Hi,
An update on my work to integrate my Linux server (CentOS 4.3) into AD
2003.
Sorry about the long post :)
Found this page
(http://www.enterprisenetworkingplanet.com/netos/article.php/3487081)
and followed the instructions on it.
First, I made sure that the Samba installation supports Kerberos,
LDAP, AD and Winbind. That was OK.
I made sure that /etc/hosts contains the name of the AD server
(castor-srvr1).
Then I edited /etc/krb5.conf to include the following:
[libdefaults]
default_realm = CASTORTECH.COM
[realms]
CASTORTECH.COM = {
kdc = castor-srvr1.castortech.com
}
[domain_realm]
.kerberos.server = CASTORTECH.COM
I got the default realm name when I ran ksetup on the AD server.
I then tried to connect using kinit administrator@CASTORTECH.COM. It
asks for a password and then returns an error (krb_error 14 KDC has no
support for encryption type). If I use another user (simon, my account
with domain admin rights), it connects and creates a new ticket. To be
sure, I tested with a user that doesn't exist and got a "krb_error 24
Pre-authentication information was invalid". Any idea why administrator
won't connect?
I modified /etc/samba/smb.conf with the info in chapter 13 of the Samba
book.
The pre-Windows 2000 name of the domain is MONTREAL.
[global]
workgroup = MONTREAL
realm = CASTORTECH.COM
preferred master = no
security = ADS
template shell = /bin/bash
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind use default domain = yes
winbind nested groups = yes
encrypt passwords = yes
log level = 3
server string = Linux
wins server = 192.168.64.20
dns proxy = no
password server = None
username map = /etc/samba/smbusers
[homes]
comment = Home Directories
browseable = no
writeable = yes
[root]
path = /
writeable = yes
guest ok = yes
Password server was at none by default. Do I need to put the AD server
there?
Not sure if the workgroup needs to be the NetBIOS name of the domain
(MONTREAL) or the AD server name.
[root] is the share I created on my Linux box. Missing anything for
that?
If I run testparm with that config:
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[root]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
To join the domain, the site says to run net ads join -U Administrator.
Of course, that didn't work (ads_connect: No such file or directory). I
ran net ads join -U administrator --server=castor-srvr1. And got:
[2006/04/18 13:52:13, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for castor-srvr4 already exists -
modifying old account
Using short domain name -- MONTREAL
Joined 'CASTOR-SRVR4' to realm 'CASTORTECH.COM'
If I open ADUC I can see the server under Computers. So far so good. I
think.
Now I need to configure Winbind. I edited /etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
Then I restarted the services.
I ran a few wbinfo commands to test it.
wbinfo -g
BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Administrators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Users
Looks like BUILTIN is on the Linux box instead of AD.
But wbinfo --domain=MONTREAL -g gives:
Error looking up domain groups
Same thing with -u.
I tried net ads info --server=castor-srvr1
LDAP server: 192.168.64.20
LDAP server name: castor-srvr1
Realm: CASTORTECH.COM
Bind Path: dc=CASTORTECH,dc=COM
LDAP port: 389
Server time: Tue, 18 Apr 2006 14:35:24 GMT
KDC server: 192.168.64.20
Server time offset: 187
net ads testjoin --server=castor-srvr1
Join is OK
So according to this, the Linux box is in the domain but there is a
problem with Winbind. Or something.
I can't access the Linux box from Windows.
This is where I'm stuck and would appreciate some help.
Thanks!
Simon
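As an added illustration (not part of the thread, and not Samba's or MIT Kerberos's own tooling), the following script parses the two configuration fragments quoted in the post above and runs the sanity checks a domain-member review would start with: the krb5.conf domain_realm map should cover the realm's own DNS suffix (the `.kerberos.server` entry looks like an unedited placeholder from the article), the smb.conf idmap ranges should not start inside the local account range, and no share should combine `guest ok = yes` with write access, least of all one whose path is `/`. The config text is copied from the post; the thresholds and the wording of the findings are this example's own assumptions.

```python
"""Lint an AD-member krb5.conf and smb.conf for common mistakes.

Added example. The two config strings are copied from the post; the
parser and the checks are this example's own, not Samba's or MIT's.
"""
import configparser

# Sample input copied from the post (krb5.conf as quoted there).
KRB5_CONF = """
[libdefaults]
default_realm = CASTORTECH.COM

[realms]
CASTORTECH.COM = {
kdc = castor-srvr1.castortech.com
}

[domain_realm]
.kerberos.server = CASTORTECH.COM
"""

# Sample input copied from the post (the relevant parts of smb.conf).
SMB_CONF = """
[global]
workgroup = MONTREAL
realm = CASTORTECH.COM
security = ADS
template shell = /bin/bash
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind use default domain = yes
password server = None

[homes]
comment = Home Directories
browseable = no
writeable = yes

[root]
path = /
writeable = yes
guest ok = yes
"""


def parse_krb5(text):
    """Minimal krb5.conf parser: [section] headers, key = value pairs and
    one level of `key = { ... }` sub-blocks (enough for the post's file)."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
            block = None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                conf[section][key] = {}
                block = key
            else:
                target = conf[section] if block is None else conf[section][block]
                target[key] = value
    return conf


def check_krb5(text):
    """Return a list of findings for the krb5.conf text."""
    findings = []
    conf = parse_krb5(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["libdefaults: no default_realm"]
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append(f"realms: no kdc listed for {realm}")
    # An AD realm is the DNS domain upper-cased, so the domain_realm map
    # should cover the matching lower-case suffix (here .castortech.com).
    dns_domain = realm.lower()
    mappings = conf.get("domain_realm", {})
    if not any(k.lstrip(".") == dns_domain for k in mappings):
        findings.append(f"domain_realm: no mapping for .{dns_domain}; "
                        f"present: {', '.join(mappings) or 'none'}")
    return findings


def check_smb(text):
    """Return a list of findings for the smb.conf text."""
    findings = []
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    if g.get("security", "").upper() == "ADS":
        for key in ("realm", "workgroup"):
            if not g.get(key):
                findings.append(f"global: security = ADS requires '{key}'")
    # Assumption: local accounts on CentOS 4 start at UID/GID 500, so an
    # idmap range starting below 1000 can hand out ids that collide with them.
    for key in ("idmap uid", "idmap gid"):
        rng = g.get(key)
        if rng and "-" in rng and int(rng.split("-")[0]) < 1000:
            findings.append(f"global: {key} = {rng} starts below 1000 and can "
                            "collide with local accounts")
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        writable = (s.get("writeable", s.get("writable", "no")).lower() == "yes"
                    or s.get("read only", "yes").lower() == "no")
        guest = s.get("guest ok", "no").lower() == "yes"
        if guest and writable:
            findings.append(f"[{share}]: guest ok + writeable "
                            "(anonymous write access)")
        if "path" in s and s["path"].rstrip("/") == "":
            findings.append(f"[{share}]: path = / exports the whole filesystem")
    return findings


if __name__ == "__main__":
    for name, fn, text in (("krb5.conf", check_krb5, KRB5_CONF),
                           ("smb.conf", check_smb, SMB_CONF)):
        print(f"== {name}")
        for finding in fn(text) or ["no findings"]:
            print(" -", finding)
```

Run it as-is to see the findings for the posted fragments; point the two constants at real files (`open(...).read()`) to lint a live host. The krb5.conf parser only handles one level of braces, which covers the `[realms]` layout used here.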
On Tue, Apr 18, 2006 at 03:14:02PM -0400, Simon Renshaw wrote:
> Hi,
>
> An update on my work to integrate my Linux server (CentOS 4.3) in AD
> 2003.
>
> Sorry about the long post :)
>
> Found this page
> (http://www.enterprisenetworkingplanet.com/netos/article.php/3487081)
> and followed the instructions on it.
>
> First, I made sure that the Samba installation is supporting Kerberos,
> LDAP, AD and Windbind. That was OK.
>
> I made sure that /etc/hosts contain the name of the AD server
> (castor-srvr1).
>
> Then I edited /etc/krb5.conf to include the following:
>
> [libdefaults]
> default_realm = CASTORTECH.COM
>
> [realms]
> CASTORTECH.COM = {
> kdc = castor-srvr1.castortech.com
> }
>
> [domain_realm]
> .kerberos.server = CASTORTECH.COM
>
> I got the default realm name when I ran ksetup on the AD server.
>
> I then tried to connect using kinit administrator@CASTORTECH.COM. It
> asks for a password and it return an error (krb_error 14 KDC has no
> support for encryption type). If I use another user (simon, my account
> with domain admin rights), it connects and create a new ticket. To be
> sure, I tested with a user that don't exist and got a "krb_error 24
> Pre-authentication information was invalid". Any idea why administrator
> won't connect?

It looks like the version of kerberos you're using doesn't have support
for the AD enctypes. Update it.

Jeremy.
OK, I'll try to upgrade it.

I just downloaded MIT Kerberos 1.4.3.

I ran rpm -qa|grep krb and got:

krb5-server-1.3.4-27
krb5-auth-dialog-0.2-1
krb5-libs-1.3.4-27
krbafs-1.2.2-6
krb5-devel-1.3.4-27
krbafs-devel-1.2.2-6
krbafs-utils-1.2.2-6
krb5-workstation-1.3.4-27
pam_krb5-2.1.8-1

Should I uninstall everything krb related before compiling 1.4.3?

-----Original Message-----
From: Jeremy Allison [mailto:jra@samba.org]
Sent: 18 April 2006 15:19
To: Simon Renshaw
Cc: samba@lists.samba.org
Subject: Re: [Samba] Managed to make some progress, stuck again.

It looks like the version of kerberos you're using doesn't have support
for the AD enctypes. Update it.

Jeremy.
What packages should I look for? All those I listed or a few specifics?

As long as they are for Redhat EL 4, I'll be ok.

I started to look for them but I'm not sure what I need.

(Sorry about that, I'm a Windows guy.)

Simon

-----Original Message-----
From: Jeremy Allison [mailto:jra@samba.org]
Sent: 18 April 2006 19:38
To: Simon Renshaw
Cc: Jeremy Allison; samba@lists.samba.org
Subject: Re: [Samba] Managed to make some progress, stuck again.

On Tue, Apr 18, 2006 at 04:25:50PM -0400, Simon Renshaw wrote:
> OK, I'll try to upgrade it.
>
> I just downloaded MIT Kerberos 1.4.3.
>
> I ran rpm -qa|grep krb and got:
>
> krb5-server-1.3.4-27
> krb5-auth-dialog-0.2-1
> krb5-libs-1.3.4-27
> krbafs-1.2.2-6
> krb5-devel-1.3.4-27
> krbafs-devel-1.2.2-6
> krbafs-utils-1.2.2-6
> krb5-workstation-1.3.4-27
> pam_krb5-2.1.8-1
>
> Should I uninstall everything krb related before compiling 1.4.3?

Look for updated kerberos rpms rather than compiling it yourself.

Jeremy.
Gautier, B (Bob)
2006-Apr-19 15:33 UTC
[Samba] Managed to make some progress, stuck again.
I am using those packages with Win2k3 so I guess they support all
necessary enctypes.

Bob G

> -----Original Message-----
> From: samba-bounces+bob.gautier=rabobank.com@lists.samba.org
> [mailto:samba-bounces+bob.gautier=rabobank.com@lists.samba.org] On Behalf Of Simon Renshaw
> Sent: 19 April 2006 16:24
> To: Jeremy Allison
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Managed to make some progress, stuck again.
>
> What packages should I look for? All those I listed or a few
> specifics?
>
> As long as they are for Redhat EL 4, I'll be ok.
>
> I started to look for them but I'm not sure what I need.
>
> (Sorry about that, I'm a Windows guy.)
>
> Simon
>
> -----Original Message-----
> From: Jeremy Allison [mailto:jra@samba.org]
> Sent: 18 April 2006 19:38
> To: Simon Renshaw
> Cc: Jeremy Allison; samba@lists.samba.org
> Subject: Re: [Samba] Managed to make some progress, stuck again.
>
> On Tue, Apr 18, 2006 at 04:25:50PM -0400, Simon Renshaw wrote:
> > OK, I'll try to upgrade it.
> >
> > I just downloaded MIT Kerberos 1.4.3.
> >
> > I ran rpm -qa|grep krb and got:
> >
> > krb5-server-1.3.4-27
> > krb5-auth-dialog-0.2-1
> > krb5-libs-1.3.4-27
> > krbafs-1.2.2-6
> > krb5-devel-1.3.4-27
> > krbafs-devel-1.2.2-6
> > krbafs-utils-1.2.2-6
> > krb5-workstation-1.3.4-27
> > pam_krb5-2.1.8-1
> >
> > Should I uninstall everything krb related before compiling 1.4.3?
>
> Look for updated kerberos rpms rather than compiling it yourself.
>
> Jeremy.