
Win 2003 AD and Samba 3.0.2


ManicAJK

IS-IT--Management
Jan 12, 2004
I am in the middle of implementing a windows 2003 active directory domain. The windows side of it is going fine but we are struggling to get samba working with the new domain properly.
I have 4 AD domain controllers all running integrated DNS and WINS. We joined one of our test Unix boxes running true64 and samba 3.0.2 to the new domain with no problems at all and set its host domain to be that of the new domain. I can ping the unix box with no trouble as well as perform reverse lookups on its IP address.
The problem is that I can browse to the unix server and access the samba shares fine if I use \\xxx.xxx.xxx.xxx, but if I try and browse to the machine using \\servername format I get numerous errors. If browsing via windows explorer I get prompted for a username and password and no matter what combination I use nothing works. If browsing via a net view command from the command prompt I get a system error 5 access is denied message.
The new win2k3 domain has a 2 way trust to our present live NT4 domain and any client on the NT4 domain has no trouble in browsing to the machine via \\servername or \\xxx.xxx.xxx.xxx.
The unix machine has joined the win2k3 domain with no trouble as I can see the machine account in the AD admin tool. I am out of ideas, can anybody help????
 
In that case, just one trace. We should be able to see the flow of requests and tickets, then we can figure out if there is a problem locating the correct KDC. If it gets to the KDC, then we can see if there are any problems with the tickets.

 
dam, I have not installed the monitoring tools off the win2k3 cd and as I am at home I cannot put the cd into the server's cdrom drive. I'll do it first thing tomorrow morning!
 
haha luckily just found a cd in another cd so copying it over now
 
Network Monitor trace Thu 01/15/04 20:09:58 Captur 1.txt

**********************************************************************************************************************************************
Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr
32 0.890625 00508BAED657 LOCAL UDP Src Port: Unknown (1077); Dst Port: Kerberos (88); Length = 163 (0xA3) bernie - IP IMSERV-DC1-SC IP

+ FRAME: Base frame properties
+ ETHERNET: EType = Internet IP (IPv4)
+ IP: Protocol = UDP - User Datagram; Packet ID = 34417; Total IP Length = 183; Options = No Options
+ UDP: Src Port: Unknown (1077); Dst Port: Kerberos (88); Length = 163 (0xA3)

00000: 00 0B DB 93 39 EA 00 50 8B AE D6 57 08 00 45 00 ..Û?9ê.P?®ÖW..E.
00010: 00 B7 86 71 40 00 80 11 A6 EC AC 13 3A 75 AC 13 .·?q@.?.¦ì¬.:u¬.
00020: 3A 3C 04 35 00 58 00 A3 C8 A3 6A 81 98 30 81 95 :<.5.X.£È£j?0?
00030: A1 03 02 01 05 A2 03 02 01 0A A4 81 88 30 81 85 ¡....¢....¤?0?
00040: A0 07 03 05 00 50 00 00 10 A1 14 30 12 A0 03 02  ....P...¡.0. ..

**********************************************************************************************************************************************
Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr
46 0.890625 00508BAED657 LOCAL UDP Src Port: Unknown (1084); Dst Port: Kerberos (88); Length = 245 (0xF5) bernie - IP IMSERV-DC1-SC IP

+ FRAME: Base frame properties
+ ETHERNET: EType = Internet IP (IPv4)
+ IP: Protocol = UDP - User Datagram; Packet ID = 34424; Total IP Length = 265; Options = No Options
+ UDP: Src Port: Unknown (1084); Dst Port: Kerberos (88); Length = 245 (0xF5)

00000: 00 0B DB 93 39 EA 00 50 8B AE D6 57 08 00 45 00 ..Û?9ê.P?®ÖW..E.
00010: 01 09 86 78 40 00 80 11 A6 93 AC 13 3A 75 AC 13 ..?x@.?.¦?¬.:u¬.
00020: 3A 3C 04 3C 00 58 00 F5 C4 6F 6A 81 EA 30 81 E7 :<.<.X.õÄojê0ç
00030: A1 03 02 01 05 A2 03 02 01 0A A3 50 30 4E 30 4C ¡....¢....£P0N0L
00040: A1 03 02 01 02 A2 45 04 43 30 41 A0 03 02 01 03 ¡....¢E.C0A ....

************************************************************************************************************************************************
Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr
60 0.906250 00508BAED657 LOCAL UDP Src Port: Unknown (1091); Dst Port: Kerberos (88); Length = 1223 (0x4C7) bernie - IP IMSERV-DC1-SC IP

+ FRAME: Base frame properties
+ ETHERNET: EType = Internet IP (IPv4)
+ IP: Protocol = UDP - User Datagram; Packet ID = 34431; Total IP Length = 1243; Options = No Options
+ UDP: Src Port: Unknown (1091); Dst Port: Kerberos (88); Length = 1223 (0x4C7)

00000: 00 0B DB 93 39 EA 00 50 8B AE D6 57 08 00 45 00 ..Û?9ê.P?®ÖW..E.
00010: 04 DB 86 7F 40 00 80 11 A2 BA AC 13 3A 75 AC 13 .Û?@.?.¢º¬.:u¬.
00020: 3A 3C 04 43 00 58 04 C7 5E BC 6C 82 04 BB 30 82 :<.C.X.Ç^¼l?.»0?
00030: 04 B7 A1 03 02 01 05 A2 03 02 01 0C A3 82 04 48 .·¡....¢....£?.H
00040: 30 82 04 44 30 82 04 40 A1 03 02 01 01 A2 82 04 0?.D0?.@¡....¢?.

 
There appears to be nothing from TCP port 88, only UDP 88.
 
Does the above trace not show that the unix box is getting to the KDC, even if it is via UDP? Else surely it wouldn't show up in the trace log.
 
I never see a response from bernie, so the assumption is it never gets it.
 
Bernie is the unix box, so do you mean you never see a response from IMSERV-DC1-SC?
 
My fault, I must have filtered too much traffic; there are return packets, as seen below.



Network Monitor trace Thu 01/15/04 22:09:49 bernie.txt

*************************************************************************************************************************
Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr
221 4.437500 Bernie Mac LOCAL UDP Src Port: Unknown (1779); Dst Port: Kerberos (88) 172.19.58.117 IMSERV-DC1-SC IP

+ FRAME: Base frame properties
+ ETHERNET: EType = Internet IP (IPv4)
+ IP: Protocol = UDP - User Datagram; Packet ID = 51845; Total IP Length = 183; Options = No Options
+ UDP: Src Port: Unknown (1779); Dst Port: Kerberos (88); Length = 163 (0xA3)

00000: 00 0B DB 93 39 EA 00 50 8B AE D6 57 08 00 45 00 ..Û?9ê.P?®ÖW..E.
00010: 00 B7 CA 85 40 00 80 11 62 D8 AC 13 3A 75 AC 13 .·Ê?@.?.bج.:u¬.
00020: 3A 3C 06 F3 00 58 00 A3 B8 AF 6A 81 98 30 81 95 :<.ó.X.£¸¯j?0?
00030: A1 03 02 01 05 A2 03 02 01 0A A4 81 88 30 81 85 ¡....¢....¤?0?
00040: A0 07 03 05 00 50 00 00 10 A1 14 30 12 A0 03 02  ....P...¡.0. ..

************************************************************************************************************************
Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr
222 4.437500 LOCAL Bernie Mac UDP Src Port: Kerberos (88); Dst Port: Unknown (1779) IMSERV-DC1-SC 172.19.58.117

+ FRAME: Base frame properties
+ ETHERNET: EType = Internet IP (IPv4)
+ IP: Protocol = UDP - User Datagram; Packet ID = 3042; Total IP Length = 209; Options = No Options
+ UDP: Src Port: Kerberos (88); Dst Port: Unknown (1779); Length = 189 (0xBD)

00000: 00 50 8B AE D6 57 00 0B DB 93 39 EA 08 00 45 00 .P?®ÖW..Û?9ê..E.
00010: 00 D1 0B E2 00 00 80 11 00 00 AC 13 3A 3C AC 13 .Ñ.â..?...¬.:<¬.
00020: 3A 75 00 58 06 F3 00 BD 00 51 7E 81 B2 30 81 AF :u.X.ó.½.Q~²0¯
00030: A0 03 02 01 05 A1 03 02 01 1E A4 11 18 0F 32 30  ....¡....¤...20
00040: 30 34 30 31 31 35 32 31 31 35 33 35 5A A5 05 02 040115211535Z¥..

*************************************************************************************************************************
Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr
235 4.453125 Bernie Mac LOCAL UDP Src Port: Unknown (1786); Dst Port: Kerberos (88) 172.19.58.117 IMSERV-DC1-SC IP

+ FRAME: Base frame properties
+ ETHERNET: EType = Internet IP (IPv4)
+ IP: Protocol = UDP - User Datagram; Packet ID = 51852; Total IP Length = 265; Options = No Options
+ UDP: Src Port: Unknown (1786); Dst Port: Kerberos (88); Length = 245 (0xF5)

00000: 00 0B DB 93 39 EA 00 50 8B AE D6 57 08 00 45 00 ..Û?9ê.P?®ÖW..E.
00010: 01 09 CA 8C 40 00 80 11 62 7F AC 13 3A 75 AC 13 ..Ê?@.?.b¬.:u¬.
00020: 3A 3C 06 FA 00 58 00 F5 0D BF 6A 81 EA 30 81 E7 :<.ú.X.õ.¿jê0ç
00030: A1 03 02 01 05 A2 03 02 01 0A A3 50 30 4E 30 4C ¡....¢....£P0N0L
00040: A1 03 02 01 02 A2 45 04 43 30 41 A0 03 02 01 03 ¡....¢E.C0A ....

************************************************************************************************************************
Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr
236 4.453125 LOCAL Bernie Mac UDP Src Port: Kerberos (88); Dst Port: Unknown (1786) IMSERV-DC1-SC 172.19.58.117

+ FRAME: Base frame properties
+ ETHERNET: EType = Internet IP (IPv4)
+ IP: Protocol = UDP - User Datagram; Packet ID = 3049; Total IP Length = 1306; Options = No Options
+ UDP: Src Port: Kerberos (88); Dst Port: Unknown (1786); Length = 1286 (0x506)

00000: 00 50 8B AE D6 57 00 0B DB 93 39 EA 08 00 45 00 .P?®ÖW..Û?9ê..E.
00010: 05 1A 0B E9 00 00 80 11 00 00 AC 13 3A 3C AC 13 ...é..?...¬.:<¬.
00020: 3A 75 00 58 06 FA 05 06 86 DE 6B 82 04 FA 30 82 :u.X.ú..?Þk?.ú0?
00030: 04 F6 A0 03 02 01 05 A1 03 02 01 0B A2 2E 30 2C .ö ....¡....¢.0,
00040: 30 2A A1 03 02 01 03 A2 23 04 21 49 4D 2D 53 45 0*¡....¢#.!IM-SE

*************************************************************************************************************************
Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr
250 4.453125 Bernie Mac LOCAL UDP Src Port: Unknown (1793); Dst Port: Kerberos (88) 172.19.58.117 IMSERV-DC1-SC IP

+ FRAME: Base frame properties
+ ETHERNET: EType = Internet IP (IPv4)
+ IP: Protocol = UDP - User Datagram; Packet ID = 51859; Total IP Length = 1243; Options = No Options
+ UDP: Src Port: Unknown (1793); Dst Port: Kerberos (88); Length = 1223 (0x4C7)

00000: 00 0B DB 93 39 EA 00 50 8B AE D6 57 08 00 45 00 ..Û?9ê.P?®ÖW..E.
00010: 04 DB CA 93 40 00 80 11 5E A6 AC 13 3A 75 AC 13 .ÛÊ?@.?.^¦¬.:u¬.
00020: 3A 3C 07 01 00 58 04 C7 B7 13 6C 82 04 BB 30 82 :<...X.Ç·.l?.»0?
00030: 04 B7 A1 03 02 01 05 A2 03 02 01 0C A3 82 04 48 .·¡....¢....£?.H
00040: 30 82 04 44 30 82 04 40 A1 03 02 01 01 A2 82 04 0?.D0?.@¡....¢?.

************************************************************************************************************************
Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr
251 4.453125 LOCAL Bernie Mac UDP Src Port: Kerberos (88); Dst Port: Unknown (1793) IMSERV-DC1-SC 172.19.58.117

+ FRAME: Base frame properties
+ ETHERNET: EType = Internet IP (IPv4)
+ IP: Protocol = UDP - User Datagram; Packet ID = 3056; Total IP Length = 1238; Options = No Options
+ UDP: Src Port: Kerberos (88); Dst Port: Unknown (1793); Length = 1218 (0x4C2)

00000: 00 50 8B AE D6 57 00 0B DB 93 39 EA 08 00 45 00 .P?®ÖW..Û?9ê..E.
00010: 04 D6 0B F0 00 00 80 11 00 00 AC 13 3A 3C AC 13 .Ö.ð..?...¬.:<¬.
00020: 3A 75 00 58 07 01 04 C2 4F EC 6D 82 04 B6 30 82 :u.X...ÂOìm?.¶0?
00030: 04 B2 A0 03 02 01 05 A1 03 02 01 0D A3 0D 1B 0B .² ....¡....£...
00040: 49 4D 2D 53 45 52 56 2E 43 4F 4D A4 14 30 12 A0 IM-SERV.COM¤.0. 
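A small decoder for the kind of trace pasted above, added here as an example (it is not from this thread or from Network Monitor): it rebuilds each frame from the hex-dump lines, reads the Kerberos message type from the ASN.1 [APPLICATION n] tag that opens the UDP/88 payload (cross-checked against the inner msg-type INTEGER), and pairs each request with its reply by client port, which is the check behind the "I never see a response" question. The KRB-ERROR answering the first AS-REQ is the normal reply when the KDC requires pre-authentication; the second AS-REQ (frame 235) carries pre-authentication data, which matches the "Pre-Authentication Type: 2" audit event quoted later in the thread. It assumes Ethernet II/IPv4 frames as in these dumps and needs only the first four hex lines of each frame.

```python
import re

# Kerberos message types (RFC 4120), keyed by the ASN.1 [APPLICATION n] tag byte that opens each PDU
KRB_MSG = {0x6A: "AS-REQ", 0x6B: "AS-REP", 0x6C: "TGS-REQ", 0x6D: "TGS-REP", 0x7E: "KRB-ERROR"}
HEX_LINE = re.compile(r"^[0-9A-F]{5}: ((?:[0-9A-F]{2} ){15}[0-9A-F]{2})")

def frame_bytes(dump):
    """Rebuild the raw frame from Network Monitor hex-dump lines (offset and ASCII columns are dropped)."""
    matches = (HEX_LINE.match(line.strip()) for line in dump.splitlines())
    return b"".join(bytes.fromhex(m.group(1)) for m in matches if m)

def der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index of the first content byte)."""
    n = 0 if buf[i] < 0x80 else buf[i] & 0x7F
    return (buf[i] if n == 0 else int.from_bytes(buf[i + 1:i + 1 + n], "big")), i + 1 + n

def classify(frame):
    """(src_port, dst_port, message name) for an IPv4/UDP frame on port 88, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 0x11:      # EtherType IPv4, IP protocol UDP
        return None
    udp = 14 + (frame[14] & 0x0F) * 4                          # Ethernet header + IHL * 4
    sport, dport = (int.from_bytes(frame[udp + k:udp + k + 2], "big") for k in (0, 2))
    if 88 not in (sport, dport):
        return None
    p = frame[udp + 8:]                                        # Kerberos PDU follows the 8-byte UDP header
    if p[0] not in KRB_MSG:
        return sport, dport, "not-kerberos"
    # [APPLICATION n] { SEQUENCE { [a] INTEGER pvno, [a+1] INTEGER msg-type, ... } }: msg-type must equal n
    _, seq = der_len(p, 1)
    _, elem = der_len(p, seq + 1)
    ok = p[elem + 4] == 5 and p[elem + 9] == (p[0] & 0x1F)
    return sport, dport, KRB_MSG[p[0]] if ok else "malformed"

def unanswered(flow):
    """From [(frame_no, sport, dport, name)], list requests whose client port never got a reply from 88."""
    answered = {dport for _, sport, dport, _ in flow if sport == 88}
    return [no for no, sport, dport, _ in flow if dport == 88 and sport not in answered]

# Sample input: the first four hex-dump lines of bernie.txt frames 221 and 222, copied from the thread
FRAMES = {
    221: """00000: 00 0B DB 93 39 EA 00 50 8B AE D6 57 08 00 45 00
            00010: 00 B7 CA 85 40 00 80 11 62 D8 AC 13 3A 75 AC 13
            00020: 3A 3C 06 F3 00 58 00 A3 B8 AF 6A 81 98 30 81 95
            00030: A1 03 02 01 05 A2 03 02 01 0A A4 81 88 30 81 85""",
    222: """00000: 00 50 8B AE D6 57 00 0B DB 93 39 EA 08 00 45 00
            00010: 00 D1 0B E2 00 00 80 11 00 00 AC 13 3A 3C AC 13
            00020: 3A 75 00 58 06 F3 00 BD 00 51 7E 81 B2 30 81 AF
            00030: A0 03 02 01 05 A1 03 02 01 1E A4 11 18 0F 32 30""",
}
```

Calling classify(frame_bytes(...)) on each frame and unanswered(...) on the resulting list shows frame 221 (AS-REQ) answered by frame 222 (KRB-ERROR); applied to all six bernie.txt frames, the tag bytes 6A, 7E, 6A, 6B, 6C, 6D decode as AS-REQ, KRB-ERROR, AS-REQ, AS-REP, TGS-REQ, TGS-REP, i.e. a complete ticket exchange.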
 
Try installing the kerberos parser so we can see the contents.

We are getting responses, so we should see something in the logs on IMSERV-DC1-SC. Try changing your audit policy to log both successes and failures.

Just out of curiosity, are the clocks on the two boxes in sync?

 
Where do I get the kerberos parser from? Is it with the win2k3 support tools, or do I have to download it from somewhere?
 
I have these in the security log, which correspond to the time the trace was taken:


Authentication Ticket Request:
User Name: bernie$
Supplied Realm Name: IM-SERV.COM
User ID: IM-SERV\bernie$
Service Name: krbtgt
Service ID: IM-SERV\krbtgt
Ticket Options: 0x50000010
Result Code: -
Ticket Encryption Type: 0x3
Pre-Authentication Type: 2
Client Address: 172.19.58.117
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:


Service Ticket Request:
User Name: BERNIE$@IM-SERV.COM
User Domain: IM-SERV.COM
Service Name: IMSERV-DC1-SC$
Service ID: IM-SERV\IMSERV-DC1-SC$
Ticket Options: 0x50800000
Ticket Encryption Type: 0x17
Client Address: 172.19.58.117
Failure Code: -
Logon GUID: {bbf3b006-893b-774a-c1aa-4e0b840dbf27}
Transited Services: -



Special privileges assigned to new logon:
User Name: bernie$
Domain: IM-SERV
Logon ID: (0x0,0x32544B)
Privileges: SeChangeNotifyPrivilege

I can see no security failures listed in the log and I am showing successes, failures, error, warning and information.
 
Clocks are indeed in sync, within 5 minutes of each other as required.
 
hmmm, that's a problem, we don't own a copy of SMS. I have read a few articles that said microsoft released a kerberos parser dll for netmon with the windows 2003 resource kit, but I have installed the kit and it makes no reference to a kerberos parser dll at all, and even the microsoft support website comes back with no results.
 
I have also noticed that when I do a wbinfo -N bernie, the winbindd service crashes; not sure whether this is related or not.
 
That command would query the WINS Server for the IP address of bernie.
Are you using a WINS Server? Only one can be used on the Network (according to the Samba docs).

wins server = xxx.xxx.xxx.xxx

Or if you do not have a WINS Server, let Samba do it.

wins support = yes



"If you always do what you've always done, you will always be where you've always been."
 
Yes, we have an active wins service running on the domain controller, and Bernie is set to point to this machine for WINS lookups as in the statement you have suggested.
 
I believe it's called krbparser.dll and you install it just like any other netmon parser.

It actually looks like you get a ticket, I just wanted to see the flow, and check the preauthentication method.

What does your ldap.conf look like?

 