05-27-2005, #1 (Just Joined!; Join Date: May 2005; Posts: 3)
Samba issues when joining 2003 ADS
Greetings to all that have trod the way of Samba,
I’m having some particular problems implementing Samba to work with Server 2003 ADS. I’ve “googled” my way around and read a number of discussion threads without finding any answers.
Before I describe the particular problem, I would like to say that it is possible to get a Samba server to join an AD 2003 directory and to actually work as a file server allowing AD users to have proper authentication. You will find the configuration files below.
Our goal was to implement a single 2003 AD server and have users from 10 subnets use it as a central point of authentication (subnets are involved with different physical locations). The file sharing issue was going to be solved by implementing a Samba server at each of the 10 subnets. One of the subnets contains the actual Server 2003 running AD. I have managed to implement a single Samba server on the same subnet as the 2003 AD server. Each user now has a roaming profile that is stored on the Samba server.
My problem is that Samba loses the connection to AD when put on a different subnet than the one the AD 2003 server is based on. I am able to ‘net ads join’ to 2003 AD, but as soon as a user that has a roaming profile logs into AD, the connection with the Samba server drops. I can confirm that fact by issuing the command ‘net ads info’ and getting the response “Didn’t find the ldap server!” instead of the usual:
Code:
LDAP server: 192.168.48.158
LDAP server name: ops-server2003
Realm: RHB.LOCAL
Bind Path: dc=RHB,dc=LOCAL
LDAP port: 389
Server time: Tue, 24 May 2005 16:59:17 GMT
KDC server: 192.168.48.158
Server time offset: 1
There are also errors in the System log on Server 2003 that indicate that the server had trouble authenticating itself:
Code:
While processing a TGS request for the target server host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 16. The accounts available etypes were 23 -133 -128 3 1.
I’m able to rejoin the AD by running the commands ‘kdestroy’ and ‘kinit’. It seems to take about 2 minutes to join the domain, after which it prints the message:
Code:
[2005/05/24 17:02:37, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for uni-samba already exists - modifying old account
Using short domain name -- RHB
Joined 'UNI-SAMBA' to realm 'RHB.LOCAL'
At this time the System logs on 2003 AD are filled with the KDC error mentioned above.
I’m in no way an expert in Samba nor Linux. Something is telling me that there is an issue with Kerberos and possibly the fact that we are dealing with a subnet. The funny part is that everything works great on the same subnet that 2003 AD is on (Samba, Kerberos, AD ..).
Has anyone experienced this similar occurrence while trying to implement Samba servers for file storage and roaming profiles using Server 2003 AD? I will be glad if someone can have some input in this matter.
Thank you,
********************************************************************
[Configuration files and versions]
Linux uni-samba 2.6.11-1.14_FC3 #1 Thu Apr 7 19:23:49 EDT 2005 i686 i686 i386 GNU/Linux
kernel-2.6.9-1.667
kernel-2.6.11-1.14_FC3
********************************************************************
Code:
# rpm -qa | grep samba
samba-client-3.0.10-1.fc3
system-config-samba-1.2.28-0.fc3.1
samba-3.0.10-1.fc3
samba-common-3.0.10-1.fc3
# rpm -qa | grep krb5
krb5-devel-1.3.6-5
krb5-auth-dialog-0.2-1
pam_krb5-2.1.2-1
krb5-workstation-1.3.6-5
krb5-libs-1.3.6-5
krb5-server-1.3.6-5
[Samba smb.conf file]
********************************************************************
Code:
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[home]"
Processing section "[readonly]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
	workgroup = RHB
	realm = RHB.LOCAL
	server string = University Samba Server
	security = ADS
	password server = ops-server2003.rhb.local
	log file = /var/log/samba/%m.log
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	profile acls = Yes
	cups options = raw

[home]
	comment = Samba Home
	path = /home
	read only = No
	guest ok = Yes

[readonly]
	comment = Read-Only Directory
	path = /home/readonly
	guest ok = Yes
[Kerberos krb5.conf file]
********************************************************************
Code:
vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = RHB.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 RHB.LOCAL = {
  kdc = ops-server2003.rhb.local:88
  admin_server = ops-server2003.rhb.local:749
  default_domain = rhb.local
 }

[domain_realm]
 .rhb.local = RHB.LOCAL
 rhb.local = RHB.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
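The KDC event quoted in the first post names the enctypes the client asked for and the ones the computer account has keys for, and the failure is that the two sets do not overlap. The POSIX shell diagnostic below is an added example, not code from the post or from Samba: it parses that event text, names the etypes (the positive numbers follow the Kerberos etype registry, the negative ones are Microsoft's private RC4 export variants, an assumed mapping) and reports the overlap; the remedy it prints is the usual krb5.conf [libdefaults] adjustment, not something the thread itself arrived at.

```shell
#!/bin/sh
# Added example (not from the original post): parse the Windows KDC "did not have a
# suitable key" event and check whether the requested and available etypes overlap.

# Etype number to name. Negative values are Microsoft's private RC4 export variants
# (mapping assumed here); the rest follow the Kerberos etype registry.
etype_name() {
    case $1 in
        1) echo des-cbc-crc ;;
        3) echo des-cbc-md5 ;;
        16) echo des3-cbc-sha1 ;;
        17) echo aes128-cts-hmac-sha1-96 ;;
        18) echo aes256-cts-hmac-sha1-96 ;;
        23) echo rc4-hmac ;;
        -128) echo rc4-hmac-exp ;;
        -133) echo rc4-hmac-old-exp ;;
        *) echo "unknown($1)" ;;
    esac
}

# Pull the two number lists out of the event text (one-line form, as quoted in the thread).
requested_etypes() { printf '%s\n' "$1" | sed -n 's/.*The requested etypes were \([-0-9 ]*\)\..*/\1/p'; }
available_etypes() { printf '%s\n' "$1" | sed -n 's/.*available etypes were \([-0-9 ]*\)\..*/\1/p'; }

# Returns 0 when at least one requested etype is available, 1 on a mismatch,
# 2 if the text is not a TGS etype event at all.
diagnose_tgs_event() {
    req=$(requested_etypes "$1"); avail=$(available_etypes "$1")
    [ -n "$req" ] && [ -n "$avail" ] || { echo "not a TGS etype event"; return 2; }
    common=
    for r in $req; do
        for a in $avail; do if [ "$r" = "$a" ]; then common="$common $r"; fi; done
    done
    if [ -n "$common" ]; then echo "ok: usable etypes:$common"; return 0; fi
    printf 'mismatch: client requested'
    for r in $req; do printf ' %s(%s)' "$r" "$(etype_name "$r")"; done
    printf '; account has'
    for a in $avail; do printf ' %s(%s)' "$a" "$(etype_name "$a")"; done
    echo
    echo "hint: limit default_tgs_enctypes/default_tkt_enctypes in krb5.conf [libdefaults] to the account's types"
    return 1
}

# Constructed sample: the event text from the thread, as a single line.
SAMPLE_EVENT='While processing a TGS request for the target server host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 16. The accounts available etypes were 23 -133 -128 3 1.'

# Demo (exit status 1 is the expected mismatch for this sample):
diagnose_tgs_event "$SAMPLE_EVENT" || :
```

On a live member server the same function can be fed the event text exported from the domain controller's System log, or run over a file of such events in a loop.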
10-18-2005, #2 (Just Joined!; Join Date: Oct 2005; Posts: 3)
Hi,
I faced some problems while joining to ADS in Kerberos, and I have changed the following entry in /etc/krb5.conf to the IP address of the admin server.
It was working; please check the same once:
admin_server = ipaddress:749
10-18-2005, #3 (Just Joined!; Join Date: May 2005; Posts: 3)
Thank you for the suggestion, but I dropped the idea of Fedora Core 3 after weeks of trying to solve this problem. I solved it by going to the Enterprise edition of Red Hat.
10-19-2005, #4 (Just Joined!; Join Date: Oct 2005; Posts: 3)
Hi,
Have you configured the win2k3 ADS with Samba 3 as a file server?
Are you able to map home and tmp folders automatically for domain users?
Please revert.
10-19-2005, #5 (Just Joined!; Join Date: Sep 2005; Posts: 44)
Ya, me too.
Originally Posted by daneek
10-19-2005, #6 (Just Joined!; Join Date: May 2005; Posts: 3)
Using RHEL 4 WS, I was able to use the same settings listed above and configured Samba 3 as a file server to store remote profiles from all the users using AD. So far it has been working fine (over 5 months now). I'm running about 10 Samba servers for about 100 users. This is the most economical way of file sharing.
DK