[Samba] Can RH AS3 be a ADS member with winbind+nss+krb5?
John Stile
john at stilen.com
Fri Dec 3 00:57:53 GMT 2004
On Thu, 2004-12-02 at 13:26 -0800, John Stile wrote:
> Samba is trying to be a member server in an AD in native mode, using
> winbind, nss, and Kerberos. There are 3 KDCs (2 are Win2003, 1 is
> Win2000), samba server is RH-AS3 + Samba version 3.0.9 (from samba.org)
> + krb5 1.3.1-6 (from Fedora Core). I thought I had things working (join
> succeeded, could access shares, modify files), and then it stopped
> working. After clearing out the host account from AD, when I try to add
> the server back to the domain, the host is added to AD but the join fails.
>
> When it broke the following changes had occurred:
> I had restarted samba.
> I changed some pam files (which have been reverted).
> Windows administrators had turned on 'smb signing' around that time,
> but I don't know how samba 3.0.9 will handle this.
>
> Questions:
> Is it possible to set up samba as a member server in this
> configuration with this network and software versions, or should I try
> another method?
> What is the next best setup method?
>
> I am left wondering what the best options are available at this point,
> as things seem hopeless.
> I have followed the steps outlined in Samba-3 By Example, by John H.
> Terpstra, chapter 9.3.3
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
I'm still trying to find a solution. Any ideas or feedback would really
help. It seems like I'm seeing a lot of 'segmentation faults' and
'Cannot find kdc' from net commands but name resolution does work, so I
don't know what to make of it.
More testing:
kinit stile
New ticket is stored in cachefile /tmp/krb5cc_0
cat /etc/nsswitch.conf |egrep host
hosts: files dns winbind
getent passwd |grep 'ad-'
hcs-ad-c$:x:12439:10002:HCS-AD-C:/home/REALM/hcs-ad-c_:/bin/false
hcs-ad-a$:x:12440:10002:HCS-AD-A:/home/REALM/hcs-ad-a_:/bin/false
hcs-ad-b$:x:12441:10002:HCS-AD-B:/home/REALM/hcs-ad-b_:/bin/false
net ads info
LDAP server: 128.32.67.118
LDAP server name: hcs-ad-b
Realm: REALM.MY.DOMAIN.COM
Bind Path: dc=REALM,dc=MY,dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Thu, 02 Dec 2004 16:35:41 GMT
KDC server: 128.32.67.118
Server time offset: 1
net ads testjoin -U admin
Join is OK
net ads leave -U admin
Removed 'MYHOST' from realm 'REALM.MY.DOMAIN.COM'
net time
correct time displayed
net ads info
dumps correct info about the windows 2000 ADS.
When I did not have a machine account in AD
net ads keytab create -U admin
libads/kerberose.c:get_service_ticket(335)
get_service_ticket: kerberose_kinit_password MYHOST2
$@REALM.MY.DOMAIN.COMM at REALM.MY.DOMAIN.COM failed: Client not found in
Kerberose database
Segmentation fault
net ads join -U admin
libads/kerberose.c:get_service_ticket(335)
get_service_tiket: kerberose_kinit_password MYHOST2
$@REALM.MY.DOMAIN.COMM at REALM.MY.DOMAIN.COM failed: Client not found in
Kerberose database
Segmentation fault
Though the join command failed, the host does appear in AD.
Now I rerun the keytab creation:
net ads keytab create -U admin
Warning: "use kerberose keytab" must be set to "true" in order to
use keytab functions.
After starting winbind with 'winbindd -S -i -F -d 8 -Y' and running
'getent passwd' the query ends with the following lines:
ads_krb5_mk_req: krb5_get_credentials failed for actdir05
$@ROOTREALM.DOMAIN.COM' (Cannot find KDC for requested realm)
ads_krb5_mk_req: krb5_get_credentials failed for actdir05
$@ROOTREALM.DOMAIN.COM' (Cannot find KDC for requested realm)
ads_connect for domain ROOTREALM failed: Cannot find KDC for
requested realm
[ 3123]: getpwent
[ 3123]: endpwent
read failed on sock 18, pid 3123: EOF
net ads lookup myhostname
Information for Domain Controller: foo-ad-b
Response Type: SAMLOGON
GUID: 5d58ee7c-0e3d-4743-adfb-3f6289593630
Flags:
Is a PDC: no
Is a GC of the forest: no
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: no
Is a non-domain NC serviced by LDAP server: no
Forest: foo.domain.com
Domain: realm.my.domain.com
Domain Controller: hcs-ad-b.realm.my.domain.com
Pre-Win2k Domain: REALM
Pre-Win2k Hostname: HCS-AD-B
Site Name: MyOrgName
Site Name (2): MyOrgName
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
kinit username at MY.DOMAIN.COM
Password for username at MY.DOMAIN.COM:
Exception: krb_error 0 Cannot get kdc for realm HAAS No error
KrbException: Cannot get kdc for realm HAAS
at sun.security.krb5.KrbKdcReq.send(DashoA12275:133)
at sun.security.krb5.KrbKdcReq.send(DashoA12275:106)
at
sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:241)
at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:106)
--
._____________________.
| \0/ John Stile |
| UniX Administration |
| / \ 510-305-3800 |
| john at stilen.com |
.---------------------.
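As an added example (not from this mail and not Samba's own code), a small Python triage script that pulls the realm name out of winbindd's "Cannot find KDC for requested realm" lines and checks whether krb5.conf carries a [realms] KDC entry for that realm, which is the first thing to rule out when a child-domain member suddenly cannot reach the forest root realm. The krb5.conf and the winbindd lines below are constructed from the shapes quoted in the mail.

```python
import re

# Constructed krb5.conf: only the child realm has a static KDC entry.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = REALM.MY.DOMAIN.COM
[realms]
 REALM.MY.DOMAIN.COM = {
  kdc = hcs-ad-b.realm.my.domain.com
 }
[domain_realm]
 .realm.my.domain.com = REALM.MY.DOMAIN.COM
"""

# Constructed 'winbindd -d 8' lines modelled on the ones quoted in the mail.
SAMPLE_LOG = """\
ads_krb5_mk_req: krb5_get_credentials failed for actdir05$@ROOTREALM.DOMAIN.COM' (Cannot find KDC for requested realm)
ads_connect for domain ROOTREALM failed: Cannot find KDC for requested realm
"""

def parse_krb5_realms(text):
    """Map each realm in [realms] to its kdc lines (empty list = no kdc)."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments/whitespace
        m = re.fullmatch(r'\[(\w+)\]', line)
        if m:
            section, current = m.group(1), None      # new section header
        elif section != 'realms':
            continue
        elif (m := re.fullmatch(r'([\w.-]+)\s*=\s*\{', line)):
            current = m.group(1).upper()             # REALM = { ... }
            realms.setdefault(current, [])
        elif line == '}':
            current = None
        elif current and line.lower().startswith('kdc'):
            realms[current].append(line.split('=', 1)[1].strip())
    return realms

# Realm sits between '@' and the closing quote in the krb5_get_credentials line.
KDC_ERR = re.compile(r"failed for \S+@([A-Z0-9.-]+)'.*Cannot find KDC")

def unresolvable_realms(log_text, krb5_conf):
    """Realms named in 'Cannot find KDC' errors -> KDCs krb5.conf lists for them.
    An empty list means the realm needs a [realms] entry (or working
    _kerberos._tcp SRV records) before winbind can contact its KDC."""
    realms = parse_krb5_realms(krb5_conf)
    found = {}
    for line in log_text.splitlines():
        m = KDC_ERR.search(line)
        if m:
            found[m.group(1)] = realms.get(m.group(1), [])
    return found
```

Run `unresolvable_realms(SAMPLE_LOG, SAMPLE_KRB5_CONF)` against a real `winbindd -d 8` capture and `/etc/krb5.conf` to see which realms the libraries have no route to.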