  1. #1

    Samba issues when joining 2003 ADS

    Greetings to all that have trod the way of Samba,

    I’m having some particular problems implementing Samba to work with Server 2003 ADS. I’ve “googled” my way around and read a number of discussion threads without finding any answers.

    Before I describe the particular problem, I would like to say that it is possible to get Samba server to join an AD 2003 directory and to actually work as a file server allowing AD users to have proper authentication. You will find the configuration files below.

    Our goal was to implement a single 2003 AD server and have users from 10 subnets use it as a central point of authentication (subnets are involved with different physical locations). The file sharing issue was going to be solved by implementing a Samba server at each of the 10 subnets. One of the subnets contains the actual Server 2003 running AD. I have managed to implement a single Samba server on the same subnet as the 2003 AD server. Each user now has a roaming profile that is stored on the Samba server.

    My problem is that Samba loses the connection to AD when put on a different subnet than the one the AD 2003 server is based on. I am able to ‘net ads join’ to 2003 AD, but as soon as a user that has a roaming profile logs into AD, the connection with the Samba server drops. I can confirm that fact by issuing the command ‘net ads info’ and getting the response “Didn’t find the ldap server!” instead of the usual:

    LDAP server:
    LDAP server name: ops-server2003
    Realm: RHB.LOCAL
    Bind Path: dc=RHB,dc=LOCAL
    LDAP port: 389
    Server time: Tue, 24 May 2005 16:59:17 GMT
    KDC server:
    Server time offset: 1
    There are also errors in the System log on Server 2003 that indicate that the server had trouble authenticating itself:

    While processing a TGS request for the target server host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 16.  The accounts available etypes were 23  -133  -128  3  1.
    I’m able to rejoin the AD by running the commands ‘kdestroy’ and ‘kinit’. It seems to take about 2 minutes to join the domain, after which it prints the message:

    [2005/05/24 17:02:37, 0] libads/ldap.c:ads_add_machine_acct(1368)
      ads_add_machine_acct: Host account for uni-samba already exists - modifying old account
    Using short domain name -- RHB
    Joined 'UNI-SAMBA' to realm 'RHB.LOCAL'
    At this time the System logs on 2003 AD are filled with the KDC error mentioned above.

    I’m in no way an expert in Samba nor Linux. Something is telling me that there is an issue with Kerberos and possibly the fact that we are dealing with a subnet. The funny part is that everything works great on the same subnet that 2003 AD is on (Samba, Kerberos, AD ..).

    Has anyone experienced this similar occurrence while trying to implement Samba servers for file storage and roaming profiles using Server 2003 AD? I will be glad if someone can have some input in this matter.

    Thank you,

    ********************************************************************
    [Configuration files and versions]

    Linux uni-samba 2.6.11-1.14_FC3 #1 Thu Apr 7 19:23:49 EDT 2005 i686 i686 i386 GNU/Linux

    # rpm -qa | grep samba
    # rpm -qa | grep krb5
    ********************************************************************

    [Samba smb.conf file]

    # testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section "[home]"
    Processing section "[readonly]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    # Global parameters
    [global]
            workgroup = RHB
            realm = RHB.LOCAL
            server string = University Samba Server
            security = ADS
            password server = ops-server2003.rhb.local
            log file = /var/log/samba/%m.log
            max log size = 50
            socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
            idmap uid = 16777216-33554431
            idmap gid = 16777216-33554431
            profile acls = Yes
            cups options = raw

    [home]
            comment = Samba Home
            path = /home
            read only = No
            guest ok = Yes

    [readonly]
            comment = Read-Only Directory
            path = /home/readonly
            guest ok = Yes
    ********************************************************************

    [Kerberos krb5.conf file]

     # vim /etc/krb5.conf
     [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

     [libdefaults]
      default_realm = RHB.LOCAL
      dns_lookup_realm = false
      dns_lookup_kdc = false

     [realms]
      RHB.LOCAL = {
       kdc = ops-server2003.rhb.local:88
       admin_server = ops-server2003.rhb.local:749
       default_domain = rhb.local
      }

     [domain_realm]
      .rhb.local = RHB.LOCAL
      rhb.local = RHB.LOCAL

     [kdc]
      profile = /var/kerberos/krb5kdc/kdc.conf

     [appdefaults]
      pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
      }
    ********************************************************************
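    The KDC event quoted in the post is the most concrete clue it contains: the DC says the machine account UNI-SAMBA$ has no key of the encryption type the TGS request asked for. The following is an added example (not code from the thread, and it proposes no fix): it parses that event text, decodes the etype numbers it knows from the IANA Kerberos registry, and reports whether any requested etype is actually present on the account, so a defender scanning DC System logs can spot this class of mismatch before the Samba member drops off the domain. The sample event string is reconstructed from the post; the negative Windows-specific etype values are reported by number only.

```python
import re

# Kerberos encryption-type numbers from the IANA registry (RFC 3961 etypes
# plus RC4-HMAC). Values not listed, such as the negative Microsoft
# pre-standard ones in the post, are reported by number only.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Constructed sample: the Server 2003 System-log message quoted above.
SAMPLE_EVENT = (
    "While processing a TGS request for the target server "
    "host/uni-samba.rhb.local, the account UNI-SAMBA$@RHB.LOCAL did not "
    "have a suitable key for generating a Kerberos ticket (the missing key "
    "has an ID of 8). The requested etypes were 16.  The accounts available "
    "etypes were 23  -133  -128  3  1."
)

_REQ = re.compile(r"requested etypes were\s+([-\d\s]+?)\.")
_AVAIL = re.compile(r"available etypes were\s+([-\d\s]+?)\.")
_PRINC = re.compile(r"the account (\S+) did not have a suitable key")
_TARGET = re.compile(r"target server (\S+),")


def parse_kdc_event(text):
    """Extract account, target SPN and both etype lists from the event text."""
    req, avail = _REQ.search(text), _AVAIL.search(text)
    if not (req and avail):
        raise ValueError("not a 'no suitable key' KDC event")
    princ, target = _PRINC.search(text), _TARGET.search(text)
    return {
        "account": princ.group(1) if princ else None,
        "target": target.group(1) if target else None,
        "requested": [int(n) for n in req.group(1).split()],
        "available": [int(n) for n in avail.group(1).split()],
    }


def etype_name(n):
    return ETYPE_NAMES.get(n, f"etype {n}")


def diagnose(text):
    """Return (ok, message); ok is False when no requested etype has a key."""
    ev = parse_kdc_event(text)
    usable = [e for e in ev["requested"] if e in ev["available"]]
    if usable:
        return True, "usable key present: " + ", ".join(map(etype_name, usable))
    return False, (f"{ev['account']} has no key for "
                   f"{', '.join(map(etype_name, ev['requested']))} "
                   f"(requested for {ev['target']}); account keys: "
                   f"{', '.join(map(etype_name, ev['available']))}")
```

    Run over the sample, it reports that the request was for des3-cbc-sha1 while the account only holds rc4-hmac and DES keys, which is the mismatch the post describes.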

  2. #2

    I faced some problems while joining ADS in Kerberos, and I changed the following entry in /etc/krb5.conf to the IP address of the admin server.

    It was working; please check the same once.

    admin_server = ipaddress:749

  3. #3
    Thank you for the suggestion, but I dropped the idea of Fedora Core 3 after weeks of trying to solve this problem. I solved it by going to Enterprise edition of Red Hat.

  5. #4

    Have you configured the Win2k3 ADS with Samba 3 as a file server?

    Are you able to map home and tmp folders automatically for domain users?

    Please revert.

  6. #5
    Quote Originally Posted by daneek
    Thank you for the suggestion, but I dropped the idea of Fedora Core 3 after weeks of trying to solve this problem. I solved it by going to Enterprise edition of Red Hat.
    Yeah, me too.

  7. #6
    Using RHEL 4 WS, I was able to use the same settings listed above and configured Samba 3 as a file server to store remote profiles from all the users using AD. So far it has been working fine (over 5 months now). I'm running about 10 Samba servers for about 100 users. This is the most economical way of file sharing.

