Hi Steven,
Thanks for the feedback. I made some changes based on your config files and was
still able to add the client to the domain using a local domain admin account.
However, I am still unable to connect to the server from a windows machine and
authenticate using an account from either domain. Wbinfo -u does not seem to
list users from our authentication domain which may be the cause of the problem.
Just to update I am running Debian (Lenny) for the server.
Thanks
James
> -----Original Message-----
> From: Steven Schlegel [mailto:steven.schlegel1988 at googlemail.com]
> Sent: 14 June 2011 17:37
> To: James Osbourn
> Subject: Re: [Samba] Active Directory member server
>
> Hi James,
>
> maybe the following configuration (examples) helps you out.
>
> I have the following packages installed:
> rpm -qa | grep -e samba -e krb5* | sort
> =>
> output:
> krb5-auth-dialog-0.7-1
> krb5-devel-1.6.1-36.el5
> krb5-libs-1.6.1-36.el5
> krb5-libs-1.6.1-36.el5
> krb5-workstation-1.6.1-36.el5
> ldb-tools-3.4.9-42.el5
> libwbclient0-3.4.9-42.el5
> libwbclient-devel-3.4.9-42.el5
> libsmbclient0-3.4.9-42.el5
> libsmbclient-devel-3.4.9-42.el5
> pam_krb5-2.2.14-10
> pam_krb5-2.2.14-10
> samba3-3.4.9-42.el5
> samba-cifsmount-3.4.9-42.el5
> samba3-client-3.4.9-42.el5
> samba3-doc-3.4.9-42.el5
> samba3-utils-3.4.9-42.el5
> samba3-winbind-3.4.9-42.el5
>
>
> My krb5.conf looks like this:
>
> [logging]
> default = FILE:/var/log/kerberos/krb5libs.log
> kdc = FILE:/var/log/kerberos/krb5kdc.log
> admin_server = FILE:/var/log/kerberos/kadmind.log
>
> [libdefaults]
> default_realm = WIREDBRAIN.LCL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 600
> forwardable = true
> proxiable = true
> default_keytab_name = FILE:/etc/krb5.keytab
>
> [realms]
> WIREDBRAIN.LCL = {
> kdc = dchh01.wiredbrain.lcl
> master_kdc = dchh01.wiredbrain.lcl
> admin_server = dchh01.wiredbrain.lcl
> #default_domain = WIREDBRAIN.LCL
> }
> TRIPEDBRAIN.LCL = {
> kdc = rootdc01.tripedbrain.lcl
> }
>
> [domain_realm]
> .wiredbrain.lcl = WIREDBRAIN.LCL
> wiredbrain.lcl = WIREDBRAIN.LCL
> .tripedbrain.lcl = TRIPEDBRAIN.LCL
> tripedbrain.lcl = TRIPEDBRAIN.LCL
>
> [login]
> krb4_convert = true
> krb4_get_tickets = true
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = true
> }
>
> And my smb.conf looks like this:
>
> [global]
> workgroup = WIREDBRAIN
> realm = WIREDBRAIN.LCL
> password server = *
> preferred master = no
> server string = Linux AD Member-Server
> security = ads
> encrypt passwords = yes
> local master = no
> log level = 1
> log file = /var/log/samba/%m
> max log size = 50
> #printcap name = cups
> #printcap = cups
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nested groups = Yes
> winbind separator = "\""\"
> winbind refresh tickets = yes
> winbind offline logon = true
> winbind trusted domains only = no
> map untrusted to domain = Yes
> allow trusted domains = yes
> obey pam restrictions = no
> idmap backend = tdb
> idmap uid = 10000-600000
> idmap gid = 10000-600000
> passdb backend = tdbsam
> ;template primary group = "domain users"
> template shell = /bin/bash
> winbind nss info = rfc2307
> client use spnego = yes
> client ntlmv2 auth = yes
> restrict anonymous = 2
>
> As you can see I have two domains in my environment, named as
> WIREDBRAIN.LCL and TRIPEDBRAIN.LCL.
> Between those domains, an interdomain-trust has been created.
>
> After your configurations you need to initiate the net ads join command:
> net ads join -U Administrator
>
> and if this was successful you need to create a kerberos keytab:
> net ads keytab create
>
> Now you can test your setup with the following commands:
> wbinfo -u -> should give you a list of all users in your domains
> wbinfo -g -> same as wbinfo -u (for groups)
>
> ----
> For my environment, I also need to edit the nsswitch.conf:
> passwd: files winbind
> shadow: files winbind
> group: files winbind
> ----
>
> Try kinit and smbclient to see if kerberos works and of course with samba.
>
> Best regards,
>
> Steven
>
>
> 2011/6/14 James Osbourn <james.osbourn at citrix.com>:
> > I am trying to set up samba as a Windows front end to a CUPS print
> > server. We seem to be having some problems getting the server registered
> > in the domain and for users to be able to connect to the server. Our
> > problems seem to stem from the fact that we add our machines to one
> > domain which has a one way trust to a different domain which is where all of
> > the user accounts reside and authentication is handled. I was able to get the
> > net ads join command to work by using the primary domain administrator
> > credentials.
> >
> > Any help on getting the correct runes into my smb.conf and krb5.conf
> > files greatly appreciated. My krb5.conf file is as follows
> >
> > [libdefaults]
> >         default_realm = X.NET
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = false
> >         ticket_lifetime = 24h
> >         forwardable = yes
> >
> > [realms]
> > A.X.NET = {
> >         kdc = dc01.a.x.net
> >         kdc = dc02.a.x.net
> >         admin_server = dc02.a.x.net
> > }
> >
> > [domain_realm]
> >         .a.x.net = A.X.NET
> >
> > My smb.conf file is as follows
> >
> > [global]
> >   workgroup = A
> >   realm = a.x.net
> >   security = ADS
> >   encrypt passwords = yes
> >
> > Many Thanks
> >
> > James
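As an added example (not code from the thread or from Samba), a small checker for the krb5.conf side of the two-domain setup Steven describes: it parses [libdefaults], [realms] and [domain_realm] and lists every realm the Kerberos library would need a KDC for but cannot locate, because the realm has no kdc entry under [realms] and dns_lookup_kdc is off, so there is no DNS SRV fallback either. The sample file is constructed from James's krb5.conf; TRUSTED.X.NET is a placeholder for the unnamed domain that holds the user accounts.

```python
import re

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; 'REALM = { ... }' blocks
    under [realms] nest one level. Values are lists since keys like 'kdc' repeat."""
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
        elif line.endswith("{"):                     # start of a realm block
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        else:
            key, _, val = line.partition("=")
            target = block if block is not None else section
            target.setdefault(key.strip(), []).append(val.strip())
    return conf

def missing_kdcs(conf, expected_realms=()):
    """Realms with no reachable KDC: named by default_realm, [domain_realm] or the
    caller (e.g. the trusted domain's realm), yet with no 'kdc' under [realms]
    and dns_lookup_kdc off, so there is no DNS SRV fallback either."""
    lib = conf.get("libdefaults", {})
    dns_kdc = lib.get("dns_lookup_kdc", ["false"])[-1].lower() in ("true", "yes")
    wanted = set(lib.get("default_realm", [])) | set(expected_realms)
    wanted |= {v[-1] for v in conf.get("domain_realm", {}).values()}
    realms = conf.get("realms", {})
    return sorted(r for r in wanted if not dns_kdc and "kdc" not in realms.get(r, {}))

# Constructed sample modelled on James's krb5.conf; TRUSTED.X.NET stands in for
# the unnamed realm that holds the user accounts (placeholder, not from the thread).
JAMES_KRB5 = """[libdefaults]
default_realm = X.NET
dns_lookup_kdc = false
[realms]
A.X.NET = {
kdc = dc01.a.x.net
kdc = dc02.a.x.net
}
[domain_realm]
.a.x.net = A.X.NET
"""
# Same file with Steven's setting, which lets the library find KDCs via DNS SRV.
JAMES_DNS = JAMES_KRB5.replace("dns_lookup_kdc = false", "dns_lookup_kdc = true")
```

Run against the sample, the check also surfaces that James's default_realm (X.NET) has no [realms] entry of its own, not only the trusted realm.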