Any more thoughts on this?  It looks like the failure to preauthenticate is 
going to be a problem as I now cannot carry on with the next stage in the admin 
guide, which is starting the winbind service and testing the authentication.  
Winbind is an unrecognised service, so looks like it hasn't been installed for 
some reason.

Cheers,
Andi

From: Morris, Andi [mailto:[email protected]]
Sent: 07 December 2011 14:41
To: [email protected]
Subject: Re: [Packetfence-users] Configuring radius with active directory

Interestingly testparm reported that it couldn't find smb.conf, so I don't know 
whether I saved it incorrectly when I reconfigured it as below, as I definitely 
had one there beforehand (I can still see it renamed to smb.conf.old).

After recreating smb.conf with the content inside the admin guide 'net ads join 
-U %username' reported that my workgroup declaration was indeed wrong and it 
even told me what it should be - gotta love helpful error messages!  After 
correcting this I ran the join command again and got:

[root@pfence01 samba]# net ads join -U %username
Enter username's password:
Using short domain name -- DOMAIN
Joined 'PFENCE01' to realm 'internal.domain.co.uk'
[2011/12/07 14:30:55.671886,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password [email protected] failed: Preauthentication failed

So it looks like it joined the domain, but then failed at pre-authentication.

From: Francois Gaudreault [mailto:[email protected]]
Sent: 07 December 2011 13:10
To: [email protected]
Subject: Re: [Packetfence-users] Configuring radius with active directory

Yes, the workgroup has an impact.  If you do a testparm, what does it tell you?

On 11-12-07 4:02 AM, Morris, Andi wrote:
I see, well in our case I have the two set the same, should this affect 
anything?  Samba is not telling me that the workgroup is wrong.

Cheers,
Andi

From: Francois Gaudreault [mailto:[email protected]]
Sent: 06 December 2011 16:57
To: [email protected]
Subject: Re: [Packetfence-users] Configuring radius with active directory

The realm is not the same as the workgroup.  The realm refers to the one 
configured in krb5.conf, and the workgroup is the netbios name of the domain.  
Samba should tell you if the workgroup is wrong in the error message.


On 11-12-06 11:40 AM, Morris, Andi wrote:
No difference after editing the smb.conf as suggested.

Out of interest, should the realm and the workgroup be the same?

From: Francois Gaudreault [mailto:[email protected]]
Sent: 06 December 2011 16:14
To: [email protected]
Subject: Re: [Packetfence-users] Configuring radius with active directory

Ok two things:
1. Do a kinit first (i.e. kinit myuser); that should work.  Does it?
2. Use only the smb.conf from the guide; remove every other config from the 
smb.conf.  Basically, copy and paste the configuration from the guide, and 
change your workgroup, ip and realm attributes.

Let me know if it works better.

On 11-12-06 10:50 AM, Morris, Andi wrote:
Ok cheers, here they are with domain names and IP addresses edited.

Krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.CO.UK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
  MYDOMAIN.CO.UK = {
  kdc = activedirectoryservername:88
  admin_server = activedirectoryservername:749
  default_domain = mydomain.co.uk
}

[domain_realm]
mydomain.co.uk = MYDOMAIN.CO.UK
mydomain.co.uk = MYDOMAIN.CO.UK

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}


Smb.conf (leaving out any commented lines, I added the global config as per the 
admin guide, the others are there by default):

[global]
workgroup = MYDOMAIN.CO.UK
        server string = pfence01
        interfaces = 1.2.3.4/24    (Packetfence management IP address)
        security = ADS
        passdb backend = tdbsam
        realm = MYDOMAIN.CO.UK
        encrypt passwords = yes
        winbind use default domain = yes
        client NTLMv2 auth = yes
        preferred master = no
        load printers = no
        cups options = raw
        idmap uid = 10000-45000
        idmap gid = 10000-45000
        log level = 1 winbind:5 auth:3

        log file = /var/log/samba/log.%m

        max log size = 50

        security = user
        passdb backend = tdbsam

        load printers = yes
        cups options = raw
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

From: Francois Gaudreault [mailto:[email protected]]
Sent: 06 December 2011 15:33
To: [email protected]
Subject: Re: [Packetfence-users] Configuring radius with active directory

Hi,

Can you post your krb5.conf and your smb.conf?  Otherwise we are blind...

On 11-12-06 6:52 AM, Morris, Andi wrote:
I'm trying to setup radius to authenticate clients with my active directory 
database so that I can utilise the 802.1x on the switches.  However I've got to 
the section where I need to add my server to the domain after configuring samba 
and it is failing.  I don't know whether it's related or not, but since doing 
this I can also no longer use the web interface for the server.

The failure message I get when trying to add the server to the domain is:
Host is not configured as a member server.
Invalid configuration.  Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

Can anyone shed some light on this please?

Cheers,
Andi
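
Added example, not part of the original thread: a small Python lint for the smb.conf and krb5.conf posted above. It checks the points raised in the replies (workgroup versus realm, realm matching krb5.conf) and also flags a key repeated in [global], since Samba applies the last value it reads, so a later `security = user` replaces `security = ADS`. The sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the [global] section posted in the thread.
SAMPLE_SMB = """\
[global]
workgroup = MYDOMAIN.CO.UK
security = ADS
realm = MYDOMAIN.CO.UK
passdb backend = tdbsam
security = user
passdb backend = tdbsam
[homes]
browseable = no
"""
SAMPLE_KRB5 = "[libdefaults]\ndefault_realm = MYDOMAIN.CO.UK\n"

def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((" ".join(key.lower().split()), value.strip()))
    return sections

def lint_ads_join(smb_text, krb5_text):
    """Return findings that would make 'net ads join' fail or misbehave."""
    glob = parse_ini(smb_text).get("global", [])
    krb = dict(parse_ini(krb5_text).get("libdefaults", []))
    findings, effective = [], {}
    for key, value in glob:
        if key in effective and effective[key].lower() != value.lower():
            findings.append(f"'{key}' set twice: '{effective[key]}' is overridden by '{value}'")
        effective[key] = value  # the last value read is the one in effect
    if effective.get("security", "").lower() != "ads":
        findings.append("effective 'security' is not ADS, host is not a member server")
    wg = effective.get("workgroup", "")
    if "." in wg or len(wg) > 15:  # heuristic: NetBIOS domain names are short, undotted
        findings.append(f"workgroup '{wg}' looks like a DNS realm, not a NetBIOS domain name")
    if effective.get("realm", "").upper() != krb.get("default_realm", "").upper():
        findings.append("smb.conf realm differs from krb5.conf default_realm")
    return findings
```

Running `lint_ads_join(SAMPLE_SMB, SAMPLE_KRB5)` on the constructed sample returns three findings: the overridden `security` key, the resulting non-ADS mode, and the dotted workgroup.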





_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)




