I am looking for some info on an issue I have authenticating Samba 3.0 (CentOS 5) to a W2k3 AD.

Server info:

Samba server: HP DL 365, CentOS 5 Linux:

samba-3.0.28-1.el5_2.1
samba-common-3.0.28-1.el5_2.1
pam_krb5-2.2.11-1
krb5-workstation-1.6.1-25.el5_2.1
krb5-libs-1.6.1-25.el5_2.1
pam_krb5-2.2.11-1
krb5-libs-1.6.1-25.el5_2.1

KRB libs were installed and then updated via YUM.

Windows server: Same hardware, Win2k3 R2 Ent.

I have followed the instructions that I found on samba.org and seem to have the krb stuff working, and I am pretty sure the first time that I tried joining the domain I got no error, but it did not seem to complete... And when I try to join the domain again I get the following error:

[root@XXX ~]# net ads join -U Administrator
Administrator's password:
[2008/10/21 18:38:52, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: Invalid credentials

Although I have confirmed the credentials repeatedly... and KRB seems to be working:

[root@XXX ~]# kinit Administrator@JPRINC.NET
Password for Administrator@JPRINC.NET:
[root@XXX ~]#

krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm =JPRINC.NET

[realms]
 JPRINC.NET = {
  kdc = ad1.jprinc.net
 }

[domain_realm]
 .kerberos.server = JPRINC.NET

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

And smb.conf:

#
# smb.conf - configuration to allow for all MPR file sharing requirements
#
[global]
 large readwrite = no
 workgroup = JPRINC.NET
 realm = JPRINC.NET
 netbios name = AD1
 preferred master = no
 server string = %h Linux File Server (Samba)
 log file = /var/log/samba/log.%m
 log level = 5
 max log size = 1000
 security = ADS
 password server = ad1.jprinc.net
 encrypt passwords = yes
 winbind separator = -
 printcap name = cups
 printing = cups
 idmap uid = 10000-20000
 idmap gid = 10000-20000

[public]
 comment = Marketplace Rewards Public Share
 writable = yes
 path = /fileshare/public
 public = yes
 guest account = nobody
 map to guest = bad user
 only guest = yes
 browsable = yes

[homes]
 comment = User Home Directories
 valid users = %S
 browseable = No
 read only = No
 writable = Yes

I seem to have some sort of connectivity to the domain because the info below is correct:

[root@XXX ~]# net ads info
LDAP server: A.B.C.D
LDAP server name: ad1.jprinc.net
Realm: JPRINC.NET
Bind Path: dc=JPRINC,dc=NET
LDAP port: 389
Server time: Tue, 21 Oct 2008 18:39:58 UTC
KDC server: A.B.C.D
Server time offset: -108

--
Matthew Arguin
Production Support
Jackpotrewards, Inc.
275 Grove St
Newton, MA 02466
617-795-2850 x 2325
www.jackpotrewards.com