Hello all, I'm following the howto http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO to integrate FreeRadius with Microsoft's AD. However, I'm experiencing some troubles. My distro is Debian 4. I had to install some packages, like krb5-kdc, krb5-user and krb5-config, to have the file /etc/krb5.conf (it wasn't there in the first place). When I want to do a net join, I get a message saying that I have errors in my krb5.conf file. I removed the lines "dns_lookup_realm = false" and "dns_lookup_kdc = false" and then it worked. At least I think it did. I got the message: joined "PROJECT" to realm "PROJECT.LOCAL". When I then wanted to test this using wbinfo, I get the error code "NT_STATUS_NO_SUCH_USER" (which should be normal according to the howto) and another one: "NT_STATUS_ACCESS_DENIED" Could not authenticate user myuser with challenge/response. A try with ntlm_auth also fails with "NT_STATUS_NO_SUCH_USER". Can somebody please help me with my problem? Am I overlooking something, or what am I doing wrong? Thanks a million, Rutger Here are the 2 config files: smb.conf
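[global]
## Browsing/Identification ###
workgroup = project
server string = %h server
dns proxy = no

#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

####### Authentication #######
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
# "ads" makes Samba a Kerberos/AD domain member; it needs "realm" and
# a working /etc/krb5.conf for the same realm (see the second file below).
security = ads

# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam

obey pam restrictions = yes
; guest account = nobody
invalid users = root

passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
; pam password change = no

############ Misc ############
# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash

# With "no", winbind only resolves domain-qualified names: test with
# PROJECT\myuser (or PROJECT+myuser if "winbind separator" is changed),
# not with the bare "myuser" - a bare name gives NT_STATUS_NO_SUCH_USER.
winbind use default domain = no

# AD domain controller used for authentication.
password server = project-ad.project.local

# Kerberos realm. Kerberos realm names are case-sensitive and written in
# upper case; this must match default_realm in krb5.conf (PROJECT.LOCAL).
# The original file had the lower-case "project.local" here.
realm = PROJECT.LOCAL

#======================= Share Definitions =======================

[homes]
comment = Home Directories
browseable = no

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700

# Restrict access to home directories
# to the one of the authenticated user
# This might need tweaking when using external authentication schemes
valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no

# ===================== second file: /etc/krb5.conf =====================
# MIT/Heimdal Kerberos client configuration; '#' starts a comment,
# subsections use braces. Indentation is cosmetic in this format.

[logging]
	# Was "FILE:/war/log/krb5libs.log" (typo: /war instead of /var); the
	# library log would silently have gone to a non-existent directory.
	default = FILE:/var/log/krb5libs.log
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmind.log

[libdefaults]
	# Must match "realm" in smb.conf.
	default_realm = PROJECT.LOCAL
# The key is spelled dns_lookup_realm (underscore). A space inside a key
# name is a krb5.conf parse error, which is consistent with the complaint
# seen during "net join"; both lookups are left disabled/commented since the
# KDC is listed explicitly under [realms] below.
#	dns_lookup_realm = false
#	dns_lookup_kdc = false
# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	# Forwardable/proxiable tickets let a service act on the user's behalf;
	# keep them only if a downstream service actually needs delegation.
	forwardable = true
	proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
	PROJECT.LOCAL = {
		# AD domain controller acting as KDC (Kerberos port 88).
		kdc = project-ad.project.local:88
		admin_server = project-ad.project.local
		default_domain = project.local
	}

[domain_realm]
	# Maps host names in the DNS domain to the Kerberos realm.
	.project.local = PROJECT.LOCAL
	project.local = PROJECT.LOCAL

[kdc]
	# Only consulted by a KDC running on this host; presumably unused on a
	# domain-member box - harmless to leave in place.
	profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
	pam = {
		debug = false
		# lifetimes in seconds (36000 = 10 hours)
		ticket_lifetime = 36000
		renew_lifetime = 36000
		forwardable = true
		krb4_convert = false
	}

[login]
	krb4_convert = true
	krb4_get_tickets = false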