Hi,
I was away from this problem for a few hours and I’m now more settled.
Thank you for the 2 steps. I have done both of those.
Let me review what I have configured.
First a little background about me. I have been working with Windows networks and domains for almost 20 years. I am quite familiar with the idiosyncrasies of both Windows domain and peer-to-peer networks. What is new to me is using a non-Windows machine in a Windows network.
This particular network has one domain controller running Active Directory and five member workstations and servers. This domain has been up for 5 years and runs smoothly now. WINS is also running on the domain controller. The domain controller is also running NTP and BIND.
In Yast under LDAP Client I have:
User Authentication
Use LDAP: checked
LDAP Client
Addresses of LDAP Servers: <the IP address of my domain controller>
LDAP Base DN: DC=gwsystems2,DC=com (the DNS name of my domain, internal)
Advanced Configuration
Client Settings
User Map: DC=gwsystems2,DC=com
Password Map: DC=gwsystems2,DC=com
Group Map: DC=gwsystems2,DC=com
Password Change Protocol: exop (this was the default setting)
Group Member Attribute: member
Administration Settings
Configuration Base DN: DC=gwsystems2,DC=com
Administrator DN: <my user name> (I didn’t know what else to put)
<I didn’t know what to put for the following items so I left them blank>
Create Default Configuration Object
Home Directories on This Machine
Password Policy
One of the guides I looked at said to test LDAP by issuing the following command:
linux-hh3x:~ # ldapsearch -ZZ
ldap_start_tls: Decoding error (-4)
As you can see, it errors.
I’m not sure it’s worth going on since Kerberos depends on LDAP and SAMBA depends on Kerberos for authentication.
Sharing by Users
Allow Users to Share Their Directories: Checked
Permitted Group: users
Maximum Number of Shares: 100
Under Kerberos Client I have:
Use Kerberos
Default Domain: gwsystems2.com
Default Realm: gwsystems2
KDC Server Address: <the IP address of my domain controller>
Advanced Settings
I didn’t change anything in here since it has to do with PAM and one of the guides I looked at said messing with PAM was dangerous.
Under NTP Configuration
General Settings
Runtime Configuration Policy: Auto
Synchronization Type: Server
Address: <The server dns name of my domain controller>
Security Settings
Run NTP Daemon in Chroot Jail
Firewall is disabled <I have a hardware firewall>
Under Samba Server
Start Up
During Boot
Firewall is disabled
Shares
Available Shares
I added a couple of shares to the default shares
Sharing by Users
Allow Users to Share Their Directories: Checked
Permitted Group: users
Maximum Number of Shares: 100
Identity
Base Settings
Workgroup or Domain Name:
Domain Controller: Not a DC <The Windows machine is my DC>
NetBIOS Hostname: Linux
WINS
Remote WINS Server: <the IP address of my domain controller>
Retrieve WINS via DHCP: no
Use WINS for Hostname Resolution: checked
Trusted Domain
<None>
Sharing by Users
Allow Users to Share Their Directories: Checked
Permitted Group: users
Maximum Number of Shares: 100
LDAP Settings
Passdb Back-End
Use LDAP Password Back-End: no
Use LDAP idmap Back-End: no
<The rest of this tab is disabled>
Under Windows Domain Membership
Membership
Domain or Workgroup: gwsystems2
Also Use SMB information for Linux Authentication: checked
Under Expert Settings
UID Range
Minimum: 10000
Maximum: 20000
GID Range
Minimum: 10000
Maximum: 20000
Windows Internet Name Service
Use WINS for Hostname Resolution: checked
Retrieve WINS server via DHCP: no
Mount Server Directories
<none>
Sharing by Users
Allow Users to Share Their Directories: Checked
Allow Guest Access: checked
Permitted Group: users
Maximum Number of Shares: 100
When I hit OK it asks about joining the domain, I click yes.
<I did this before but I unjoined the domain to restart everything for this report>
It asked me for a user name and password, just like with Windows.
It’s taking a lot longer than it should.
Ok, it now says “Domain GWSYSTEMS2 joined successfully.”
Now, checking things.
ldapsearch still fails.
linux-hh3x:~ # net ads testjoin
[2010/02/20 00:17:52, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
[2010/02/20 00:17:52, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
Join to domain is not valid: NT code 0xfffffffc
linux-hh3x:~ #
linux-hh3x:~ # net ads info
[2010/02/20 00:19:32, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
[2010/02/20 00:19:32, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
Failed to get server’s current time!
LDAP server: 70.184.246.18
LDAP server name: ntserver2.gwsystems2.com
Realm: GWSYSTEMS2.COM
Bind Path: dc=GWSYSTEMS2,dc=COM
LDAP port: 389
Server time: Wed, 31 Dec 1969 19:00:00 EST
KDC server: 70.184.246.18
Server time offset: 0
linux-hh3x:~ #
linux-hh3x:~ # net ads status
[2010/02/20 00:20:12, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
Enter root’s password:
[2010/02/20 00:20:23, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
[2010/02/20 00:20:23, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
[2010/02/20 00:20:23, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
linux-hh3x:~ #
and in the messages log I see this, which I think is from when I reconfigured SAMBA:
Feb 20 00:01:28 linux-hh3x su: (to nobody) root on none
Feb 20 00:02:50 linux-hh3x su: (to nobody) root on none
Feb 20 00:03:32 linux-hh3x nmbd[4385]: [2010/02/20 00:03:32, 0] nmbd/nmbd.c:terminate(68)
Feb 20 00:03:32 linux-hh3x nmbd[4385]: Got SIGTERM: going down…
Feb 20 00:03:32 linux-hh3x su: (to nobody) root on none
Feb 20 00:03:41 linux-hh3x net: [2010/02/20 00:03:41, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:03:41 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:03:41 linux-hh3x net: [2010/02/20 00:03:41, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:03:41 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:03:56 linux-hh3x net: [2010/02/20 00:03:56, 0] libads/kerberos.c:ads_kinit_password(356)
Feb 20 00:03:56 linux-hh3x net: kerberos_kinit_password LINUX-HH3X$@GWSYSTEMS2.COM failed: Client not found in Kerberos database
Feb 20 00:03:57 linux-hh3x net: [2010/02/20 00:03:57, 0] libads/kerberos.c:ads_kinit_password(356)
Feb 20 00:03:57 linux-hh3x net: kerberos_kinit_password LINUX-HH3X$@GWSYSTEMS2.COM failed: Client not found in Kerberos database
Feb 20 00:04:37 linux-hh3x net: [2010/02/20 00:04:37, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:04:37 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:04:37 linux-hh3x net: [2010/02/20 00:04:37, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:04:37 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:13:07 linux-hh3x nmbd[4668]: [2010/02/20 00:13:07, 0] nmbd/nmbd.c:terminate(68)
Feb 20 00:13:07 linux-hh3x nmbd[4668]: Got SIGTERM: going down…
Feb 20 00:13:08 linux-hh3x smbd[4878]: [2010/02/20 00:13:08, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:13:08 linux-hh3x smbd[4878]: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:13:08 linux-hh3x smbd[4878]: [2010/02/20 00:13:08, 0] printing/nt_printing.c:nt_printing_init(664)
Feb 20 00:13:08 linux-hh3x smbd[4878]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
Feb 20 00:17:52 linux-hh3x net: [2010/02/20 00:17:52, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:17:52 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:17:52 linux-hh3x net: [2010/02/20 00:17:52, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:17:52 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:19:32 linux-hh3x net: [2010/02/20 00:19:32, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:19:32 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:19:32 linux-hh3x net: [2010/02/20 00:19:32, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:19:32 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
However, despite all of this I see the Linux machine in the AD Users and Computers MMC
And in the Windows Server Manager it shows the Net Logon service for Linux-HH3X as Disabled.
And it shows in the Network Neighborhood with the shares, and I can browse the shares and copy files out and in.
BUT, browsing the server and manipulating files on the shares is much slower than it should be. To me it’s obvious that it’s having problems, probably due to the errors listed above.
I’m not sure why it seems to work better now than before, but like I said it’s slow and the errors, I think, are problematic.
What I want to eventually achieve is the ability to browse shares on the Linux box from the Windows network, and browse shares on the Windows network from the Linux box, and to be able to print to a shared Windows printer from the Linux box. Authentication of Linux logons by Active Directory would be nice but not necessary, although it’s probably needed to copy files to Linux shares.
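An added example, written here and not taken from the post or from Samba: a small Python triage script that runs over the kinds of log lines shown above and groups the recurring failures (the StartTLS decoding errors, the machine account's kinit failure, the epoch-zero server time from `net ads info`) with what each usually points at. The embedded sample lines are copied from the post's own output; the hint text and the symptom names are my own assumptions.

```python
import re
from collections import Counter

# Sample input copied from the post's syslog and `net ads info` output (constructed subset).
SAMPLE_LOG = """\
Feb 20 00:03:41 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:03:56 linux-hh3x net: kerberos_kinit_password LINUX-HH3X$@GWSYSTEMS2.COM failed: Client not found in Kerberos database
Feb 20 00:13:08 linux-hh3x smbd[4878]: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:13:08 linux-hh3x smbd[4878]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
Server time: Wed, 31 Dec 1969 19:00:00 EST
"""

# symptom name -> (pattern, what a practitioner should check next); hint text is my assumption
SYMPTOMS = {
    "starttls_decoding_error": (
        re.compile(r"Failed to issue the StartTLS instruction: Decoding error"),
        "StartTLS to the DC never completes: confirm the DC actually offers StartTLS/LDAPS "
        "(it needs a server certificate) or adjust Samba's 'ldap ssl' setting to match.",
    ),
    "kinit_client_not_found": (
        re.compile(r"kerberos_kinit_password (\S+) failed: Client not found in Kerberos database"),
        "The KDC does not know the machine principal: check the computer account and the realm spelling.",
    ),
    "epoch_zero_server_time": (
        re.compile(r"Server time: .*(31 Dec 1969|0?1 Jan 1970)"),
        "Server time is the Unix epoch, i.e. the time query failed; Kerberos clock skew cannot be verified.",
    ),
}


def classify_line(line):
    """Return (symptom_name, match) for the first matching symptom, or None."""
    for name, (pattern, _hint) in SYMPTOMS.items():
        m = pattern.search(line)
        if m:
            return name, m
    return None


def triage(text):
    """Count each symptom, collect failing Kerberos principals, and list the matching hints."""
    counts = Counter()
    principals = set()
    for line in text.splitlines():
        hit = classify_line(line)
        if hit is None:
            continue
        name, m = hit
        counts[name] += 1
        if name == "kinit_client_not_found":
            principals.add(m.group(1))
    return {"counts": dict(counts), "principals": sorted(principals),
            "hints": [SYMPTOMS[n][1] for n in counts]}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Feed it the real /var/log/messages excerpt and the `net ads info` output concatenated; the WERR_ACCESS_DENIED line is deliberately left unclassified so unknown errors are not silently explained away.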