[Samba] 2003 KDC and Samba
We have several RHEL 3.0 Update 2 servers running Samba. These have been working flawlessly for several months. Recently, the base upgraded all the Windows 2000 servers to Windows 2003.

NOTE: we don't have admin rights to the Domain Controllers (wish we did).

Before the Domain (and KDC) controllers went to 2003 we had no issues joining a new Samba Server to the ADS. Using the same krb5.conf, kdc.conf and smb.conf files, it is no longer possible to join a Samba 3.0 server to the domain. Any help/direction is appreciated.

VR
Charles

Samba packages:
 samba-common-3.0.4-6.3E
 samba-3.0.4-6.3E
 samba-client-3.0.4-6.3E

Kerberos packages:
 pam_krb5-1.73-1
 krb5-libs-1.2.7-24
 krb5-workstation-1.2.7-24
 krbafs-1.1.1-11
 krbafs-utils-1.1.1-11
 krb5-server-1.2.7-24
 krbafs-devel-1.1.1-11
 krb5-devel-1.2.7-24

Things tried (per the Samba docs, this is the first step):

 kinit [EMAIL PROTECTED]
error:
 kinit(v5): KRB5 error code 52 while getting initial credentials

 net ads join /IT/Computers/Servers-2 -U adminOFthisOU
error:
 kerberos_kinit_password [EMAIL PROTECTED] failed: KRB5 error code 52

Not much on Google about this error.
** krb5.conf **

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = USAF.AFMC.DS.AF.MIL
# default_tgs_enctypes = rc4-hmac
# default_tkt_enctypes = rc4-hmac
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 USAF.AFMC.DS.AF.MIL = {
  kdc = xxx.xxx.xxx.241:88
  admin_server = xxx.xxx.xxx.241:749
  default_domain = usaf.af.mil
 }

[domain_realm]
 .usaf.af.mil = USAF.AFMC.DS.AF.MIL
 usaf.af.mil = USAF.AFMC.DS.AF.MIL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

** kdc.conf **

[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 USAF.AFMC.DS.AF.MIL = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
 }

** smb.conf **

[global]
 workgroup = USAF-2K
 realm = USAF.AFMC.DS.AF.MIL
 server string =
 security = ADS
 obey pam restrictions = Yes
 password server = xxx.xxx.xxx.241
 pam password change = Yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
 log file = /var/log/samba/%m.log
 max log size = 0
 announce version = 5.0
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 preferred master = No
 local master = No
 domain master = No
 wins server = 10.50.1.52
 ldap ssl = no
 idmap uid = 1-2
 idmap gid = 1-2
 template shell = /bin/bash
# winbind separator = +
# valid users = @oracle
 printing = cups

[testshare]
 comment = System Share
 path = /home2/share
 force group = share
 writeable = yes
 case sensitive = Yes
 hide dot files = No

-- 
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] 2003 KDC and Samba
On Thu, 2004-07-29 at 10:08, Tran Charles A Civ OC-ALC/ITMA wrote:
> We have several RHEL 3.0 Update 2 servers running Samba. These have been working flawlessly for several months. Recently, the base upgraded all the Windows 2000 servers to Windows 2003.
> NOTE: we don't have admin rights to the Domain Controllers (wish we did).
> Before the Domain (and KDC) controllers went to 2003 we had no issues joining a new Samba Server to the ADS. Using the same krb5.conf, kdc.conf and smb.conf files, it is no longer possible to join a Samba 3.0 server to the domain. Any help/direction is appreciated.
> VR Charles
> Samba packages: samba-common-3.0.4-6.3E samba-3.0.4-6.3E samba-client-3.0.4-6.3E
> Kerberos packages: pam_krb5-1.73-1 krb5-libs-1.2.7-24 krb5-workstation-1.2.7-24 krbafs-1.1.1-11 krbafs-utils-1.1.1-11 krb5-server-1.2.7-24 krbafs-devel-1.1.1-11 krb5-devel-1.2.7-24

First off, you need to use MIT Kerberos v1.3.x. Install it (I had to use source to do this; v1.3.4 works nice). I just left the RHES krb5 stuff in place, as then it feels just like it was compiled for it. I used a fugly configure line for Kerberos. You will prolly have to do the same for krbafs.

I also updated the pam_smb and pam_krb5 packages from Fedora Core (got the src rpm and did a rpmbuild --rebuild on it).

Your Samba should be okay, but given that 3.0.5 was just released last week Wednesday as a security release... dunno.

I had many little problems at MIT krb5 v1.2.7. Why I went to v1.3.4.

You might also try the currently broken option called:

 spnego = Yes

It may or may not work.

If you want to know the configure options I used... let me know.

-- 
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: [Samba] 2003 KDC and Samba
On Thursday 29 July 2004 08:08, Tran Charles A Civ OC-ALC/ITMA wrote:
> We have several RHEL 3.0 Update 2 servers running Samba. These have been working flawlessly for several months. Recently, the base upgraded all the Windows 2000 servers to Windows 2003.

Only MIT Kerberos 1.3.1 or later will work with Windows 2003 Server ADS.

- John T.

> NOTE: we don't have admin rights to the Domain Controllers (wish we did).
> Before the Domain (and KDC) controllers went to 2003 we had no issues joining a new Samba Server to the ADS. Using the same krb5.conf, kdc.conf and smb.conf files, it is no longer possible to join a Samba 3.0 server to the domain. Any help/direction is appreciated.
> VR Charles
> Samba packages: samba-common-3.0.4-6.3E samba-3.0.4-6.3E samba-client-3.0.4-6.3E
> Kerberos packages: pam_krb5-1.73-1 krb5-libs-1.2.7-24 krb5-workstation-1.2.7-24 krbafs-1.1.1-11 krbafs-utils-1.1.1-11 krb5-server-1.2.7-24 krbafs-devel-1.1.1-11 krb5-devel-1.2.7-24
> Things tried (per the Samba docs, this is the first step):
> kinit [EMAIL PROTECTED]
> error: kinit(v5): KRB5 error code 52 while getting initial credentials
> net ads join /IT/Computers/Servers-2 -U adminOFthisOU
> error: kerberos_kinit_password [EMAIL PROTECTED] failed: KRB5 error code 52
> Not much on Google about this error.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
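An added diagnostic for this thread (not code from either poster): it parses the [libdefaults]/[realms] part of the krb5.conf in the original post and reports the two things behind the 1.3.x advice, since KRB5 error code 52 is KRB_ERR_RESPONSE_TOO_BIG, the answer a Windows 2003 KDC gives when its reply will not fit in a UDP datagram and the client is expected to retry over TCP, which MIT krb5 before 1.3 cannot do. The client version string and the udp_preference_limit directive (MIT krb5 1.3 and later) are assumptions about the system being checked.

```python
import re

# Constructed copy of the [libdefaults]/[realms] sections from the krb5.conf
# in the original post, re-flowed one directive per line (the archive flattened it).
KRB5_CONF = """\
[libdefaults]
 ticket_lifetime = 24000
 default_realm = USAF.AFMC.DS.AF.MIL
# default_tgs_enctypes = rc4-hmac
 dns_lookup_kdc = false
[realms]
 USAF.AFMC.DS.AF.MIL = {
  kdc = xxx.xxx.xxx.241:88
  admin_server = xxx.xxx.xxx.241:749
 }
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value or {subkey: value}}}."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                    # new [section]
            section, sub = conf.setdefault(m.group(1), {}), None
            continue
        if line == "}":                          # end of a "name = { ... }" block
            sub = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            sub = section.setdefault(key, {})
        else:
            (sub if sub is not None else section)[key] = value
    return conf

def check_kdc_transport(conf, krb5_version):
    """Error 52 (KRB_ERR_RESPONSE_TOO_BIG) means the KDC reply must be fetched over
    TCP. Returns (realm, kdc, findings) for a client on the assumed MIT version."""
    findings = []
    major, minor = (int(x) for x in krb5_version.split(".")[:2])
    if (major, minor) < (1, 3):
        findings.append(f"MIT krb5 {krb5_version} has no TCP KDC transport; use 1.3.1 or later")
    if "udp_preference_limit" not in conf["libdefaults"]:
        findings.append("no udp_preference_limit in [libdefaults]; set it to 1 (MIT 1.3+) to always use TCP")
    realm = conf["libdefaults"]["default_realm"]
    return realm, conf["realms"][realm].get("kdc"), findings
```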