fabian dacunha
2009-Mar-26 19:22 UTC
[CentOS] error when join my Centos machine to win2003 ADS server
Dear All,
I have successfully managed to have my kerberos configured and working
without error when I say
kinit Administrator
and after entering password it works fine
my krb5.conf
--------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = BALADIA.LOCAL
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
BALADIA.LOCAL = {
default_domain = baladia.local
kdc = 172.16.2.227:88
admin_server = 172.16.2.227:749
kdc = KMUN
}
[domain_realm]
baladia.local = BALADIA.LOCAL
--------------------------------
klist shows

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@BALADIA.LOCAL

Valid starting     Expires            Service principal
03/26/09 11:33:04  03/26/09 21:33:18  krbtgt/BALADIA.LOCAL@BALADIA.LOCAL
        renew until 03/27/09 11:33:04

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
------------------------
now I configured /etc/samba/smb.conf but when I try to join the domain
net ads join -U Administrator
Administrator's password:
[2009/03/26 21:58:05, 0] utils/net_ads.c:ads_startup_int(286)
ads_connect: No logon servers
Failed to join domain: No logon servers
after googling and trying various options in /etc/samba/smb.conf file here
is the latest smb.conf file
---------------------
[global]
#--authconfig--start-line--
# Generated by authconfig on 2009/03/26 12:50:28
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = BALADIA.LOCAL
; password server = kmun.baladia.local
password server = 172.16.2.227
realm = KMUN.BALADIA.LOCAL
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind separator = +
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
encrypt passwords = yes
log level = 3
#--authconfig--end-line--
encrypt passwords = yes
dns proxy = no
server string = Samba Server Version %v
os level = 20
client use spnego = no
server signing = auto
--------------------------------------
where I could be going wrong
I would be thankful and really appreciate your advice for any setting in my
smb.conf file
Is there anything else to check
when I run testparm it gives no errors
thanks and Regards
Fabian
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Rob Townley
2009-Mar-26 20:07 UTC
[CentOS] error when join my Centos machine to win2003 ADS server
2009/3/26 fabian dacunha <fabian at baladia.gov.kw>:
> Dear All,
>
> I have successfully managed to have my kerberos configured and working
> without error when I say
>
> kinit Administrator
> and after entering password it works fine
>
> my krb5.conf
> --------------
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = BALADIA.LOCAL
> dns_lookup_kdc = false
> dns_lookup_realm = false
>
> [realms]
> BALADIA.LOCAL = {
>   default_domain = baladia.local
>   kdc = 172.16.2.227:88
>   admin_server = 172.16.2.227:749
>   kdc = KMUN
> }
>
> [domain_realm]
> baladia.local = BALADIA.LOCAL
>
> --------------------------------
>
> klist shows
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@BALADIA.LOCAL
>
> Valid starting     Expires            Service principal
> 03/26/09 11:33:04  03/26/09 21:33:18  krbtgt/BALADIA.LOCAL@BALADIA.LOCAL
>         renew until 03/27/09 11:33:04
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> ------------------------
>
> now I configured /etc/samba/smb.conf but when I try to join the domain
>
> net ads join -U Administrator
> Administrator's password:
> [2009/03/26 21:58:05, 0] utils/net_ads.c:ads_startup_int(286)
>   ads_connect: No logon servers
> Failed to join domain: No logon servers
>
> after googling and trying various options in /etc/samba/smb.conf file here
> is the latest smb.conf file
> ---------------------
>
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2009/03/26 12:50:28
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
>   workgroup = BALADIA.LOCAL
> ; password server = kmun.baladia.local
>   password server = 172.16.2.227
>   realm = KMUN.BALADIA.LOCAL
>   security = ads
>   idmap uid = 16777216-33554431
>   idmap gid = 16777216-33554431
>   winbind separator = +
>   template shell = /bin/bash
>   winbind use default domain = true
>   winbind offline logon = false
>   encrypt passwords = yes
>   log level = 3
> #--authconfig--end-line--
>   encrypt passwords = yes
>   dns proxy = no
>   server string = Samba Server Version %v
>   os level = 20
>   client use spnego = no
>   server signing = auto
>
> --------------------------------------
>
> where I could be going wrong
> I would be thankful and really appreciate your advice for any setting in my
> smb.conf file
>
> Is there anything else to check
>
> when I run testparm it gives no errors
>
> thanks and Regards
>
> Fabian

Can you get to the ADS netlogon share? It is //domainname/netlogon, which may
be //baladia.local/netlogon/ on your network. //172.16.2.227/netlogon ?

Further, even connecting WinVista to a domain will sometimes require raw
editing of the host's properties in LDAP. Sysinternals' adexplorer.exe or
jexplorer (don't use java 1.6) are good at this. Specifically, you will want
to make sure dnsHostName and servicePrincipalName (SPN) are correct. If not,
these tools with the domain admin privilege will let you edit these ldap
entries directly. Use a known good ADS connected node as an example.

There is a list of apps based on python-ldap at
http://python-ldap.sourceforge.net/apps.shtml
Some of those would provide adexplorer.exe type functionality, but I haven't
tried them for editing. Hmmm, now I wonder if they work at all with Samba b/c
python hooks were removed in Samba 3.2.0 due to lack of maintenance???

I would like a script that could be run on a Windows ADS server, an ADS
domain connected windows client, and linux. The script would generate and
verify everything needed to successfully connect. SASL required? Unsecured
or Secured auth? kerberos and ldap identifying info. ldapenum.pl was an
attempt at this.

You will want to read the announcement for Samba 3.2, which I am not sure is
in the CentOS release repo or not. I ended up using fc9/fc10 for ads joins.
EnterpriseSamba.com may still be your best bet for CentOS.
http://lists.samba.org/archive/samba-announce/2008/000145.html
Kanwar Ranbir Sandhu
2009-Mar-30 03:22 UTC
[CentOS] error when join my Centos machine to win2003 ADS server
On Thu, 2009-03-26 at 22:22 +0300, fabian dacunha wrote:
> # Generated by authconfig on 2009/03/26 12:50:28
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
> workgroup = BALADIA.LOCAL
> ; password server = kmun.baladia.local
> password server = 172.16.2.227
> realm = KMUN.BALADIA.LOCAL
> security = ads
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> winbind separator = +
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
> encrypt passwords = yes
> log level = 3
> #--authconfig--end-line--
> encrypt passwords = yes
> dns proxy = no
> server string = Samba Server Version %v
> os level = 20
> client use spnego = no
> server signing = auto
>
> --------------------------------------
>
> where I could be going wrong
> I would be thankful and really appreciate your advice for any setting in my
> smb.conf file

1. It's usually better to set "password server" to "*".
2. Your realm is wrong; it should be just the domain, baladia.local.
3. Add "netbios name = [your server's hostname]"
4. Add "wins server = [your wins server(s)]"
5. "client use spnego" should likely be "yes"
6. Add "client ntlmv2 auth = yes".
7. Add "smb ports = 445"
8. Add "local master = no"
9. Add "domain master = no"
10. Add "preferred master = no"

I don't know if that's going to solve your problems. "no logon servers"
indicates either a deeper problem (e.g. network issue), or simply that
you've specified the wrong server to use for checking passwords against.

BTW, I still don't know why you have two "kdc" entries in your krb5.conf
file. You only need one.

Regards,

Ranbir

--
Kanwar Ranbir Sandhu
Linux 2.6.27.19-170.2.35.fc10.x86_64 x86_64 GNU/Linux
23:09:16 up 4 days, 2:19, 2 users, load average: 0.17, 0.26, 0.21
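Rob asks for a script that verifies everything needed before a join, and Ranbir's list and his "two kdc entries" remark are exactly the kind of static checks such a script can do without touching the network. The script below is an added example written for this thread; it is not from the thread, from Samba or from authconfig. It parses smb.conf and krb5.conf the way Samba and MIT Kerberos read them (comments skipped, last definition of an smb.conf parameter wins) and reports the mismatches discussed above: realm in smb.conf not equal to default_realm in krb5.conf, security not set to ads, a hard-coded password server instead of "*", client use spnego = no, and more than one kdc line in the realm stanza. The sample files are constructed copies of the settings Fabian posted (trimmed to the relevant lines), and the corrected versions apply Ranbir's fixes 1, 2 and 5 plus a single kdc entry; the temporary paths are assumptions.

```shell
#!/bin/bash
# Added example, not code from this thread: offline consistency checks on the
# two files "net ads join" depends on, smb.conf and krb5.conf. The temporary
# file paths and the sample configs below are constructed for this example.

# smb_param <file> <key>: value of <key> in [global]; comment lines (# or ;)
# are ignored and, as in Samba itself, the last definition wins.
smb_param() {
  awk -v key="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { sect = tolower(trim($0)); next }
    sect == "[global]" && index($0, "=") {
      k = tolower(trim(substr($0, 1, index($0, "=") - 1)))
      if (k == tolower(key)) { val = trim(substr($0, index($0, "=") + 1)); found = 1 }
    }
    END { if (found) print val }' "$1"
}

# krb5_default_realm <file>: default_realm from the [libdefaults] section.
krb5_default_realm() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*#/  { next }
    /^[ \t]*\[/ { sect = tolower(trim($0)); next }
    sect == "[libdefaults]" && index($0, "=") &&
      trim(substr($0, 1, index($0, "=") - 1)) == "default_realm" {
        print trim(substr($0, index($0, "=") + 1)); exit }' "$1"
}

# krb5_kdc_count <file> <REALM>: number of "kdc =" lines inside REALM's stanza.
krb5_kdc_count() {
  awk -v realm="$2" '
    /^[ \t]*#/  { next }
    /^[ \t]*\[/ { sect = tolower($0); inrealm = 0; next }
    sect ~ /\[realms\]/ && !inrealm && $1 == realm && /=[ \t]*[{]/ { inrealm = 1; next }
    inrealm && /^[ \t]*[}]/ { inrealm = 0; next }
    inrealm && /^[ \t]*kdc[ \t]*=/ { n++ }
    END { print n + 0 }' "$1"
}

# check_join_prereqs <smb.conf> <krb5.conf>: prints one line per finding and
# returns the number of findings (0 means every static check passed).
check_join_prereqs() {
  local smb="$1" krb="$2" n=0 realm default_realm kdcs
  realm=$(smb_param "$smb" realm | tr '[:lower:]' '[:upper:]')
  default_realm=$(krb5_default_realm "$krb")
  if [ -z "$realm" ] || [ "$realm" != "$default_realm" ]; then
    echo "FAIL realm: smb.conf says '$realm' but krb5.conf default_realm is '$default_realm' (the realm kinit already proved)"
    n=$((n + 1))
  fi
  if [ "$(smb_param "$smb" security | tr '[:upper:]' '[:lower:]')" != "ads" ]; then
    echo "FAIL security: must be 'ads' to join Active Directory"; n=$((n + 1))
  fi
  case "$(smb_param "$smb" 'password server')" in
    ''|'*') ;;   # unset or '*': Samba locates domain controllers itself
    *) echo "WARN password server: hard-coded; '*' lets Samba find a DC via DNS"; n=$((n + 1)) ;;
  esac
  if [ "$(smb_param "$smb" 'client use spnego' | tr '[:upper:]' '[:lower:]')" = "no" ]; then
    echo "FAIL client use spnego: 'no' disables the Kerberos negotiation an ADS join relies on"; n=$((n + 1))
  fi
  kdcs=$(krb5_kdc_count "$krb" "$default_realm")
  if [ "$kdcs" -gt 1 ]; then
    echo "WARN krb5.conf: $kdcs kdc entries for $default_realm; one is enough, and each must resolve"; n=$((n + 1))
  fi
  return "$n"
}

# Constructed sample files: the thread's settings (trimmed), then corrected copies.
WORKDIR=$(mktemp -d)
SMB_CONF_BAD="$WORKDIR/smb.conf.bad"; KRB5_CONF_BAD="$WORKDIR/krb5.conf.bad"
SMB_CONF_OK="$WORKDIR/smb.conf.ok";   KRB5_CONF_OK="$WORKDIR/krb5.conf.ok"
cat > "$SMB_CONF_BAD" <<'EOF'
[global]
   workgroup = BALADIA.LOCAL
;  password server = kmun.baladia.local
   password server = 172.16.2.227
   realm = KMUN.BALADIA.LOCAL
   security = ads
   client use spnego = no
EOF
cat > "$KRB5_CONF_BAD" <<'EOF'
[libdefaults]
 default_realm = BALADIA.LOCAL
[realms]
 BALADIA.LOCAL = {
  kdc = 172.16.2.227:88
  admin_server = 172.16.2.227:749
  kdc = KMUN
 }
EOF
# Corrected copies: realm = default_realm, password server = *, spnego on, one kdc.
sed -e 's/^\( *realm = \).*/\1BALADIA.LOCAL/' -e 's/^\( *password server = \).*/\1*/' \
    -e 's/\(client use spnego = \)no/\1yes/' "$SMB_CONF_BAD" > "$SMB_CONF_OK"
grep -v 'kdc = KMUN' "$KRB5_CONF_BAD" > "$KRB5_CONF_OK"

echo "== thread's config =="; check_join_prereqs "$SMB_CONF_BAD" "$KRB5_CONF_BAD" || echo "-> $? finding(s)"
echo "== corrected config =="; check_join_prereqs "$SMB_CONF_OK" "$KRB5_CONF_OK" && echo "-> no findings"
```

Run it as `bash check-join.sh`; to test real files, call `check_join_prereqs /etc/samba/smb.conf /etc/krb5.conf` instead of the constructed samples. A clean result only means the two files agree with each other; the network-side checks Rob lists (reaching the netlogon share, correct dnsHostName and servicePrincipalName on the computer object) still have to be done against the domain controller.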