I've been trying to set up Samba to authenticate users against accounts
existing on a Windows 2003 Server without any backwards capability. 
Ideally, this needs to be done without any changes to the Windows 2003
Server.  Users will not be logging into the Samba shares at all.  This
is merely for authentication.
I'm running FreeBSD 4.10-RELEASE #4 with Samba 3.0.8.
This is my smb.conf file:
[global]
      realm = WIN2K3.DOMAIN.LOCAL
      security = ads
      auth methods = winbind
      winbind separator = +
      encrypt passwords = yes
      workgroup = DOMAIN.LOCAL
      netbios name = FREEBSD_Machine
      winbind uid = 10000-20000
      winbind gid = 10000-20000
      winbind enum users = yes
      winbind enum groups = yes
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      password server = WIN2K3.DOMAIN.LOCAL
So once winbindd is running, I type the following and get these results:
freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
administrator's password: *password*
[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Permission denied
In the winbindd log I've also gotten the following error messages at
one point or another:
Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
get_trust_pw: could not fetch trust account password for my domain DOMAIN.LOCAL
The odd part is when I try to use wbinfo to verify connections.  If I
type "wbinfo -g" it will display the correct group listing from the
win2k3 server.  But nothing else seems to work:
freebsd_machine# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret
freebsd_machine# wbinfo -u
Error looking up domain users
freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
Name              : WIN2K3.DOMAIN.LOCAL
Alt_Name          : DOMAIN.LOCAL
SID               : S-0-0
Active Directory  : No
Native            : No
Primary           : Yes
Sequence          : -1
I'm obviously missing something, but I am at a loss.  Any help is
greatly appreciated!
Carissa Srugis
-- 
*********************************************************
Carissa Srugis
csrugis@gmail.com
Carissa Srugis wrote:
> I've been trying to set up Samba to authenticate users against accounts
> existing on a Windows 2003 Server without any backwards capability.
> Ideally, this needs to be done without any changes to the Windows 2003
> Server. Users will not be logging into the Samba shares at all. This
> is merely for authentication.
>
OK, well, try getting a kerberos ticket first.

kinit Administrator@YOURDOMAIN.COM...
If you get a valid ticket, you can just do net ads join -U Administrator, no need for pw.

If no kerberos ticket, then you've got a krb5.conf issue.

Heimdal requires these lines:

default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5

You also might need to have the w2k3 generate a keytab for you. If so you need this line as well.

default_keytab-name = FILE:/etc/krb5.keytab

> [...]
OK, I've tried to get a kerberos ticket, without success.  I generated
the w2k3 keytab, then integrated it into the FreeBSD machine via the
ktutil command.
I tried to use kinit Administrator@YOURDOMAIN.COM, but got this error:
secureschool# kinit administrator@DOMAIN.LOCAL
FreeBSD Inc. (freebsd.newdomain.com)
Kerberos Initialization for "administrator@DOMAIN.LOCAL"
Password:
kinit: Can't send request (send_to_kdc)
Here's the krb5.conf file:
[libdefaults]
        default_realm = DOMAIN.LOCAL
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5
        default_keytab-name = FILE:/usr/src/crypto/heimdal/freebsd_mchine.keytab
        clockskew = 300
[realms]
        ANDLESS.LOCAL = {
                kdc= WIN2K3.DOMAIN.LOCAL
                admin_server = WIN2K3.DOMAIN.LOCAL
                default_domain = DOMAIN.LOCAL
        }
[domain_realm]
        .DOMAIN.LOCAL = DOMAIN.LOCAL
The one thing I noticed is I do not have a krb5.conf in /etc or
anywhere else on my system.  Should this file be there already, or do I
have to manually create it?
Thanks for the help!
Carissa Srugis
On Tue, 16 Nov 2004 13:29:20 -0800, Tom Skeren <tms3@fsklaw.net>
wrote:
> Carissa Srugis wrote:
>
> >I've been trying to set up Samba to authenticate users against accounts
> >existing on a Windows 2003 Server without any backwards capability.
> >Ideally, this needs to be done without any changes to the Windows 2003
> >Server.  Users will not be logging into the Samba shares at all.  This
> >is merely for authentication.
> >
> >
> OK, well, try getting a kerberos ticket first.
>
> kinit Administrator@YOURDOMAIN.COM...
> If you get a valid ticket, you can just do net ads join -U
> Administrator, no need for pw.
>
> If no kerberos ticket, then you've got a krb5.conf issue.
>
> Heimdal requires these lines:
>
> default_etypes  = des-cbc-crc des-cbc-md5
> default_etypes_des = des-cbc-crc des-cbc-md5
>
> You also might need to have the w2k3 generate a keytab for you.  If so you
> need this line as well.
>
> default_keytab-name = FILE:/etc/krb5.keytab
--
*********************************************************
Carissa Srugis
csrugis@gmail.com
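Tom's advice above is to get a ticket with kinit before touching net ads join, and to treat a kinit failure as a krb5.conf problem; Carissa's follow-up then shows the krb5.conf she is using. As an added example, not code from this thread, here is a small Python checker for the consistency problems in that file layout that typically leave kinit unable to find a KDC: a default_realm (or the realm named in smb.conf) with no matching [realms] block, a [domain_realm] mapping that points at an undefined realm, a misspelled [libdefaults] key (Heimdal documents the keytab option as default_keytab_name, with underscores, and an unknown key is ignored rather than rejected), and a FILE: keytab path that does not exist. The two configs inside it are constructed, with made-up names (EXAMPLE.LOCAL, dc1.example.local); the list of recognised [libdefaults] keys is an assumption limited to the options that appear in this thread plus the DNS lookup switches.

```python
"""krb5.conf consistency checks for a Samba/winbind domain member.

Added example, not part of the thread. Parses the Heimdal/MIT-style
krb5.conf layout shown above and reports the mismatches that make
`kinit` fail before `net ads join` is even attempted.
"""
import os
import re

# [libdefaults] keys this checker recognises (assumption: limited to the
# options used in this thread plus the DNS lookup switches). An unknown key
# is silently ignored by the Kerberos library, so a typo such as
# `default_keytab-name` never takes effect; reporting it is the whole point.
KNOWN_LIBDEFAULTS = {
    "default_realm", "default_etypes", "default_etypes_des",
    "default_keytab_name", "clockskew", "dns_lookup_kdc", "dns_lookup_realm",
}
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}


def parse_krb5_conf(text):
    """Return {section: {key: value}}; `NAME = { ... }` blocks become nested dicts."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)           # [libdefaults], [realms], ...
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)      # REALM = {
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^([^=]+?)\s*=\s*(.*)$", line)  # key = value
        if m:
            (block if block is not None else section)[m.group(1)] = m.group(2).strip()
    return sections


def check_krb5_conf(conf, samba_realm=None):
    """Return [(severity, message)], severity 'error' or 'warn'; empty means consistent."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")

    if not default_realm:
        findings.append(("error", "[libdefaults] default_realm is missing"))
    else:
        if default_realm != default_realm.upper():
            findings.append(("error", f"default_realm {default_realm!r} is not upper-case; realm names are case-sensitive"))
        if default_realm not in realms:
            findings.append(("error", f"default_realm {default_realm!r} has no [realms] block, so no KDC is configured for it"))

    # The smb.conf `realm =` value must be a realm Kerberos knows how to reach.
    if samba_realm and samba_realm not in realms:
        findings.append(("error", f"smb.conf realm {samba_realm!r} has no [realms] block in krb5.conf"))

    for name, body in realms.items():
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append(("error", f"[realms] {name}: no kdc entry"))

    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(("error", f"[domain_realm] {domain} -> {realm!r}: realm is not defined"))

    for key in libdefaults:
        if key not in KNOWN_LIBDEFAULTS:
            findings.append(("error", f"[libdefaults] unknown key {key!r} will be ignored (did you mean an underscore form?)"))

    keytab = libdefaults.get("default_keytab_name", "")
    if keytab.startswith("FILE:") and not os.path.exists(keytab[len("FILE:"):]):
        findings.append(("error", f"keytab {keytab} does not exist on this host"))

    etypes = set(libdefaults.get("default_etypes", "").split())
    if etypes and etypes <= SINGLE_DES:
        findings.append(("warn", "default_etypes allows only single-DES types (deprecated by RFC 6649)"))

    return findings


# Constructed sample: the realm block does not match default_realm, the keytab
# key is misspelled with a hyphen, and [domain_realm] points at the undefined realm.
BROKEN_CONF = """
[libdefaults]
        default_realm = EXAMPLE.LOCAL
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5
        default_keytab-name = FILE:/nonexistent/host.keytab
        clockskew = 300
[realms]
        OTHER.LOCAL = {
                kdc = dc1.example.local
                admin_server = dc1.example.local
                default_domain = example.local
        }
[domain_realm]
        .example.local = EXAMPLE.LOCAL
"""

# Constructed sample: the same file with the realm name and key spelling fixed.
FIXED_CONF = """
[libdefaults]
        default_realm = EXAMPLE.LOCAL
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5
        clockskew = 300
[realms]
        EXAMPLE.LOCAL = {
                kdc = dc1.example.local
                admin_server = dc1.example.local
                default_domain = example.local
        }
[domain_realm]
        .example.local = EXAMPLE.LOCAL
        example.local = EXAMPLE.LOCAL
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label}")
        for severity, message in check_krb5_conf(parse_krb5_conf(text), samba_realm="EXAMPLE.LOCAL"):
            print(f"  {severity}: {message}")
```

Run it against the real file (`parse_krb5_conf(open("/etc/krb5.conf").read())`) and pass the realm from smb.conf before trying kinit again. The DES warning is deliberate: the des-cbc-crc/des-cbc-md5 types Tom mentions were what a Windows 2003 KDC and the Heimdal of that era agreed on, but single-DES is deprecated and a current deployment should negotiate AES types instead of pinning default_etypes to DES.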
Carissa Srugis wrote:
> I've been trying to set up Samba to authenticate users against accounts
> existing on a Windows 2003 Server without any backwards capability.
> Ideally, this needs to be done without any changes to the Windows 2003
> Server. Users will not be logging into the Samba shares at all. This
> is merely for authentication.
> [...]
> I'm obviously missing something, but I am at a loss. Any help is
> greatly appreciated!
>
> Carissa Srugis
>
You might try looking at FreeBSD 5.3. I don't believe 4.10 has a working nsswitch, which I think you will need if you want to log in to FreeBSD without a local account, but just an AD account. I have done this on our Windows domain and FreeBSD 5.3 and it works OK. Join the machine to the domain, modify pam files, and nsswitch.conf, and it worked.