[Samba] 2003 KDC and Samba

2004-07-29 Thread Tran Charles A Civ OC-ALC/ITMA

We have several RHEL 3.0 Update 2 servers running Samba.
These have been working flawlessly for several months..

Recently, the base upgraded all the Windows 2000 servers
to Windows 2003.. 
NOTE: we don't have admin rights to the Domain Controllers.. (wish we did..)

Previous to the Domain (and kdc) controllers to 2003 we had
no issues joining a new Samba Server to the ADS..

Using the same krb5.conf and kdc.conf and smb.conf file.. it 
is no longer possible to join a Samba 3.0 server to the domain..

Any help direction is appreciated..
VR
Charles

Samba packages
-
samba-common-3.0.4-6.3E
samba-3.0.4-6.3E
samba-client-3.0.4-6.3E

Kerberos Packages..
-
pam_krb5-1.73-1
krb5-libs-1.2.7-24
krb5-workstation-1.2.7-24
krbafs-1.1.1-11
krbafs-utils-1.1.1-11
krb5-server-1.2.7-24
krbafs-devel-1.1.1-11
krb5-devel-1.2.7-24


Things tried..(per the samba docs. this is the first step..)

kinit [EMAIL PROTECTED] 
error..
kinit(v5): KRB5 error code 52 while getting initial credentials

net ads join /IT/Computers/Servers-2 -U adminOFthisOU
error..
kerberos_kinit_password [EMAIL PROTECTED] failed: KRB5 error
code 52

Not much on google about this error.. 

krb5.conf
**
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = USAF.AFMC.DS.AF.MIL
#  default_tgs_enctypes = rc4-hmac
#  default_tkt_enctypes = rc4-hmac
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
 USAF.AFMC.DS.AF.MIL = {
  kdc = xxx.xxx.xxx.241:88
  admin_server = xxx.xxx.xxx.241:749
  default_domain = usaf.af.mil
 }

[domain_realm]
 .usaf.af.mil = USAF.AFMC.DS.AF.MIL
 usaf.af.mil = USAF.AFMC.DS.AF.MIL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
*
kdc.conf
*
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 USAF.AFMC.DS.AF.MIL = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
 }
*
smb.conf
*
[global]
workgroup = USAF-2K
realm = USAF.AFMC.DS.AF.MIL
server string = 
security = ADS
obey pam restrictions = Yes
password server = xxx.xxx.xxx.241
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
log file = /var/log/samba/%m.log
max log size = 0
announce version = 5.0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
local master = No
domain master = No
wins server = 10.50.1.52
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
#   winbind separator = +
#   valid users = @oracle
printing = cups

[testshare]
comment = System Share
path = /home2/share
force group = share
writeable = yes
case sensitive = Yes
hide dot files = No


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] 2003 KDC and Samba

2004-07-29 Thread Greg Folkert
On Thu, 2004-07-29 at 10:08, Tran Charles A Civ OC-ALC/ITMA wrote:
 We have several RHEL 3.0 Update 2 servers running Samba.
 These have been working flawlessly for several months..
 
 Recently, the base upgraded all the Windows 2000 servers
 to Windows 2003.. 
 NOTE: we don't have admin rights to the Domain Controllers.. (wish we did..)
 
 Previous to the Domain (and kdc) controllers to 2003 we had
 no issues joining a new Samba Server to the ADS..
 
 Using the same krb5.conf and kdc.conf and smb.conf file.. it 
 is no longer possible to join a Samba 3.0 server to the domain..
 
 Any help direction is appreciated..
 VR
 Charles
 
 Samba packages
 -
 samba-common-3.0.4-6.3E
 samba-3.0.4-6.3E
 samba-client-3.0.4-6.3E
 
 Kerberos Packages..
 -
 pam_krb5-1.73-1
 krb5-libs-1.2.7-24
 krb5-workstation-1.2.7-24
 krbafs-1.1.1-11
 krbafs-utils-1.1.1-11
 krb5-server-1.2.7-24
 krbafs-devel-1.1.1-11
 krb5-devel-1.2.7-24

First off, you need to use MIT kerberos v1.3.x, install it (I had to use
source to do this. v1.3.4 works nice. I just left the RHES krb5 stuff
in place, as then it feels just like it was compiled for it.)

I used a fugly configure line, for kerberos. You will prolly have to do
the same for krbafs. I also updated the pam_smb and pam_krb5 packages
from Fedora Core (got the src rpm and did a rpmbuild --rebuild on it)

Your samba should be okay, but given that 3.0.5 was just released last
week Wednesday as a security release... dunno.

I had many little problems at MIT krb5 v1.2.7. Why I went to v1.3.4.

You might also try the currently broken option called: spnego = Yes

It may or may not work.

If you want to know the configure options I used... let me know.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster: Linux



Re: [Samba] 2003 KDC and Samba

2004-07-29 Thread John H Terpstra
On Thursday 29 July 2004 08:08, Tran Charles A Civ OC-ALC/ITMA wrote:
 We have several RHEL 3.0 Update 2 servers running Samba.
 These have been working flawlessly for several months..

 Recently, the base upgraded all the Windows 2000 servers
 to Windows 2003..

Only MIT Kerberos 1.3.1 or later will work with Windows 2003 Server ADS.

- John T.

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO  Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
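What the posted "KRB5 error code 52" means, as an added example that is not code from this thread, from Samba or from MIT krb5: code 52 is KRB_ERR_RESPONSE_TOO_BIG (RFC 4120), the KDC telling a UDP client that the reply will not fit in a datagram and must be requested again over TCP, a retry that MIT krb5 1.3 added to the client library and that a 1.2.7 client cannot perform, which is the practical reason behind the 1.3.x advice above. The script builds a constructed KRB-ERROR in DER, extracts its error-code field, and shows the transport decision a TCP-capable client makes; the realm is the one from the posted krb5.conf, the timestamp is made up, and the sname field is left out of the sample.

```python
KRB_ERR_RESPONSE_TOO_BIG = 52            # RFC 4120 section 7.5.9
REALM = "USAF.AFMC.DS.AF.MIL"            # realm from the posted krb5.conf

def der(tag: int, body: bytes) -> bytes:
    assert len(body) < 0x80              # short-form length suffices for this sample
    return bytes([tag, len(body)]) + body

def der_int(v: int) -> bytes:
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def build_krb_error(code: int) -> bytes:
    """Constructed KRB-ERROR ([APPLICATION 30] SEQUENCE); sname is omitted."""
    fields = (der(0xA0, der_int(5)) +                           # pvno [0]
              der(0xA1, der_int(30)) +                          # msg-type [1] = KRB-ERROR
              der(0xA4, der(0x18, b"20040729150800Z")) +        # stime [4], made-up time
              der(0xA5, der_int(0)) +                           # susec [5]
              der(0xA6, der_int(code)) +                        # error-code [6]
              der(0xA9, der(0x1B, REALM.encode())))             # realm [9]
    return der(0x7E, der(0x30, fields))

def tlv(buf: bytes, pos: int = 0):       # -> (tag, value, next_pos); long lengths ok
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                         # long-form length: n & 0x7F length bytes follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def krb_error_code(msg: bytes) -> int:
    """error-code [6] of a DER KRB-ERROR, or -1 if msg is not a KRB-ERROR."""
    tag, body, _ = tlv(msg)
    if tag != 0x7E:                      # [APPLICATION 30], constructed
        return -1
    seq, pos = tlv(body)[1], 0           # the inner SEQUENCE of context-tagged fields
    while pos < len(seq):
        tag, val, pos = tlv(seq, pos)
        if tag == 0xA6:
            return int.from_bytes(tlv(val)[1], "big", signed=True)
    return -1

def next_transport(reply: bytes, transport: str) -> str:
    """Transport choice of a TCP-capable client (MIT krb5 1.3+) after a KDC reply."""
    if transport == "udp" and krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG:
        return "tcp"                     # a 1.2.7 client has no TCP path: kinit just fails
    return transport

def tcp_frame(req: bytes) -> bytes:
    """RFC 4120 7.2.2: over TCP each message carries a 4-byte big-endian length prefix."""
    return len(req).to_bytes(4, "big") + req
```

Feeding the bytes of a real KRB-ERROR captured from the failing kinit to krb_error_code() confirms whether the join is hitting this case rather than a wrong password or preauth problem.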