Hello.
I'm installing new FreeBSD 6.2-RELEASE, based on intel machine. Firewall
type is OPEN.
I have Windows Server 2000 with Active Directory on it, working in Native
mode.
I've installed samba-3.0.23c_2,1 from /usr/ports/net/samba3
prefix=/usr/local
without krb-1.5.1 being installed.
Added:
nmbd_enable="NO"
smbd_enable="NO"
winbindd_enable="YES"
to /etc/rc.conf
filled /etc/nsswitch.conf with:
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
filled /usr/local/etc/smb.conf with:
#
#======================= Global Settings
====================================[global]
workgroup = DEP2
realm = DEP2.CITY-XXI.INT <http://dep2.city-xxi.int/>
netbios name = SZRouter
server string = Secondary Router
security = ADS
hosts allow = 10.1.9., 127.
log file = /var/log/samba/log.%m
max log size = 5000
password server = City2.dep2.city-xxi.int
<http://city2.dep2.city-xxi.int/>
dns proxy = no
preferred master = no
local master = no
domain master = no
os level = 0
# My Properties
auth methods = winbind
winbind use default domain = yes
allow trusted domains = no
client NTLMv2 auth = yes
winbind separator = +
winbind cache time = 10
idmap uid = 10000-20000
idmap gid = 10000-20000
and checked syntax with:
testparm -s
I've modified /etc/krb5.conf
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
[libdefaults]
ticket_lifetime = 2400
default_realm = DEP2.CITY-XXI.INT <http://dep2.city-xxi.int/>
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false
default_etypes = des-cbc-crc des-cbc-md5 rc4-hmac
default_etypes_des = des-cbc-crc des-cbc-md5 rc4-hmac
[realms]
DEP2.CITY-XXI.INT <http://dep2.city-xxi.int/> = {
kdc = 10.1.9.200:88
admin_server = 10.1.9.200:749
}
[domain_realm]
.dep2.city-xxi.int = DEP2.CITY-XXI.INT <http://dep2.city-xxi.int/>
and checked it with verify_krb5_conf
I've created new computer account in AD with "Allow pre-Windows 2000
computers to use this account" checked box.
Then I've successfuly authenticated with login mitroko (member of Domain
Admins) and entered joined domain with
net ads join -U mitroko
Computer account in AD achieved proper DNS-name field, but didn't achieve
any of OS type fileds.
I've restarted winbindd (with /usr/local/etc/rc.d/samba restart) - OK
I've pinged winbindd with
wbinfo -p - Success
wbinfo -t returns "checking the trust secret via RPC calls succeeded"
wbinfo -a testme%testme returns
plaintext password authentication succeeded
challenge/response password authentication succeeded
wbinfo -s successfuly converts SIDs to object-names.
however, wbinfo -u and wbinfo -g returns lists only after 20-30 seconds.
wbinfo -r testme doesn't work, hanging up, so squid's wbinfo_group.pl
script
doesn't work also.
I have in my /var/log/samba/log.winbindd error's:
nsswitch/winbindd_ads.c:query_user_list(218)
Not a user account? atype=0x30000000
and
rpc_api_pipe: Remote machine CITY2 pipe \NETLOGON fnum 0x8returned critical
error. Error was Call timed out: server did not respond after 10000
milliseconds
libads/dns.c:ads_dns_lookup_srv(260)
I've read samba mail-list
In advice http://lists.samba.org/archive/samba/2006-July/122912.html, I've
installed krb-1.5.1 from /usr/ports/security/krb5
with prefix /usr/local, moved old vesions to *.old filenames and added
simlinks to /usr/local/* kerberos files
but it doesn't help me.
Unfortunately I can?t send verbose output of
winbindd -i -d 50 >output.txt command
because of 64K limit.
Therefore, I?ve placed it here - http://mitroko.com/output.txt
Any suggestions will be appreciated.
Thank you.