Hi. HELP! I read:

:-) http://www.samba.org/samba/docs/man/domain-member.html#domain-member-server
    (Which notes, "This is a rough guide to setting up Samba-3 with Kerberos
    authentication against a Windows 200x KDC. A familiarity with Kerberos is
    assumed." Is there "A guide to familiarity with Kerberos as a primer for
    Samba configuration" somewhere?)
:-) This thread http://lists.samba.org/archive/samba/2003-October/000180.html
:-) http://lists.samba.org/archive/samba/2003-February/062065.html
:-) http://lists.samba.org/archive/samba/2003-July/070275.html
:-) http://lists.samba.org/archive/samba/2003-October/075166.html

Running RedHat Fedora Core 1.

:-( Don't have kinit (below)
:-( Don't have klist (below)
:-( net ads join fails with Cannot find KDC for requested realm (below)
:-| /etc/samba/smb.conf (below)
:-| /etc/krb5.conf (below)

TNX

[root@ImediaArchive root]# kinit
-bash: kinit: command not found
[root@ImediaArchive root]#
[root@ImediaArchive root]# klist
-bash: klist: command not found
[root@ImediaArchive root]#
[root@ImediaArchive root]# net ads join -U administrator%XXXXXXXXX
[2004/02/18 16:46:40, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password administrator@IMEDIA.EXAMPLE.COM failed: Cannot find KDC for requested realm
[root@ImediaArchive root]#
[root@ImediaArchive root]# rpm -qa | egrep samba
samba-3.0.0-15
redhat-config-samba-1.1.4-1
samba-swat-3.0.0-15
samba-common-3.0.0-15
samba-client-3.0.0-15
[root@ImediaArchive root]#
[root@ImediaArchive root]# rpm -qa | egrep krb
krb5-libs-1.3.1-6
krbafs-1.2.2-1
pam_krb5-2.0.4-1
[root@ImediaArchive root]#
[root@ImediaArchive root]# cat /etc/samba/smb.conf
# Samba config file created using SWAT
# from 10.1.1.42 (10.1.1.42)
# Date: 2004/02/16 17:31:51

# Global parameters
[global]
    workgroup = IMEDIA
    realm = IMEDIAMSFT.IMEDIA.EXAMPLE.COM
    server string = a work n progess
    security = ADS
    password server = imediamsft.imedia.example.com, imediaexch02.imedia.example.com
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = No
    local master = No
    dns proxy = No
    wins server = 10.1.1.42, 10.1.1.53
    ldap ssl = no

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

[test]
    comment = test
    path = /mnt/hde1
    valid users = test
    read list = test
    guest ok = Yes
    hosts allow = *

[software]
    comment = Software
    path = /mnt/hde1/Software
[root@ImediaArchive root]#
[root@ImediaArchive root]#
[root@ImediaArchive root]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = IMEDIA.EXAMPLE.COM.
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 IMEDIA.EXAMPLE.COM. = {
  kdc = IMEDIAMSFT.IMEDIA.EXAMPLE.COM.:88
  admin_server = IMEDIAMSFT.IMEDIA.EXAMPLE.COM:749
  default_domain = IMEDIA.EXAMPLE.COM
 }

[domain_realm]
 IMEDIAMSFT.IMEDIA.EXAMPLE.COM. = IMEDIA.EXAMPLE.COM.

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
[root@ImediaArchive root]#
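The KDC lookup that fails above can be reproduced offline against the posted krb5.conf. The following is an added example written for this page, not code from Samba, MIT Kerberos or anyone in the thread. It parses the [libdefaults] and [realms] keys from the posted file and performs the same exact-name realm lookup that MIT krb5 does (the realm string in [realms] must match the principal's realm literally, case and trailing dot included), then does the same for a constructed variant with the trailing dots removed. Two things it surfaces about the posted file: the realm is written as IMEDIA.EXAMPLE.COM. while the error message shows the principal's realm as IMEDIA.EXAMPLE.COM, and dns_lookup_kdc = false removes the _kerberos._udp SRV-record fallback that would otherwise locate a KDC when the profile has no entry.

```python
"""Resolve a KDC from krb5.conf the way MIT Kerberos does: by exact realm name.
Added example for this thread, not code from Samba, MIT Kerberos or any poster.
"""
import re

SECTION_RE = re.compile(r"^\[(\S+)\]$")
ASSIGN_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")

# KDC-relevant keys copied from the /etc/krb5.conf posted at the top of this
# thread (realm names and the kdc host carry a trailing dot as posted).
POSTED_KRB5_CONF = """\
[libdefaults]
 default_realm = IMEDIA.EXAMPLE.COM.
 dns_lookup_kdc = false

[realms]
 IMEDIA.EXAMPLE.COM. = {
  kdc = IMEDIAMSFT.IMEDIA.EXAMPLE.COM.:88
  admin_server = IMEDIAMSFT.IMEDIA.EXAMPLE.COM:749
 }
"""

# Constructed variant with the trailing dots removed, used only to show the
# same lookup succeeding; nobody in the thread confirmed it as the fix.
DOTLESS_KRB5_CONF = """\
[libdefaults]
 default_realm = IMEDIA.EXAMPLE.COM
 dns_lookup_kdc = false

[realms]
 IMEDIA.EXAMPLE.COM = {
  kdc = imediamsft.imedia.example.com:88
 }
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | [values] | {nested}}}.
    Repeated keys (several 'kdc =' lines) collect into a list."""
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m and not stack:
            section = conf.setdefault(m.group(1), {})
            continue
        if line == "}":
            stack.pop()                  # close innermost 'key = {' block
            continue
        m = ASSIGN_RE.match(line)
        if not m or section is None:
            raise ValueError("unparsable krb5.conf line: %r" % raw)
        key, value = m.group(1).strip(), m.group(2).strip()
        target = stack[-1] if stack else section
        if value == "{":
            child = {}
            target[key] = child
            stack.append(child)
        elif key in target:
            old = target[key]
            target[key] = old + [value] if isinstance(old, list) else [old, value]
        else:
            target[key] = value
    return conf


def kdcs_for_realm(conf, realm):
    """[realms] -> realm -> kdc, matched literally as MIT krb5 does: case and
    any trailing dot must agree, so 'X.COM' and 'X.COM.' are different realms."""
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict) or "kdc" not in entry:
        return []
    kdc = entry["kdc"]
    return kdc if isinstance(kdc, list) else [kdc]


def explain_kdc_lookup(conf, realm):
    """Findings behind 'Cannot find KDC for requested realm' for this realm."""
    kdcs = kdcs_for_realm(conf, realm)
    if kdcs:
        return ["realm %s -> kdc %s" % (realm, ", ".join(kdcs))]
    out = ["no [realms] entry with a kdc for %s" % realm]
    for name in conf.get("realms", {}):  # same name up to trailing dot / case?
        if name.rstrip(".").upper() == realm.rstrip(".").upper():
            out.append("near miss: [realms] has %r, lookup asked for %r" % (name, realm))
    lib = conf.get("libdefaults", {})
    if lib.get("default_realm") not in (None, realm):
        out.append("default_realm is %r, not %r" % (lib["default_realm"], realm))
    if lib.get("dns_lookup_kdc", "true").lower() not in ("true", "yes", "on", "1"):
        out.append("dns_lookup_kdc is off: no _kerberos._udp SRV fallback either")
    return out


if __name__ == "__main__":
    for label, text in (("posted", POSTED_KRB5_CONF), ("dotless", DOTLESS_KRB5_CONF)):
        for finding in explain_kdc_lookup(parse_krb5_conf(text), "IMEDIA.EXAMPLE.COM"):
            print("%s: %s" % (label, finding))
```

Run as a script it prints the findings for both files; the realm to query is the one shown in the net ads join error, IMEDIA.EXAMPLE.COM. The parser is deliberately minimal (no include directives, no ";" comments) because the point is the lookup rule, not full profile support.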
--> From: Michael Brown [mailto:sambalist@mikro-net.com]
--> Sent: Wednesday, February 18, 2004 7:50 PM
...
--> On Wed, 18 Feb 2004 18:38:44 -0500
--> "kaze" <kaze@voicenet.com> wrote:
--> > [root@ImediaArchive root]# kinit
--> > -bash: kinit: command not found
--> > [root@ImediaArchive root]#
--> > [root@ImediaArchive root]# klist
--> > -bash: klist: command not found
-->
--> You have to install kerberos first (either MIT or Heimdal); it
--> seems you don't
--> have it on your system.
--> You can find the source tarball for MIT Kerberos here:
-->
--> http://web.mit.edu/kerberos/dist/index.html
-->
--> Hope this helps.
-->
--> Michael Brown

Yeah! I feel farther along, but it still doesn't work. I installed the
krb5-workstation-1.3.1-6.i386.rpm and after re-reading
http://www.samba.org/samba/docs/man/domain-member.html#ads-member restored
/etc/krb5.conf to its original state.

[root@ImediaArchive root]#
[root@ImediaArchive root]# rpm -qa | egrep krb5
krb5-libs-1.3.1-6
pam_krb5-2.0.4-1
krb5-workstation-1.3.1-6
[root@ImediaArchive root]#
[root@ImediaArchive root]# kinit
-bash: kinit: command not found
[root@ImediaArchive root]#
[root@ImediaArchive root]# ls -laF /usr/local/bin
total 8
drwxr-xr-x    2 root     root         4096 Oct  7 07:16 ./
drwxr-xr-x   11 root     root         4096 Feb 11 11:33 ../
[root@ImediaArchive root]#

/usr/local/bin is where the "Installing and Configuring UNIX Client Machines" section of
http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1/doc/krb5-install.html says kinit and the rest will be.
Is there some other package I need to install or some script to run? Of course "net ads join ..." still
returns "failed: Cannot find KDC for requested realm". What to do?

- kaze
--> From: Gary Hostetler [mailto:whostet@nccvt.k12.de.us]
--> Sent: Thursday, February 19, 2004 6:06 AM
--> To: kaze
--> Subject: RE: [Samba] net ads join / kinit /.conf syntax
-->
-->
--> I'd be happy if my net command worked. It tells me unknown
--> command. Where do
--> I find "net".
--> thanks
--> Gary

Install samba-client-3.0.0-15
--> From: Michael Brown [mailto:sambalist@mikro-net.com]
--> Sent: Thursday, February 19, 2004 2:50 AM
...
--> Eliminate your krb5 rpm installation.
--> Download the MIT krb5 source tarball from here:
--> http://web.mit.edu/kerberos/dist/krb5/1.3/krb5-1.3.1.tar
-->
--> Extract the tarball/signature:
--> $ tar xvf krb5-1.3.1.tar
--> krb5-1.3.1.tar.gz.asc
--> krb5-1.3.1.tar.gz
-->
--> Check the sig however you want (this assumes OpenSSL):
--> $ openssl md5 krb5-1.3.1.tar.gz.asc
--> MD5(krb5-1.3.1.tar.gz.asc)= 06905cdf473cd677e1eabc3bebe9c506
-->
--> This better be the sig!

Yup.

--> $ tar xvfz krb5-1.3.1.tar.gz
--> $ cd krb5-1.3.1
--> $ ./configure --prefix=/usr

The path I got was /root/krb5-1.3.1/src/configure, but no matter. In order to get that script working I installed:

glibc-kernheaders-2.4-8.36.i386.rpm
glibc-headers-2.3.2-101.i386.rpm
glibc-devel-2.3.2-101.i386.rpm
cpp-3.3.2-1.i386.rpm
binutils-2.14.90.0.6-3.i386.rpm
gcc-3.3.2-1.i386.rpm

It appeared to run without errors.

--> $ make && make install

This got some errors and complained about missing some things.

--> kinit & klist should now be found under /usr/

Still no kinit, and "net ads join ..." returns "failed: Cannot find KDC for requested realm." Interestingly:

[root@ImediaArchive root]# locate kinit
/usr/share/doc/krb5-workstation-1.3.1/kinit.html
/usr/share/man/man8/mkinitrd.8.gz
/usr/share/ghostscript/7.07/vflib/kinit.ps
/usr/kerberos/bin/kinit
/usr/kerberos/man/man1/kinit.1.gz
/sbin/mkinitrd
[root@ImediaArchive root]# cd /usr/kerberos/bin
-bash: cd: /usr/kerberos/bin: No such file or directory
[root@ImediaArchive root]# kinit
-bash: kinit: command not found
[root@ImediaArchive root]#

http://www.samba.org/samba/docs/man/domain-member.html#ads-member under "Possible Errors" details:

  ADS support not compiled in
    Samba must be reconfigured (remove config.cache) and recompiled (make clean all install)
    after the Kerberos libraries and headers files are installed.

"rpm -e"-ed all of Samba, then installed, and then configured via SWAT again.

[root@ImediaArchive root]# net ads join -U Administrator
Administrator password:
[2004/02/20 00:52:01, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password Administrator@IMEDIA.EXAMPLE.COM failed: Cannot find KDC for requested realm
[root@ImediaArchive root]#

--> Good luck!
-->
--> Michael Brown

D'oh

- kaze
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 20 Feb 2004 01:04:24 -0500
"kaze" <kaze@voicenet.com> wrote:

> The path I got was /root/krb5-1.3.1/src/configure, but no matter. In order to

Sorry, I should have said ->

# cd krb5-1.3.1/src
# configure --prefix=/usr
# make & make install
# ls /usr/bin/kinit
kinit

It would be prudent to then install a recent version of cyrus-sasl to ensure a gss-api layer for auth when trying against ms-ad.

Hope this helps.

Michael Brown
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFANasKyEfMczxaHdsRAq83AJ0Zb/kIyT6qtBFZ3paj0ye0dFlVcQCfQtJO
GTlwevAYeBgvsxKa7qIIyxk=W8qg
-----END PGP SIGNATURE-----
--> Behalf Of Michael Brown
--> Sent: Friday, February 20, 2004 1:37 AM
--> > The path I got was /root/krb5-1.3.1/src/configure, but no
--> > matter. In order to
-->
--> Sorry, I should have said ->
--> # cd krb5-1.3.1/src
--> # configure --prefix=/usr
--> # make & make install
--> # ls /usr/bin/kinit
--> kinit

Ran the "configure --prefix=/usr" again (as I'd removed and reinstalled all the Samba packages) just to make
sure, and it worked fine. The "make & make install" worked much better with this syntax. Still no kinit though!
And the "net ads join" still fails the same way, although I tried many variations on it. At one point a new
domain showed up in the Windows Network Neighborhood, but with no computers in it; a tweak/correction of
"/etc/smb.conf" fixed that. "testparm" doesn't seem to find any errors with "/etc/smb.conf". I tried with the
default 'example' "/etc/krb5.conf" and also with one with my specific settings. Based on the error message it
would seem that my Kerberos client is not working, right?

[root@ImediaArchive root]# ls /usr/bin/kinit
ls: /usr/bin/kinit: No such file or directory
[root@ImediaArchive root]# cd /usr/bin
[root@ImediaArchive bin]# ls k*
kban  kbdrate  kermit  kill  killall  krb524init  ktest
[root@ImediaArchive bin]# locate kinit
/root/krb5-1.3.1/doc/kinit.html
/root/krb5-1.3.1/src/clients/kinit
/root/krb5-1.3.1/src/clients/kinit/Makefile.in
/root/krb5-1.3.1/src/clients/kinit/ChangeLog
/root/krb5-1.3.1/src/clients/kinit/kinit.M
/root/krb5-1.3.1/src/clients/kinit/kinit.c
/root/krb5-1.3.1/src/clients/kinit/Makefile
/root/krb5-1.3.1/src/clients/kinit/TV
/usr/share/man/man8/mkinitrd.8.gz
/usr/share/ghostscript/7.07/vflib/kinit.ps
/sbin/mkinitrd
[root@ImediaArchive bin]# cd
[root@ImediaArchive root]# net ads join -U adminzas
adminzas password:
[2004/02/21 11:21:45, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password adminzas@IMEDIA.EXAMPLE.COM failed: Cannot find KDC for requested realm
[root@ImediaArchive root]#
[root@ImediaArchive root]# ping imediamsft
PING imediamsft.imedia.example.com (10.1.1.42) 56(84) bytes of data.
64 bytes from imediamsft.imedia.example.com (10.1.1.42): icmp_seq=0 ttl=128 time=0.162 ms
64 bytes from imediamsft.imedia.example.com (10.1.1.42): icmp_seq=1 ttl=128 time=0.200 ms
64 bytes from imediamsft.imedia.example.com (10.1.1.42): icmp_seq=2 ttl=128 time=0.199 ms

--- imediamsft.imedia.example.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.162/0.187/0.200/0.017 ms, pipe 2
[root@ImediaArchive root]#

"/etc/krb5.conf" specifies imediamsft.imedia.example.com as the KDC, and this machine can see it, and
actually has for its DNS1 and DNS2 the two AD integrated LAN DNS servers. The machine ImediaArchive shows up
in the Windows Network Neighborhood as a domain/workgroup member (due to the "/etc/smb.conf" file?) but when
clicked on gets an error I guess is due to it not having a machine account in AD.

Why doesn't the kerberos-workstation rpm work?

Do I need a "/etc/krb5.conf" if using the MIT Kerberos client? I do have valid looking DNS records for the
Microsoft Kerberos servers.

Do I need to compile or 'make' something in the "/root/krb5-1.3.1/src/clients/kinit" directory to get the
"kinit" command?

--> It would be prudent to then install a recent version of
--> cyrus-sasl to ensure a
--> gss-api layer for auth when trying against ms-ad.

Hopefully I will move forward enough to get to this stuff later...

--> Hope this helps.
-->
--> Michael Brown
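The thread's other recurring symptom, kinit reported as "command not found" while an earlier locate listed /usr/kerberos/bin/kinit from the krb5-workstation rpm, is a different failure mode from the binary being absent: a shell only finds what sits in a PATH directory. The following added example (not the posters' code and not part of any distribution or of MIT Kerberos) tells the two cases apart. The candidate directory list is an assumption drawn from the thread itself: the rpm location in the locate output, the --prefix=/usr build Michael Brown describes, and the /usr/local/bin default the MIT install guide mentions. The fake install tree it builds is a constructed fixture so the check runs offline.

```python
"""Distinguish "not installed" from "installed but not on PATH".
Added example for this thread; not the posters' code or any distribution's tooling.
"""
import os
import shutil
import tempfile

# Where Kerberos client tools landed in this thread, in the order a
# troubleshooter would check them (assumed list; extend as needed):
# the krb5-workstation rpm location seen in 'locate kinit', the
# --prefix=/usr source build, and the MIT default prefix.
CANDIDATE_DIRS = ("/usr/kerberos/bin", "/usr/bin", "/usr/local/bin")


def diagnose_command(name, path_env, candidate_dirs=CANDIDATE_DIRS):
    """Return (status, location) for an executable called `name`.

    status is one of:
      'on_path'       found through PATH; location is the resolved file
      'off_path'      executable exists in a candidate dir that PATH lacks
      'not_installed' nothing executable by that name anywhere checked
    """
    found = shutil.which(name, path=path_env)
    if found:
        return "on_path", found
    for d in candidate_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return "off_path", candidate
    return "not_installed", None


def advice(status, location, name):
    """Turn a diagnosis into the next step a troubleshooter would take."""
    if status == "on_path":
        return "%s is on PATH at %s; run it directly" % (name, location)
    if status == "off_path":
        return ("%s is installed at %s but %s is not on PATH; add it or call it "
                "by full path" % (name, location, os.path.dirname(location)))
    return "%s is not installed in PATH or any checked directory" % name


def make_fake_install(name="kinit"):
    """Constructed fixture: <tmp>/kerberos/bin/<name> as a small executable
    shell script. Returns (tmp_root, bin_dir); caller may remove tmp_root."""
    root = tempfile.mkdtemp(prefix="krbdiag-")
    bin_dir = os.path.join(root, "kerberos", "bin")
    os.makedirs(bin_dir)
    target = os.path.join(bin_dir, name)
    with open(target, "w") as f:
        f.write("#!/bin/sh\necho fake %s\n" % name)
    os.chmod(target, 0o755)
    return root, bin_dir


if __name__ == "__main__":
    # Real check against this host's PATH and the assumed candidate dirs.
    status, where = diagnose_command("kinit", os.environ.get("PATH", ""))
    print(advice(status, where, "kinit"))
    # Same check against the constructed tree: shows the 'off_path' case.
    root, bin_dir = make_fake_install()
    status, where = diagnose_command("kinit", "/nonexistent-dir", (bin_dir,))
    print(advice(status, where, "kinit"))
    shutil.rmtree(root)
```

The distinction matters for the troubleshooting order in the thread: an 'off_path' result means the rpm did its job and the fix is a PATH or login-shell problem, while 'not_installed' points back at the package or the source build.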