Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread Douglas VanLeuven 
D G Teed wrote:
> Thanks very much, Douglas.  That did the trick.
> I had not understood what realm represented in a dns
> style domain.
> 
> It is also confusing that one lists a realm section,
> defining it...
> 
> BEER = {
>kdc = ADC1.AD.BEERU.CA
> }

Sorry, missed that one too.  Should be
AD.BEERU.CA = {
kdc = ADC1.AD.BEERU.CA
}

It's just that Kerberos doesn't know anything about workgroups in
windows and so there shouldn't be any workgroup names in krb5.conf,
only DNS names and REALM names.  It worked because samba picked up the
Kerberos kdc from SRV records in DNS.  BEER defines the .BEER realm
which doesn't exist.


> 
> But then when providing the realm name in smb.conf, the
> handle isn't BEER, but rather the subdomain in
> which the AD controller lives.
> 
> Regards,
> 
> --Donald
> 
> On Jan 30, 2008 3:37 PM, Douglas VanLeuven <[EMAIL PROTECTED]> wrote:
>> Douglas VanLeuven wrote:
>>> D G Teed wrote:
 I've been able to use security = ads in smb.conf, and connect OK,
 but it must be falling back to domain.  When I run net ads join
 I get the error (debug trace below):

 ads_connect: No logon servers

 Here is my krb5.conf:

 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 [libdefaults]
  default_realm = BEER
 [realms]
  BEER = {
   kdc = ADC1.AD.BEERU.CA
  }
>> Missed this on the last post.
>>   default realm = AD.BEERU.CA
>>
>> Doug
>>

Regards, Doug
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread D G Teed 
Thanks very much, Douglas.  That did the trick.
I had not understood what realm represented in a dns
style domain.

It is also confusing that one lists a realm section,
defining it...

BEER = {
   kdc = ADC1.AD.BEERU.CA
}

But then when providing the realm name in smb.conf, the
handle isn't BEER, but rather the subdomain in
which the AD controller lives.

Regards,

--Donald

On Jan 30, 2008 3:37 PM, Douglas VanLeuven <[EMAIL PROTECTED]> wrote:
> Douglas VanLeuven wrote:
> > D G Teed wrote:
> >> I've been able to use security = ads in smb.conf, and connect OK,
> >> but it must be falling back to domain.  When I run net ads join
> >> I get the error (debug trace below):
> >>
> >> ads_connect: No logon servers
> >>
> >> Here is my krb5.conf:
> >>
> >> [logging]
> >>  default = FILE:/var/log/krb5libs.log
> >>  kdc = FILE:/var/log/krb5kdc.log
> >>  admin_server = FILE:/var/log/kadmind.log
> >> [libdefaults]
> >>  default_realm = BEER
> >> [realms]
> >>  BEER = {
> >>   kdc = ADC1.AD.BEERU.CA
> >>  }
>
> Missed this on the last post.
>   default realm = AD.BEERU.CA
>
> Doug
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread Douglas VanLeuven 
Douglas VanLeuven wrote:
> D G Teed wrote:
>> I've been able to use security = ads in smb.conf, and connect OK,
>> but it must be falling back to domain.  When I run net ads join
>> I get the error (debug trace below):
>>
>> ads_connect: No logon servers
>>
>> Here is my krb5.conf:
>>
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>> [libdefaults]
>>  default_realm = BEER
>> [realms]
>>  BEER = {
>>   kdc = ADC1.AD.BEERU.CA
>>  }

Missed this on the last post.
  default realm = AD.BEERU.CA

Doug
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread Douglas VanLeuven 
D G Teed wrote:
> I've been able to use security = ads in smb.conf, and connect OK,
> but it must be falling back to domain.  When I run net ads join
> I get the error (debug trace below):
> 
> ads_connect: No logon servers
> 
> Here is my krb5.conf:
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
>  default_realm = BEER
> [realms]
>  BEER = {
>   kdc = ADC1.AD.BEERU.CA
>  }
> [domain_realm]
>  beer.ca = BEER
>  .beer.ca = BEER

This should be a mapping from DNS domain to Kerberos REALM.
Going by the kdc name, what you probably want is:
beer.ca = AD.BEERU.CA
.beer.ca = AD.BEERU.CA
www2.beer.ca = AD.BEERU.CA


> 
> Here is my rpc join status:
> # net rpc testjoin
> Join to 'BEER' is OK
> 
> Here is my attempt to graduate this to ADS levels, with debug:
> 
> # net ads join -Ubeeruser%beeruserpw -d3
> [2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
>   lp_load: refreshing parameters
> [2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
>   Initialising global parameters
> [2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
>   params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> [2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
>   Processing section "[global]"
> [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
>   added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
> [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
>   added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
>   Failed to parse cldap reply
> [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
>   ads_try_connect: CLDAP request 111.111.200.66 failed.
> [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
>   Failed to parse cldap reply
> [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
>   ads_try_connect: CLDAP request 111.111.200.67 failed.
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
>   Could not look up dc's for domain BEER
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
>   ads_connect: No logon servers
> [2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
>   error on ads_startup: No logon servers
> Failed to join domain: No logon servers
> [2008/01/30 11:06:08, 2] utils/net.c:main(1032)
>   return code = -1
> 
> Can this user achieve such a goal?
> 
> Here is beeruser's rights via rpc:
> net rpc rights list -Ubeeruser
> Password:
>  SeMachineAccountPrivilege  Add machines to domain
>   SeTakeOwnershipPrivilege  Take ownership of files or other objects
>  SeBackupPrivilege  Back up files and directories
> SeRestorePrivilege  Restore files and directories
>  SeRemoteShutdownPrivilege  Force shutdown from a remote system
>   SePrintOperatorPrivilege  Manage printers
>SeAddUsersPrivilege  Add users and groups to the domain
>SeDiskOperatorPrivilege  Manage disk shares
> 
> I've had various toggles done to my smb.conf, but here is what the
> global section
> of smb.conf looks like at the moment, following the hints of someone else who
> solved this on the list...
> 
> [global]
> netbios name = www2
> workgroup = BEER
> unix charset = LOCALE
> realm = BEER

Same here.
   realm = AD.BEERU.CA

> server string = Web Server
> security = ADS
> password server = 111.111.200.67
> idmap backend = rid:BEER=5000-1
> idmap uid = 1-1000
> idmap gid = 1-1000
> template shell = /bin/bash
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> allow trusted domains = No
> log level = 3
> log file = /var/log/samba/%m.log
> max log size = 50
> dns proxy = No
> winbind use default domain = Yes
> hosts allow = 111.111.
> encrypt passwords = yes
> 
> I had great results with the last question I put on the list.  I hope
> someone can help us graduate to ads with kerberos level authentication.
> 
> It feels like there is something missing on the AD end, but I know
> nothing about this
> other than that it is Windows Server 2003 and it has been in production for
> awhile with good performance.
> 

There may be something