.
; os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job.
domain master = auto

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election.
; preferred master = yes
preferred master = auto

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
domain logons = no

# if you enable domain logons then you may want a per-machine or
# per user logon script with %m.bat or %U.bat.
# For example, run a specific logon batch file per workstation (machine).
; logon script = %m.bat

# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below.
; logon path = \\%L\Profiles\%U

# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependant. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment.
# - OR - are not deliberately to be known via lmhosts or via WINS.
; name resolve order = wins lmhosts bcast

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server.
; wins support = yes
wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client used to
# locate password servers, specified as a fully-qualified DNS name or an IP
# address.
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both.
wins server = 10.2.13.5

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups if NetBIOS name isn't found in WINS. The built-in default
# for versions 1.9.17 is yes, this has been changed in version 1.9.18 to no.
; dns proxy = no

# Default case is normally upper case for all DOS files.
; default case = lower

# Be very careful with case sensitivity - it can break things!
; case sensitive = no

# Case Preservation can be handy - system default is _no_.
# NOTE: These can be set on a per share basis.
preserve case = yes
short preserve case = no

# This option is mainly used as a compatibility option for Visual C++
# when used against Samba shares.
dos filetime resolution = yes

read only = no
syslog = 0

# Winbind Options. Consult online documentation at http://:901/swat/help/winbindd.8.html

; winbind separator = +
; winbind cache time = 10
; template shell = /bin/bash
; template homedir = /home/%D/%U
; idmap uid = 10000-20000

; idmap gid = 10000-20000

#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no

# This one is useful for people to share files
[tmp]
comment = Temporary file space
path = /tmp
read only = no

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /var/opt/samba/netlogon
; guest ok = yes
; writable = no

Does anyone have any idea? I have been stuck with this problem for about a week.

Thanks for every response.

Dirk
Sandra Skinner
Occasional Advisor

Re: Samba 3.0.7 and Active Directory

Dirk,
I noticed that when you are trying to join the domain, you are using hemming99. What happens when you do a kinit with hemming99?
I look forward to your reply.
Sandra
Franke, Dirk
Occasional Advisor

Re: Samba 3.0.7 and Active Directory

Hello Sandra,

thanks for your reply. I thought nobody would reply to my thread ;-).
So I can get a ticket with hemmig99:

hemsuxrz001-root $ kinit hemmig99@ANDRITZ.COM
Password for hemmig99@ANDRITZ.COM:
hemsuxrz001-root $ klist
Ticket cache: /tmp/krb5cc_0
Default principal: hemmig99@ANDRITZ.COM

Valid starting Expires Service principal
01/20/05 16:19:46 01/21/05 02:18:24 krbtgt/ANDRITZ.COM@ANDRITZ.COM

Any other idea?

Thanks in advance

Dirk
Steven E. Protter
Exalted Contributor

Re: Samba 3.0.7 and Active Directory

I suspect an issue on the Windows ADS side.

Try your connect and then ask the admin to check the servers event log.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Franke, Dirk
Occasional Advisor

Re: Samba 3.0.7 and Active Directory

Hello,

thanks for your reply.
When I run the net ads join I get the following error on the DC in the security log:

Event ID: 675
Source : Security

Pre-authentication failed:
User Name: hemmig99
User ID: ANDRITZ\hemmig99
Service Name: krbtgt/ANDRITZ
Pre-Authentication Type: 0x2
Failure Code: 0xE
Client Address: 127.0.0.1

I have also thought about the possibility that the problem could be on the Windows side. I googled a long time about this problem and found only one person who solved it. He installed the MIT 2.6.5 lib on the DC. I installed it on the DC but with no result. It still does not work.

Any ideas?

Thank you very much indeed

Dirk
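As an added example that is not part of this thread, the following Python script parses an Event 675 block like the one quoted above, plus a Samba "KRB5 error code N" debug line, and maps the numeric fields to their RFC 4120 names (pre-authentication type 0x2 is PA-ENC-TIMESTAMP, failure code 0xE is KDC_ERR_ETYPE_NOSUPP, and Samba's code 52 is KRB_ERR_RESPONSE_TOO_BIG). The function names and the sample event block are constructed for this example.

```python
import re

# Kerberos error codes from RFC 4120 section 7.5.9 (only the ones that matter here).
KRB_ERROR_CODES = {
    0x0E: "KDC_ERR_ETYPE_NOSUPP: KDC does not support the requested encryption type",
    0x18: "KDC_ERR_PREAUTH_FAILED: pre-authentication data (usually the password) was invalid",
    0x25: "KRB_AP_ERR_SKEW: clock skew too great between client and KDC",
    0x34: "KRB_ERR_RESPONSE_TOO_BIG: KDC reply too big for UDP, client must retry over TCP",
}
# Pre-authentication types (RFC 4120 section 7.5.2, RFC 4556).
PREAUTH_TYPES = {0x02: "PA-ENC-TIMESTAMP (password-based)", 0x10: "PA-PK-AS-REQ (certificate)"}

def parse_event_675(text):
    """Parse the 'Key: Value' body of a Windows 2000/2003 Security Event 675 and decode it."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    pa_type = int(fields["Pre-Authentication Type"], 16)   # e.g. "0x2"
    code = int(fields["Failure Code"], 16)                 # e.g. "0xE"
    return {
        "user": fields.get("User Name"),
        "service": fields.get("Service Name"),
        "client": fields.get("Client Address"),
        "preauth_type": PREAUTH_TYPES.get(pa_type, "unknown 0x%x" % pa_type),
        "failure_code": code,
        "failure_name": KRB_ERROR_CODES.get(code, "unknown 0x%x" % code),
    }

def decode_samba_krb5_error(line):
    """Decode the decimal 'KRB5 error code N' that Samba's net/libads debug output prints."""
    match = re.search(r"KRB5 error code (\d+)", line)
    if not match:
        return None
    code = int(match.group(1))
    return KRB_ERROR_CODES.get(code, "unknown %d" % code)

# Constructed sample input, modelled on the event block quoted in the thread.
SAMPLE_EVENT = r"""Pre-authentication failed:
User Name: hemmig99
User ID: ANDRITZ\hemmig99
Service Name: krbtgt/ANDRITZ
Pre-Authentication Type: 0x2
Failure Code: 0xE
Client Address: 127.0.0.1"""

if __name__ == "__main__":
    print(parse_event_675(SAMPLE_EVENT))
    print(decode_samba_krb5_error("ads_connect: KRB5 error code 52"))
```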
Sandra Skinner
Occasional Advisor

Re: Samba 3.0.7 and Active Directory

Dirk,
Please change some of the lines that I have marked:

[libdefaults]
default_realm = DOMAIN.COM
default_tkt_enctypes = DES-CBC-CRC** change this to DES-CBC-MD5***
default_tgs_enctypes = DES-CBC-CRC **change this to DES-CBC-MD5**
ccache_type = 2
[realms]
DOMAIN.COM = {
kdc = dc.domain.com:88 ***kdc and admin_server should be the same name so if you are using dc.domain.com as the kdc, then the admin_server should be dc.domain.com***
admin_server = dc.andritz.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

Please change these items and save the file and try again.
Thank you,
Sandra
Dave Poeschel
Occasional Advisor

Re: Samba 3.0.7 and Active Directory

Hello Dirk,

I noticed that you checked the "pre-Windows 2000" box. If you wish to join as a "native" ADS member, which it appears you are based on your configuration and use of Kerberos security, you should NOT check the "pre-Windows 2000" box.

You may join as a "pre-Windows 2000 computer" but you will not be allowed to use kerberos security and would follow the NT Style Domain member procedures.
Franke, Dirk
Occasional Advisor

Re: Samba 3.0.7 and Active Directory

Hello Sandra,

thanks for your reply.
I changed the lines to

default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5

I found two different default_tkt_enctypes and default_tgs_enctypes settings for HP-UX on the HP website, one with DES-CBC-MD5 and another with DES-CBC-CRC. I tried both and neither worked.

I did not get your second point. You wrote that kdc and admin_server should point to the same DC. I configured that in my krb5.conf. Or did I misunderstand you?

With these changes I retried to join the domain and I got the same error.

I followed Dave's suggestion and deleted the machine account from the AD. I waited about an hour and recreated it without checking the "pre-Windows 2000" box. I thought this would be the problem, but I get the same error when I join the domain.
Does it matter if I create the machine account upper- or lowercase? I created it uppercase.
The smbd is stopped when I try to join the domain. Is this correct?
Do I have to configure anything on the Windows domain?
Does anyone have any ideas?

Thank you all very much indeed for your help :-)

Dirk
Franke, Dirk
Occasional Advisor

Re: Samba 3.0.7 and Active Directory

Jipi,

I joined the domain :-)
I deleted the machine account from the AD and used ./net rpc join -U admin -S pdcemulator
=> Joined domain :-)
The error was that I had to use the PDC emulator. Now it works.
Thanks for your help!!

Dirk