hello
I have been struggling for too long trying to set up the following
configuration:
debian samba 3 member server of a win 2000 AD
here is my configuration:
## smb.conf ##
[global]
log level = 4
interfaces = 192.168.10.11/255.255.255.0
workgroup = datom
realm = datom.dyndns.org
server string = samba membre
security = ads
netbios name = cafeine
log file = /var/log/samba/samba.log
max log size = 50
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = nicotine.datom.dyndns.org
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
domain logons = no
dns proxy = no
obey pam restrictions = Yes
winbind separator = /
inherit acls = yes
inherit permissions = yes
admin users = DATOM.DYNDNS.ORG/administrateur
winbind enum users = yes
winbind enum groups = yes
[share]
comment = partage
path = /home/samba
browseable = yes
## krb5.conf ##
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
#ticket_lifetime = 24000
default_realm = DATOM.DYNDNS.ORG
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DATOM.DYNDNS.ORG = {
  kdc = NICOTINE.DATOM.DYNDNS.ORG:88
  admin_server = DATOM.DYNDNS.ORG:749
  default_domain = DATOM.DYNDNS.ORG
}
[domain_realm]
.datom.dyndns.org = DATOM.DYNDNS.ORG
datom.dyndns.org = DATOM.DYNDNS.ORG
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
## nsswitch.conf ##
passwd:        files winbind #ldap
group:         files winbind #ldap
shadow:        files #ldap
tests performed:
# kinit administrateur + password -> ok
# net ads join
[2004/10/15 16:30:32, 0] libads/ldap.c:ads_add_machine_acct(1283)
  ads_add_machine_acct: Host account for cafeine already exists -
modifying old account
Using short domain name -- DATOM
Joined 'CAFEINE' to realm 'DATOM.DYNDNS.ORG'
# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrateur@DATOM.DYNDNS.ORG
Valid starting     Expires            Service principal
10/15/04 13:50:20  10/15/04 23:50:20  krbtgt/DATOM.DYNDNS.ORG@DATOM.DYNDNS.ORG
10/15/04 13:50:54  10/15/04 23:50:20  nicotine$@DATOM.DYNDNS.ORG
10/15/04 13:50:55  10/15/04 23:50:20  kadmin/changepw@DATOM.DYNDNS.ORG
# wbinfo -D datom
Name              : DATOM
Alt_Name          : datom.dyndns.org
SID               : S-1-5-21-1214440339-616249376-839522115
Active Directory  : Yes
Native            : No
Primary           : Yes
Sequence          : -1
# wbinfo -g  
BUILTIN/System Operators
BUILTIN/Replicators
BUILTIN/Guests
BUILTIN/Power Users
BUILTIN/Print Operators
BUILTIN/Administrators
BUILTIN/Account Operators
BUILTIN/Backup Operators
BUILTIN/Users
BUT
# wbinfo -u
Error looking up domain users
I suspect a kerberos configuration issue, because when reverting to a
security = domain model everything works perfectly.
Can anybody shed some light on this?
Thanks in advance
-- 
thomas constans <thomas.constans@opendoor.fr>
openDoor.fr
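The post above lists smb.conf, krb5.conf and nsswitch.conf side by side, and the failure mode (groups enumerate, users do not) is the kind that usually comes from the three files disagreeing. As an added example, not code from this thread, from Samba or from MIT Kerberos, the following script parses the three files and reports the settings that have to agree for a `security = ads` member server: the realm in smb.conf against `default_realm`, the KDC against `password server`, the idmap ranges, and whether winbind is in the passwd/group lines. The sample files are constructed from the values posted above; the "note" about realm case is a convention check, the "error" findings are settings that will not work together.

```python
"""Consistency checks for a Samba 3 'security = ads' member server: added
example, not code from the thread, from Samba or from MIT Kerberos. Sample
configs below are constructed from the values posted in the thread."""
import re
from collections import defaultdict

SMB_CONF = """
[global]
   workgroup = datom
   realm = datom.dyndns.org
   security = ads
   netbios name = cafeine
   password server = nicotine.datom.dyndns.org
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind separator = /
"""
KRB5_CONF = """
[libdefaults]
   default_realm = DATOM.DYNDNS.ORG
   dns_lookup_kdc = false
[realms]
DATOM.DYNDNS.ORG = {
   kdc = NICOTINE.DATOM.DYNDNS.ORG:88
}
"""
NSSWITCH_CONF = """
passwd:  files winbind #ldap
group:   files winbind #ldap
shadow:  files #ldap
"""


def parse_ini(text):
    """Parse smb.conf / krb5.conf style text into {section: {key: value}}.
    krb5.conf 'REALM = { ... }' blocks are flattened to 'realm.key' entries;
    section names and keys are lower-cased, values are kept as written."""
    data = defaultdict(dict)
    section = block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section, block = m.group(1).strip().lower(), None
        elif line.endswith("{"):
            block = line[:-1].split("=", 1)[0].strip().lower()
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            data[section][f"{block}.{key.lower()}" if block else key.lower()] = val
    return data


def check_member_server(smb_text, krb5_text, nss_text):
    """Return 'error: ...' / 'note: ...' findings; [] means the files agree."""
    smb = parse_ini(smb_text).get("global", {})
    krb = parse_ini(krb5_text)
    libdefaults = krb.get("libdefaults", {})
    findings = []

    if smb.get("security", "").lower() != "ads":
        findings.append("error: smb.conf security is not 'ads'")

    realm, default_realm = smb.get("realm", ""), libdefaults.get("default_realm", "")
    if not realm:
        findings.append("error: smb.conf needs 'realm' when security = ads")
    elif realm.upper() != default_realm.upper():
        findings.append(f"error: smb.conf realm '{realm}' is not krb5.conf default_realm '{default_realm}'")
    elif realm != default_realm:
        findings.append(f"note: realm '{realm}' and default_realm '{default_realm}' differ in case; "
                        "Kerberos realm names are conventionally upper case in both files")

    # The KDC named in krb5.conf should be the host smbd/winbindd talk to.
    kdc = krb.get("realms", {}).get(f"{default_realm.lower()}.kdc", "")
    pw_server = smb.get("password server", "")
    if default_realm and not kdc and libdefaults.get("dns_lookup_kdc", "").lower() != "true":
        findings.append(f"error: krb5.conf lists no kdc for {default_realm} and dns_lookup_kdc is not true")
    elif kdc and pw_server and kdc.split(":")[0].lower() != pw_server.lower():
        findings.append(f"error: krb5.conf kdc '{kdc}' and smb.conf password server '{pw_server}' differ")

    # idmap ranges must be 'low-high' and stay clear of local system accounts.
    for key in ("idmap uid", "idmap gid"):
        rng = smb.get(key, "")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", rng)
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"error: smb.conf '{key} = {rng}' is not a low-high range")
        elif int(m.group(1)) < 1000:
            findings.append(f"note: smb.conf '{key}' starts below 1000 and may collide with local accounts")

    # Without winbind in nsswitch.conf, getent and PAM never see domain accounts.
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", nss_text, re.M)
        sources = m.group(1).split("#", 1)[0].split() if m else []
        if "winbind" not in sources:
            findings.append(f"error: nsswitch.conf '{db}' line lacks winbind")
    return findings


if __name__ == "__main__":
    print("\n".join(check_member_server(SMB_CONF, KRB5_CONF, NSSWITCH_CONF) or ["ok"]))
```

Run against the posted values it reports only the realm-case note; the checks that would fire on a real mismatch (a KDC that is not the password server, a passwd line without winbind) are what to look at first when `wbinfo -u` fails while `wbinfo -g` works.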
Hi,
I had the exact same problem yesterday - which I managed to somehow
correct.
What I think happened was that after I had re-compiled kerberos support
into samba, I forgot to copy the new libnss_winbind.so to the /lib
directory.
Once I had copied the new library, I did a "killall -9 winbindd" and a
"service smb stop" and then restarted it all again. It just seemed to
work after that. 
But I am just taking a huge guess about that being the cause - it could
have been something else that I changed by mistake.
I also found it necessary to build and install krb5-1.3.5  from MIT in
order to get everything to work correctly together. The older version of
kerberos that came with my distribution just wasn't happy talking to my
windows server. (Although I am using windows server 2003)    
Thanks,
Mark
-----Original Message-----
From: samba-bounces+markl=bbd.co.za@lists.samba.org
[mailto:samba-bounces+markl=bbd.co.za@lists.samba.org] On Behalf Of
thomas constans
Sent: 15 October 2004 04:46 PM
To: samba@lists.samba.org
Subject: [Samba] member server and kerberos
hello
well, I compiled kerberos 1.3.5 from sources, and I got the same results as before.
what procedure did you follow?
I understand that you also compiled samba from sources.
can you give me a quick procedure:
in what order have you compiled samba and kerberos?
with what options passed to configure?
thanks for answering
-- 
thomas constans <thomas.constans@opendoor.fr>
openDoor.fr
hello
I have finally set up the following configuration:
debian testing / samba-3.0.7 member of a w2k Active Directory, security = ads
now I am able to:
- list users and groups with wbinfo -u | -g
- authenticate domain users via pam_winbind
- list and connect to shares on the AD server with kerberos ( smbclient -k )
- list and connect to shares on the SAMBA server _from_the_samba_server_ ( smbclient -k //SAMBA_SERVER/ )
_BUT_ trying to connect to a samba share from the AD server (net use * \\SAMBA_SERVER\share ) prompts me for a password and the log gives me the famous "failed to verify incoming ticket":
[2004/10/20 09:24:42, 3] smbd/server.c:exit_server(614)
  Server exit (process_smb: send_smb failed.)
[2004/10/20 09:24:42, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2004/10/20 09:24:42, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2004/10/20 09:24:42, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/20 09:24:42, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
I have tried playing with enc-type in krb5.conf to no avail.
here is my krb5.conf:
[libdefaults]
   default_realm = OPENDOOR.NET
[realms]
OPENDOOR.NET = {
   kdc = nicotine.opendoor.net:88
}
output of klist -5e :
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrateur@OPENDOOR.NET
Valid starting     Expires            Service principal
10/20/04 11:40:14  10/20/04 21:40:14  krbtgt/OPENDOOR.NET@OPENDOOR.NET
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/20/04 11:40:33  10/20/04 21:40:14  melatonine$@OPENDOOR.NET   ( samba server )
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/20/04 11:40:49  10/20/04 21:40:14  nicotine$@OPENDOOR.NET   ( AD server )
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
installed packages (debian testing):
samba         3.0.7-1
samba-common  3.0.7-1
libkrb53      1.3.4-4
krb5-user     1.3.4-4
any idea?
-- 
-- Thomas Constans --
http://www.opendoor.fr
thomas.constans@opendoor.fr
04 78 68 17 34
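The log excerpt in the post above is the sequence smbd writes when it cannot decrypt a client's service ticket with its own machine-account key: `enc type [23]` is RC4-HMAC (the "ArcFour with HMAC/md5" shown by `klist -5e`), "Decrypt integrity check failed" comes from krb5_rd_req, and the session is then rejected with NT_STATUS_LOGON_FAILURE. As an added example, not code from this thread or from Samba, the following script parses smbd's `[date time, level] file:function(line)` records, re-joins records that a mail client wrapped across lines, and summarises each failed ticket decryption with its encryption type decoded, so a run of these can be spotted in a log rather than read one record at a time. SAMPLE_LOG is constructed from the lines posted above, including one wrapped header.

```python
"""Summarise Kerberos ticket-verification failures in smbd debug logs.
Added example; not code from the thread or from Samba. SAMPLE_LOG is
constructed from the log lines posted in the thread."""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
[2004/10/20 09:24:42, 3] smbd/server.c:exit_server(614)
  Server exit (process_smb: send_smb failed.)
[2004/10/20 09:24:42, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2004/10/20 09:24:42, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2004/10/20 09:24:42, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/10/20 09:24:42, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

# Kerberos etype numbers from the IANA registry (RFC 3961, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac (ArcFour with HMAC/md5)",
}

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]\s*(?P<src>\S+)?$")
ENCTYPE_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)$")
NTSTATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")


@dataclass
class Entry:
    ts: str
    level: int
    src: str
    msg: str


def parse_samba_log(text):
    """Split log text into Entry records. smbd indents message lines by two
    spaces; an unindented line directly after a header that carried no source
    is the wrapped source, any other unindented line is wrapped message text."""
    entries, cur = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HEADER_RE.match(raw)
        if m:
            cur = Entry(m["ts"], int(m["level"]), m["src"] or "", "")
            entries.append(cur)
        elif cur is None:
            continue  # text before the first header
        elif raw.startswith(" ") or cur.msg or cur.src:
            cur.msg = (cur.msg + " " + raw.strip()).strip()
        else:
            cur.src = raw.strip()
    return entries


def kerberos_failures(entries):
    """One dict per failed ticket decryption: etype decoded, the krb5 error
    text, whether smbd rejected the session in the same second, and the
    NT status it returned to the client."""
    out = []
    for e in entries:
        m = ENCTYPE_RE.search(e.msg)
        if not m:
            continue
        etype = int(m.group(1))
        same_second = [x for x in entries if x.ts == e.ts]
        status = [s for x in same_second for s in NTSTATUS_RE.findall(x.msg)]
        out.append({
            "ts": e.ts,
            "enctype": etype,
            "enctype_name": ENCTYPE_NAMES.get(etype, "unknown"),
            "error": m.group(2).strip(),
            "rejected": any("Failed to verify incoming ticket" in x.msg for x in same_second),
            "nt_status": status[0] if status else None,
        })
    return out


if __name__ == "__main__":
    for f in kerberos_failures(parse_samba_log(SAMPLE_LOG)):
        print(f"{f['ts']} etype {f['enctype']} ({f['enctype_name']}): "
              f"{f['error']} -> rejected={f['rejected']} {f['nt_status']}")
```

A decryption failure on the server's own key, as here, means the key smbd holds for its machine account does not match what the KDC used to encrypt the ticket; the etype field tells you which key flavour was in play, which is the first thing to compare against `klist -5e` output from the client side.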
Sorry for bothering you. After upgrading the AD server to SP4, I am finally able to browse and connect to samba-member shares.
Sorry for wasting your time.
On Sat 16/10/2004 at 14:05, thomas constans wrote:
-- 
-- Thomas Constans --
http://www.opendoor.fr
thomas.constans@opendoor.fr
04 78 68 17 34