I'm attempting to get ubuntu to work with an AD 2008 server for
authentication and authorization.
DNS is on a separate unix host, with dns on the windows server as a
non-authoritative source.
It appears that I have a kerberos problem.
What works:
1. kinit user
Password for u...@ad.engr.wisc.edu
2. wbinfo -t, wbinfo -u, wbinfo -g all succeed.
What sort-of works:
1. net ads join -U user complains:
DNS update failed!
but net ads testjoin gives:
Join is OK
What fails:
1. wbinfo -K u...@ad.engr.wisc.edu
Enter u...@ad.engr.wisc.edu's password:
plaintext kerberos password authentication for [u...@ad.engr.wisc.edu]
failed (requesting cctype: FILE)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user [u...@ad.engr.wisc.edu] with Kerberos
(ccache: FILE)
2. wbinfo -i user
3. calls to nss, getent passwd, id user (yes I have compat winbind in
nsswitch for passwd and groups)
The nss calls create failed LDAP bind messages in the logs. My sense is
that the failure of the ldap bind is related to the apparent kerberos
problem.
Thanks in advance
Russ Poyner
# [libdefaults] -- client library defaults; these apply to every realm below.
[libdefaults]
# Kerberos v4 compatibility setting; v4 support is disabled further down, so it
# is unlikely to have any effect -- confirm before removing.
default_domain = AD.ENGR.WISC.EDU
# Realm assumed when a principal is given without @REALM (e.g. `kinit user`).
default_realm = AD.ENGR.WISC.EDU
# Kerberos v4 compatibility files; dead weight on builds without v4 support.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
# Let the library compensate for clock skew between this host and the KDC.
kdc_timesync = 1
# Credential cache file format version.
ccache_type = 4
# Request forwardable/proxiable TGTs by default (needed for delegated access,
# e.g. ssh -K or AFS token acquisition).
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
# Heimdal-only option; MIT ignores libdefaults keys it does not know.
fcc-mit-ticketflags = true
# NOTE(review): the next three lines pin every ticket to RC4-HMAC or single DES.
# Single DES is broken and newer MIT releases (1.8+) refuse it unless
# allow_weak_crypto = true, while AES -- which Server 2008 DCs support -- is
# excluded entirely. The stock comment block below warns against overriding
# the enctype defaults at all. If RC4 is genuinely required for this domain,
# prefer listing AES types first and dropping DES -- confirm against the DC's
# supported encryption types before changing.
default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
# Locate KDCs via DNS SRV records for realms that have no explicit kdc lines.
dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
# [realms] -- per-realm KDC lists. Explicit kdc entries take precedence over
# the DNS SRV lookup enabled by dns_lookup_kdc, and are tried in the order
# listed.
[realms]
# Active Directory realm: the three domain controllers.
AD.ENGR.WISC.EDU = {
kdc = engr-dc1.ad.engr.wisc.edu
kdc = engr-dc2.ad.engr.wisc.edu
kdc = engr-dc3.ad.engr.wisc.edu
}
# Commented-out ENGR.WISC.EDU entry kept for reference; see the notes at the
# end of this section.
# ENGR.WISC.EDU = {
# kdc = kdc1.cae.wisc.edu
# kdc = kdc2.cae.wisc.edu
# kdc = kdc-master.cae.wisc.edu
# admin_server = kdc-master.cae.wisc.edu
# default_domain = cae.wisc.edu
# }
# Commented-out auth_to_local experiment for the AD realm.
# AD.ENGR.WISC.EDU = {
# auth_to_local =
# NOTE(review): the next line carries no leading `#`, yet kinit succeeds, so it
# is presumably an e-mail line-wrap of the commented `auth_to_local = RULE:...`
# line above. On disk it should be a single commented line -- a bare RULE:
# line at this level would be rejected by the profile parser -- verify the
# real file.
RULE:[1:$0\$1](^AD\.ENGR\.WISC\.EDU\\.*)s/^AD\.ENGR\.WISC\.EDU/ENGR/
# auth_to_local = DEFAULT
# }
# CS department realm, for AFS sharing (see notes below).
CS.WISC.EDU = {
kdc = kerberos-1.cs.wisc.edu
kdc = kerberos-2.cs.wisc.edu
kdc = kerberos.cs.wisc.edu
admin_server = kerberos.cs.wisc.edu
}
# The notes below presumably sat above the matching realm entries in the
# original file; the paste has moved them after the section body.
# Our ENGR.WISC.EDU realm that's used for AFS, NFS, etc.
# We aren't specifying any v4_ rules like default_domain since we shouldn't
# need to support that anymore.
# TODO: test to see if we need any mapping rules (auth_to_local*)
# An entry for the ActiveDirectory Kerberos realm at CAE, possibly useful for
# cross-site trust.
# Some more entries for CS's Kerberos so we can share AFS.
# These were defaults in the kdc.conf file upon installation. I see no
# immediate need to remove them, though the data should be available via DNS
# TXT and SRV records now.
# See Also:
# http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS
# 2009-08-18
# bpkroth
# [domain_realm] -- host name (suffix) to realm mapping. A leading-dot entry
# matches every host under that domain; the bare entry matches the domain name
# itself.
[domain_realm]
.engr.wisc.edu = ENGR.WISC.EDU
engr.wisc.edu = ENGR.WISC.EDU
.cae.wisc.edu = ENGR.WISC.EDU
cae.wisc.edu = ENGR.WISC.EDU
.ad.engr.wisc.edu = AD.ENGR.WISC.EDU
ad.engr.wisc.edu = AD.ENGR.WISC.EDU
# NOTE(review): ece.wisc.edu hosts -- including this machine, which /etc/hosts
# names rp-ubunt10vm.ece.wisc.edu -- are mapped to the AD realm, so their
# host/ service principals are presumably expected to live in AD rather than
# in ENGR.WISC.EDU; confirm that matches how the box was joined.
.ece.wisc.edu = AD.ENGR.WISC.EDU
ece.wisc.edu = AD.ENGR.WISC.EDU
.cs.wisc.edu = CS.WISC.EDU
cs.wisc.edu = CS.WISC.EDU
# Locally added realms for CAE.
# 2009-08-18
# bpkroth
# These were defaults in the kdc.conf file upon installation. I see no
# immediate need to remove them, though the data should be available via DNS
# TXT and SRV records now.
# See Also:
# http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS
# 2009-08-18
# bpkroth
# Adding a section to setup logging.
# 2009-08-18
# bpkroth
# [logging] -- send library diagnostics to syslog; no per-component overrides.
[logging]
default = SYSLOG
# Setup capaths for cross-site authentication with ad.engr.wisc.edu.
# [capaths] -- cross-realm trust paths. A value of `.` means the two realms
# are trusted directly, with no intermediate realm; both directions are
# declared so tickets can be obtained either way.
[capaths]
ENGR.WISC.EDU = {
AD.ENGR.WISC.EDU = .
}
AD.ENGR.WISC.EDU = {
ENGR.WISC.EDU = .
}
# [login] -- Kerberos v4 login behaviour. NOTE(review): these krb4_* keys only
# matter to builds with v4 support, which current MIT releases no longer
# include; harmless, but dead weight.
[login]
krb4_convert = true
krb4_get_tickets = false
# [appdefaults] -- per-application settings (pam_krb5, mod_auth_kerb, ...).
[appdefaults]
pam = {
# Maps ENGR\user style logins onto an AD principal. NOTE(review): `$...@`
# looks like the list archiver's address masking (the prose above shows
# `u...@` the same way); the real value is presumably `$1@ad.engr.wisc.edu`.
mappings = ENGR\\(.*) $...@ad.engr.wisc.edu
forwardable = true
# pam_krb5 verifies the obtained TGT against this host's keytab, so a spoofed
# KDC cannot satisfy a PAM login; requires a host/ keytab on this machine.
validate = true
}
httpd = {
mappings = ENGR\\(.*) $...@ad.engr.wisc.edu
# Inverse mapping: AD principals back to the ENGR\user form.
reverse_mappings = (.*)@AD\.ENGR\.WISC\.EDU ENGR\$1
}
# The header below belongs at the top of krb5.conf; the paste placed it after
# the last section.
# krb5.conf
# 2009-08-17
# bpkroth
#
# The client/server config file for Kerberos v5 on Linux machines at CAE.
# This file is used both by KDCs, clients, and applications.
# /etc/hosts for the Ubuntu member server.
127.0.0.1 localhost.localdomain localhost
# NOTE(review): the two entries for 128.104.182.240 spell the host name two
# different ways -- `rp-ubunt10vm` (no second "u") on the first line and
# `rp-ubuntu10vm` on the second. The resolver typically takes the first name
# on the first matching line as the canonical host name, which is what the
# host/ principal and the `net ads join` DNS update are derived from; if the
# first spelling is a typo it may be related to the "DNS update failed!"
# message -- verify which spelling is the real one and use it on both lines.
128.104.182.240 rp-ubunt10vm.ece.wisc.edu rp-ubuntu10vm
128.104.182.240 rp-ubuntu10vm.ad.engr.wisc.edu
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
# smb.conf [global] -- Samba member server joined to AD.ENGR.WISC.EDU, with
# winbind supplying identities to NSS/PAM.
[global]
workgroup = ENGR
realm = AD.ENGR.WISC.EDU
# AD member mode: authentication is delegated to the domain controllers.
security = ADS
allow trusted domains = No
# NOTE(review): with security = ADS the DCs are normally discovered through DNS
# SRV records; pinning an IP bypasses that, and the service principal Samba
# builds for the DC then depends on reverse DNS for this address. Confirm it
# is one of the engr-dc hosts named in krb5.conf and resolves both ways.
password server = 144.92.13.232
# 2 = refuse anonymous connections entirely.
restrict anonymous = 2
kerberos method = system keytab
# Verbose debugging level; return to the default once the join works.
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
disable netbios = Yes
# NOTE(review): Kerberos inside SMB is always carried in SPNEGO, so disabling
# it forces winbind's SMB sessions to the DC back to NTLM. Unless a specific DC
# incompatibility required this, the default (Yes) is the safer choice --
# verify why it was set.
client use spnego = No
dns proxy = No
# DN used for LDAP simple binds (idmap allocation). Its password is kept in
# secrets.tdb and set with `smbpasswd -w`; if it was never stored, or is
# stale, every bind fails -- that would match the "failed LDAP bind" log
# messages described above. NOTE(review): verify the stored secret.
ldap admin dn = cn=rpoyner,ou=caeid,ou=cae,dc=ad,dc=engr,dc=wisc,dc=edu
ldap suffix = dc=ad,dc=engr,dc=wisc,dc=edu
# NOTE(review): a simple bind with the admin DN above over plain LDAP sends that
# account's password in clear text; prefer `ldap ssl = start tls` (or ldaps://
# URLs in the idmap settings). AD can also be configured to reject unsigned
# simple binds, which is another possible cause of the bind failures.
ldap ssl = no
ldap connection timeout = 3
ldap debug level = 1
panic action = /usr/share/samba/panic-action %d
# Legacy global idmap settings and per-domain `idmap config ENGR:*` settings
# are both present; the per-domain block is the one that normally applies to
# ENGR, leaving the three lines below as fallback -- consider consolidating.
idmap backend = ldap:ldap://engr-dc2.ad.engr.wisc.edu
idmap uid = 1000-999999
idmap gid = 1000-999999
template shell = /bin/bash
# NOTE(review): with `@` as separator winbind names take the form ENGR@user,
# which cannot be told apart from the user@realm form passed to `wbinfo -K`
# above; the NT_STATUS_NO_SUCH_USER result is consistent with the name being
# split on the wrong side. Try another separator (e.g. `+`) before treating
# this as a Kerberos fault.
winbind separator = @
winbind enum users = Yes
winbind enum groups = Yes
# uid/gid/shell are taken from the RFC2307 attributes in AD; presumably users
# lacking uidNumber/gidNumber there will not resolve through NSS.
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes
idmap config ENGR:range = 1000-999999
# NOTE(review): `ad.wisc.edu` here does not match `ad.engr.wisc.edu`, which is
# used for engr-dc1 in krb5.conf and for engr-dc2 on the `idmap backend` line
# above; this looks like a typo -- confirm the host resolves.
idmap config ENGR:ldap_url = ldap://engr-dc1.ad.wisc.edu
idmap config ENGR:schema_mode = rfc2307
idmap config ENGR:backend = ldap
idmap config ENGR:default = yes
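# Print spool share (one share per printer known to the print system).
[printers]
comment = All Printers
path = /var/spool/samba
# Spool files readable only by their owner.
create mask = 0700
printable = Yes
# Hidden from browse lists. `browsable` is only a Samba alias for this same
# parameter, so it is not set a second time.
browseable = No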
# Printer driver share. The stanza ends here in the paste; presumably further
# settings followed in the real file.
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers