Marcus Franke
2004-Jul-13 09:10 UTC
AW: [Samba] Domain logon against a Windows Server 2003 based AD
> hi,
> did you join your samba-server to the W2K Domain?

Yes, more than once. Do I need to do more cleanup than deleting the computer account in ADS?

> > Jul 12 16:56:22 linux winbindd[2410]: [2004/07/12 16:56:22, 0]
> > nsswitch/winbindd_util.c:get_trust_pw(951)
> > Jul 12 16:56:22 linux winbindd[2410]: get_trust_pw: could not fetch
> > trust account password for my domain IDEALTEC.LOCAL
> > Jul 12 16:56:22 linux pam_winbind[3610]: request failed:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO, PAM error was 4, NT error was
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> this doesn't look like you did it...

Did it, and now I get other error codes, as there was a possible mistake in the line with the realm directive. I removed the .nf in front of realm, as I found an error message about realm in the messages log. And now I get other error messages that look better/different :)

> > and I hope that
> > password server = *
> > means that you only removed the name for that posting...

No, this was unchanged from the configuration drakauth produced. I can change this to the server name, as my test installation only has one, but I understood the directive to support several servers when you insert the star. I guessed it would look in DNS under the _msdcs zone, where all those service entries for the AD are stored.

The slightly different errors, after restarting the DC, changing the group membership of "Everyone" to "Pre-Windows 2000 Compatible Access", and restarting smbd, nmbd, and winbind, are:

Jul 13 11:06:56 linux winbindd[20394]: [2004/07/13 11:06:56, 0] libsmb/cliconnect.c:cli_session_setup_spnego(724)
Jul 13 11:06:56 linux winbindd[20394]: Kinit failed: Cannot find KDC for requested realm
Jul 13 11:06:56 linux pam_winbind[2634]: request failed: No trusted SAM account, PAM error was 4, NT error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
Jul 13 11:06:56 linux pam_winbind[2634]: internal module error (retval = 4, user = `franke'
Jul 13 11:06:56 linux login(pam_unix)[2634]: check pass; user unknown
Jul 13 11:06:56 linux login(pam_unix)[2634]: authentication failure; logname= uid=0 euid=0 tty=vc/6 ruser= rhost=
Jul 13 11:06:56 linux login(pam_unix)[2634]: check pass; user unknown
Jul 13 11:06:59 linux winbindd[20394]: [2004/07/13 11:06:59, 0] libsmb/cliconnect.c:cli_session_setup_spnego(724)
Jul 13 11:06:59 linux winbindd[20394]: Kinit failed: Cannot find KDC for requested realm
Jul 13 11:06:59 linux pam_winbind[2634]: request failed: No trusted SAM account, PAM error was 4, NT error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
Jul 13 11:06:59 linux pam_winbind[2634]: internal module error (retval = 4, user = `franke'
Jul 13 11:07:01 linux login[2634]: FAILED LOGIN 1 FROM (null) FOR franke, Authentication failure

Marcus
--
pedo mellon a minno
Marcus Franke
2004-Jul-13 10:34 UTC
AW: [Samba] Domain logon against a Windows Server 2003 based AD
Hi,

> Jul 13 11:06:56 linux winbindd[20394]: [2004/07/13 11:06:56, 0]
> libsmb/cliconnect.c:cli_session_setup_spnego(724)
> Jul 13 11:06:56 linux winbindd[20394]: Kinit failed: Cannot find KDC for
> requested realm

I did some further investigation in this direction and found some possible misconfiguration in the krb5-workstation/server package config. My /etc/krb5.conf looks like this (looks good to my eyes):

Interesting is, there are no log files in /var/log/kerberos. I thought about touching them, but I don't know which rights and user.group to set for the files, so I did not do it.

[logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = IDEALTEC.LOCAL
 default_tgs_enctypes = des-cbc-md5
 default_tkt_enctypes = des-cbc-md5
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1
 forwardable = true
 proxiable = true

[realms]
 IDEALTEC.LOCAL = {
  kdc = dc-hh-001.idealtec.local:88
  admin_server = dc-hh-001.idealtec.local:749
  default_domain = idealtec.local
 }

These parameters seem to be right, because in my DNS zone there is a _kerberos._tcp.dc._msdcs.idealtec.local entry pointing to port 88. The KDC is available and working, as my two Windows test clients can use the domain with no problem :( But admin_server isn't quite clear to me; what does it mean?

[domain_realm]
 .idealtec.local = IDEALTEC.LOCAL

[kdc]
 profile = /etc/kerberos/krb5kdc/kdc.conf

In this file there was a small error, as there was still MANDRAKESOFT.COM as default domain. I changed this to the correct value, but no change..

[pam]
 debug = true
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false

[login]
 krb4_convert = false
 krb4_get_tickets = false

Bye,
Marcus
--
pedo mellon a minno
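As an added example (not part of this thread, nor Samba or MIT Kerberos code), here is a small Python checker for the krb5.conf layout shown above: it parses the [section] / key = { ... } syntax, reports when dns_lookup_kdc is off and no kdc is listed under the exact default_realm name (the usual reason for "Cannot find KDC for requested realm"), and compares the default_tkt/tgs enctypes against permitted_enctypes. The sample config is constructed to mirror the posted one, and the weak-enctype list is this checker's own assumption.

```python
# Constructed sample mirroring the krb5.conf posted above (not the poster's file verbatim).
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = IDEALTEC.LOCAL
 default_tgs_enctypes = des-cbc-md5
 default_tkt_enctypes = des-cbc-md5
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_kdc = false
[realms]
 IDEALTEC.LOCAL = {
  kdc = dc-hh-001.idealtec.local:88
 }
"""
# Assumption of this checker: single-DES and RC4 enctypes count as weak.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5"}

def parse_krb5_conf(text):
    """Parse [section] / key = value / key = { ... } lines into nested dicts."""
    conf, stack = {}, [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # blank and comment lines fall through
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def check_krb5_conf(conf):
    """Findings for the 'Cannot find KDC for requested realm' case and enctype mismatches."""
    findings = []
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    realm = lib.get("default_realm", "<unset>")
    # Without DNS lookup, libkrb5 only knows KDCs listed under the exact (case-sensitive) realm name.
    if lib.get("dns_lookup_kdc", "true").lower() != "true" and "kdc" not in realms.get(realm, {}):
        findings.append(f"dns_lookup_kdc is off and no kdc listed under [realms] for {realm}")
    permitted = set(lib.get("permitted_enctypes", "").split())
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        missing = set(lib.get(key, "").split()) - permitted
        if permitted and missing:  # requested types the library will refuse to use
            findings.append(f"{key} uses {sorted(missing)} not in permitted_enctypes")
    for enc in sorted(permitted & WEAK_ENCTYPES):
        findings.append(f"weak enctype permitted: {enc}")
    return findings
```

Running check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)) reports that des-cbc-md5 is requested but not permitted, and that des-cbc-crc is a weak permitted type.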