This is a discussion on Re: [Samba] security = ADS within the Samba forums, part of the Networking and Network Related category.

Here are my conf files

----------------------------------------SMB.conf----------------------
#======================= Global Settings =======================

[global]

   netbios name = smbserver_name
   realm = MYREALM.NET
   workgroup = mydomain
   server string = %h server (Samba %v)
   password server = addc01.MYREALM.NET
   security = ADS

   wins support = yes
   include = /etc/samba/dhcp.conf
   dns proxy = no
   name resolve order = lmhosts host wins bcast

#### Debugging/Accounting ####
   log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######
   encrypt passwords = yes
   passdb backend = tdbsam guest
   obey pam restrictions = yes
   guest account = guest
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = yes
   writable = yes
   preserver case = yes
   short preserve case = yes

[public]
   comment = Software and tool downloads
   browseable = yes
   path = /usr/share/public
   writable = no
   public = yes
   writable = no
   create mask = 0700
   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
===============================

------------------------------krb5.conf--------------------------
==========================================
[logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
 default_realm = MYREALM.NET

[relams]
 MYREALM.NET = {
  kdc = addc01.MYREALM.NET
 }

[domain_realms]
 .addc01.myrealm.net = MYREALM.NET
==========================================

These are the only files that I have edited to get to this point. I really appreciate your help.

----- Original Message -----
From: Tom Skeren
To: Rashaad S. Hyndman
Sent: Thursday, July 22, 2004 7:25 PM
Subject: Re: [Samba] security = ADS

Rashaad S. Hyndman wrote:

That seems to be an interesting concept but does work in this case for some reason. Here is what I did:

C:\Documents and Settings\rshyndman>net use * \\10.55.222.82\public\
System error 67 has occurred.

The network name cannot be found.

Try right clicking on My Computer and use map-network-drive function.

C:\Documents and Settings\rshyndman>ping 10.55.222.82

Pinging 10.55.222.82 with 32 bytes of data:

Reply from 10.55.222.82: bytes=32 time<10ms TTL=64
Reply from 10.55.222.82: bytes=32 time<10ms TTL=64

Interesting thing here is that it says name not found but I can ping both by name and IP.

You think mapping name to IP in the hosts file will help? Hmmm :-(

----- Original Message -----
From: "Tom Skeren" <tms3@fskklaw.com>
To: "Rashaad S. Hyndman" <IslandBwoy@ToughGuy.net>
Cc: <samba@lists.samba.org>
Sent: Thursday, July 22, 2004 4:07 PM
Subject: Re: [Samba] security = ADS

Yes I've seen this behavior a LOT. I've replied to it. For some reason, the Samba when joined to ads needs to be contacted for shares by IP addy. The XP shares then authenticate properly. Try \\ipaddy-samba-server\share-name. If you connect, do a netstat -an on the samba server. You'll see the XP box connected to port 445. I suspect that in an ads environment, the XP boxes default to connecting to shares on 445. I suspect smbd, or nmbd are mishandling this when netbios names are used.

Rashaad S. Hyndman wrote:

Hi all,

I've been fighting with joining my samba server (debian) to my active directory domain for 4 days now. The problem here is that users in my active directory domain on windows machines are not able to browse my samba shares without being prompted for authentication.

I can:
- Join the domain from samba server using net ads
- View list of tickets when browsing window shares with klist
- list window shares without being prompted with "smbclient -k -L <windows_servername>"

I can NOT:
- use "net use * \\<smb_servername>\share" from window based machine. (this results in "The password or user name is invalid for \\delshare\public" (delshare being my samba server name))

I have no clue what to do from here. I've looked over my smb.conf file 20 times, likewise my krb5.conf file. Any suggestions would be greatly appreciated. I've run out of tests.

R.

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
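
An added example, not part of the original thread and not code from Samba or MIT Kerberos: a check of krb5.conf section headers against the section names MIT Kerberos documents, run over the krb5.conf posted above (laid out one setting per line as a constructed sample). The names `lint_krb5_sections` and `KNOWN_SECTIONS` are assumptions made for this example.

```python
import difflib
import re

# Top-level section names documented for MIT krb5.conf / kdc.conf.
KNOWN_SECTIONS = {
    "libdefaults", "realms", "domain_realm", "capaths", "appdefaults",
    "plugins", "logging", "kdcdefaults", "dbdefaults", "dbmodules",
}

# Constructed sample: the krb5.conf from the post, one setting per line.
POSTED_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
 default_realm = MYREALM.NET

[relams]
 MYREALM.NET = {
  kdc = addc01.MYREALM.NET
 }

[domain_realms]
 .addc01.myrealm.net = MYREALM.NET
"""

# A header is a line holding only "[name]"; "REALM = {" lines do not match.
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

def lint_krb5_sections(text):
    """Return (line_no, name, suggestion) for each unrecognised section header."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SECTION_RE.match(line)
        if not m:
            continue
        name = m.group(1).strip()
        if name not in KNOWN_SECTIONS:
            # Offer the closest documented name, if any is similar enough.
            close = difflib.get_close_matches(name, sorted(KNOWN_SECTIONS), n=1)
            findings.append((line_no, name, close[0] if close else None))
    return findings

if __name__ == "__main__":
    for line_no, name, hint in lint_krb5_sections(POSTED_KRB5_CONF):
        print(f"line {line_no}: unknown section [{name}], closest known: {hint}")
```

For smb.conf, Samba's own `testparm` utility reports parameters it does not recognize.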