I have been trying in vain to get ADS domain authentication working. I can't figure out what is wrong and have read the docs and looked through the mailing lists. I'm not sure why better documentation hasn't been written on the web site for the ADS feature, since it's pretty spectacular to be able to join a Samba server natively to an AD domain.

I have successfully joined the Samba server to the Win2k3 domain with these commands:

kinit adminName@HQ.NAVIS.NET
net ads join "HQ Servers"

This seems to work just fine, but when I run "wbinfo -t" I get:

checking the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
Could not check secret

I have set winbind to debug level 10, and when starting winbind I get this in the logs:

[2005/03/08 12:13:33, 5] libsmb/namecache.c:namecache_fetch(201)
  name hqdc01.hq.navis.net#20 found.
[2005/03/08 12:13:33, 10] libsmb/namequery.c:name_status_find(188)
  name_status_find: looking up HQ#1c at 192.168.192.60
[2005/03/08 12:13:33, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = NBT/HQ#1C.20.192.168.192.60 couldn't be found
[2005/03/08 12:13:33, 5] libsmb/namecache.c:namecache_status_fetch(308)
  namecache_status_fetch: no entry for NBT/HQ#1C.20.192.168.192.60 found.
[2005/03/08 12:13:33, 10] lib/gencache.c:gencache_del(214)
  Deleting cache entry (key = NBT/HQ#1C.20.192.168.192.60)
[2005/03/08 12:13:33, 10] lib/util_sock.c:open_socket_in(717)
  bind succeeded on port 0
[2005/03/08 12:13:33, 5] libsmb/nmblib.c:send_udp(776)
  Sending a packet of len 50 to (192.168.192.60) on port 137
[2005/03/08 12:13:33, 10] lib/util_sock.c:read_udp_socket(230)
  read_udp_socket: lastip 192.168.192.60 lastport 137 read: 211
[2005/03/08 12:13:33, 10] libsmb/nmblib.c:parse_nmb(503)
  parse_nmb: packet id = 24973
[2005/03/08 12:13:33, 5] libsmb/nmblib.c:read_packet(754)

Also of interest: when I run "kinit username@realm" I then type my password and the command appears to have worked; however, running "klist tickets" produces:

klist: No credentials cache found (ticket cache FILE:tickets)

Please help, anyone that has any info on how I might begin diagnosing this problem.

I have the following in my smb.conf file:

[global]
workgroup = HQ
server string = Samba 3.0.11 Test Server
security = ADS
encrypt passwords = yes
load printers = no
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
dns proxy = no

realm = HQ.NAVIS.NET
password server = hqdc01.hq.navis.net
winbind cache time = 10
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
client use spnego = yes

#============================ Share Definitions ==============================
# This one is useful for people to share files
[share]
comment = this is a test share
path = /test/share
read only = no
public = yes
writable = yes
printable = no
browseable = yes
valid users = @"Domain Users"

This is the contents of my krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = HQ.NAVIS.NET
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
HQ.NAVIS.NET = {
  kdc = hqdc01.hq.navis.net:88
  admin_server = hqdc01.hq.navis.net:749
  default_domain = hq.navis.net
}

[domain_realm]
.hq.navis.net = HQ.NAVIS.NET
hq.navis.net = HQ.NAVIS.NET

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}
Hello,

Your domain is called "HQ Servers" with a space in it? Are you sure that the 'net ads' command isn't misinterpreting that name and/or the quotes in the command?

Also, did you specify a username (maybe 'adminName' in your example) for the 'net ads' command?

Are you able to see this computer in Active Directory's Computers or another container?

Steve

On Tue, Mar 08, 2005 at 12:34:04PM -0800, Theodore Jencks wrote:
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Hey Steve,

Thanks for the response; however, I've gotten a little further along than I was last time. If you look in chapter 6 of the HOWTO docs you will find that this syntax, 'net ads join "HQ Servers"', creates the machine account in a particular OU called "HQ Servers".

I finally tracked down the problem I was having to a Kerberos issue. I was getting a funny error on my domain controller, the text of which follows:

While processing a TGS request for the target server host/smbtest.hq.navis.net, the account SMBTEST$@HQ.NAVIS.NET did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 16. The accounts available etypes were 3 1. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I found a post some place mentioning that the version of Kerberos that ships with Red Hat Linux 9.0 doesn't select the correct etype. So to correct this I downloaded the source for version 1.4. I had to forcefully remove the old Kerberos packages because of dependencies. After compiling and installing I recompiled Samba 3.0.11, only to have the compile choke about 3/4 of the way through. Subsequently I downloaded the very latest Samba 3.0.12pre1, which compiled fine with the new Kerberos 1.4.

Now things seem to be working much better. I no longer get the error on my domain controller when requesting a ticket with kinit, and wbinfo -t and all other wbinfo commands run successfully.

Now, though, I'm having another issue. I'm trying to log in to the share I've created from a Windows XP SP2 workstation with all the latest patches applied.
Here is the config for my share in the smb.conf file:

> [share]
> comment = this is a test share
> path = /test/share
> read only = no
> public = yes
> writable = yes
> printable = no
> browseable = yes
> valid users = @"Domain Users"

Now that the Samba server is properly added to the domain and has its machine account working, I'm not sure why I get a password prompt when I try to log in to this share, as I am a member of "Domain Users". Can anyone provide me with some sample configs to get this working right?

Thanks in advance,
Theo

-----Original Message-----
From: Steve [mailto:samba@braingia.org]
Sent: Tuesday, March 08, 2005 7:49 PM
To: Theodore Jencks
Cc: samba@lists.samba.org
Subject: Re: [Samba] Trying to get ADS authentication working.
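The KDC event quoted in Theo's second message is the useful artifact in this thread: it names the encryption types the client offered (16) and the key types the KDC actually holds for the SMBTEST$ machine account (3 and 1), and no type appears in both lists. The shell script below is an added example, not code from the thread or from the Samba or MIT Kerberos projects. It parses event text in that shape with sed, maps the etype numbers to their names from RFC 3961, RFC 3962 and RFC 4757, and reports which requested types have no matching key. The first sample event is constructed from the text quoted above; the second, "fixed" event (a client that also offers rc4-hmac, etype 23, against an account that holds such a key) is an assumed illustration of what a successful match looks like, not something the thread reports. Etype 8, which the event names as the missing key ID, is deliberately not in the name table.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): compare the etypes
# a Kerberos client requested with the key types the KDC holds for a service
# account, using the text of the Windows KDC event quoted in the thread.
# Etype numbers follow RFC 3961 (DES/3DES), RFC 3962 (AES) and RFC 4757 (RC4).

etype_name() {
    case "$1" in
        1)  echo "des-cbc-crc" ;;
        3)  echo "des-cbc-md5" ;;
        16) echo "des3-cbc-sha1-kd" ;;
        17) echo "aes128-cts-hmac-sha1-96" ;;
        18) echo "aes256-cts-hmac-sha1-96" ;;
        23) echo "rc4-hmac" ;;
        *)  echo "etype-$1" ;;   # numbers not in this table (e.g. 8) are left as-is
    esac
}

# Pull the space-separated number lists out of event text read from stdin.
requested_etypes() {
    sed -n 's/.*requested etypes were \([0-9 ]*\)\..*/\1/p'
}
available_etypes() {
    sed -n 's/.*available etypes were \([0-9 ]*\)\..*/\1/p'
}

# Read an event on stdin and print one line per stored key and per requested
# etype. Return 0 if at least one requested etype matches a stored key (that is
# all the KDC needs), 1 if none does, 2 if the text did not parse.
check_etypes() {
    text=$(cat)
    req=$(printf '%s\n' "$text" | requested_etypes)
    avail=$(printf '%s\n' "$text" | available_etypes)
    if [ -z "$req" ] || [ -z "$avail" ]; then
        echo "could not find etype lists in event text" >&2
        return 2
    fi
    for a in $avail; do
        echo "KDC holds key:  $a ($(etype_name "$a"))"
    done
    status=1
    for r in $req; do
        found=0
        for a in $avail; do
            [ "$r" = "$a" ] && found=1
        done
        if [ "$found" -eq 1 ]; then
            echo "requested $r ($(etype_name "$r")): available"
            status=0
        else
            echo "requested $r ($(etype_name "$r")): MISSING"
        fi
    done
    return "$status"
}

# Constructed from the event text quoted in the thread.
SAMPLE_EVENT='While processing a TGS request for the target server host/smbtest.hq.navis.net, the account SMBTEST$@HQ.NAVIS.NET did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 16. The accounts available etypes were 3 1.'

# Constructed (assumed, not from the thread): a client that offers rc4-hmac
# alongside DES against an account that also holds an rc4-hmac key.
FIXED_EVENT='The requested etypes were 23 3 1. The accounts available etypes were 23 3 1.'

printf '%s\n' "$SAMPLE_EVENT" | check_etypes \
    || echo "=> mismatch: the client offered no etype the KDC has a key for"
printf '%s\n' "$FIXED_EVENT" | check_etypes \
    && echo "=> ok: at least one requested etype matches a stored key"
```

Run against a real event, feed the text of the Event Log entry to check_etypes on stdin. On the thread's event the script flags 16 (des3-cbc-sha1-kd) as missing while the account holds only the two single-DES keys, which is exactly the disagreement Theo resolved by replacing the Kerberos library so that kinit offered an etype the domain controller could serve.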