Hi, I've a gateway and I want to use squid authenticated with Windows 2000 Active Directory users.

I've a development platform with Debian/Sarge as gateway, and it works (samba 3.0.10-1 and Kerberos 1.3.6-1). On the other side the production platform uses RedHat Enterprise AS3, initially with Samba 3.0.6 and Kerberos 1.2.7-28. I was not able to use Active Directory groups without getting smb panic errors in winbindd, so I updated to Samba 3.0.9-1.3E.2 and Kerberos 1.2.7-38 (last available updates).

Now I've the following troubles with kerberos-winbind.

If I don't set encryption types in krb5.conf (as in the Debian working platform), winbind fails with the following errors:

|ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (No credentials found with supported encryption types)
|spnego_gen_negTokenTarg failed: No credentials found with supported encryption types
|failed kerberos session setup with No credentials found with supported encryption types

but kinit and klist work, wbinfo -t also works, but wbinfo -u and wbinfo -g give an error.
getent passwd -s winbind and getent group -s winbind don't work.
Also, net ads join gives an error (but the computer was previously joined ok).

wbinfo --sequence shows:

GATEWAY : 1
BUILTIN : 1
TEST : DISCONNECTED

Configuration files are:

-------------krb5.conf-------------------------------
[libdefaults]
 default_realm = TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_timesync = 1
 forwardable = true
 proxiable = true

[realms]
 CIKAUTXO.ES = {
  kdc = PDC
  admin_server = PDC
  default_domain = TEST
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
-------------krb5.conf-------------------------------

PDC address is included in /etc/hosts

-------------nsswitch.conf---------------------------
···
passwd: files winbind
shadow: files
group: files winbind
···
-------------nsswitch.conf---------------------------

-------------smb.conf--------------------------------
···
 workgroup = TEST
 netbios name = GATEWAY
 realm = TEST.COM
 security = ads
 encrypt passwords = yes
 password server = PDC
 interfaces = 192.168.254.1/16
 winbind separator = /
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = true
 time server = Yes
 ######winbind nested groups = true
 client NTLMv2 auth = No
 client lanman auth = Yes
 client plaintext auth = Yes
 obey pam restrictions = Yes
 passdb backend = tdbsam, guest
 log level = 2 winbind:10 ads:10 auth:10
···
-------------smb.conf--------------------------------

The last options were included to replicate the testparm -v output obtained in the Debian development installation.

After some tests, I was able to avoid the encryption type error using the following configuration in krb5.conf:

-------------krb5.conf-------------------------------
[libdefaults]
 default_realm = TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_timesync = 1
 forwardable = true
 proxiable = true
 default_tgs_enctypes = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc
 permitted_enctypes = des-cbc-crc

[realms]
 CIKAUTXO.ES = {
  master_key_type = des-cbc-crc
  supported_enctypes = des-cbc-crc
  kdc = PDC
  admin_server = PDC
  default_domain = TEST
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM
-------------krb5.conf-------------------------------

Choosing other enctypes in some params (default_tkt_enctypes, default_tgs_enctypes) gives me the same error as above.

But this configuration also doesn't work fine. I get the following error with winbindd:

|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED

kinit and klist work. wbinfo -t returns the following error:

|checking the trust secret via RPC calls failed
|error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
|Could not check secret

but wbinfo -u and wbinfo -t work fine.
getent passwd -s winbind and getent group -s winbind also work.

wbinfo --sequence shows:

GATEWAY : 1
BUILTIN : 1
TEST : 2951992

It seems that the troubles with one configuration are solved with the other one and vice versa, but I cannot get ALL working simultaneously...

Does anybody have some light on this?

Thanks
Antón

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
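An added example, not part of the post above: the "No credentials found with supported encryption types" error comes from krb5_get_credentials when the credential cache holds a ticket for the service but its session-key enctype is not in the enctype list the library is allowed to use. The small Python checker below parses the enctype keys from a krb5.conf fragment and the enctypes that `klist -e` prints for each cached ticket, then flags any ticket whose session-key enctype falls outside `permitted_enctypes`. Both inputs are constructed here: the krb5.conf is the second configuration from the post with the realm assumed to be TEST.COM, and the `klist -e` output (MIT long enctype names, a `cifs/pdc.test.com` service ticket, an RC4 ticket for the mismatch case) is made up for the example.

```python
"""Cross-check krb5.conf enctype settings against the tickets in a
credential cache, as reported by `klist -e` (MIT format).

Added example; the config and klist text below are constructed inputs.
"""
import re
from typing import Dict, List, Optional, Tuple

# krb5.conf fragment: the post's second configuration, realm assumed TEST.COM
KRB5_CONF = """\
[libdefaults]
 default_realm = TEST.COM
 default_tgs_enctypes = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc
 permitted_enctypes = des-cbc-crc

[realms]
 TEST.COM = {
  kdc = PDC
 }
"""

# Constructed `klist -e` output. The krbtgt ticket was issued with DES
# (as the forced config requests); the cifs ticket is assumed to carry
# RC4-HMAC, which is what an AD KDC hands out when nothing else is forced.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.COM

Valid starting     Expires            Service principal
03/01/05 10:00:00  03/01/05 20:00:00  krbtgt/TEST.COM@TEST.COM
\tEtype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/01/05 10:00:05  03/01/05 20:00:00  cifs/pdc.test.com@TEST.COM
\tEtype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""

# MIT klist long names -> krb5.conf short names (the common subset)
ETYPE_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}


def parse_libdefaults(conf: str) -> Dict[str, List[str]]:
    """Return every *_enctypes key of [libdefaults] as a list of names."""
    section: Optional[str] = None
    out: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().endswith("_enctypes"):
            out[key.strip()] = value.split()
    return out


def parse_klist(text: str) -> List[Tuple[str, str, str]]:
    """Return (service principal, session-key enctype, ticket enctype)."""
    tickets: List[Tuple[str, str, str]] = []
    principal: Optional[str] = None
    for line in text.splitlines():
        m = re.match(r"\s*Etype \(skey, tkt\): (.+?), (.+?)\s*$", line)
        if m and principal:
            skey = ETYPE_NAMES.get(m.group(1), m.group(1))
            tkt = ETYPE_NAMES.get(m.group(2), m.group(2))
            tickets.append((principal, skey, tkt))
            principal = None
            continue
        parts = line.split()
        # A ticket line ends in the service principal (contains '@')
        if len(parts) >= 5 and "@" in parts[-1]:
            principal = parts[-1]
    return tickets


def check_enctypes(conf: str, klist_text: str) -> List[Tuple[str, str, bool]]:
    """For each cached ticket: (principal, session-key enctype, usable?).

    A ticket is usable when its session-key enctype is listed in
    permitted_enctypes. With no permitted_enctypes set the library default
    applies, which depends on the krb5 version, so it is reported as usable.
    """
    permitted = parse_libdefaults(conf).get("permitted_enctypes")
    results = []
    for principal, skey, _tkt in parse_klist(klist_text):
        usable = True if permitted is None else skey in permitted
        results.append((principal, skey, usable))
    return results


if __name__ == "__main__":
    for principal, skey, usable in check_enctypes(KRB5_CONF, KLIST_OUTPUT):
        print(f"{principal:32} {skey:14} {'ok' if usable else 'NOT permitted'}")
```

Run against a real cache, the idea is the same: `klist -e` after `kinit`, then compare the session-key column with whatever `permitted_enctypes` (or the library default) allows. One fact worth keeping in mind when reading the result on the two platforms in the post: MIT Kerberos gained RC4-HMAC (arcfour-hmac) support in release 1.3, so a 1.2.x library cannot use an RC4 ticket from an Active Directory KDC at all, while a 1.3.x library can.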