
Win 2003 AD and Samba 3.0.2


ManicAJK (IS-IT--Management), Jan 12, 2004
I am in the middle of implementing a Windows 2003 Active Directory domain. The Windows side of it is going fine but we are struggling to get Samba working with the new domain properly.
I have 4 AD domain controllers all running integrated DNS and WINS. We joined one of our test Unix boxes running Tru64 and Samba 3.0.2 to the new domain with no problems at all and set its host domain to be that of the new domain. I can ping the Unix box with no trouble as well as perform reverse lookups on its IP address.
The problem is that I can browse to the Unix server and access the Samba shares fine if I use \\xxx.xxx.xxx.xxx, but if I try to browse to the machine using the \\servername format I get numerous errors. If browsing via Windows Explorer I get prompted for a username and password and no matter what combination I use nothing works. If browsing via a net view command from the command prompt I get a "System error 5: access is denied" message.
The new win2k3 domain has a 2-way trust to our present live NT4 domain and any client on the NT4 domain has no trouble browsing to the machine via \\servername or \\xxx.xxx.xxx.xxx.
The Unix machine has joined the win2k3 domain with no trouble as I can see the machine account in the AD admin tool. I am out of ideas, can anybody help?
 
I have created a new user account for the unix box and set it to require DES encryption, used ktpass.exe to map the computer account to the user account and exported to bernie.keytab, ftp'd this file to the unix box and used ktutil to read the keytab into memory and write it to krb5.keytab.
This still does not appear to work and having read through most of those articles you sent me I appear to have done every stage listed. There are no security errors in the domain controllers' security log and I have changed the password of the krbtgt account (only once).
I have also removed the DES-CBC-CRC entry from the krb5.conf file.
I have no user account on the unix box which corresponds to a user account on the AD domain, could this be my stumbling point?
 
If you're not seeing errors on the KDC, I suspect you're not getting there.

In [realms], try putting the port number at the end of the kdc = line, i.e. kdc = imserv-dc1-sc.im-serv.com:88


Take a close look at domain realms also:

If your UNIX computer's DNS name does not include the realm name—for example, foobar.reskit.com does not include ntdom.reskit.com—you may be required to map the hostname to the Kerberos realm name manually, as follows:

[domain_realm]
.foobar.reskit.com = NTDOM.RESKIT.COM

Without this entry, your Kerberos applications might try to connect to the wrong realm and fail, which can be frustrating to debug.
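How the [domain_realm] lookup quoted above actually resolves a hostname is easy to get wrong, so here is an added illustration (example code written for this thread, not from the poster or from any Kerberos library): a small POSIX sh reimplementation of the lookup order, run against a constructed [domain_realm] excerpt. The entries, the DEFAULT_REALM value and the hostnames are assumptions for the demonstration. The exact hostname is tried first, then each parent domain with a leading dot, and only then the default realm; a leading-dot key covers hosts beneath a name but not the name itself, which is why both `.foo.com` and `foo.com` lines usually appear together.

```shell
#!/bin/sh
# Constructed [domain_realm] section, modelled on the entry quoted above
# (sample input, not a live krb5.conf). Keys without a leading dot match
# one host exactly; keys with a leading dot match every host beneath them.
DOMAIN_REALM='
.foobar.reskit.com = NTDOM.RESKIT.COM
.reskit.com = RESKIT.COM
reskit.com = RESKIT.COM
'
DEFAULT_REALM='DEFAULT.EXAMPLE'   # stands in for [libdefaults] default_realm

# lookup_entry KEY: print the realm mapped to KEY in DOMAIN_REALM, if any.
lookup_entry() {
    printf '%s\n' "$DOMAIN_REALM" | awk -v k="$1" '$1 == k && $2 == "=" { print $3; exit }'
}

# host_realm HOSTNAME: the realm chosen from [domain_realm]: the exact
# hostname first, then each parent domain with a leading dot, falling back
# to the default realm when nothing matches.
host_realm() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # domain_realm keys are lower case
    r=$(lookup_entry "$h")
    if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    d="$h"
    while [ "${d#*.}" != "$d" ]; do
        d="${d#*.}"
        r=$(lookup_entry ".$d")
        if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    done
    printf '%s\n' "$DEFAULT_REALM"
}

# Walk through the cases the quoted text describes.
for host in bernie.foobar.reskit.com foobar.reskit.com reskit.com www.other.example; do
    printf '%-28s -> %s\n' "$host" "$(host_realm "$host")"
done
```

Note that `foobar.reskit.com` itself lands in RESKIT.COM, not NTDOM.RESKIT.COM: the `.foobar.reskit.com` key only matches hosts below that name. If the Unix host's own name is the one being mapped, it needs a dotless key (or a leading-dot key for its parent domain).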
 
I am reasonably sure the domain realms are correct, I will try adding the port number to the config file tomorrow and see if it makes any difference.
One thing I have noticed is that when I log onto the Unix box via telnet I get the following error

login: Client not found in Kerberos database while getting initial credentials

If I add a user account to my Active Directory which matches the account I use to log onto the Unix box the above error goes away. This also allows me to log onto the Samba share but it still prompts me for a username and password initially and will only accept username and password, not domain\username and password. Presumably if it would accept domain\username and password it would not prompt me at all and go straight into the Samba share.
Aaaagggghhhhhhh!
 
Certainly this points to account mapping. Just for clarity:

This is a Unix/linux box, or a Windows 2K or higher box accessing the Samba share on the Unix/linux server?

"If I add a user account to my active directory which matches the account i use to log onto the unix box the above error goes away."

Sounds like you're trying to passthrough for an account that doesn't exist in the target realm.



 
I have just spotted something which is a possible mistake. When I generated the keytab file for the Unix box and then read it into memory using ktutil on the Unix box it showed as

ktutil: rkt /usr/users/aknight/bernie.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 host/bernie@IM-SERV.COM

should it not read host/bernie.im-serv.com@IM-SERV.COM?

Have I made a config error when generating this keytab?
 
This is a win2k3 box on a win2k3 AD domain running in Windows 2000 native mode, trying to access a Samba share on a Unix box running Tru64 and Samba 3.0.2.
 
When you started talking about the matching local unix account, you had me worried.


The format should be:

HOST/DNS_Name_Of_Unix_Host/AD_FQDN

so, I believe you are correct.
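The keytab question in the two posts above comes down to one check: does every host entry read host/<fqdn>@<REALM>, or has a short hostname crept in? As an added example (written for this thread, not the poster's script or anything shipped with ktutil or Samba), this POSIX sh snippet parses a ktutil-style listing and flags entries that do not match the expected form. The listing, the FQDN bernie.im-serv.com and the realm IM-SERV.COM are constructed sample values taken from the listing posted above.

```shell
#!/bin/sh
# Constructed ktutil listing modelled on the one posted above (sample input,
# not a real keytab). The first entry is the short form the poster spotted,
# the second the FQDN form the reply confirms.
KEYTAB_LISTING='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/bernie@IM-SERV.COM
   2    3 host/bernie.im-serv.com@IM-SERV.COM'

# keytab_principals LISTING: one principal per line from a "slot KVNO
# Principal" table, skipping the header and the dashed rule.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { print $3 }'
}

# check_host_principal PRINCIPAL FQDN REALM: succeeds only when PRINCIPAL is
# exactly host/FQDN@REALM; otherwise explains on stderr why it will not
# match and fails. Principals and realms are case-sensitive, so no folding.
check_host_principal() {
    p="$1"; fqdn="$2"; realm="$3"
    case "$p" in */*@*) ;; *) echo "$p: not of the form service/instance@REALM" >&2; return 1 ;; esac
    svc="${p%%/*}"           # service, text before the first '/'
    rest="${p#*/}"
    inst="${rest%%@*}"       # instance, between '/' and '@'
    prealm="${p##*@}"        # realm, after the last '@'
    [ "$svc" = host ] || { echo "$p: service is '$svc', expected 'host'" >&2; return 1; }
    [ "$prealm" = "$realm" ] || { echo "$p: realm is '$prealm', expected '$realm'" >&2; return 1; }
    case "$inst" in
        "$fqdn") return 0 ;;
        *.*)     echo "$p: instance '$inst' is not the expected host '$fqdn'" >&2; return 1 ;;
        *)       echo "$p: instance '$inst' is a short name; expected the FQDN '$fqdn'" >&2; return 1 ;;
    esac
}

# count_bad_principals LISTING FQDN REALM: how many entries fail the check
# above (0 means every entry is of the host/FQDN@REALM form).
count_bad_principals() {
    bad=0
    for p in $(keytab_principals "$1"); do
        check_host_principal "$p" "$2" "$3" || bad=$((bad + 1))
    done
    echo "$bad"
}

count_bad_principals "$KEYTAB_LISTING" bernie.im-serv.com IM-SERV.COM
```

Run against the constructed listing it reports the short host/bernie entry and prints 1. The same check can be pointed at `klist -k` output on a box that has it, since that table has the same column layout after its own header.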

 
Time to log a support call with Microsoft I think, as nothing I do seems to correct this problem. Maybe they can take a detailed look at my Kerberos setup and find a problem that I cannot see. This is the only thing holding up my AD roll-out, which is why it is so annoying.
Thanks.
 
In your [global] portion of the smb.conf file, have you tried adding
wins server = xxx.xxx.xxx.xxx

Also, I see you have winbind partially configured.
Is the winbind daemon running?
If you are using winbind, and your daemon is inactive, you will have all sorts of access denied issues.

Add
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
hostname lookups = Yes

Also edit /etc/nsswitch.conf
passwd: files winbind
group: files winbind

Then start the winbind daemon.



"If you always do what you've always done, you will always be where you've always been."
 
Thanks for the input rzs0502.

winbind enum users = Yes and winbind enum groups = Yes both default to Yes if there is no entry for them in the config file. Just to be sure though, I had added them in.

I can browse the server if I enter invalid login details as we have the following entry in [global]

map to guest = bad user

This suggests that Samba is looking up the account details correctly on the AD domain, as if it wasn't then it would just let me through as the guest user no matter which account I attempted to connect with (if that makes sense).

Keep the suggestions coming, I can't log a support call with Microsoft until tomorrow as they are being slow with setting up our incident support call contract.
 
What does 'wbinfo -u' give you?
If nothing, try this.

Found a point which states that if samba cannot figure out your ADS server using your realm name, add the following in smb.conf

ads server = your.kerberos.server

Also found this note:
7.4.6. Notes
You must change the administrator password at least once after DC install, to create the right encoding types.
W2k doesn't seem to create the _kerberos._udp and _ldap._tcp records in its default DNS setup. Maybe fixed in service packs?



"If you always do what you've always done, you will always be where you've always been."
 
The administrator password has been changed 4 times since install, the Kerberos account password has been changed once.
wbinfo -u gives me the following

UKDCS_NT+Wolverton
UKDCS_NT+workshop
UKDCS_NT+Wyoming
UKDCS_NT+Y_Adeyem
UKDCS_NT+Y_Hussai
UKDCS_NT+YE01
UKDCS_NT+YE02
UKDCS_NT+YE03
UKDCS_NT+YE04
UKDCS_NT+Yellowstone
UKDCS_NT+Yonkers
UKDCS_NT+Yukon
UKDCS_NT+Z_Leonar
UKDCS_NT+Z_LeWarn
administrator
Guest
krbtgt
host/jennie
unix
UKDCS_NT$
aknight
host/bernie.im-serv.com

everything with ukdcs_nt in front of it is from our NT4 domain which has a 2 way trust with the AD domain.
 
P.S. I've filtered some of the results out from the UKDCS_NT part as it would have gone on for pages.
 

[global]
; smbd settings
log level = 3
log file = /var/log/samba/log.%m
server string = %U [Samba Server %v]
; Active Directory settings
; dns proxy = yes
workgroup = FOO
security = ADS
realm = FOO.COM
local master = no
domain master = no
preferred master = no
os level = 0
; winbind stuff
winbind separator = +
winbind enum users = yes
idmap uid = 10000-20000
winbind enum groups = yes
idmap gid = 10000-20000
winbind use default domain = yes
password server = dc.foo.com
encrypt passwords = yes

[test]
comment = Samba functionality test directory
path = /home/user/test/
read only = no
browsable = yes
writable = yes
guest ok = yes


krb5.conf
--
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = FOO.COM
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
FOO.COM = {
kdc = dc.foo.com:88
admin_server = dc.foo.com:749
default_domain = foo.com
}

[domain_realm]
.foo.com = FOO.COM
foo.com = FOO.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


nsswitch.conf
--
...
passwd: files winbind
shadow: files
group: files winbind
host: files dns winbind



"If you always do what you've always done, you will always be where you've always been."
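The three files posted above only work together when they agree with each other: security = ADS, the same realm (upper case) in smb.conf and krb5.conf, a reachable KDC for that realm, and winbind listed for both passwd and group in nsswitch.conf. As an added example (a consistency check written for this thread, not a tool from Samba or from the poster), this POSIX sh script parses constructed excerpts of the three files and reports every mismatch. The excerpts are sample input and deliberately carry two faults of the kind discussed above: a lower-case realm in smb.conf and winbind missing from the group line.

```shell
#!/bin/sh
# Constructed excerpts standing in for the three files posted above; the
# values are sample input and deliberately carry two of the mismatches the
# thread is chasing (realm case, winbind missing from one nsswitch database).
SMB_CONF='[global]
; smbd settings
workgroup = FOO
security = ADS
realm = foo.com
winbind separator = +
winbind use default domain = yes
password server = dc.foo.com
[test]
path = /home/user/test/'

KRB5_CONF='[libdefaults]
default_realm = FOO.COM
dns_lookup_kdc = true
[realms]
FOO.COM = {
kdc = dc.foo.com:88
}'

NSSWITCH='passwd: files winbind
shadow: files
group: files
host: files dns winbind'

# ini_get TEXT SECTION KEY: value of KEY inside [SECTION] (case-insensitive,
# ';' and '#' comment lines ignored); prints nothing when absent.
ini_get() {
    printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*[[]/ { s = $0; sub(/^[ \t]*[[]/, "", s); sub(/].*/, "", s)
                       insec = (tolower(s) == tolower(sec)); next }
        insec {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) != tolower(key)) next
            v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }'
}

# realm_kdc TEXT REALM: the "kdc =" value inside REALM's block under [realms].
realm_kdc() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        /^[ \t]*[[]/ { insec = ($0 ~ /^[ \t]*[[]realms]/); inrealm = 0; next }
        insec && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && /^[ \t]*}/ { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" { print $3; exit }'
}

# nss_has_winbind TEXT DATABASE: succeeds when DATABASE's line lists winbind.
nss_has_winbind() {
    printf '%s\n' "$1" | awk -v key="$2:" '
        $1 == key { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }'
}

# check_ads_config SMB KRB5 NSS: reports each inconsistency on stderr and
# prints the number found on stdout (0 means the three files agree).
check_ads_config() {
    problems=0
    note() { echo "$1" >&2; problems=$((problems + 1)); }
    sec=$(ini_get "$1" global security | tr 'a-z' 'A-Z')
    [ "$sec" = ADS ] || note "security = '$sec', expected ADS for an AD member"
    realm=$(ini_get "$1" global realm)
    krb_realm=$(ini_get "$2" libdefaults default_realm)
    [ "$realm" = "$krb_realm" ] || note "smb.conf realm '$realm' differs from krb5.conf default_realm '$krb_realm'"
    [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] || note "realm '$realm' is not upper case; realm names are case-sensitive"
    [ -n "$(realm_kdc "$2" "$krb_realm")" ] || [ "$(ini_get "$2" libdefaults dns_lookup_kdc)" = true ] \
        || note "no kdc entry for $krb_realm and dns_lookup_kdc is not true"
    for db in passwd group; do
        nss_has_winbind "$3" "$db" || note "nsswitch.conf: '$db' does not include winbind"
    done
    echo "$problems"
}

check_ads_config "$SMB_CONF" "$KRB5_CONF" "$NSSWITCH"
```

On the constructed input it prints three findings (realm mismatch, realm case, group without winbind) and the count 3; correct the two faults and it prints 0. To use it on a real host, replace the three embedded strings with `$(cat /etc/samba/smb.conf)` and so on.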
 
W2K does create the kerberos and ldap srv records if your DNS supports them [W2K dns does]. One issue can be that if a kerberos packet is over 2K bytes it uses UDP instead of TCP. Some unix kerberos packages don't like that. This behavior can be changed through a registry entry.

In certain migration scenarios [read: in-place upgrade] the administrator account won't have a DES key. This is why you can have issues if you use the admin account to join. You change the password to generate a DES key. In other scenarios, the krbtgt is missing a DES key. You change the krbtgt account password to generate one, but only try this once in a ticket lifetime or you'll invalidate all your tickets.

I don't think that's the problem here because we're not seeing failures logged on the KDC. It looks like an issue finding/connecting to the kdc.



 
The administrator account has not been used to join the Unix box to the domain; I created another account for this Unix box which is a member of the Account Operators group, which has permissions to join a machine to the domain.
 
A trace, filtered for just the kerberos packets, would really help here.
 
Can you tell me how to do that? I'm not very Unix literate.
 
Do it from the windows workstation and Windows KDC server using netmon. Take both traces at the same time and filter for 88 udp and 88 tcp.
 
I'm trying to connect to the Unix box from the KDC as my AD domain only consists of the domain controllers and 2 Unix boxes, so do I just need to run one trace on the KDC?
 