David Shapiro wrote:
/etc/host, resolv.conf are fine.  nsswitch.conf does not exist on aix
systems, but I did add the winbindd entry where aix expects it.    I
guess we will see if people respond, but I noticed nobody answered this
type of question in the past...

Not that many people using AIX.


Dimitri Yioulos <[EMAIL PROTECTED]> 2/2/2006 10:18 AM >>>


On Thursday February 02 2006 8:49 am, David Shapiro wrote:

Is there no fix for this?  Nobody answers this for me or other people
asking this question.

I really need help with this.  Is there anything I can be looking at?

I am not getting past doing a simple kinit
[EMAIL PROTECTED]  It gives me the Cannot resolve network
address for KDC as well.  Does ads not like krb5?  Does it need krb4?

Why doesn't kerberos provide any messages in the logs?  Any suggestions
on ways to figure out what is going on?  I tried truss, but that does
not show much other than I do see it looking in /etc/krb5.conf and
/usr/local/etc/krb5.conf.  I can use tcpdump, but I am not sure what to
be looking for?

AIX wants krb5.conf in /etc/krb5/krb5.conf.
Doesn't hurt to use a symbolic link:
cd /etc
mkdir krb5
cd /etc/krb5
ln -s ../krb5.conf krb5.conf


Dimitri Yioulos <[EMAIL PROTECTED]> 2/1/2006 10:15:49 AM

On Wednesday February 01 2006 9:41 am, David Shapiro wrote:

Hello,

I am having a problem getting my server to join our realm as a domain
member server.   I have read through google, yahoo, and this list, but I
cannot find the answer yet.

When I run: net join ads -Uadministrator and try to login it gives the
following error:

kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot resolve network address for KDC in requested realm
[2006/02/01 09:33:46, 0] ../utils/net_ads.c:ads_startup(191)
 ads_connect: Cannot resolve network address for KDC in requested realm

The details of my setup are:

aix 5.2.0.7
libiconv-1.9.1
autoconf-2.59
libiodbc-3.52.4
bison-2.0
m4-1.4.3
db-4.4.20
mysql-connector-odbc-3.51.12
krb

Not good enough.  You need to specify what version of Kerberos.
Also it looks like you may be using the linux affinity
toolkit.  Did you compile your own Kerberos?

samba-3.0.21a

../configure --prefix=/usr/local/samba --with-ads --with-ldap
--with-winbind --with-acl-support --with-utmp --with-quotas
--with-sendfile-support

openldap-2.3.19

./configure --enable-crypt --without-cyrus-sasl


unixODBC-2.2.11
gcc 3.3.2

/etc/krb5.conf:

[libdefaults]
       default_realm = MYREALM.COM
       default_etypes = des-cbc-crc des-cbc-md5
       default_etypes_des = des-cbc-crc des-cbc-md5

The way it works is this.
If you override the defaults
  if your version of Kerberos doesn't support rc4-hmac (<1.3.4),
    you must not specify it (doh).
  else if your version of Kerberos supports rc4-hmac (>=1.3.4),
    you must specify rc4-hmac as one of the allowable enctypes
  else userAccountControl in ldap doesn't get set up in
       agreement with your manual krb5 spec on net join.

My current 1.3.6 and previous versions of Kerberos use these parameters
default_tgs_enctypes
default_tkt_enctypes
permitted_enctypes

"enctypes" not "etypes"

       ticket_lifetime = 24000
       clockskew = 300
       dns_lookup_realm = false
       dns_lookup_kdc = false

[realms]
       MYREALM.COM = {
               kdc = myadsserver.mydomain.com
               default_domain = mydomain.com
       }

[domain_realm]
       .mydomain.com = MYREALM.COM

While it's not impossible to have a different REALM
than domain name, MS doesn't do it and you're asking
for extra problems.  MS sometimes makes assumptions that
have to be worked around.  For a first time test, try
[libdefaults]
  default_realm = MYDOMAIN.COM
  ...
[realms]
  MYDOMAIN.COM = {
  ...
  ...

Probably already too late.


In krb5.conf, try this:

[realms]
 YOURDOMAIN.COM = {
      default_domain = yourdomain.com
      kdc = xxx.xxx.xxx.xxx   (my note - use ip address of AD server)
      admin_server = xxx.xxx.xxx.xxx  (my note - use ip address of AD server)
}

HTH.

Dimitri


David,

Firstly, be mindful that the list is made up of volunteers who do their
best to provide answers as quickly as possible. Sometimes you may have to wait a bit longer, but I've always found these folks to be most kind and helpful. Give 'em a chance.

I've come up on deadlines,
come to the end of my rope,
and not had the budget for paid assistance,
and asked the same question out of desperation.
Always punish myself afterwards.
Bad Doug Bad Dog.


Now, after that mild rebuke:  I have little experience with AIX; my
responses are based on my work with Samba on Linux. That said, I believe that you should have nsswitch.conf and resolv.conf files on the system. Are these configured correctly? Is pam.d/login configured correctly?

Dimitri


Regards, Doug
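
A checker for the krb5.conf problems pointed out in the reply above ("enctypes" not "etypes" key names, the rc4-hmac rule, and a realm that differs from the domain name), as an added example that is not part of the original thread. `parse_krb5`, `lint` and `supports_rc4` are hypothetical names, and the parser assumes the simple layout of the posted file.

```python
import re
# Key names the reply gives for MIT Kerberos (assumed complete for this check).
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def parse_krb5(text):  # [section] / key = value / NAME = { ... } -> nested dicts
    conf, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def lint(text, supports_rc4=True):
    """Findings for the problems named in the thread; supports_rc4 means Kerberos >= 1.3.4."""
    conf = parse_krb5(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    findings = []
    for key, value in lib.items():
        if "etypes" in key and key not in ENCTYPE_KEYS:
            findings.append(f"{key}: not an 'enctypes' key")
        elif key in ENCTYPE_KEYS and ("rc4-hmac" in re.split(r"[\s,]+", value)) != supports_rc4:
            findings.append(f"{key}: rc4-hmac listing does not match library support")
    realm = lib.get("default_realm", "")
    domain = realms.get(realm, {}).get("default_domain", realm)
    if domain.upper() != realm:
        findings.append(f"realm {realm} differs from default_domain {domain}")
    return findings

# Constructed sample: values taken from the krb5.conf posted in the thread.
POSTED = """
[libdefaults]
    default_realm = MYREALM.COM
    default_etypes = des-cbc-crc des-cbc-md5
[realms]
    MYREALM.COM = {
        kdc = myadsserver.mydomain.com
        default_domain = mydomain.com
    }
"""
```

Calling `lint(POSTED)` reports the `default_etypes` key and the MYREALM.COM / mydomain.com mismatch; pass `supports_rc4=False` for a Kerberos older than 1.3.4.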