D G Teed wrote:
> I've been able to use security = ads in smb.conf, and connect OK,
> but it must be falling back to domain. When I run net ads join
> I get the error (debug trace below):
>
> ads_connect: No logon servers
>
> Here is my krb5.conf:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = BEER
> [realms]
> BEER = {
> kdc = ADC1.AD.BEERU.CA
> }
> [domain_realm]
> beer.ca = BEER
> .beer.ca = BEER
This should be a mapping from DNS domain to Kerberos REALM.
Going by the kdc name, what you probably want is:
beer.ca = AD.BEERU.CA
.beer.ca = AD.BEERU.CA
www2.beer.ca = AD.BEERU.CA
>
> Here is my rpc join status:
> # net rpc testjoin
> Join to 'BEER' is OK
>
> Here is my attempt to graduate this to ADS levels, with debug:
>
> # net ads join -Ubeeruser%beeruserpw -d3
> [2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
> lp_load: refreshing parameters
> [2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
> Initialising global parameters
> [2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> [2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
> Processing section "[global]"
> [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
> added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
> [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
> added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
> get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
> Failed to parse cldap reply
> [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
> ads_try_connect: CLDAP request 111.111.200.66 failed.
> [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
> Failed to parse cldap reply
> [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
> ads_try_connect: CLDAP request 111.111.200.67 failed.
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
> get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
> Could not look up dc's for domain BEER
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
> get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
> get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
> ads_connect: No logon servers
> [2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
> error on ads_startup: No logon servers
> Failed to join domain: No logon servers
> [2008/01/30 11:06:08, 2] utils/net.c:main(1032)
> return code = -1
>
> Can this user achieve such a goal?
>
> Here is beeruser's rights via rpc:
> net rpc rights list -Ubeeruser
> Password:
> SeMachineAccountPrivilege Add machines to domain
> SeTakeOwnershipPrivilege Take ownership of files or other objects
> SeBackupPrivilege Back up files and directories
> SeRestorePrivilege Restore files and directories
> SeRemoteShutdownPrivilege Force shutdown from a remote system
> SePrintOperatorPrivilege Manage printers
> SeAddUsersPrivilege Add users and groups to the domain
> SeDiskOperatorPrivilege Manage disk shares
>
> I've had various toggles done to my smb.conf, but here is what the
> global section of smb.conf looks like at the moment, following the
> hints of someone else who solved this on the list...
>
> [global]
> netbios name = www2
> workgroup = BEER
> unix charset = LOCALE
> realm = BEER
Same here.
realm = AD.BEERU.CA
> server string = Web Server
> security = ADS
> password server = 111.111.200.67
> idmap backend = rid:BEER=5000-1
> idmap uid = 1-1000
> idmap gid = 1-1000
> template shell = /bin/bash
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> allow trusted domains = No
> log level = 3
> log file = /var/log/samba/%m.log
> max log size = 50
> dns proxy = No
> winbind use default domain = Yes
> hosts allow = 111.111.
> encrypt passwords = yes
>
> I had great results with the last question I put on the list. I hope
> someone can help us graduate to ads with kerberos level authentication.
>
> It feels like there is something missing on the AD end, but I know
> nothing about this other than that it is Windows Server 2003 and it
> has been in production for awhile with good performance.
>
There may be something
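As an added example (not from this thread, and not Samba's or MIT Kerberos' own code), here is a small Python checker that parses a krb5.conf like the one quoted above and flags the realm/domain mismatches the reply points out: a realm that is not the AD domain's DNS name, a KDC that does not live under its realm, and an smb.conf `realm` that differs from `default_realm`. The two sample configs are constructed from the thread, and the realm checks are heuristics that hold for Active Directory realms.

```python
import re

# Constructed from the krb5.conf quoted in the thread (not the poster's file verbatim).
POSTED_KRB5 = """[libdefaults]
default_realm = BEER
[realms]
BEER = {
kdc = ADC1.AD.BEERU.CA
}
[domain_realm]
beer.ca = BEER
.beer.ca = BEER
"""
FIXED_KRB5 = re.sub(r"\bBEER\b", "AD.BEERU.CA", POSTED_KRB5)  # realm corrected as the reply suggests

def parse_krb5(text):
    """Minimal krb5.conf parser -> {section: {key: value}}; a `REALM = { ... }` block nests."""
    cfg, sect, block = {}, None, None
    # strip comments and skip blank lines
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            sect, block = cfg.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                block, sect[key] = key, {}
            else:
                (sect[block] if block else sect)[key] = value
    return cfg

def check_krb5(text, smb_realm=None):
    """Realm/domain consistency findings ([] = clean). Heuristic: an AD realm is the
    domain's DNS name in upper case, and its KDCs are hosts under that DNS name."""
    cfg = parse_krb5(text)
    realms, findings = cfg.get("realms", {}), []
    default_realm = cfg.get("libdefaults", {}).get("default_realm")
    for realm, props in realms.items():
        if "." not in realm or realm != realm.upper():
            findings.append(f"realm {realm} is not an upper-case DNS domain name")
        kdc = props.get("kdc", "").split(":")[0]  # drop an optional :port
        if "." in kdc and not kdc.lower().endswith("." + realm.lower()):
            findings.append(f"kdc {kdc} is not under realm {realm}; expected {kdc.split('.', 1)[1].upper()}")
    for domain, realm in cfg.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    if smb_realm and default_realm and smb_realm.upper() != default_realm:
        findings.append(f"smb.conf realm {smb_realm} differs from default_realm {default_realm}")
    return findings
```

Run against the posted file with `smb_realm="BEER"` it reports the short realm and the KDC/realm mismatch (suggesting AD.BEERU.CA); against the corrected file with `smb_realm="AD.BEERU.CA"` it reports nothing.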