Hi Everybody,

We are integrating samba, kerberos and ldap:

  samba-3.0.2a
  sun kerberos
  sun ldap

All the three servers are on three different solaris machines. We were able to successfully integrate samba and ldap and it works fine. When trying to bring in kerberos support, we changed the samba configuration file as follows:

  interfaces = 131.183.20.96
  bind interfaces only = true
  workgroup = SAMBA_200X
  server string = ECC Samba3.02a Secure Server

  # adding kerberos security ADS
  security = ADS
  realm = ENG.UTOLEDO.EDU
  password server = kerbere.eng.utoledo.edu

  # ldap parameters
  ldap admin dn = "cn=mgradmin"
  ldap ssl = no
  passdb backend = ldapsam:ldaps://sunldap.eng.utoledo.edu:389
  ldap suffix = dc=eng,dc=utoledo,dc=edu
  ldap user suffix = ou=People
  ldap machine suffix = ou=machines
  ldap group suffix = ou=Group
  ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))"
  ldap delete dn = no

  hosts allow = 131.183.16. 131.183.17. 131.183.18. 131.183.19. \
                131.183.20. 131.183.21. 131.183.22. 131.183.22. \
                131.183.23. \
                131.183.117. 127.0.0.1
  deadtime = 0
  # idle time out
  getwd cache = yes
  create mode = 0600
  log file = /servers/sambatest/%v/var/logs/%m
  max log size = 1000
  # KB
  utmp = true
  utmp directory = /var/adm/
  wtmp directory = /var/adm/
  lock directory = /servers/sambatest/%v/var/locks/
  pid directory = /servers/sambatest/%v/var/
  encrypt passwords = yes
  # enforcing case sensitivity
  username = 0
  # See speed.txt and the manual pages for details
  socket options = TCP_NODELAY
  ........................................

I am able to obtain a kerberos ticket for a user who has administrative rights on the samba server, and when I use

  net ads join -U administrator@REALM -d10

it tries to obtain ldap information, but it looks into the kerberos server on port 389 and fails with no error. The debug information is as follows.
  [2004/03/18 17:15:46, 6] libads/ldap.c:ads_find_dc(147)
    ads_find_dc: looking for realm 'ENG.UTOLEDO.EDU'
  [2004/03/18 17:15:46, 8] libsmb/namequery.c:get_sorted_dc_list(1240)
    get_sorted_dc_list: attempting lookup using [ads]
  [2004/03/18 17:15:46, 10] libsmb/namequery.c:internal_resolve_name(1006)
    internal_resolve_name: looking up kerby.eng.utoledo.edu#20
  [2004/03/18 17:15:46, 5] lib/gencache.c:gencache_init(59)
    Opening cache file at /servers/sambatest/3.0.2a/var/locks//gencache.tdb
  [2004/03/18 17:15:46, 10] lib/gencache.c:gencache_get(264)
    Returning valid cache entry: key = NBT/KERBY.ENG.UTOLEDO.EDU#20, value = 131.183.18.105:0, timeout = Thu Mar 18 17:25:28 2004
  [2004/03/18 17:15:46, 5] libsmb/namecache.c:namecache_fetch(201)
    name kerby.eng.utoledo.edu#20 found.
  [2004/03/18 17:15:46, 10] libsmb/namequery.c:remove_duplicate_addrs2(312)
    remove_duplicate_addrs2: looking for duplicate address/port pairs
  [2004/03/18 17:15:46, 4] libsmb/namequery.c:get_dc_list(1389)
    get_dc_list: returning 1 ip addresses in an ordered list
  [2004/03/18 17:15:46, 4] libsmb/namequery.c:get_dc_list(1390)
    get_dc_list: 131.183.18.105:389
  [2004/03/18 17:15:46, 5] libads/ldap.c:ads_try_connect(56)
    ads_try_connect: trying ldap server '131.183.18.105' port 389
  [2004/03/18 17:15:46, 10] libsmb/conncache.c:add_failed_connection_entry(132)
    add_failed_connection_entry: added domain ENG.UTOLEDO.EDU (131.183.18.105) to failed conn cache
  [2004/03/18 17:15:46, 1] utils/net_ads.c:ads_startup(181)
    ads_connect: Transport endpoint is not connected
  [2004/03/18 17:15:46, 2] utils/net.c:main(767)
    return code = -1

Can someone help me in proceeding with kerberos?

Thanks in advance,
eccsamba
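A reviewer-side check for the two artifacts in this post, written here as an added example (it is not code from the poster or from Samba). It parses the smb.conf fragment into a dictionary, flags the settings a practitioner would question before blaming Kerberos (an ldaps:// URI on the cleartext port 389 next to ldap ssl = no, the duplicated 131.183.22. entry in hosts allow, and security = ADS pointed at a Unix KDC rather than an Active Directory controller, which the reply later in the thread names as the real problem), and pairs the two-line Samba debug records into a structure from which the failing connection attempt is pulled out. Assumptions: the fragment is wrapped in a [global] header the post omits, hosts allow is trimmed to a few networks, and the debug output is laid out as Samba prints it (header line, then indented message).

```python
import re
from urllib.parse import urlsplit

# smb.conf fragment from the post, wrapped in [global] (assumed) and with
# hosts allow trimmed to a few networks; the backslash continuation is kept.
SMB_CONF = r"""
[global]
  security = ADS
  realm = ENG.UTOLEDO.EDU
  password server = kerby.eng.utoledo.edu
  ldap admin dn = "cn=mgradmin"
  ldap ssl = no
  passdb backend = ldapsam:ldaps://sunldap.eng.utoledo.edu:389
  ldap suffix = dc=eng,dc=utoledo,dc=edu
  hosts allow = 131.183.16. 131.183.17. 131.183.22. 131.183.22. \
                131.183.23. 127.0.0.1
  encrypt passwords = yes
"""

# Tail of the posted `net ads join -d10` output in Samba's own layout:
# a "[timestamp, level] file:function(line)" header, then the message.
DEBUG_LOG = """\
[2004/03/18 17:15:46, 4] libsmb/namequery.c:get_dc_list(1390)
  get_dc_list: 131.183.18.105:389
[2004/03/18 17:15:46, 5] libads/ldap.c:ads_try_connect(56)
  ads_try_connect: trying ldap server '131.183.18.105' port 389
[2004/03/18 17:15:46, 10] libsmb/conncache.c:add_failed_connection_entry(132)
  add_failed_connection_entry: added domain ENG.UTOLEDO.EDU (131.183.18.105) to failed conn cache
[2004/03/18 17:15:46, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Transport endpoint is not connected
[2004/03/18 17:15:46, 2] utils/net.c:main(767)
  return code = -1
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}.  Keys are lower-cased and space-normalised,
    values unquoted, '#'/';' comment lines skipped, trailing-backslash lines joined."""
    sections, current, pending = {}, "global", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):              # Samba continuation line
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        sections.setdefault(current, {})[key] = value.strip().strip('"')
    return sections


def lint_global(g):
    """Return a list of human-readable findings for the [global] section."""
    findings = []
    if g.get("security", "").lower() == "ads":
        findings.append("security = ADS: Samba 3.0 only joins Active Directory; a plain Unix KDC at "
                        f"'{g.get('password server', '?')}' cannot act as the domain controller")
    backend = g.get("passdb backend", "")
    if backend.startswith("ldapsam:"):
        url = urlsplit(backend.split(":", 1)[1])
        if url.scheme == "ldaps" and url.port == 389:
            findings.append("ldaps:// URI on port 389: 389 is the cleartext LDAP port, TLS normally listens on 636")
        if url.scheme == "ldaps" and g.get("ldap ssl", "").lower() == "no":
            findings.append("ldaps:// URI together with 'ldap ssl = no': the encryption intent is ambiguous")
    allowed = g.get("hosts allow", "").split()
    dups = sorted({a for a in allowed if allowed.count(a) > 1})
    if dups:
        findings.append("hosts allow lists duplicates: " + ", ".join(dups))
    return findings


LOG_HDR = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+?):(\w+)\((\d+)\)")


def parse_debug_log(text):
    """Pair each Samba debug header with the message line that follows it."""
    records, header = [], None
    for line in text.splitlines():
        m = LOG_HDR.match(line)
        if m:
            header = m.groups()
        elif header:
            ts, level, src, func, lineno = header
            records.append({"ts": ts, "level": int(level), "file": src,
                            "func": func, "line": int(lineno), "msg": line.strip()})
            header = None
    return records


def triage(records):
    """Summarise the join attempt: servers tried, cached failures, first level<=1 error."""
    tried = [r["msg"] for r in records if r["func"] == "ads_try_connect"]
    failed = [r["msg"] for r in records if "failed conn cache" in r["msg"]]
    errors = [r["msg"] for r in records if r["level"] <= 1]
    return {"tried": tried, "failed": failed, "error": errors[0] if errors else None}


if __name__ == "__main__":
    for finding in lint_global(parse_smb_conf(SMB_CONF)["global"]):
        print("smb.conf:", finding)
    print(triage(parse_debug_log(DEBUG_LOG)))
```

Run as a script it prints the four configuration findings and a summary showing that the only server tried was 131.183.18.105:389 (the Kerberos host resolved through the NetBIOS name cache, not an LDAP directory), that it was recorded in the failed-connection cache, and that the level-1 error is the "Transport endpoint is not connected" line; that is the evidence Andrew Bartlett's reply explains.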
Hi,

In the configuration file which has been posted, the password server is mentioned as kerbere.eng.utoledo.edu. It is an old configuration file. In the new one the server name is changed to kerby.eng.utoledo.edu; otherwise everything remains the same.

We don't use ADS, but we need samba and ldap to be authenticated with kerberos.

Any suggestions appreciated.

Thanks in advance,
aarumugam

aarumuga arumugam <eccsamba@yahoo.com> wrote:
> Hi Everybody,
> We are integrating samba, kerberos and ldap
> samba-3.0.2a
> sun kerberos
> sun ldap
> all the three servers are on three different solaris machines.
> [...]
On Fri, 2004-03-19 at 09:19, aarumuga arumugam wrote:
> Hi Everybody,
> We are integrating samba,kerberos and ldap
> samba-3.0.2a
> sun kerberos
> sun ldap
> all the three servers are on three different solaris machines.

In an unfortunate twist, Samba's kerberos support is *only* available against Active Directory. Even if you have somehow convinced your Windows client to talk kerberos against a unix KDC, Samba will only join AD.

There is work being done to remove this silly restriction, but my understanding is that it wasn't finished (I think other issues caught jra's attention).

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net