Andrew Bartlett wrote:
> On Wed, 2005-02-16 at 10:09 -0500, Greg Folkert wrote:
>> On Wed, 2005-02-16 at 11:49 +0100, Antón wrote:
>> > Hi,
>> >
>> > I've a gateway and I want to use squid authenticated with Windows
>> > 2000 Active Directory users.
>> >
>> > I've a development platform with Debian/Sarge as gateway, and it
>> > works. (samba 3.0.10-1 and Kerberos 1.3.6-1)
>> >
>> > On the other side the production platform uses RedHat Enterprise
>> > AS3, initially with Samba 3.0.6 and Kerberos 1.2.7-28. I was not
>> > able to use Active Directory groups without getting smb panic errors in
>> > winbindd, so I updated to Samba 3.0.9-1.3E.2 and Kerberos 1.2.7-38
>> > (last available updates).
>>
>> You *ABSOLUTELY MUST USE* a version of MIT Kerberos5 v1.3.1 or newer.
>
> Yes and no. My understanding is that the issues regarding MIT < 1.3.1
> have been again resolved, in the latest Samba (including what has been
> released for RHEL by RedHat). Linking to another kerberos
> implementation is a real pain (you would need to statically link to
> even start).
>
> (Of course, life is much easier with krb5 1.3.1 or later, but I know
> what a pain it is for RHEL users)
>
> I think the issue here is that the machine must be rejoined to the
> domain, after the upgrade.
>
> Andrew Bartlett
First of all, sincerely, thanks a lot for both answers.

Upgrading to kerberos5 > 1.3.1 was a pain, but now I've 1.3.4 installed.

Now, if I start winbind without specifying any encryption it works, but only partially.

kinit works. klist -e returns:

|Ticket cache: FILE:/tmp/krb5cc_0
|Default principal: [EMAIL PROTECTED]
|
|Valid starting     Expires            Service principal
|02/21/05 09:11:49  02/21/05 19:11:42  krbtgt/[EMAIL PROTECTED]
|        renew until 02/22/05 09:11:49, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
|
|
|Kerberos 4 ticket cache: /tmp/tkt0
|klist: You have no tickets cached

wbinfo --sequence

|PASARELA : 1
|BUILTIN : 1
|TEST : 2975164

wbinfo -u and -g work as well. If I try a net join, it also works:

net ads join -U user

|users password:
|[2005/02/21 09:14:14, 0] libads/ldap.c:ads_add_machine_acct(1368)
|  ads_add_machine_acct: Host account for pasarela already exists - modifying old account
|Using short domain name -- TEST
|Joined 'GATEWAY' to realm 'TEST.COM'

but ...

wbinfo -t

|checking the trust secret via RPC calls failed
|error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
|Could not check secret

The error in the winbind log is:

|accepted socket 18
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn INTERFACE_VERSION
|[20287]: request interface version
|client_write: wrote 1300 bytes.
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn WINBINDD_PRIV_PIPE_DIR
|[20287]: request location of privileged pipe
|client_write: wrote 1300 bytes.
|client_write: need to write 37 extra data bytes.
|client_write: wrote 37 bytes.
|client_write: client_write: complete response written.
|accepted socket 19
|client_read: read 0 bytes. Need 1824 more for a full request.
|read failed on sock 18, pid 20287: EOF
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn CHECK_MACHACC
|[20287]: check machine account
|IPC$ connections done anonymously
|connecting to PDC from GATEWAY with kerberos principal [EMAIL PROTECTED]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [EMAIL PROTECTED]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [EMAIL PROTECTED]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|Could not open a connection to TEST for \PIPE\NETLOGON (NT_STATUS_ACCESS_DENIED)
|could not open handle to NETLOGON pipe
|Checking the trust account password returned NT_STATUS_ACCESS_DENIED
|client_write: wrote 1300 bytes.
|client_read: read 0 bytes. Need 1824 more for a full request.
|read failed on sock 19, pid 20287: EOF

Also, I've checked the permissions (750 root:squid) for the winbindd_privileged directory.

I'm completely lost about what happens, why my Debian install works but this one doesn't...

Anton

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
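As an added example that is not part of this thread or of Samba itself: a small Python triage script that reads a winbind debug excerpt like the one Anton quoted (with or without the mail-quoting "|" marks), groups the lines by the request fn winbindd is servicing, and reports how many PDC connection attempts and tcon_X failures each request produced and what NT_STATUS it finally returned. The sample log below is a constructed copy of the lines quoted above; "[EMAIL PROTECTED]" is the list archive's scrubbing of the principal, and the regular expressions and the NT_STATUS_CODES table are this example's own assumptions, not anything from the Samba sources.

```python
import re

# Constructed sample: the winbind debug excerpt quoted in the mail above,
# kept with its "|" quote marks so the parser shows it tolerates them.
# "[EMAIL PROTECTED]" is the list archive's scrubbing of the principal.
SAMPLE_LOG = """\
|process_request: request fn INTERFACE_VERSION
|[20287]: request interface version
|client_write: wrote 1300 bytes.
|process_request: request fn WINBINDD_PRIV_PIPE_DIR
|[20287]: request location of privileged pipe
|client_write: wrote 1300 bytes.
|accepted socket 19
|process_request: request fn CHECK_MACHACC
|[20287]: check machine account
|IPC$ connections done anonymously
|connecting to PDC from GATEWAY with kerberos principal [EMAIL PROTECTED]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [EMAIL PROTECTED]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [EMAIL PROTECTED]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|Could not open a connection to TEST for \\PIPE\\NETLOGON (NT_STATUS_ACCESS_DENIED)
|could not open handle to NETLOGON pipe
|Checking the trust account password returned NT_STATUS_ACCESS_DENIED
|client_write: wrote 1300 bytes.
"""

# Assumed line shapes, taken from the excerpt above (not a Samba API).
REQUEST_RE = re.compile(r"^process_request: request fn (\w+)")
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")

# Numeric value as wbinfo -t printed it on this page; only that one entry.
NT_STATUS_CODES = {"NT_STATUS_ACCESS_DENIED": 0xC0000022}


def parse_winbind_log(text):
    """Group winbind debug lines by request fn and collect, per request,
    the PDC connection attempts, tcon_X failures, NETLOGON pipe error and
    the final trust-account result. Returns a list of dicts in log order."""
    requests = []
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|").strip()   # tolerate mail-quoted lines
        m = REQUEST_RE.match(line)
        if m:
            current = {"fn": m.group(1), "pdc_attempts": 0,
                       "tcon_failures": [], "pipe_error": None, "result": None}
            requests.append(current)
            continue
        if current is None:
            continue
        if line.startswith("connecting to PDC"):
            current["pdc_attempts"] += 1
        elif line.startswith("failed tcon_X with"):
            s = STATUS_RE.search(line)
            current["tcon_failures"].append(s.group(1) if s else "UNKNOWN")
        elif line.startswith("Could not open a connection"):
            s = STATUS_RE.search(line)
            current["pipe_error"] = s.group(1) if s else None
        elif line.startswith("Checking the trust account password returned"):
            s = STATUS_RE.search(line)
            current["result"] = s.group(1) if s else None
    return requests


def failed_requests(requests):
    """Keep only requests that recorded any failure indication."""
    return [r for r in requests
            if r["tcon_failures"] or r["pipe_error"] or r["result"]]


def summarize(request):
    """One-line summary, with the numeric code when it is known."""
    code = NT_STATUS_CODES.get(request["result"])
    hexpart = f" (0x{code:08x})" if code is not None else ""
    return (f"{request['fn']}: {request['pdc_attempts']} PDC attempt(s), "
            f"{len(request['tcon_failures'])} tcon_X failure(s), "
            f"result {request['result']}{hexpart}")


if __name__ == "__main__":
    for r in failed_requests(parse_winbind_log(SAMPLE_LOG)):
        print(summarize(r))
```

Run against the excerpt it reports only the CHECK_MACHACC request, with three PDC attempts all failing at tcon_X with NT_STATUS_ACCESS_DENIED before the NETLOGON pipe open fails, which is exactly what wbinfo -t surfaces as "Could not check secret". Feeding it a longer winbindd log separates the requests that succeeded from the one that did not, so the failing step is visible without reading every client_read/client_write line.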