I have also got this configuration working with w2k; the problem is related
to the enc-types used by w2k3.
I have seen a lot of people complaining about the same issue. Can the Samba
gurus help the community? What is the right configuration to get a Samba
3.0.x working as an Active Directory 2003 member and be accessible through
\\<samba name>\<share name>?
Please, Jerry Carter, Andrew Bartlett and others, give us some light...
-----Original Message-----
From: samba-bounces+ecarvalho=bmf.com.br@lists.samba.org
[mailto:samba-bounces+ecarvalho=bmf.com.br@lists.samba.org] On behalf of
Christoph Scheeder
Sent: Wednesday, 9 June 2004 11:05
To: Benoit Moeremans
Cc: samba@lists.samba.org
Subject: Re: [Samba] authentification in ads2003
Hi,
I got that working on woody, but against a Win2000 ADS.
How?
- fetched the latest source of MIT Kerberos from the MIT server
and installed it in /usr/local, as the version coming with woody
is too old; it does not support the needed enc-types.
- fetched samba-3.0.5-pre2 from svn and compiled it against the Kerberos
in /usr/local, and installed it.
- deleted all old databases of Samba
- deleted the Samba server from the ADS and rejoined it.
I found for me that in nsswitch.conf the lines
passwd: compat winbind
group: compat winbind
will not work; replace "compat" with "files".
This way you should be able to get it working, but no guarantee.
Christoph
Benoit Moeremans wrote:
> Hello,
> *This msg was already sent yesterday on this ML, but I found some
> faults in the mail.*
>
> **If anyone can help me... the only thing I'm thinking now is to throw
> away the servers**
>
>
> I installed Samba 3.0.4 + Kerberos 5 + winbind to make the Debian woody
> server join the Active Directory service.
>
> Everything seems to be OK, except the authentication. If I try to go to
> the share of the Linux server from a Windows box, it asks me for the password.
> And of course, no way to log in.
>
> Here is the config:
>
> *nsswitch.conf*
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
>
>
> *samba*
>
> [global]
>
>
> workgroup = TEST
> realm = CAR.BE.TEST.COM.LOCAL
> server string = %h server (Samba %v)
> ; wins support = no
> ; wins server = w.x.y.z
> dns proxy = no
> ; name resolve order = lmhosts host wins bcast
> use spnego = yes
> log file = /var/log/samba/log.%m
> max log size = 1000
> ; syslog only = no
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
>
> # separate domain and username with '+', like DOMAIN+username
> winbind separator = +
> # use uids from 10000 to 20000 for domain users
> idmap uid = 10000-20000
> # use gids from 10000 to 20000 for domain groups
> idmap gid = 10000-20000
> # allow enumeration of winbind users and groups
> winbind enum users = yes
> winbind enum groups = yes
>
> security = ADS
> encrypt passwords = yes
> passdb backend = tdbsam guest
> obey pam restrictions = yes
> password server = car-pdc
> netbios name = rantanplan
> ; guest account = nobody
> invalid users = root
> ; unix password sync = no
> ; passwd program = /usr/bin/passwd %u
> # passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> ; pam password change = no
> ; load printers = yes
> ; preserve case = yes
> ; short preserve case = yes
> ; include = /home/samba/etc/smb.conf.%m
> # SO_RCVBUF=8192 SO_SNDBUF=8192
> socket options = TCP_NODELAY
> ; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
>
> ; domain master = auto
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> ; template shell = /bin/bash
> [admin]
> comment = Administration Directory
> path = /home/benoit
> admin users = TEST+bmo
> browseable = yes
> public = no
> writable = yes
> guest only = no
> valid users = TEST+bmo
>
> *kerberos*
> [libdefaults]
> default_realm = CAR.BE.TEST.COM
>
> [realms]
> CAR.BE.TEST.COM = {
> kdc = car-pdc.car.be.test.com
> default_domain = car.be.test.com
> }
> #[domain_realms]
> #.kerberos.server=CAR.BE.TEST.COM
>
> # The following krb5.conf variables are only for MIT Kerberos.
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
>
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
>
>
> [login]
> krb4_convert = true
> krb4_get_tickets = true
>
>
> *winbind* (logs)
>
> [2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> Added domain CAR CAR.BE.TEST.COM.LOCAL S-0-0
> [2004/06/07 13:38:57, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
> krb5_cc_get_principal failed (No credentials cache found)
> [2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> Added domain BUILTIN S-1-5-32
> [2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> Added domain RANTANPLAN S-1-5-21-837388855-3362161430-1770541169
>
> I also found some trace in log.smbd:
>
> smbd version 3.0.4 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2004
> [2004/06/09 10:29:16, 0] lib/util_sock.c:get_peer_addr(978)
> getpeername failed. Error was Transport endpoint is not connected
> [2004/06/09 10:34:28, 0] smbd/server.c:main(757)
>
>
> All commands like kinit, net ads join, wbinfo -u (-g), getent etc. work.
> From the Linux server, no problem to go to the shares of the domain
> controller (which is a Windows 2003 server).
> Do I have to make the keytab for Kerberos by myself for each Samba
> server, or does it create itself with the "net ads join" cmd?
>
> Any help would be welcome.
> Regards,
>
> Benoit
>
>
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
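A check a practitioner would run over the two configs quoted in the thread, as an added example (not code from the thread or from Samba): it parses the smb.conf [global] realm and the krb5.conf [libdefaults] default_realm, reports when they differ, and reports any enctype keys that ended up in a section other than [libdefaults]. The fragments are constructed from the quoted configs, trimmed to the relevant lines.

```python
# Added example, not from the thread: cross-check an smb.conf against a krb5.conf
# on a Samba ADS member. The fragments are constructed from the configs quoted above.
SMB_CONF = """
[global]
realm = CAR.BE.TEST.COM.LOCAL
"""
KRB5_CONF = """
[libdefaults]
default_realm = CAR.BE.TEST.COM
[realms]
CAR.BE.TEST.COM = {
kdc = car-pdc.car.be.test.com
}
#[domain_realms]
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
"""
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}

def parse_sections(text):
    """Map [section] -> {key: value} for top-level keys. ';' and '#' lines are
    comments; keys inside a '{ }' realm block are skipped (not top level)."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_ads_configs(smb_text, krb5_text):
    """Return findings: realm mismatch and enctype keys outside [libdefaults]."""
    smb, krb = parse_sections(smb_text), parse_sections(krb5_text)
    findings = []
    smb_realm = smb.get("global", {}).get("realm", "").upper()
    krb_realm = krb.get("libdefaults", {}).get("default_realm", "").upper()
    if smb_realm != krb_realm:
        findings.append(f"realm mismatch: smb.conf {smb_realm} vs krb5.conf {krb_realm}")
    for section, keys in krb.items():
        for key in sorted(ENCTYPE_KEYS & keys.keys()):
            if section != "libdefaults":
                findings.append(f"{key} is in [{section}] but belongs in [libdefaults]")
    return findings
```

Run `check_ads_configs(SMB_CONF, KRB5_CONF)` to list the findings; an empty list means the two files agree on the realm and the enctype settings are where the library reads them.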