SMB still broken in 10.5.8, broken kerberos seems to be the issue
When first installed my production Xserve and OS X 10.5.1 provided SMB sharing flawlessly, tat is until a 10.5.4 update after which it was broken. I've waited for new updates to see if it will be fixed but to no avail, so after applying 10.5.8 I decided to do some investigation. Fortunately I have a test server (in which SMB is OK) to compare and test with. These are my findings:-
Attempt to connect to production server with Go command, smb://10.0.0.100, no password dialogue box, Connection Failed box appears, accept, further message "cannot connect to the server because the name or password is not correct"
Attempt to connect to test server with Go command, smb://172.16.0.100, get password dialogue box, enter user name and password and a list of shares appears.
Now do the same with terminal just to see if authentication is the problem
Production server, > smbclient //10.0.0.100/ -U Administrator, message "connection refused"
Test server, > smbclient //172.16.0.100/ -U Administrator, prompt comes back for "password"
So now I take a look at the smb.conf file in /etc
both files are the same
Then I look at the smb.conf in /var/samba/db
A difference.
In the test sever (where smb works), global is defined as
[global]
security = USER
auth methods = guest odsam
netbios name = leopard
workgroup = workgroup
realm = LEOPARD.XXXXXX.XXXX.XXX
dos charset = 437
server string = leopard
ntlm auth = yes
lanman auth = no
max smbd processes = 100
log level = 1
use kerberos keytab = yes
realm = LEOPARD.XXXXXX.XXXX.XXX
map to guest = Bad User
wins server = 172.16.0.190
domain master = yes
preferred master = yes
os level = 65
enable disk services = yes
enable print services = yes
wins support = no
In the production server (where smb is broken), global is defined as:-
[global]
security = USER
auth methods = guest odsam
netbios name = OSX-Server
workgroup = WORKGROUP
dos charset = 437
server string = server
ntlm auth = yes
lanman auth = no
max smbd processes = 0
log level = 2
map to guest = Bad User
domain master = yes
preferred master = yes
os level = 65
enable disk services = yes
enable print services = yes
wins support = no
The differences between the two are in the good test server "realm = LEOPARD.XXXXXX.XXXX.XXX" appears in two places as does "use kerberos keytab = yes" Note XXXX's used to obscure domain
So where do I go from here in my fault diagnosis?
I can provide copies of files, conduct test, just ask.
Attempt to connect to production server with Go command, smb://10.0.0.100, no password dialogue box, Connection Failed box appears, accept, further message "cannot connect to the server because the name or password is not correct"
Attempt to connect to test server with Go command, smb://172.16.0.100, get password dialogue box, enter user name and password and a list of shares appears.
Now do the same with terminal just to see if authentication is the problem
Production server, > smbclient //10.0.0.100/ -U Administrator, message "connection refused"
Test server, > smbclient //172.16.0.100/ -U Administrator, prompt comes back for "password"
So now I take a look at the smb.conf file in /etc
both files are the same
Then I look at the smb.conf in /var/samba/db
A difference.
In the test sever (where smb works), global is defined as
[global]
security = USER
auth methods = guest odsam
netbios name = leopard
workgroup = workgroup
realm = LEOPARD.XXXXXX.XXXX.XXX
dos charset = 437
server string = leopard
ntlm auth = yes
lanman auth = no
max smbd processes = 100
log level = 1
use kerberos keytab = yes
realm = LEOPARD.XXXXXX.XXXX.XXX
map to guest = Bad User
wins server = 172.16.0.190
domain master = yes
preferred master = yes
os level = 65
enable disk services = yes
enable print services = yes
wins support = no
In the production server (where smb is broken), global is defined as:-
[global]
security = USER
auth methods = guest odsam
netbios name = OSX-Server
workgroup = WORKGROUP
dos charset = 437
server string = server
ntlm auth = yes
lanman auth = no
max smbd processes = 0
log level = 2
map to guest = Bad User
domain master = yes
preferred master = yes
os level = 65
enable disk services = yes
enable print services = yes
wins support = no
The differences between the two are in the good test server "realm = LEOPARD.XXXXXX.XXXX.XXX" appears in two places as does "use kerberos keytab = yes" Note XXXX's used to obscure domain
So where do I go from here in my fault diagnosis?
I can provide copies of files, conduct test, just ask.
Xserve,Leopard Server, Mac OS X (10.5.8)