[Samba] 2003 KDC and Samba
John H Terpstra
jht at samba.org
Thu Jul 29 17:57:53 GMT 2004
On Thursday 29 July 2004 08:08, Tran Charles A Civ OC-ALC/ITMA wrote:
> We have several RHEL 3.0 Update 2 servers running Samba.
> These have been working flawlessly for several months..
>
> Recently, the base upgraded all the Windows 2000 servers
> to Windows 2003..
Only MIT Kerberos 1.3.1 or later will work with Windows 2003 Server ADS.
- John T.
> NOTE: we don't have admin rights to the Domain Controllers.. (wish we
> did..)
>
> Previous to the Domain (and kdc) controllers to 2003 we had
> no issues joining a new Samba Server to the ADS..
>
> Using the same krb5.conf and kdc.conf and smb.conf file.. it
> is no longer possible to join a Samba 3.0 server to the domain..
>
> Any help direction is appreciated..
> VR
> Charles
>
> Samba packages
> -------------
> samba-common-3.0.4-6.3E
> samba-3.0.4-6.3E
> samba-client-3.0.4-6.3E
>
> Kerberos Packages..
> -----------------
> pam_krb5-1.73-1
> krb5-libs-1.2.7-24
> krb5-workstation-1.2.7-24
> krbafs-1.1.1-11
> krbafs-utils-1.1.1-11
> krb5-server-1.2.7-24
> krbafs-devel-1.1.1-11
> krb5-devel-1.2.7-24
>
>
> Things tried..(per the samba docs. this is the first step..)
>
> kinit USERNAME at REALM
> error..
> kinit(v5): KRB5 error code 52 while getting initial credentials
>
> net ads join "/IT/Computers/Servers-2" -U adminOFthisOU
> error..
> kerberos_kinit_password ADMINOFTHISOU at USAF.AFMC.DS.AF.MIL failed: KRB5
> error code 52
>
> Not much on google about this error..
>
> krb5.conf
> **************
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = USAF.AFMC.DS.AF.MIL
> # default_tgs_enctypes = rc4-hmac
> # default_tkt_enctypes = rc4-hmac
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> USAF.AFMC.DS.AF.MIL = {
> kdc = xxx.xxx.xxx.241:88
> admin_server = xxx.xxx.xxx.241:749
> default_domain = usaf.af.mil
> }
>
> [domain_realm]
> .usaf.af.mil = USAF.AFMC.DS.AF.MIL
> usaf.af.mil = USAF.AFMC.DS.AF.MIL
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
> *****************************
> kdc.conf
> *********
> [kdcdefaults]
> acl_file = /var/kerberos/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> v4_mode = nopreauth
>
> [realms]
> USAF.AFMC.DS.AF.MIL = {
> master_key_type = des-cbc-crc
> supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm
> des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal
> des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3
> des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4
> des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm
> des-cbc-md5:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal
> des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
> }
> *********
> smb.conf
> *****
> [global]
> workgroup = USAF-2K
> realm = USAF.AFMC.DS.AF.MIL
> server string =
> security = ADS
> obey pam restrictions = Yes
> password server = xxx.xxx.xxx.241
> pam password change = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
> log file = /var/log/samba/%m.log
> max log size = 0
> announce version = 5.0
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> preferred master = No
> local master = No
> domain master = No
> wins server = 10.50.1.52
> ldap ssl = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> # winbind separator = +
> # valid users = @oracle
> printing = cups
>
> [testshare]
> comment = System Share
> path = /home2/share
> force group = share
> writeable = yes
> case sensitive = Yes
> hide dot files = No
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
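
The version requirement stated in the reply can be checked against an installed package list before the join is retried. The script below is an added example, not part of the original thread; its function names are hypothetical, and it runs on the package names quoted in the post.

```shell
# Added example (not from the thread). Minimum version taken from the reply.
# KRB5 error code 52 is KRB_ERR_RESPONSE_TOO_BIG in the Kerberos error table.
MIN_KRB5="1.3.1"

# version_ge A B: true when dotted numeric version A >= B.
version_ge() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*}; y=${vb%%.*}
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "1a"
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# pkg_version NAME-VERSION-RELEASE: print the VERSION field of an rpm name.
pkg_version() {
    nv=${1%-*}                  # strip -RELEASE
    printf '%s\n' "${nv##*-}"   # keep what follows the last remaining '-'
}

# check_krb5: read package names on stdin (as printed by `rpm -qa`), report
# each krb5-* package, and return 1 if any is older than MIN_KRB5.
check_krb5() {
    rc=0
    while IFS= read -r pkg; do
        # pam_krb5, krbafs etc. carry their own version numbers: skip them.
        case $pkg in krb5-*) ;; *) continue ;; esac
        v=$(pkg_version "$pkg")
        if version_ge "$v" "$MIN_KRB5"; then
            echo "OK       $pkg"
        else
            echo "TOO_OLD  $pkg (need >= $MIN_KRB5)"; rc=1
        fi
    done
    return $rc
}

# Package names copied from the original post (quote markers removed).
check_krb5 <<'EOF' || echo "upgrade krb5 before retrying 'net ads join'"
pam_krb5-1.73-1
krb5-libs-1.2.7-24
krb5-workstation-1.2.7-24
krb5-server-1.2.7-24
EOF
```

On a live system the same check is `rpm -qa | check_krb5`.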