Sanjay Upadhyay
2005-Aug-04 13:52 UTC
[Samba] Trouble in Joining Suse 9.3 to Win2k3 Server
Hi,

After installing Suse 9.3 Professional, I am unable to join it to AD.
From the docs (http://www.samba.org/samba/docs/man/Samba3-HOWTO/domain-member.html#ads-member) it's clear that we need to first get a Kerberos ticket via

#> kinit Administrator@REALM

In Suse 9.3, I get this error:

susles93WSA:~ # kinit Administrator@HUNGERFORD.KOL
Password for Administrator@HUNGERFORD.KOL:dingdong.com
Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
        at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
        at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)
        at sun.security.krb5.KrbAsReq.getReply(DashoA12275:276)
        at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:271)
        at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.af.a(DashoA12275:134)
        at sun.security.krb5.internal.at.a(DashoA12275:63)
        at sun.security.krb5.internal.at.<init>(DashoA12275:58)
        at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)

This is kind of a strange error, and the kinit program is located at /usr/lib/jvm/jre/bin/kinit; from an RPM query it belongs to the package 'java-1_4_2-sun-1.4.2.06-4'.

When I queried 'rpm -qa | grep heimdal' there was none, meaning the heimdal libraries were not installed, and neither are they in the ISO images.

Hence I wonder if it is at all possible to join a Suse 9.3 to an AD.

Any suggestion would be very helpful.

regards
--
Sanjay Upadhyay
http://saneax.blogspot.com

Sanjay Upadhyay
2005-Aug-04 14:27 UTC
[Samba] Trouble in Joining Suse 9.3 to Win2k3 Server
Hi,

From the suggestion as you said, I will need to install Kerberos packages. As on Suse, building is not what I can do; can you give me some links... to the required RPMs?

I have done the time sync before the kinit process, and they are absolutely in sync...

On 8/4/05, Karl.Kirchen@commerzbank.com <Karl.Kirchen@commerzbank.com> wrote:
>
> Hi,
> You have not to use Heimdal, instead use MIT Kerberos.
>
> Next point is to check the clocks between systems.
>
> Then it should work
>
> karl

--
Sanjay Upadhyay
http://saneax.blogspot.com

Sanjay Upadhyay
2005-Aug-08 08:39 UTC
[Samba] Trouble in Joining Suse 9.3 to Win2k3 Server
Hi Karl,

Thanks for such a detailed reply. I did as you said, and my domain join worked. Thanks again.

A little clarification: I had done this in SLES9, and there I was required to install the heimdal-tools, heimdal-libraries etc. Here I am astonished that no such packages are required. Neither do I have any Kerberos installed. The kinit program is located at /usr/lib/jvm/jre/bin/kinit and belongs to the package 'java-1_4_2-sun-1.4.2.06-4' (found that from an RPM query).

Anyway, it seems /usr/lib/jvm/jre/bin/kinit is in $PATH, and I can call 'kinit' from the command line... and astonishingly it worked this time.

Just wondering, is it that the Suse people are packaging Heimdal libraries within the Samba packages?

regards

On 8/8/05, Karl.Kirchen@commerzbank.com <Karl.Kirchen@commerzbank.com> wrote:
>
> Hi,
> when you take the "normal" SUSE 9.3 professional you should have all you
> need for the kerberos part.
> In addition take from Samba.org the 3.0.14a release of samba.
> then do the following:
> - as you have the clocks already in sync,
>   go on to configure the kerberos client.
> - as standard domain name and standard realm enter your fully qualified
>   windows domain name in capital letters,
>   e.g. XX.YYY.COMPANY.COM
> - as KDC server address enter the IP address of the machine holding the ADS
> - don't tag the AFS settings
> - in the enhanced property setting, set lifetime of ticket to 1d as well as
>   renewal time
> - tag tickets are forwardable and proxiable, set clock skew to 300
> that's all for kerberos
> the NTP setting should be set to a valid system delivering correct time.
> now things should work.
> your smb.conf should look like this
> [global]
>     workgroup = <ads domain name>
>     netbios name = <your local machine name>
>     server string = Karls linux desktop
>     printcap name = cups
>     printcap cache time = 750
>     printer admin = @ntadmin,root,administrator
>     map to guest = Bad User
>     cups options = raw
>     load printers = yes
>     log file = /var/log/samba/%m.log
>     max log size = 50
>     security = ADS
>     password server = <full qualified name of your ADS machine>
>     encrypt passwords = yes
>     smb passwd file = /etc/samba/smbpasswd
>     unix password sync = no
>     passwd program = /etc/bin/passwd %u
>     passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>     pam password change = yes
>     obey pam restrictions = yes
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     case sensitive = no
>     dns proxy = no
>     idmap uid = 16777216-33554431
>     idmap gid = 16777216-33554431
>
>     winbind use default domain = yes
>     winbind separator = +
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     wins server = <your wins server in the domain>
>
>     template shell = /bin/bash
>     # %D = domain name, %U = username
>     template homedir = /home/%D/%U
>     realm = <realm as entered in Kerberos client window all in capital letters>
>     username map = /etc/samba/smbusers
>     unix extensions = yes
> [homes]
>
> after this restart the processes or the whole machine.
> now you should be able to issue a kinit command.
> for testing purposes create a local unix user with exactly the same
> username as in the ads without the preceding domain
> name and a different password as used in the ADS
> try kinit with this user - you should get a prompt asking for the
> password - enter the one from the windows domain.
> should be successful. you can control this by the command klist.
> after this you can set up the pam to be used for login and so on.
> to automatically mount shares during the login phase look in the net for
> pam_script.
> regards
> karl

--
Sanjay Upadhyay
http://saneax.blogspot.com
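
The settings the quoted reply walks through (security = ADS, realm in capital letters, clock skew of 300) and the question of which kinit binary answers on the command line can be checked before attempting the join. The following shell code is an added example, not part of the original thread; the function names and the sample file are assumptions made for illustration.

```shell
# Added example; function names and the sample file are assumptions, not from the thread.

# Print a [global] parameter from an smb.conf-style file (names case-insensitive, blanks ignored).
smbconf_get() {  # $1 = file, $2 = parameter name
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = (norm($0) == "[global]"); next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (norm(key) == norm(want)) found = val
        }
        END { if (found != "") print found }' "$1"
}

# Succeed only if security = ADS and realm is set and entirely upper case.
check_ads_settings() {  # $1 = smb.conf path
    sec=$(smbconf_get "$1" security); realm=$(smbconf_get "$1" realm); rc=0
    case "$sec" in [Aa][Dd][Ss]) ;; *) echo "security is '$sec', expected ADS"; rc=1 ;; esac
    if [ -z "$realm" ]; then echo "realm is not set"; rc=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "realm '$realm' is not all upper case"; rc=1
    fi
    return "$rc"
}

# Classify a kinit path; the binary in the thread lived under a JRE directory.
kinit_flavor() {  # $1 = path printed by `command -v kinit`
    case "$1" in
        '') echo missing ;;
        */jvm/*|*/jre/*|*/java/*) echo jre ;;
        *) echo native ;;
    esac
}

# Succeed if two epoch times differ by at most $3 seconds (the reply sets 300).
skew_ok() {  # $1 = local epoch, $2 = KDC epoch, $3 = allowed skew
    d=$(( $1 > $2 ? $1 - $2 : $2 - $1 ))
    [ "$d" -le "$3" ]
}

# Constructed sample, not the poster's file: realm deliberately lower case.
sample=$(mktemp)
printf '[global]\n  security = ADS\n  realm = example.test\n' > "$sample"
check_ads_settings "$sample" || echo "fix smb.conf before running kinit"
echo "kinit on PATH: $(kinit_flavor "$(command -v kinit)")"
rm -f "$sample"
```

Point `check_ads_settings` at /etc/samba/smb.conf on the machine being joined; `skew_ok` expects the KDC's time to be obtained separately, for example from the NTP source both machines use.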