# let's have fun helping me troubleshoot samba!  whee!

## jmahler

Here's the situation - 

Our network is primarily a Windows 2000 / 2003 domain with Active Directory, let's call it OMGHELP.local for now.  It has a whole bunch of Windows 2000 and XP clients all on the latest SP's and patches, and about a dozen servers (mostly 2003, a few 2000).  DNS, WINS, and DHCP all are run on 2003 servers and have run effectively and quite well for a good long time.

I've been experimenting with adding Linux into the network in order to replace file servers and print servers etc, and I'm running into problems with Samba integration.

I have one server in particular that's giving me issues - we'll call it Opiate.

one user (mine - we'll call it mahlerj) from Active Directory can authenticate to it.  No others can, which is a big problem - my user account passes through to the share and can read/write no problems at all, but everyone else on the domain, no matter what their groups are in AD, gets prompted for a user/pass and can't get in.  That's what I need to fix - the authentication.

here's the smb.conf - 

```
[global]
        netbios name = OPIATE
        #socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        winbind enum users = yes
        winbind gid = 10000-20000
        workgroup = OMGHELP
        os level = 20
        winbind enum groups = yes
        password server = *
        preferred master = no
        winbind separator = +
        max log size = 50
        log file = /var/log/samba3/log.%m
        encrypt passwords = yes
        dns proxy = no
        realm = OMGHELP.LOCAL
        security = ads
        use spnego = yes
        client use spnego = yes
        wins server = 10.1.10.19

[backup]
        comment = Backup Area 200G
        writeable = yes
        path = /backup/current
        force user = jeremy
```

Any thoughts would be very very very very very very appreciated.

Seriously.

 :Smile:   Thanks in advance guys - you all rock.

----------

## beandog

Did you fix your nsswitch.conf?

That is the biggest PITA to remember, because it's not a Samba file, and every time you upgrade glibc you usually write over it without thinking about the consequences.

Basically, nsswitch.conf tells it where to resolve addresses and all that hoo ha.

Add "winbind" to passwd: and group: and then "wins" to hosts:

Here's a snippet of mine:

```
passwd:      compat winbind
shadow:      compat
group:       compat winbind
hosts:       files dns wins
networks:    files dns
```

----------

## jmahler

Okay, here's my current one.

still not working.  

```
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:      files compat winbind ldap
shadow:      files compat ldap
group:       files compat winbind ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
```

----------

## beandog

Did you do net ads join and kinit -U Administrator and all that stuff?

Does wbinfo -u and wbinfo -g show all the users and groups in AD?

----------

## jmahler

 *beandog wrote:*   

> Did you do net ads join and kinit -U Administrator and all that stuff?
> 
> Does wbinfo -u and wbinfo -g show all the users and groups in AD?

 

yep

and yes.

 :Smile: 

i did, and the commands do show the users/groups.

is there a status or diagnostic i could maybe run?

----------

## beandog

I would tail the output of the samba log to see WHY it's asking them to give uname/pwd.

```
tail -f /var/log/samba/samba.log
```

For the record, I have had the same thing crop up on my end too.  I think I fixed it by using force group and force user to log in as (which it looks like you're doing), but in my case, it helped simply because I wanted the directory world writeable/readable.

anyway, here's my conf I should have posted before.. mebbe that will help.

```
[global]
        netbios name = SMBSERVER
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind gid = 10000-20000
        workgroup = WORKGROUP
        os level = 20
        password server = ADSERVER
        preferred master = no
        max log size = 50
        log file = /var/log/samba/samba.log
        encrypt passwords = yes
        dns proxy = no
        realm = WORKGROUP.DOMAIN.COM
        security = domain
        wins server = <ip address of ADSERVER>
        wins proxy = no
        log level = 2
        server string = smbserver

[tmp]
        comment = tmp files
        force user = <user name>
        force group = users
        path = /path/to/tmp
        read only = no
```

----------

## jmahler

interesting-  your 'security' is set to domain instead of ADS - 

why is that?

----------

## beandog

I don't know, but I had it in there before, and it was commented out.  I just removed it from my example.  I guess the other one didn't work.  I can't remember, it's been a while.  :Smile: 

----------

## beandog

One other thing -- what Windows OS is your AD server running?

----------

## jmahler

 *beandog wrote:*   

> I don't know, but I had it in there before, and it was commented out.  I just removed it from my example.  I guess the other one didn't work.  I can't remember, it's been a while. 

 

gotcha  :Smile: 

the DC's are all 2003.

here's one line from /var/log/samba3/log.smbd - 

```
[2005/10/03 12:10:22, 0] lib/util_sock.c:get_peer_addr(1150)
  getpeername failed. Error was Transport endpoint is not connected
```

That was when I had a client try to connect.

----------

## beandog

Hmm, I've never seen that problem before.

Are you using OpenLDAP?  Because I know that recently the new upgrade required you to run a revdep-rebuild.  It's a long shot, but maybe that could be the source of one of your Samba problems.

Also, which version of Samba are you running, 3.0.14 or 3.0.20?  Either one should work fine, but upgrading to the latest unstable wouldn't hurt if you haven't already.

I haven't played with AD on 2003 at all, we're using 2000 here, so I'm not sure what problems that would introduce.

----------

## jmahler

Okay, going to check versions - samba looked to be 3.0.13, didn't check ldap yet.  gonna do that next.

----------

## jmahler

well okay, it gets stranger.   :Smile: 

(of course)

I'm now working from home, so i jump through the VPN and putty into it.  Retraced my steps, discovering that after I run:

```
wbinfo -u
```

it works.  i can connect to it from other user accounts.

as soon as I restart samba however, i.e.

```
/etc/init.d/samba restart
```

i then can't connect to the server.

weird.

any idea what's going on here?

----------

## beandog

I would try kinit again.  See if that gives you any errors.

http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain

----------

## jmahler

 *beandog wrote:*   

> I would try kinit again.  See if that gives you any errors.
> 
> http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain

 

that's the wiki i originally followed - whoever wrote it is a wonderful person.  :Smile: 

```
Password for administrator@omghelp.local:
kinit(v5): KDC reply did not match expectations while getting initial credentials
```

oooo interesting... what does this tell us?

----------

## jmahler

 *jmahler wrote:*   

>  *beandog wrote:*   I would try kinit again.  See if that gives you any errors.
> 
> http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain 
> 
> that's the wiki i originally followed - whoever wrote it is a wonderful person. 
> ...

 

you wanna know what it tells us?

it tells us that I forgot to capitalize the realm.  shoulda been:

```
root@opiate ~ # kinit administrator@OMGHELP.LOCAL
Password for administrator@OMGHELP.LOCAL:
```

No error.
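Two things this thread keeps circling back to are static and easy to check before touching kinit or winbind at all: that nsswitch.conf actually lists winbind for passwd/group and wins for hosts (beandog's first suggestion), and that the realm in smb.conf is spelled in upper case, since Kerberos realm names are case-sensitive and a lowercase principal produces exactly the "KDC reply did not match expectations" error above. The following script is an added example, not something either poster wrote; the file paths are whatever the caller passes in.

```sh
#!/bin/sh
# Static sanity checks for the two files this thread keeps coming back to:
# nsswitch.conf (winbind/wins sources) and smb.conf (realm spelling, security
# mode). Added example, not from the thread; the paths are passed in by the caller.

# nss_has_source FILE DATABASE SOURCE: 0 if the active (uncommented) line for
# DATABASE (passwd, group, hosts, ...) lists SOURCE as a whole word.
nss_has_source() {
  grep -E "^[[:space:]]*$2:" "$1" | grep -qw "$3"
}

# smb_realm FILE: print the first 'realm =' value in smb.conf, whitespace stripped.
smb_realm() {
  sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]'
}

# realm_is_uppercase FILE: 0 if a realm is set and is entirely upper case.
# Kerberos realm names are case-sensitive; the lowercase principal in the
# thread produced "KDC reply did not match expectations".
realm_is_uppercase() {
  r=$(smb_realm "$1")
  [ -n "$r" ] && [ "$r" = "$(printf '%s' "$r" | tr '[:lower:]' '[:upper:]')" ]
}

# check_ads_config SMB_CONF NSSWITCH_CONF: print one WARN line per finding and
# return the number of findings (0 means every check passed).
check_ads_config() {
  smb=$1; nss=$2; problems=0
  for db in passwd group; do
    if ! nss_has_source "$nss" "$db" winbind; then
      echo "WARN: $nss: '$db:' does not list winbind"; problems=$((problems + 1))
    fi
  done
  if ! nss_has_source "$nss" hosts wins; then
    echo "WARN: $nss: 'hosts:' does not list wins"; problems=$((problems + 1))
  fi
  if ! realm_is_uppercase "$smb"; then
    echo "WARN: $smb: realm '$(smb_realm "$smb")' is missing or not upper case"
    problems=$((problems + 1))
  fi
  if ! grep -qE '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$smb"; then
    echo "WARN: $smb: 'security = ads' not set"; problems=$((problems + 1))
  fi
  return $problems
}

# Usage: sh check_samba_ads.sh /etc/samba/smb.conf /etc/nsswitch.conf
if [ $# -eq 2 ]; then check_ads_config "$1" "$2"; fi
```

Run against the first smb.conf posted in this thread with the realm changed to lower case and the script reports exactly that finding; a clean pass means the remaining trouble is in the join, the ticket or the Samba version rather than in these two files.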

----------

## beandog

LOL, that's awesome. 

So did that get you any farther?

----------

## jmahler

 *beandog wrote:*   

> LOL, that's awesome. 
> 
> So did that get you any farther?

 

unfortunately nope.

upgrading to the newest versions of ldap and samba (ldap sucked to deal with - had to manually move some stuff out of var and such, but it's moving along now).

i'll get back once done upgrading.

----------

## beandog

Well, I just happened to see this on samba.org, in the release notes for 3.0.20a which came out three days ago:

 *Quote:*   

> Recent security updates for Windows 2000 and Windows 2003 have
> changed the fashion in which user and group lists can be obtained
> from domain controllers.  In short, the RPC mechanisms used by
> ...

 

More info at http://us2.samba.org/samba/history/samba-3.0.20a.html

So, that might be your problem there.

Looks like I should be using security = ads after all.

Edit: Oh wait, after reading that again, that probably doesn't apply to you.  D'oh.

----------

## jmahler

interesting stuff-  

upgrading to 3.2 might have helped - emerge synced then emerge -uv samba - though crashing on openldap sucked, once i got through it we might be golden.  

i'll know for sure tomorrow - out of the office today.

i'll check back in then.  thank you for all your help - i really was able to rethink the issue all the way through.

----------

## jmahler

Okay, update:

it's working perfectly now apparently.  Why?  I don't know.  Upgrading it to the latest openldap and samba seems to have helped (though along the way it ALSO broke openssh  :Smile: ).  

I'm happy.

Thank you again for your assistance - really helped me to think through my issue.

----------

## beandog

Well, glad you got it working.

Did you ever do your revdep-rebuild after emerging openldap?  The recent upgrade requires it.  You can't run just revdep-rebuild though, you need to pass --soname=some library.  I can't remember the exact library name now, but if you grep the ebuild I'm sure you'll find it.  And if you emerged openssh with +ldap, that would be why it's suddenly broken.

----------

