Even if I do not have users logging into this samba box locally, I still need to edit /etc/pam.d/login?

---------- Original Message ----------------------------------
From: "Thomas M. Skeren III" <[EMAIL PROTECTED]>
Date: Mon, 20 Dec 2004 18:31:53 -0800

Brian Kesting wrote:

>When I made those changes to krb5.conf I got the following in my smb log
>and I could not access my samba share...
>
>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>  Failed to verify incoming ticket!
>[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>  Failed to verify incoming ticket!
>[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>  Failed to verify incoming ticket!
>[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>  Failed to verify incoming ticket!
>
>Not sure what I am missing, I may just start this whole project over from
>scratch and see if I have better luck.

As I stated in my guide,

Note: If you have a server and it isn't a production server, has nothing
of value on it, and you have been stuffing programs on it to get Samba to
work with ADS, but failed, put that 5.3 Release install cd into the cdrom
drive, and reinstall FBSD 5.3 formatting the drives along the way. Don't
bug me if you didn't start with a nice clean install.

Make sure you have the pam.d/login stuff done. Without it pam can't
authenticate non local users.

>---------- Original Message ----------------------------------
>From: "Thomas M. Skeren III" <[EMAIL PROTECTED]>
>Date: Mon, 20 Dec 2004 17:50:47 -0800
>
>Brian Kesting wrote:
>
>>I am using Suse 9.2 and heimdal 0.6.2
>
>In that case you need:
>
>    default_etypes = des-cbc-crc des-cbc-md5
>    default_etypes_des = des-cbc-crc des-cbc-md5
>
>In libdefaults. Read my whole response as I made changes throughout
>your krb5.conf file. You may also need a keytab file, but I doubt it.
>
>>---------- Original Message ----------------------------------
>>From: "Thomas M. Skeren III" <[EMAIL PROTECTED]>
>>Date: Mon, 20 Dec 2004 17:43:07 -0800
>>
>>Brian Kesting wrote:
>>
>>>My setup looks about identical to the setup you have listed in the link you
>>>provided.
>>>
>>>Since this line:
>>>libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>krb5_cc_get_principal failed (No such file or directory)
>>>
>>>keeps appearing in my winbind log file, I am thinking it is a kerberos
>>>problem too. Do you see anything wrong with my /etc/krb5.conf file?
>>>
>>>[libdefaults]
>>>    default_realm = WAYNE.LOCAL
>>>    clockskew = 300
>>
>>Try adding:
>>
>>dns_lookup_realm = false
>>dns_lookup_kdc = false
>>
>>Also which OS are you using? What Kerberos? The default etypes lines
>>are necessary for Heimdal, but I don't think they are necessary for MIT.
>>
>>>[realms]
>>>WAYNE.LOCAL = {
>>>    kdc = police.wayne.local
>>>    default_domain = WAYNE.LOCAL
>>>    kpasswd_server = police.wayne.local
>>>}
>>
>>Try:
>>
>>kdc = KERBEROS.WAYNE.LOCAL
>>admin_server = police.wayne.local
>>default_domain = wayne.local
>>
>>>[domain_realm]
>>>    .WAYNE.LOCAL = WAYNE.LOCAL
>>
>>Probably not enough info here. Try: (Remember caps must be in caps).
>>
>>.wayne.local = WAYNE.LOCAL
>>wayne.local = WAYNE.LOCAL
>>.WAYNE.LOCAL = WAYNE.LOCAL
>>kerberos.server = KERBEROS.WAYNE.LOCAL
>>
>>>[appdefaults]
>>>pam = {
>>>    ticket_lifetime = 365d
>>>    renew_lifetime = 365d
>>>    forwardable = true
>>>    proxiable = false
>>>    retain_after_close = true
>>>    minimum_uid = 0
>>
>>Pam stuff is more OS dependent, so I have no suggestions here. MAKE
>>SURE THAT YOUR SAMBA SERVER IS USING THE W2K ADS SERVER AS DNS----THIS IS
>>ABSOLUTELY CRITICAL.
>>
>>>---------- Original Message ----------------------------------
>>>From: "Thomas M. Skeren III" <[EMAIL PROTECTED]>
>>>Date: Mon, 20 Dec 2004 17:16:38 -0800
>>>
>>>Brian Kesting wrote:
>>>
>>>>Someone told me once to try to remove the Samba server from the domain,
>>>>rename it, and rejoin the domain......would that solve any problems in your
>>>>opinion?
>>>
>>>That is an odd solution, unless AD is mangled with respect to the samba
>>>server name. Methinks you have a kerberos problem. My servers are
>>>FreeBSD, but I do have a bare bones guide for setting up samba as an AD
>>>member server in FreeBSD. If you use Linux it can only be a reference,
>>>but it's an easy read.
>>>
>>><http://www.fsklaw.com/fbsdconfig.html>
>>>
>>>>---------- Original Message ----------------------------------
>>>>From: "Brian Kesting" <[EMAIL PROTECTED]>
>>>>Reply-To: [EMAIL PROTECTED]
>>>>Date: Mon, 20 Dec 2004 18:05:47 -0600
>>>>
>>>>I read something about nscd causing problems before I even installed the
>>>>system, so I never even installed that service.
>>>>
>>>>Here is an updated /var/log/samba/log.winbindd file.....btw, thanks for the
>>>>quick help and tips so far, I appreciate it.
>>>>
>>>>[2004/12/20 17:33:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>krb5_cc_get_principal failed (No such file or directory)
>>>>[2004/12/20 17:38:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 17:43:44, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 17:45:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>user 'root' does not exist
>>>>[2004/12/20 17:49:01, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 17:52:26, 1] libads/ldap_utils.c:ads_do_search_retry(77)
>>>>ads_search_retry: failed to reconnect (Invalid credentials)
>>>>
>>>>
>>>>---------- Original Message ----------------------------------
>>>>From: Brett Stevens <[EMAIL PROTECTED]>
>>>>Date: Tue, 21 Dec 2004 10:33:30 +1100
>>>>
>>>>One thing I noticed when having similar problems is that for some reason
>>>>nscd seems to be a problem. Stop this service and restart all samba services
>>>>including smbd, nmbd and winbind.
>>>>
>>>>Let us know how it goes.
>>>>
>>>>Brett Stevens
>>>>
>>>>-----Original Message-----
>>>>From: Brian Kesting [mailto:[EMAIL PROTECTED]
>>>>Sent: Tuesday, December 21, 2004 10:29 AM
>>>>To: [EMAIL PROTECTED]
>>>>Subject: [Samba] winbind problems
>>>>
>>>>
>>>>Hello,
>>>>
>>>>I am running a Samba server (3.0.7) on a Suse 9.2 box. I have connected
>>>>this server successfully to a Windows 2000 Active Directory (mixed mode). I
>>>>have nsswitch.conf, krb5.conf configured and winbind seems to be running
>>>>properly for the most part. With wbinfo I can get all of my user and group
>>>>information. Problem is, it seems that at random times, the samba server
>>>>just stops authenticating the windows user names and accounts. If I restart
>>>>the winbind or smb service, then all seems to be well again for a while.
>>>>Right now the only way I can keep this running is to run a cron job that
>>>>restarts the samba and winbind services every hour. This is really bugging
>>>>me as I cannot figure out what is going on. Can anyone help me? I have
>>>>included some of my configuration and log files below. Thanks in advance.
>>>>
>>>>---------/etc/samba/smb.conf----------
>>>># Samba Configuration File
>>>>
>>>>[global]
>>>>    workgroup = WAYNE
>>>>    realm = WAYNE.LOCAL
>>>>    server string = Samba Server
>>>>    security = ADS
>>>>    password server = adserver.wayne.local
>>>>    encrypt passwords = yes
>>>>    idmap uid = 10000-20000
>>>>    idmap gid = 10000-20000
>>>>    template shell = /bin/bash
>>>>    winbind use default domain = no
>>>>    winbind separator = /
>>>>
>>>>[users]
>>>>    comment = Users on Linux
>>>>    path = /home/WAYNE
>>>>    read only = No
>>>>    browseable = Yes
>>>>
>>>>---------/etc/nsswitch.conf-------
>>>>passwd: files winbind
>>>>group: files winbind
>>>>hosts: files dns wins winbind
>>>>networks: files dns
>>>>
>>>>---------/etc/krb5.conf-----------
>>>>[libdefaults]
>>>>    default_realm = WAYNE.LOCAL
>>>>    clockskew = 300
>>>>
>>>>[realms]
>>>>WAYNE.LOCAL = {
>>>>    kdc = police.wayne.local
>>>>    default_domain = WAYNE.LOCAL
>>>>    kpasswd_server = adserver.wayne.local
>>>>}
>>>>[domain_realm]
>>>>    .WAYNE.LOCAL = WAYNE.LOCAL
>>>>[appdefaults]
>>>>pam = {
>>>>    ticket_lifetime = 365d
>>>>    renew_lifetime = 365d
>>>>    forwardable = true
>>>>    proxiable = false
>>>>    retain_after_close = true
>>>>    minimum_uid = 0
>>>>}
>>>>
>>>>----------/var/log/samba/log.smbd--------
>>>>[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>[2004/12/20 15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>[2004/12/20 15:25:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>[2004/12/20 15:25:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/LIEUTENANT1$ is invalid on this system
>>>>.
>>>>.
>>>>.
>>>>[2004/12/20 16:04:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>[2004/12/20 16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>[2004/12/20 16:05:13, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>>>>Username WAYNE/DISPATCH_GW1$ is invalid on this system
>>>>
>>>>----------/var/log/samba/log.winbindd-------------------
>>>>[2004/12/20 16:51:07, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 16:54:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>>>>krb5_cc_get_principal failed (No such file or directory)
>>>>[2004/12/20 16:56:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 16:59:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>user 'root' does not exist
>>>>[2004/12/20 17:00:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>user 'root' does not exist
>>>>[2004/12/20 17:01:18, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 17:06:24, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 17:11:40, 1] libsmb/ntlmssp.c:ntlmssp_update(245)
>>>>Failed to parse NTLMSSP packet, could not extract NTLMSSP command
>>>>[2004/12/20 17:15:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
>>>>
>>>>????
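
Added example, not part of the original thread or of Samba: a small triage script for the smbd/winbindd log format quoted above, which groups entries by function and message and reports when each failure first and last appeared, so the "random" authentication outages can be lined up against service restarts. The names `parse_entries` and `summarize` are hypothetical, and the sample is constructed from entries of the kind quoted in the thread, including one header whose date was wrapped onto the previous line by a mail client.

```python
import re
from datetime import datetime

# Samba log entry: "[date time, level] file:function(line)", then indented message text.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\] \S+:(\w+)\(\d+\)$")
# A mail client may wrap a header so that its date trails the previous message line.
WRAPPED = re.compile(r"[ \t]*\[(\d{4}/\d\d/\d\d)[ \t]*\n[ \t]*(\d\d:\d\d:\d\d,)")
INVALID_USER = re.compile(r"^Username (\S+) is invalid on this system$")
# Constructed sample: entries of the kinds quoted in the thread, one header wrapped.
SAMPLE = """\
[2004/12/20 15:25:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/LIEUTENANT1$ is invalid on this system [2004/12/20
15:25:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/LIEUTENANT1$ is invalid on this system
[2004/12/20 16:04:34, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username WAYNE/DISPATCH_GW1$ is invalid on this system
[2004/12/20 20:13:56, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/12/20 20:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
"""

def parse_entries(text):
    """Return (timestamp, function, message) tuples, repairing wrapped headers."""
    text = WRAPPED.sub(r"\n[\1 \2", text)
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append([datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2), ""])
        elif entries and line:
            entries[-1][2] = (entries[-1][2] + " " + line).strip()
    return [tuple(e) for e in entries]

def summarize(entries):
    """Group by (function, message); account names are folded into one bucket."""
    groups = {}
    for ts, func, msg in entries:
        m = INVALID_USER.match(msg)
        key = (func, "Username <name> is invalid on this system" if m else msg)
        g = groups.setdefault(key, {"count": 0, "first": ts, "last": ts, "names": set()})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], ts), max(g["last"], ts)
        g["names"].update(m.groups() if m else ())
    return groups

if __name__ == "__main__":
    for (func, msg), g in summarize(parse_entries(SAMPLE)).items():
        print(f"{g['count']:3d}  {g['first']:%H:%M:%S}-{g['last']:%H:%M:%S}  {func}: {msg} {sorted(g['names'])}")
```
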