[Samba] Trouble authenticating clients from ADS domain on Samba 3.0.5 file server
Greg Folkert
greg at gregfolkert.net
Fri Jul 30 21:08:56 GMT 2004
On Fri, 2004-07-30 at 16:27, Chris Goff wrote:
[...]
Used MIT KRB5 v1.3.4 and Samba 3.0.5. Also make sure that all the /lib and
/lib/security files related to each get replaced.
My smb.conf
=======================================
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = BIG Storage
security = ADS
auth methods = winbind, sam
obey pam restrictions = Yes
password server = mydc1.mydomain.com
username level = 3
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 0
syslog = 0
log file = /var/log/samba/%m.log
max log size = 10000
smb ports = 445
disable netbios = Yes
max xmit = 65535
name resolve order = wins hosts bcast
server signing = auto
deadtime = 10080
socket options = IPTOS_LOWDELAY TCP_NODELAY
logon path =
logon home =
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-40000
idmap gid = 10000-40000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind separator = +
winbind cache time = 20
winbind nested groups = Yes
ea support = Yes
use client driver = Yes
hide special files = Yes
map archive = No
[homes]
comment = Home Directories
read only = No
create mask = 0700
directory mask = 0700
browseable = No
My krb5.conf
=======================================
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = MYNETWORK.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
kdc_timesync = 1
dns_lookup_realm = true
dns_lookup_kdc = true
forward = true
forwardable = true
proxiable = true
autologin = true
encrypt = true
[realms]
 # realm name must match default_realm above and the [domain_realm] targets below
 MYNETWORK.COM = {
  kdc = mydc1.mynetwork.com:88
  admin_server = mydc1.mynetwork.com:749
  default_domain = mynetwork.com
 }
[domain_realm]
.mynetwork.com = MYNETWORK.COM
mynetwork.com = MYNETWORK.COM
[pam]
debug = false
ticket_lifetime = 24000
renew_lifetime = 24000
forward = true
forwardable = true
autologin = true
encrypt = true
krb4_convert = false
My /etc/pam.d/login
======================
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_stack.so service=system-auth
session optional pam_console.so
--
greg, greg at gregfolkert.net
The technology that is
Stronger, better, faster: Linux
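An added example, not part of Greg's message and not Samba's own code: an offline lint that cross-checks an ADS member's smb.conf against its krb5.conf for the mismatches that most often leave domain users unable to authenticate (realm spelled differently in the two files, no KDC listed for the realm, a password server that is not one of the realm's KDCs, a missing [domain_realm] mapping). The sample inputs are constructed, trimmed copies of the two files posted above; the hostnames and realm names in them are the message's own placeholders, not real systems.

```python
"""Offline lint for a Samba 'security = ADS' member: cross-checks smb.conf
against krb5.conf for the mismatches that stop domain users from logging in.
Added example, not Samba's code and not from this message."""
import re


def parse_smb_conf(text):
    """smb.conf -> {section: {key: value}}, keys lower-cased."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # full-line comments only
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            cur = sections.setdefault(m.group(1).strip().lower(), {})
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            cur[key.strip().lower()] = val.strip()
    return sections


def parse_krb5_conf(text):
    """krb5.conf -> {section: {key: [values]}}; 'key = { ... }' blocks become
    nested dicts, so [realms] entries are reachable by realm name."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
        elif line == "}":
            stack.pop()
        elif stack and "=" in line:
            key, _, val = line.partition("=")
            key, val = key.strip(), val.strip()
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(val)   # kdc may repeat
    return root


def lint_ads_member(smb_text, krb5_text):
    """Return a list of findings; an empty list means the two files agree."""
    g = parse_smb_conf(smb_text).get("global", {})
    k = parse_krb5_conf(krb5_text)
    out = []
    if g.get("security", "").lower() != "ads":
        out.append("smb.conf: security must be ADS for Kerberos logons")
    realm = g.get("realm", "")
    if not realm:
        return out + ["smb.conf: realm is not set"]
    default_realm = k.get("libdefaults", {}).get("default_realm", [""])[0]
    if default_realm != realm:
        out.append("krb5.conf: default_realm %r != smb.conf realm %r"
                   % (default_realm, realm))
    block = k.get("realms", {}).get(realm)
    block = block if isinstance(block, dict) else {}
    kdcs = [h.split(":")[0].lower() for h in block.get("kdc", [])]
    if not kdcs:
        out.append("krb5.conf: no kdc listed under [realms] for %s (found: %s)"
                   % (realm, ", ".join(sorted(k.get("realms", {}))) or "none"))
    pw = g.get("password server", "").lower().split(":")[0]
    if pw and pw != "*" and pw not in kdcs:
        out.append("smb.conf: password server %s is not a kdc of %s" % (pw, realm))
    for host in (realm.lower(), "." + realm.lower()):
        if k.get("domain_realm", {}).get(host, [""])[0] != realm:
            out.append("krb5.conf: domain_realm lacks '%s = %s'" % (host, realm))
    return out


# Constructed inputs: trimmed copies of the two files posted in this message.
SMB_CONF = """
[global]
    realm = MYDOMAIN.COM
    security = ADS
    password server = mydc1.mydomain.com
[homes]
    read only = No
"""
KRB5_CONF = """
[libdefaults]
    default_realm = MYNETWORK.COM
[realms]
    NETWORKMCS.COM = {
        kdc = mydc1.mynetwork.com:88
    }
[domain_realm]
    .mynetwork.com = MYNETWORK.COM
    mynetwork.com = MYNETWORK.COM
"""
# The same krb5.conf with every realm spelling made to agree with smb.conf.
KRB5_CONF_FIXED = (KRB5_CONF.replace("NETWORKMCS", "MYDOMAIN")
                   .replace("MYNETWORK", "MYDOMAIN").replace("mynetwork", "mydomain"))

if __name__ == "__main__":
    for finding in lint_ads_member(SMB_CONF, KRB5_CONF) or ["no findings"]:
        print(finding)
```

Against the files as posted it reports five findings, starting with smb.conf's realm (MYDOMAIN.COM) disagreeing with krb5.conf's default_realm (MYNETWORK.COM); once the krb5.conf spellings are brought into line with smb.conf it reports nothing. To use it on a real member, pass the contents of /etc/samba/smb.conf and /etc/krb5.conf; it only reads text, so it is safe to run on a production server before reaching for "net ads join" or "wbinfo -t".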