On Friday 18 February 2005 23:28, Andrew Bartlett wrote:
AB> On Wed, 2005-02-16 at 10:09 -0500, Greg Folkert wrote:
AB> > On Wed, 2005-02-16 at 11:49 +0100, Antón wrote:
AB> > > Hi,
AB> > >
AB> > > I've a gateway and I want to use squid authenticated with Windows 2000
AB> > > Active Directory users.
AB> > >
AB> > > I've a development platform with Debian/Sarge as gateway, and it works.
AB> > > (samba 3.0.10-1 and Kerberos 1.3.6-1)
AB> > >
AB> > > On the other side the production platform uses RedHat Enterprise AS3,
AB> > > initially with Samba 3.0.6 and Kerberos 1.2.7-28. I was not able to use
AB> > > Active Directory groups without getting smb panic errors in winbindd, so I
AB> > > updated to Samba 3.0.9-1.3E.2 and Kerberos 1.2.7-38 (last available
AB> > > updates).
AB> >
AB> > You *ABSOLUTELY MUST USE* a version of MIT Kerberos5 v1.3.1 or newer.
AB>
AB> Yes and no. My understanding is that the issues regarding MIT < 1.3.1
AB> have been again resolved, in the latest Samba (including what has been
AB> released for RHEL by RedHat). Linking to another kerberos
AB> implementation is a real pain (you would need to statically link to even
AB> start).
AB>
AB> (Of course, life is much easier with krb5 1.3.1 or later, but I know
AB> what a pain it is for RHEL users)
AB>
AB> I think the issue here is that the machine must be rejoined to the
AB> domain, after the upgrade.
AB>
AB> Andrew Bartlett
AB>
First of all, sincerely, thanks a lot for both answers.

Upgrading to kerberos5 > 1.3.1 was a pain, but now I've 1.3.4 installed.

Now, if I start winbind without specifying any encryption it works, but only partially.

kinit works. klist -e returns:

|Ticket cache: FILE:/tmp/krb5cc_0
|Default principal: [EMAIL PROTECTED]
|
|Valid starting     Expires            Service principal
|02/21/05 09:11:49  02/21/05 19:11:42  krbtgt/[EMAIL PROTECTED]
|        renew until 02/22/05 09:11:49, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
|
|
|Kerberos 4 ticket cache: /tmp/tkt0
|klist: You have no tickets cached

wbinfo --sequence

|PASARELA : 1
|BUILTIN : 1
|TEST : 2975164

wbinfo -u and -g work, but ...

wbinfo -t

|checking the trust secret via RPC calls failed
|error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
|Could not check secret

The error in the winbind log is:

|accepted socket 18
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn INTERFACE_VERSION
|[20287]: request interface version
|client_write: wrote 1300 bytes.
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn WINBINDD_PRIV_PIPE_DIR
|[20287]: request location of privileged pipe
|client_write: wrote 1300 bytes.
|client_write: need to write 37 extra data bytes.
|client_write: wrote 37 bytes.
|client_write: client_write: complete response written.
|accepted socket 19
|client_read: read 0 bytes. Need 1824 more for a full request.
|read failed on sock 18, pid 20287: EOF
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn CHECK_MACHACC
|[20287]: check machine account
|IPC$ connections done anonymously
|connecting to PDC from GATEWAY with kerberos principal [EMAIL PROTECTED]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [EMAIL PROTECTED]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [EMAIL PROTECTED]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|Could not open a connection to TEST for \PIPE\NETLOGON (NT_STATUS_ACCESS_DENIED)
|could not open handle to NETLOGON pipe
|Checking the trust account password returned NT_STATUS_ACCESS_DENIED
|client_write: wrote 1300 bytes.
|client_read: read 0 bytes. Need 1824 more for a full request.
|read failed on sock 19, pid 20287: EOF

Also, if I try a net join, it works:

net ads join -U user

|users password:
|[2005/02/21 09:14:14, 0] libads/ldap.c:ads_add_machine_acct(1368)
|  ads_add_machine_acct: Host account for pasarela already exists - modifying old account
|Using short domain name -- TEST
|Joined 'GATEWAY' to realm 'TEST.COM'

Also I've checked the permissions (750 root:squid) of the winbindd_privileged directory.

I'm completely lost about what happens.

Anton

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
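As an added triage aid (not code from the Samba project or from anyone in this thread), the script below parses a winbindd debug log like the one quoted above, groups the NT_STATUS codes under the request that produced them, and flags the pattern the poster hit: the Kerberos session setup reaches the DC, but tcon_X and the NETLOGON pipe come back with NT_STATUS_ACCESS_DENIED, which Andrew Bartlett attributes to a machine account that needs rejoining after the Kerberos upgrade. It also checks the winbindd_privileged directory mode the poster verified; the sample log lines are constructed from the post, and the principal placeholder is copied from the archived mail.

```python
# Added example: triage a winbindd log for the CHECK_MACHACC failure seen in the
# thread. Not Samba's own code; the sample log is constructed from the post.
import os
import re
import stat
NT_STATUS_RE = re.compile(r"NT_STATUS_[A-Z_]+")
REQUEST_RE = re.compile(r"request fn (\w+)")
# Constructed sample: the CHECK_MACHACC section of the log quoted in the post.
SAMPLE_LOG = """\
process_request: request fn CHECK_MACHACC
connecting to PDC from GATEWAY with kerberos principal [EMAIL PROTECTED]
Doing kerberos session setup
failed tcon_X with NT_STATUS_ACCESS_DENIED
Could not open a connection to TEST for \\PIPE\\NETLOGON (NT_STATUS_ACCESS_DENIED)
Checking the trust account password returned NT_STATUS_ACCESS_DENIED
"""

def parse_winbindd_log(text):
    """One dict per winbindd request: name, whether Kerberos setup ran, NT_STATUS codes."""
    events, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            current = {"request": m.group(1), "kerberos_setup": False, "statuses": []}
            events.append(current)
        elif current is not None:
            if "Doing kerberos session setup" in line:
                current["kerberos_setup"] = True
            current["statuses"].extend(NT_STATUS_RE.findall(line))
    return events

def diagnose(events):
    """Verdict for the CHECK_MACHACC request (the one `wbinfo -t` triggers)."""
    for ev in events:
        if ev["request"] != "CHECK_MACHACC":
            continue
        if ev["kerberos_setup"] and "NT_STATUS_ACCESS_DENIED" in ev["statuses"]:
            return "machine-account-trust-denied"  # DC reached; rejoin, per the thread
        return "failed" if ev["statuses"] else "ok"
    return "no-machacc-request"

def check_privileged_dir(path, expected_uid=0, expected_mode=0o750):
    """List problems with the winbindd_privileged dir (poster expects 0750 root:squid)."""
    st = os.stat(path)
    problems = []
    if stat.S_IMODE(st.st_mode) != expected_mode:
        problems.append("mode %o, expected %o" % (stat.S_IMODE(st.st_mode), expected_mode))
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    return problems
```

Run `diagnose(parse_winbindd_log(open("/var/log/samba/log.winbindd").read()))` against a real log (path is an assumption) and `check_privileged_dir("/var/lib/samba/winbindd_privileged")` to confirm the directory mode.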