Hi,
I got that working on woody, but against a Win2000 ADS.
How?
- fetched the latest source of MIT Kerberos from the MIT server and installed it in /usr/local, as the version coming with woody is too old; it does not support the needed enc-types.
- fetched samba-3.0.5-pre2 from svn, compiled it against the Kerberos in /usr/local, and installed it.
- deleted all old databases of Samba
- deleted the Samba server from the ADS and rejoined it.
I found for me that in nsswitch.conf the lines
passwd: compat winbind
group: compat winbind
will not work; replace "compat" with "files".
This way you should be able to get it working, but no guarantee.
Christoph
Benoit Moeremans wrote:
Hello, *This msg was already sent yesterday on this ml, but I found some faults in the mail.*
**If anyone can help me... the only thing I'm thinking of now is to throw away the servers**
I installed Samba 3.0.4 + Kerberos 5 + winbind to make the Debian woody server join the Active Directory service.
Everything seems to be ok, except the authentication. If I try to go to the share of the Linux server from a Windows box, it asks me for the password. And of course, no way to log in.
Here is the config:
*nsswitch.conf*
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
*samba*
[global]
workgroup = TEST
realm = CAR.BE.TEST.COM.LOCAL
server string = %h server (Samba %v)
; wins support = no
; wins server = w.x.y.z
dns proxy = no
; name resolve order = lmhosts host wins bcast
use spnego = yes
log file = /var/log/samba/log.%m
max log size = 1000
; syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d

# separate domain and username with '+', like DOMAIN+username
winbind separator = +
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes

security = ADS
encrypt passwords = yes
passdb backend = tdbsam guest
obey pam restrictions = yes
password server = car-pdc
netbios name = rantanplan
; guest account = nobody
invalid users = root
; unix password sync = no
; passwd program = /usr/bin/passwd %u
# passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
; pam password change = no
; load printers = yes
; preserve case = yes
; short preserve case = yes
; include = /home/samba/etc/smb.conf.%m
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
; domain master = auto
idmap uid = 10000-20000
idmap gid = 10000-20000
; template shell = /bin/bash

[admin]
comment = Administration Directory
path = /home/benoit
admin users = TEST+bmo
browseable = yes
public = no
writable = yes
guest only = no
valid users = TEST+bmo
*kerberos*
[libdefaults]
default_realm = CAR.BE.TEST.COM

[realms]
CAR.BE.TEST.COM = {
    kdc = car-pdc.car.be.test.com
    default_domain = car.be.test.com
}
#[domain_realms]
#.kerberos.server=CAR.BE.TEST.COM

# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}

[login]
krb4_convert = true
krb4_get_tickets = true
*winbind* (logs)
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain CAR CAR.BE.TEST.COM.LOCAL S-0-0
[2004/06/07 13:38:57, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain BUILTIN S-1-5-32
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain RANTANPLAN S-1-5-21-837388855-3362161430-1770541169
I found also some trace in the log.smbd
smbd version 3.0.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
[2004/06/09 10:29:16, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Transport endpoint is not connected
[2004/06/09 10:34:28, 0] smbd/server.c:main(757)
All commands like kinit, net ads join, wbinfo -u (-g), getent etc. work. From the Linux server, no problem to go to the shares of the domain controller (which is a Windows 2003 server). Do I have to make the keytab for Kerberos by myself for each Samba server, or does it create itself with the "net ads join" cmd?
Any help would be welcome. Regards,
Benoit
--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
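As an added example (not from either poster): a small Python checker that parses the Samba log format quoted above and picks out the Kerberos failure from libsmb/clikrb5.c, flags the "compat winbind" combination in nsswitch.conf that Christoph replaced, and compares the realm in smb.conf with default_realm in krb5.conf, since the two values quoted in the thread differ. The sample inputs are constructed from the thread's own configuration and log lines; the function names are mine.

```python
import re

# Samba log entry header, e.g. "[2004/06/07 13:38:57, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)"; the message normally follows on an indented line, but the regex also accepts it inline.
LOG_RE = re.compile(r"\[(?P<ts>[\d/]+ [\d:]+), (?P<level>\d+)\]\s+"
                    r"(?P<file>[^\s:]+):(?P<func>\w+)\((?P<line>\d+)\)\s*(?P<msg>.*)")

# Constructed samples, built from the configuration and log lines quoted in the thread.
WINBIND_LOG = """\
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain CAR CAR.BE.TEST.COM.LOCAL S-0-0
[2004/06/07 13:38:57, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No credentials cache found)
"""
NSSWITCH = "passwd: compat winbind\ngroup: compat winbind\nshadow: compat\nhosts: files dns\n"
SMB_CONF = "[global]\nworkgroup = TEST\nrealm = CAR.BE.TEST.COM.LOCAL\nsecurity = ADS\n"
KRB5_CONF = "[libdefaults]\ndefault_realm = CAR.BE.TEST.COM\n"

def parse_samba_log(text):
    """Return one dict per entry (ts, level, file, func, line, msg); continuation lines join msg."""
    entries = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def krb5_failures(entries):
    """Messages from libsmb/clikrb5.c that report a failure (here: no credentials cache)."""
    return [e["msg"] for e in entries if e["file"].endswith("clikrb5.c") and "failed" in e["msg"]]

def nsswitch_compat_winbind(text):
    """Databases whose source list has both 'compat' and 'winbind', the mix Christoph replaced."""
    flagged = []
    for raw in text.splitlines():
        db, _, sources = raw.split("#", 1)[0].partition(":")
        if {"compat", "winbind"} <= set(sources.split()):
            flagged.append(db.strip())
    return flagged

def _setting(text, key):
    # First uncommented "key = value" line in an smb.conf/krb5.conf style file, or None.
    m = re.search(r"^\s*%s\s*=\s*(\S+)" % re.escape(key), text, re.M | re.I)
    return m.group(1) if m else None

def realm_mismatch(smb_conf, krb5_conf):
    """(smb.conf realm, krb5.conf default_realm) when they differ, else None."""
    smb, krb = _setting(smb_conf, "realm"), _setting(krb5_conf, "default_realm")
    return (smb, krb) if smb and krb and smb.upper() != krb.upper() else None
```

Calling realm_mismatch(SMB_CONF, KRB5_CONF) on the samples returns the two differing realm strings; nsswitch_compat_winbind(NSSWITCH) returns the passwd and group databases.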