Hi Sergey,
Sergey Pororegnik wrote:
> Hello, friends.
> Before changing the Active Directory Server mode to "native mode" user
> authentication doesn't work. In native ADS mode I need to use Kerberos.
>
> OS: RHEL 4 (x86)
> Samba: 3.0.10-1.4E
> Kerberos: 1.3.4-9
> Domain controller: Win 2003 ADS in native mode
> # wbinfo -a Username@CORP.DOMAIN.COM
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user Username@CORP.DOMAIN.COM with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user Username@CORP.DOMAIN.COM with challenge/response
You have set "winbind use default domain = yes", so what does
"wbinfo -a username" give you? And "wbinfo -a DOMAIN+username"
(where you use your short Domain name not the realm name).
> # wbinfo -g
> and
> # wbinfo -u
> work correctly.
So I assume, you have successfully done "net ads join"?
Cheers - Michael
PS: You could also consider upgrading. 3.0.10 is quite old.
AD-Support has evolved a lot since that release.
> # more /etc/samba/smb.conf
> [global]
> workgroup = DOMAIN
> server string = FTP Server
> netbios name = SRVFTP
> log file = /var/log/samba/%m.log
> log level = 3 auth:5 passdb:5
> max log size = 500
> security = ADS
> realm = CORP.DOMAIN.COM
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> auth methods = winbind
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind separator = +
> winbind nested groups = yes
> password server = dc1.domain.local
> case sensitive = no
>
>
>
>
> # more /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = CORP.DOMAIN.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> [realms]
> CORP.DOMAIN.COM = {
> kdc = dc1.domain.local:88
> admin_server = dc1.domain.local:749
> default_domain = CORP.DOMAIN.COM
> }
>
> [domain_realm]
> .domain.local = CORP.DOMAIN.COM
> domain.local = CORP.DOMAIN.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>
>
>
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Username@CORP.DOMAIN.COM
>
> Valid starting Expires Service principal
> 10/02/08 10:20:43 10/02/08 20:20:50 krbtgt/CORP.DOMAIN.COM@CORP.DOMAIN.COM
> renew until 10/02/08 20:20:43
> 10/02/08 10:24:30 10/02/08 20:20:50 srvdc01$@CORP.DOMAIN.COM
> renew until 10/02/08 20:20:43
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
>
--
Michael Adam <ma@sernet.de> <obnox@samba.org>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE