[Samba] re: Samba + Winbind + SuSE Linux AD auth not working
Dave
aixenv at yahoo.com
Fri Mar 23 20:59:53 GMT 2007
OK, here's the situation: I've done this on 7 servers, same on either SLES 9 or 10, and all those work. I have a problem server though which is SLES v9 (same versions of all daemons/services that would be used) and this one just won't allow AD auth to work.
I can restart all smb, nmb, winbind, and ssh servers with no errors.
*Note: all the needed configuration file snippets are at the end of this message.
OK, when I try and join my domain/workgroup I get the following output:
SERVER1:/etc/ssh # net join -w WORKGROUP -U USERNAME -S ADserver.mydomain.net
USERNAME's password:
[2007/03/22 13:18:41, 0] libads/ldap.c:ads_add_machine_acct(1400)
ads_add_machine_acct: Host account for server1 already exists - modifying old account
ads_set_machine_password: Message stream modified
ADS join did not work, falling back to RPC...
Joined domain WORKGROUP.
Looks to me like it worked; then I do the following:
# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
Could not check secret
I try just doing:
SERVER1:/etc/ssh # net join -U username
[2007/03/22 13:20:39, 0] libads/ldap.c:ads_add_machine_acct(1400)
ads_add_machine_acct: Host account for server1 already exists - modifying old account
ads_set_machine_password: Message stream modified
ADS join did not work, falling back to RPC...
Unable to find a suitable server
Then I try again and get:
SERVER1:/etc/ssh # net join -U username -S myserver.domain.net
username's password:
[2007/03/22 13:24:08, 0] libads/ldap.c:ads_add_machine_acct(1400)
ads_add_machine_acct: Host account for server1 already exists - modifying old account
ads_set_machine_password: Message stream modified
ADS join did not work, falling back to RPC...
Joined domain MYDOMAIN.
SERVER1:/etc/ssh # wbinfo -t
checking the trust secret via RPC calls succeeded
SERVER1:/etc/ssh # wbinfo -m
server1
BUILTIN
EXCHREC
SERVER1:/etc/ssh # wbinfo -u|grep username
username
SERVER1:/etc/ssh # wbinfo -g|grep AppDev
AppDev
SQLAppDev
SERVER1:/etc/ssh #
Then a few minutes later I do a wbinfo -t and get:
checking the trust secret via RPC calls failed
error code was NT_STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
Could not check secret
Any ideas? I set up a completely new server to test my way of setting up AD auth/Linux and it worked first time off. Problem is this is a production server so I can't just restart it. Any ideas/thoughts are appreciated, thanks.
=================================================
The relevant part of my smb.conf looks like this:
[global]
workgroup = MYWORKGROUP
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
printer admin = @ntadmin, root, administrator
username map = /etc/samba/smbusers
map to guest = Bad User
template shell = /bin/bash
template homedir = /home/%D/%U
encrypt passwords = yes
domain logons = no
idmap gid = 10000-200000
idmap uid = 10000-200000
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
local master = yes
domain master = false
preferred master = auto
ldap suffix = dc=mydomain,dc=net
wins server = 1.2.3.4
wins support = no
netbios name = server1
realm = MYDOMAIN.NET
security = ADS
winbind enum users = yes
winbind enum groups = yes
password server = my.server.net
winbind use default domain = Yes
log level = 10
log file = /var/log/samba/log.%m
obey pam restrictions = Yes
The krb5.conf looks like so:
[libdefaults]
clockskew = 300
default_realm = MYDOMAIN.NET
[realms]
MYDOMAIN.NET = {
kdc = server.mydomain.net
default_domain = mydomain.net
kpasswd_server = server.mydomain.net
admin_server = server.mydomain.net
}
[domain_realm]
.MYDOMAIN.NET = MYDOMAIN.NET
.mydomain.net = MYDOMAIN.NET
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
try_first_pass = true
}
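As an added example (not part of the original post or of Samba itself), here is a small cross-check of the values an ADS domain member needs to agree on between smb.conf and krb5.conf: the realm, its kdc entry and the domain_realm mapping. The embedded sample configs are constructed from the values quoted above; a mismatch in any of them is reported as a finding.

```python
# Added example, not from the original post: cross-check the smb.conf and
# krb5.conf values an ADS member needs. Sample texts use the post's values.
SMB_CONF = """
[global]
realm = MYDOMAIN.NET
security = ADS
"""
KRB5_CONF = """
[libdefaults]
default_realm = MYDOMAIN.NET
[realms]
MYDOMAIN.NET = {
kdc = server.mydomain.net
}
[domain_realm]
.mydomain.net = MYDOMAIN.NET
"""

def parse_ini(text):
    """[section] / key = value, plus one level of 'name = { }' blocks."""
    conf, sect, blk = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sect, blk = line[1:-1].lower(), None
            conf.setdefault(sect, {})
        elif line == "}":
            blk = None
        elif "=" in line and sect is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":               # realm block; realm names are case-sensitive
                blk, conf[sect][key] = key, {}
            else:
                (conf[sect][blk] if blk else conf[sect])[key.lower()] = val
    return conf

def check_ads_member(smb_text, krb5_text):
    """Return findings; an empty list means the two files agree."""
    smb = parse_ini(smb_text).get("global", {})
    krb = parse_ini(krb5_text)
    realm = smb.get("realm", "")
    out = []
    if krb.get("libdefaults", {}).get("default_realm") != realm:
        out.append("krb5.conf: default_realm differs from smb.conf realm")
    if "kdc" not in krb.get("realms", {}).get(realm, {}):
        out.append("krb5.conf: no kdc listed for realm %r" % realm)
    if krb.get("domain_realm", {}).get("." + realm.lower()) != realm:
        out.append("krb5.conf: .%s is not mapped to %s" % (realm.lower(), realm))
    return out
```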