Hi Sergey,

Sergey Pororegnik wrote:
> Hello, friends.
> Before changing Active Directory Server mode to "native mode" user
> authentication doesn't work. In native ADS mode I need to use Kerberos.
>
> OS: RHEL 4 (x86)
> Samba: 3.0.10-1.4E
> Kerberos: 1.3.4-9
> Domain controller: Win 2003 ADS in native mode
>
> # wbinfo -a [EMAIL PROTECTED]
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user [EMAIL PROTECTED] with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user [EMAIL PROTECTED] with challenge/response

You have set "winbind use default domain = yes", so what does
"wbinfo -a username" give you? And "wbinfo -a DOMAIN+username"
(where you use your short Domain name not the realm name).

> # wbinfo -g
> and
> # wbinfo -u
> work correct.

So I assume, you have successfully done "net ads join"?

Cheers - Michael

PS: You could also consider upgrading. 3.0.10 is quite old.
AD-Support has evolved a lot since that release.

> # more /etc/samba/smb.conf
> [global]
>     workgroup = DOMAIN
>     server string = FTP Server
>     netbios name = SRVFTP
>     log file = /var/log/samba/%m.log
>     log level = 3 auth:5 passdb:5
>     max log size = 500
>     security = ADS
>     realm = CORP.DOMAIN.COM
>     encrypt passwords = yes
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     dns proxy = no
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
>     auth methods = winbind
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     winbind separator = +
>     winbind nested groups = yes
>     password server = dc1.domain.local
>     case sensitive = no
>
> # more /etc/krb5.conf
> [logging]
>     default = FILE:/var/log/krb5libs.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>     default_realm = CORP.DOMAIN.COM
>     dns_lookup_realm = true
>     dns_lookup_kdc = true
>
> [realms]
>     CORP.DOMAIN.COM = {
>         kdc = dc1.domain.local:88
>         admin_server = dc1.domain.local:749
>         default_domain = CORP.DOMAIN.COM
>     }
>
> [domain_realm]
>     .domain.local = CORP.DOMAIN.COM
>     domain.local = CORP.DOMAIN.COM
>
> [kdc]
>     profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>     pam = {
>         debug = false
>         ticket_lifetime = 36000
>         renew_lifetime = 36000
>         forwardable = true
>         krb4_convert = false
>     }
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 10/02/08 10:20:43  10/02/08 20:20:50  krbtgt/[EMAIL PROTECTED]
>         renew until 10/02/08 20:20:43
> 10/02/08 10:24:30  10/02/08 20:20:50  [EMAIL PROTECTED]
>         renew until 10/02/08 20:20:43
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>

--
Michael Adam <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE