Hi Everybody,
We are integrating samba, kerberos and ldap:
samba-3.0.2a
sun kerberos
sun ldap
All three servers are on three different solaris machines.
We were able to successfully integrate samba and ldap, and it works fine. When
trying to bring in kerberos support, we changed the samba configuration file as
follows:
interfaces = 131.183.20.96
bind interfaces only = true
workgroup = SAMBA_200X
server string = ECC Samba3.02a Secure Server
# adding kerberos security ADS
security = ADS
realm = ENG.UTOLEDO.EDU
password server = kerbere.eng.utoledo.edu
# ldap parameters
ldap admin dn = "cn=mgradmin"
ldap ssl = no
passdb backend = ldapsam:ldaps://sunldap.eng.utoledo.edu:389
ldap suffix = dc=eng,dc=utoledo,dc=edu
ldap user suffix = ou=People
ldap machine suffix = ou=machines
ldap group suffix = ou=Group
ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))"
ldap delete dn = no
hosts allow = 131.183.16. 131.183.17. 131.183.18. 131.183.19. \
    131.183.20. 131.183.21. 131.183.22. 131.183.22. \
    131.183.23. \
    131.183.117. 127.0.0.1
deadtime = 0 # idle time out
getwd cache = yes
create mode = 0600
log file = /servers/sambatest/%v/var/logs/%m
max log size = 1000 # KB
utmp = true
utmp directory = /var/adm/
wtmp directory = /var/adm/
lock directory = /servers/sambatest/%v/var/locks/
pid directory = /servers/sambatest/%v/var/
encrypt passwords = yes
# enforcing case sensitivity
username = 0
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY
........................................
I am able to obtain a kerberos ticket for a user who has administrative rights on
the samba server, and when I use
net ads join -U administrator@REALM -d10
it tries to obtain ldap information, but it looks into the kerberos server on
port 389 and fails with no error.
The debug information is as follows:
[2004/03/18 17:15:46, 6] libads/ldap.c:ads_find_dc(147)
ads_find_dc: looking for realm 'ENG.UTOLEDO.EDU'
[2004/03/18 17:15:46, 8] libsmb/namequery.c:get_sorted_dc_list(1240)
get_sorted_dc_list: attempting lookup using [ads]
[2004/03/18 17:15:46, 10] libsmb/namequery.c:internal_resolve_name(1006)
internal_resolve_name: looking up kerby.eng.utoledo.edu#20
[2004/03/18 17:15:46, 5] lib/gencache.c:gencache_init(59)
Opening cache file at /servers/sambatest/3.0.2a/var/locks//gencache.tdb
[2004/03/18 17:15:46, 10] lib/gencache.c:gencache_get(264)
Returning valid cache entry: key = NBT/KERBY.ENG.UTOLEDO.EDU#20, value =
131.183.18.105:0, timeout = Thu Mar 18 17:25:28 2004
[2004/03/18 17:15:46, 5] libsmb/namecache.c:namecache_fetch(201)
name kerby.eng.utoledo.edu#20 found.
[2004/03/18 17:15:46, 10] libsmb/namequery.c:remove_duplicate_addrs2(312)
remove_duplicate_addrs2: looking for duplicate address/port pairs
[2004/03/18 17:15:46, 4] libsmb/namequery.c:get_dc_list(1389)
get_dc_list: returning 1 ip addresses in an ordered list
[2004/03/18 17:15:46, 4] libsmb/namequery.c:get_dc_list(1390)
get_dc_list: 131.183.18.105:389
[2004/03/18 17:15:46, 5] libads/ldap.c:ads_try_connect(56)
ads_try_connect: trying ldap server '131.183.18.105' port 389
[2004/03/18 17:15:46, 10] libsmb/conncache.c:add_failed_connection_entry(132)
add_failed_connection_entry: added domain ENG.UTOLEDO.EDU (131.183.18.105) to
failed conn cache
[2004/03/18 17:15:46, 1] utils/net_ads.c:ads_startup(181)
ads_connect: Transport endpoint is not connected
[2004/03/18 17:15:46, 2] utils/net.c:main(767)
return code = -1
Can someone help me in proceeding with the kerberos?
Thanks in advance,
eccsamba
Do you Yahoo!?
Yahoo! Mail - More reliable, more storage, less spam
Hi,
In the configuration file which has been posted, the password server is
mentioned as kerbere.eng.utoledo.edu. It is an old configuration file. In the
new one the server name is changed to kerby.eng.utoledo.edu; otherwise
everything remains the same. We don't use ADS, but we need the samba and ldap
to be authenticated with kerberos. Any suggestions appreciated.
Thanks in advance,
aarumugam
On Fri, 2004-03-19 at 09:19, aarumuga arumugam wrote:
> Hi Everybody,
> We are integrating samba, kerberos and ldap
> samba-3.0.2a
> sun kerberos
> sun ldap
> all the three servers are on three different solaris machines.

In an unfortunate twist, Samba's kerberos support is *only* available against active directory. Even if you have somehow convinced your windows client to talk kerberos against a unix KDC, Samba will only join AD. There is work being done to remove this silly restriction, but my understanding is that it wasn't finished (I think other issues caught jra's attention).

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
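As an added example (not code from this thread or from the Samba project), the Python script below reads an smb.conf in the style posted above together with the `net ads join -d10` debug output, and reports the two points the thread turns on: `security = ADS` makes `net ads join` look for an Active Directory domain controller rather than a plain Kerberos KDC, as Andrew Bartlett explains, and the posted LDAP transport settings contradict each other (`ldap ssl = no` beside an `ldaps://` URI on 389, the plaintext LDAP port, where ldaps conventionally listens on 636). The sample config and log lines are constructed from the values posted in the thread; the function names, the finding texts and the simplified smb.conf parsing (values are taken verbatim after `=`, continuation lines joined) are this example's own.

```python
"""Added example: lint the Samba 3 settings discussed in the thread and
summarize the 'net ads join -d10' debug output. Not Samba project code."""
import re
from urllib.parse import urlparse

# Constructed sample, modeled on the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
security = ADS
realm = ENG.UTOLEDO.EDU
password server = kerby.eng.utoledo.edu
# ldap parameters
ldap admin dn = "cn=mgradmin"
ldap ssl = no
passdb backend = ldapsam:ldaps://sunldap.eng.utoledo.edu:389
ldap suffix = dc=eng,dc=utoledo,dc=edu
hosts allow = 131.183.16. 131.183.17. 131.183.18. \\
    131.183.20. 127.0.0.1
encrypt passwords = yes
"""

# Constructed sample: the decisive lines of the debug output posted in the thread.
SAMPLE_JOIN_LOG = """\
[2004/03/18 17:15:46, 6] libads/ldap.c:ads_find_dc(147)
ads_find_dc: looking for realm 'ENG.UTOLEDO.EDU'
[2004/03/18 17:15:46, 4] libsmb/namequery.c:get_dc_list(1390)
get_dc_list: 131.183.18.105:389
[2004/03/18 17:15:46, 5] libads/ldap.c:ads_try_connect(56)
ads_try_connect: trying ldap server '131.183.18.105' port 389
[2004/03/18 17:15:46, 1] utils/net_ads.c:ads_startup(181)
ads_connect: Transport endpoint is not connected
"""


def parse_smb_conf(text):
    """Return {parameter: value} for an smb.conf-style text.

    Simplified parser: backslash continuations are joined, '#'/';' lines are
    skipped, section headers are ignored and everything after '=' is kept
    verbatim (smb.conf has no inline comments, so '1000 # KB' is one value).
    """
    logical, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        logical.append(line)
    params = {}
    for line in logical:
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def check_config(params):
    """Return a list of findings for the settings this thread is about."""
    findings = []
    if params.get("security", "").lower() == "ads":
        findings.append("security = ADS: 'net ads join' expects an Active Directory "
                        "domain controller (LDAP on the KDC host), not a plain Kerberos KDC")
    m = re.match(r"ldapsam:(\S+)", params.get("passdb backend", ""))
    if m:
        url = urlparse(m.group(1))
        ssl_off = params.get("ldap ssl", "").lower() in ("no", "off")
        if url.scheme == "ldaps" and url.port == 389:
            findings.append("passdb backend uses ldaps:// on port 389 (plaintext LDAP port); "
                            "ldaps conventionally listens on 636")
        if url.scheme == "ldaps" and ssl_off:
            findings.append("ldap ssl = no contradicts the ldaps:// backend URI; "
                            "decide whether the admin-dn bind is meant to be encrypted")
        if url.scheme == "ldap" and ssl_off:
            findings.append("ldap admin dn bind will travel in cleartext")
    return findings


def summarize_join_log(log_text):
    """Extract realm, the LDAP server/port Samba tried and the final error."""
    summary = {"realm": None, "server": None, "port": None, "error": None}
    for line in log_text.splitlines():
        m = re.search(r"ads_find_dc: looking for realm '([^']+)'", line)
        if m:
            summary["realm"] = m.group(1)
        m = re.search(r"ads_try_connect: trying ldap server '([^']+)' port (\d+)", line)
        if m:
            summary["server"], summary["port"] = m.group(1), int(m.group(2))
        m = re.search(r"ads_connect: (.+)$", line)
        if m:
            summary["error"] = m.group(1).strip()
    return summary


if __name__ == "__main__":
    for finding in check_config(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("finding:", finding)
    print("join attempt:", summarize_join_log(SAMPLE_JOIN_LOG))
```

Run against the posted values, the log summary shows the join went to the address cached for the `password server` name on port 389, i.e. Samba treated the Kerberos host as if it were an AD domain controller offering LDAP, which is exactly the restriction the reply describes.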