Hi guys,

I have problems with authentication in a 2003 domain membership configuration of Samba 3.0.7. I'm a newbie in Linux systems, so I will give you my configuration process of the program.

The Samba server is installed on a Redhat 9.0 without any base install of Samba, without Kerberos and with the OpenLDAP RPM installed. I followed this procedure to build binaries from sources and install kerberos5 and samba.

1] Network configuration:

a) linux:
   10.10.10.2
   255.255.255.0
   DNS: 10.10.10.1
   no firewall configured
   NetBIOS name: MELKOR

b) windows 2003:
   10.10.10.1
   255.255.255.0
   With DNS server and AD (testredhat.priv)
   NetBIOS name: UNGOLIANT

1] Installation of kerberos:

a) compilation:
   ./configure --enable-dns --enable-dns-for-kdc --enable-dns-for-realm
   make
   make install

b) here is my /etc/krb5.conf file

#####/etc/krb5.conf#####
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = TESTREDHAT.PRIV
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 TESTREDHAT.PRIV = {
  kdc = ungoliant.testredhat.priv:88
  admin_server = ungoliant.testredhat.priv:749
  default_domain = TESTREDHAT.PRIV
 }

[domain_realm]
 .testredhat.priv = TESTREDHAT.PRIV
 testredhat.priv = TESTREDHAT.PRIV

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
#####End of file#####

c) authentication test with kinit = no problem.
   kinit administrator@TESTREDHAT.PRIV

2] Samba installation

a) Source compilation (V3.0.7)
   ./configure --with-ldap --with-krb5=/usr/kerberos --with-ads --with-winbind
   make
   make install

b) here is my smb.conf file

#####smb.conf#####
[global]
 workgroup = TESTREDHAT
 netbios name = MELKOR
 realm = TESTREDHAT.PRIV
 security = ADS
 password server = ungoliant.testredhat.priv
 encrypt password = yes
 printcap name = cups
 disable spoolss = Yes
 show add printer wizard = No
 idmap uid = 15000-20000
 idmap gid = 15000-20000
 winbind separator = +
 winbind use default domain = Yes
 use sendfile = Yes
 printing = cups

#share#
[data]
 comment = Data warehouse directory
 path = /data
 read only = No
#####end of file#####

c) adding samba server to domain:
   net ads join -U administrator ==> no problem

d) I start samba with a script:

#####begin of script#####
/usr/local/samba/sbin/nmbd -D --configfile=/usr/local/samba/lib/smb.conf
/usr/local/samba/sbin/smbd -D --configfile=/usr/local/samba/lib/smb.conf
/usr/local/samba/sbin/winbind -D --configfile=/usr/local/samba/lib/smb.conf
#####end of script#####

-------------------------------------------------
Communication test from the linux server:

ping 10.0.0.1 => ok
smbclient -L -U administrateur => lists all the shares on the Windows server.

Test from the windows server:
ping melkor => ok
\\melkor\data => fails and re-asks me to enter password and username
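The setup in the post above relies on /etc/krb5.conf and smb.conf agreeing on the Kerberos realm and on the KDC being findable with DNS lookup switched off. The following is an added example, not part of the original thread: it parses both files and reports mismatches. The function names `parse` and `check` and the choice of checks are this example's assumptions, and the sample input is constructed from the posted files.

```python
# Constructed sample input, trimmed from the two files posted above.
KRB5_CONF = """
[libdefaults]
 default_realm = TESTREDHAT.PRIV
 dns_lookup_kdc = false
[realms]
 TESTREDHAT.PRIV = {
  kdc = ungoliant.testredhat.priv:88
 }
"""
SMB_CONF = """
[global]
 workgroup = TESTREDHAT
 realm = TESTREDHAT.PRIV
 security = ADS
"""

def parse(text):
    """Parse INI-like text into {section: {key: [values]}}; 'NAME = {' opens 'section/NAME'."""
    out, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].strip().lower(), None
        elif line == "}":
            block = None
        elif "=" in line and section and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = f"{section}/{key}"  # krb5 sub-block; the realm name keeps its case
                continue
            key = " ".join(key.lower().split())  # smb.conf keys ignore case and spacing
            out.setdefault(block or section, {}).setdefault(key, []).append(value)
    return out

def check(krb5_text, smb_text):
    """Return the inconsistencies found between krb5.conf and smb.conf [global]."""
    krb, smb = parse(krb5_text), parse(smb_text).get("global", {})
    libdefaults = krb.get("libdefaults", {})
    default = libdefaults.get("default_realm", [""])[-1]
    no_dns = libdefaults.get("dns_lookup_kdc", [""])[-1].lower() in ("false", "no", "off", "0")
    checks = [
        (smb.get("security", [""])[-1].lower() == "ads", "smb.conf: security is not ADS"),
        (smb.get("realm", [None])[-1] == default, "smb.conf realm differs from krb5.conf default_realm"),
        (default == default.upper(), "krb5.conf: default_realm is not upper case"),
        (not no_dns or bool(krb.get(f"realms/{default}", {}).get("kdc")),
         "krb5.conf: DNS KDC lookup is off and no kdc is listed for the realm"),
    ]
    return [message for ok, message in checks if not ok]
```

To run it against real files, pass the contents of /etc/krb5.conf and of the smb.conf the daemons are started with to `check()`; an empty list means the four checks passed.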
Christoph Scheeder
2004-Oct-27 14:31 UTC
[Samba] Samba 3.0.7 domain membership with AD2003
Baron Robert wrote:
> hi guys,
> [....]
> -------------------------------------------------
> Communication test from the linux server:
>
> ping 10.0.0.1 => ok
> smbclient -L -U administrateur => list all the share on the windows server.
>
> test from the windows server:
> ping melkor => ok
> \\melkor\data => fail and re-ask me to enter password and username

Hi,
you have to give the -k switch to smb-client to use Kerberos/ADS authentication in an ADS environment. Without this switch it will ask you for a username and password.
"man smbclient" sometimes helps.... ;-)

Christoph