As I learned from former threads, "net ads join" should not only join the Samba
server to ADS, but also create Kerberos 5 credentials on the Linux box running
Samba 3.0.

Well, thanks to Jerry, joining Samba 3.0 to ADS works now, but I don't get any
Kerberos 5 credentials. winbindd throws errors because of the missing Kerberos
credentials.

Kerberos 5 support is compiled into my Samba binaries. I'm using the following
RPMs of MIT Kerberos 5:

krb5-workstation-1.2.7-14
pam_krb5-1.60-1
krb5-devel-1.2.7-14
krb5-server-1.2.7-14
krb5-libs-1.2.7-14

Kerberos 5 is working like a charm with my Windows 2003 Server:

*** SNIP ***
[EMAIL PROTECTED] source]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] source]# kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED] source]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
09/08/03 14:59:09  09/09/03 00:59:09  krbtgt/[EMAIL PROTECTED]


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] source]# kdestroy
[EMAIL PROTECTED] source]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] source]#
*** SNAP ***

If I now join my Samba 3.0 server to my Windows 2003 ADS, I don't get any
credentials:

*** SNIP ***
[EMAIL PROTECTED] x]# net ads join -U Administrator -d3
[2003/09/08 15:15:16, 3] param/loadparm.c:lp_load(3914)
  lp_load: refreshing parameters
[2003/09/08 15:15:16, 3] param/loadparm.c:init_globals(1300)
  Initialising global parameters
[2003/09/08 15:15:17, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2003/09/08 15:15:17, 3] param/loadparm.c:do_section(3417)
  Processing section "[global]"
[2003/09/08 15:15:17, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.0.201 bcast=192.168.0.255 nmask=255.255.255.0
Administrator password:
[2003/09/08 15:15:27, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 192.168.0.200
[2003/09/08 15:15:27, 3] libads/ldap.c:ads_server_info(1877)
  got ldap server name [EMAIL PROTECTED], using bind path: dc=SAMBA30,dc=TEST
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 48018 1 2 2
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 113554 1 2 2
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 2 840 113554 1 2 2 3
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(184)
  got OID=1 3 6 1 4 1 311 2 2 10
[2003/09/08 15:15:27, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
  got [EMAIL PROTECTED]
[2003/09/08 15:15:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/09/08 15:15:27, 3] libads/ldap.c:ads_workgroup_name(1969)
  Found alternate name 'SAMBA30' for realm 'SAMBA30.TEST'
Using short domain name -- SAMBA30
Joined 'SAMBA30SRV' to realm 'SAMBA30.TEST'
[2003/09/08 15:15:27, 2] utils/net.c:main(758)
  return code = 0
[EMAIL PROTECTED] source]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] source]#
*** SNAP ***

Of course, winbindd throws errors without Kerberos 5 credentials:

*** SNIP ***
[2003/09/08 11:43:59, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
  Added domain SAMBA30 SAMBA30.TEST
[2003/09/08 11:43:59, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
*** SNAP ***

Any suggestions?

Cheers, Axel.