Hi, I get exactly the same. 'kinit -U[username]%[password]' works 100%; 'klist' shows my kerberos ticket(s); I set up my krb5.conf as per the examples in Samba 3 by Example-HOWTO; I joined the domain 100% with 'net ads join -U [username]%[password]', but:

wbinfo -u just gives me "Error looking up domain users."
wbinfo -g gives me a listing of all the ADS groups <-- working 100%?
'getent passwd' gives me a listing of all local users, but no domain / ADS users
'getent group' gives me the local groups, but no ADS groups (just hangs a while after local groups and then probably times out)

I only have a small office file & print server (about 12 users), so I got around this by using local accounts and manually mapping them to the corresponding domain users (/etc/samba/smbusers - local username = [DOMAIN]/[domain username]) and using 'username map = /etc/samba/smbusers' in smb.conf.

Here is my config:

[global]
   realm = COMPANY.COM
   security = ADS
   password server = kdc.company.com
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind separator = /
   unix password sync = yes
   workgroup = COMPANY-COM
   interfaces = eth0 lo
   bind interfaces only = yes
   netbios name = SERVER
   name resolve order = wins hosts bcast
   dns proxy = no
   domain logons = no
   preferred master = no
   domain master = no
   local master = yes
   os level = 33
   max log size = 1024
   log level = 2
   log file = /var/log/samba/samba-new.log
   syslog = 1
   guest account = smbguest
   username level = 50
   username map = /etc/samba/smbusers
   encrypt passwords = yes
   password level = 20
   client use spnego = yes
   wins server = x.x.x.x
   preserve case = yes
   short preserve case = yes
   case sensitive = no
   hide dot files = yes
   hide unreadable = yes
   hide special files = yes
   map to guest = never

I also repeatedly get the following in /var/log/samba/log-wb.COMPANY-COM:

[2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
  cli_rpc_open failed on pipe \lsarpc to machine [ADS_DC_NAME]. Error was Write error: Connection reset by peer
[2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
  cli_rpc_open failed on pipe \NETLOGON to machine [ADS_DC_NAME]. Error was Write error: Connection reset by peer

Service smb status gives:
smbd (pid 21371 21233) is running...
nmbd (pid 14018) is running...

Service winbind status gives:
winbindd (pid 8991 8370 8367 8366) is running...

I'm running Samba 3.0.20 on Linux Fedora Core 4.

Although we can work, any help to get the proper domain authentication working would be greatly appreciated.

TIA
Ernest

> Dimitri Yioulos wrote:
>
> >On Thursday 15 September 2005 3:32 pm, you wrote:
> >
> >></snip>
> >>
> >>Ok I think I have found my problem. I need to find a way to map
> >>Samba to an active directory common name:
> >>
> >>%> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"
> >>(example, I know the syntax is incorrect)
> >>
> >>As far as I can tell it is hard coded in the net ads join routine to
> >>tack on the ou=users vs. cn=users, anyone shed some light on this?
> >
> >Uh, I must be missing something here. This is a pretty
> >straightforward set-up, right? You want to join this Samba box to a
> >Win2k3 server for file- or print-serving purposes? I've always felt
> >that you get a basic set-up working first, then start to get fancy.
> >
> >AFAIK:
> >
> >1. kinit [EMAIL PROTECTED]
> >(You'll be prompted for a password. My systems simply return me to a
> >prompt if I'm successful.)
> >2. net ads join -U [EMAIL PROTECTED]
> >(Again, you'll be prompted for a password.
> >Info about the machine joining the AD is returned)
> >
> >Beyond this, someone else will have to help out.
> >
> >Best,
> >
> >Dimitri
>
> Yeah this works, I can get my krb creds:
>
> [EMAIL PROTECTED]:~> kinit [EMAIL PROTECTED]
> Password for [EMAIL PROTECTED]:
> [EMAIL PROTECTED]:~> klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 09/15/05 14:12:30  09/16/05 00:11:16  krbtgt/[EMAIL PROTECTED]
>         renew until 09/16/05 14:12:30
>
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> And this works as well:
>
> [EMAIL PROTECTED]'s password:
> [2005/09/15 14:13:25, 0] libads/ldap.c:ads_add_machine_acct(1405)
>   ads_add_machine_acct: Host account for odin-newb already exists -
> modifying old account
> Using short domain name -- DOMAIN.COM
> Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
>
> But when testing, using wbinfo -u or getent I am getting only the
> local passwd accounts.
>
> [EMAIL PROTECTED]:~> wbinfo -u
> Error looking up domain users
>
> And here is where my accounts need to be authenticated from
>
> LDAP://server.domain.com/CN=Users,DC=server,DC=domain,DC=com
>
> Note the CN=Users, vs. OU=Users, I will go read the RFC to see if I
> can get more info on this.

So, you're not authenticating against ADS? If you are, are you sure the winbind daemon is running?

Dimitri

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
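As an added diagnostic example (not code from the thread or from Samba), the Python below parses an smb.conf [global] section like Ernest's and log-wb.* entries in the format he quotes, flags the settings that commonly stop winbind enumerating domain users and groups, and extracts which RPC pipes failed against which DC. The config and log input are constructed from the thread; the DC name "DC1" and the threshold of 1000 for local account UIDs are assumptions.

```python
import re
# Constructed excerpt of the [global] section Ernest posted (not the full file)
SMB_CONF = """[global]
   realm = COMPANY.COM
   security = ADS
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   winbind enum users = yes
   winbind enum groups = yes
"""

# Constructed lines in the format of the log-wb.* entries quoted above; "DC1" is a placeholder
LOG_LINES = r"""[2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
  cli_rpc_open failed on pipe \lsarpc to machine DC1. Error was Write error: Connection reset by peer
[2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
  cli_rpc_open failed on pipe \NETLOGON to machine DC1. Error was Write error: Connection reset by peer
"""

def parse_global(text):
    # Collect [global] key/value pairs; keys lower-cased with single spaces
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def check_winbind(params):
    # Flag settings that stop wbinfo -u / getent from listing domain entries
    issues = []
    if params.get("security", "").lower() != "ads":
        issues.append("security must be ADS for a Kerberos domain member")
    for key in ("idmap uid", "idmap gid"):
        match = re.fullmatch(r"(\d+)-(\d+)", params.get(key, ""))
        if not match or int(match.group(1)) < 1000:  # assumption: local accounts sit below 1000
            issues.append(f"{key} missing, malformed, or overlapping local accounts")
    for key in ("winbind enum users", "winbind enum groups"):
        if params.get(key, "no").lower() != "yes":
            issues.append(f"{key} = no: getent will not enumerate domain entries")
    return issues

def failed_pipes(log_text):
    # Return (pipe, machine, error) for every cli_rpc_open failure in the log
    pattern = re.compile(r"cli_rpc_open failed on pipe \\(\S+) to machine (\S+)\. Error was (.+)")
    return [m.groups() for m in map(pattern.search, log_text.splitlines()) if m]
```

An empty list from check_winbind, as for Ernest's config, combined with repeated lsarpc/NETLOGON failures from failed_pipes points at the RPC connection to the DC rather than at smb.conf.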