[Samba] authentification in ads2003

Christoph Scheeder christoph.scheeder at scheeder.de
Wed Jun 9 14:05:14 GMT 2004


Hi,

I got that working on woody, but against a Win2000 ADS.

How?
- fetched the latest source of MIT Kerberos from the MIT server
   and installed it in /usr/local, as the version coming with woody
   is too old: it does not support the needed enc-types.
- fetched samba-3.0.5-pre2 from svn and compiled it against the Kerberos
   in /usr/local, and installed it.
- deleted all old databases of samba
- deleted the samba server from the ADS and rejoined it.

I found for me that in nsswitch.conf the lines

passwd: compat winbind
group:  compat winbind

will not work; replace "compat" with "files".

This way you should be able to get it working, but no guarantee.
Christoph

Benoit Moeremans wrote:
> Hello,
> *This msg was already sent yesterday on this ml, but I found some
> faults in the mail.*
> 
> **If anyone can help me... the only thing I'm thinking now is to throw away
> the servers**
> 
> 
> I installed Samba 3.0.4 + Kerberos 5 + winbind to make the Debian woody
> server join the Active Directory service.
> 
> Everything seems to be ok, except the authentication. If I try to go to
> the share of the Linux server from a Windows box, it asks me for the password.
> And of course, no way to log in.
> 
> Here is the config:
> 
> *nsswitch.conf*
> 
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> 
> 
> 
> *samba*
> 
> [global]
> 
> 
>    workgroup = TEST
>    realm = CAR.BE.TEST.COM.LOCAL
>    server string = %h server (Samba %v)
> ;  wins support = no
> ;  wins server = w.x.y.z
>    dns proxy = no
> ;  name resolve order = lmhosts host wins bcast
>    use spnego = yes
>    log file = /var/log/samba/log.%m
>    max log size = 1000
> ;  syslog only = no
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
> 
> # separate domain and username with '+', like DOMAIN+username
> winbind separator = +
> # use uids from 10000 to 20000 for domain users
> idmap uid = 10000-20000
> # use gids from 10000 to 20000 for domain groups
> idmap gid = 10000-20000
> # allow enumeration of winbind users and groups
> winbind enum users = yes
> winbind enum groups = yes
> 
>    security = ADS
>    encrypt passwords = yes
>    passdb backend = tdbsam guest
>    obey pam restrictions = yes
>    password server = car-pdc
>    netbios name = rantanplan
> ;  guest account = nobody
>    invalid users = root
> ;  unix password sync = no
> ;  passwd program = /usr/bin/passwd %u
> #   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> ;  pam password change = no
> ;  load printers = yes
> ;  preserve case = yes
> ;  short preserve case = yes
> ;  include = /home/samba/etc/smb.conf.%m
> #         SO_RCVBUF=8192 SO_SNDBUF=8192
>    socket options = TCP_NODELAY
> ;  message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
> 
> ;  domain master = auto
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
> ;   template shell = /bin/bash
> [admin]
>     comment = Administration Directory
>     path = /home/benoit
>     admin users =  TEST+bmo
>     browseable = yes
>     public = no
>     writable = yes
>     guest only = no
>     valid users = TEST+bmo
> 
> *kerberos*
> [libdefaults]
>         default_realm = CAR.BE.TEST.COM
> 
> [realms]
> CAR.BE.TEST.COM = {
> kdc = car-pdc.car.be.test.com
> default_domain = car.be.test.com
> }
> #[domain_realms]
> #.kerberos.server=CAR.BE.TEST.COM
> 
> # The following krb5.conf variables are only for MIT Kerberos.
>         default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
>         default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
> 
> 
> v4_instance_resolve = false
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>                 plain = {
>                         something = something-else
>                 }
>         }
> 
> 
> [login]
>         krb4_convert = true
>         krb4_get_tickets = true
> 
> 
> *winbind* (logs)
> 
> [2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
>   Added domain CAR CAR.BE.TEST.COM.LOCAL S-0-0
> [2004/06/07 13:38:57, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
>   krb5_cc_get_principal failed (No credentials cache found)
> [2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
>   Added domain BUILTIN  S-1-5-32
> [2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
>   Added domain RANTANPLAN  S-1-5-21-837388855-3362161430-1770541169
> 
> I found also some trace in the log.smbd
> 
>   smbd version 3.0.4 started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2004
> [2004/06/09 10:29:16, 0] lib/util_sock.c:get_peer_addr(978)
>   getpeername failed. Error was Transport endpoint is not connected
> [2004/06/09 10:34:28, 0] smbd/server.c:main(757)
> 
> 
> All commands like kinit, net ads join, wbinfo -u (-g), getent etc. work.
> From the Linux server, no problem to go to the shares of the domain
> controller (which is a Windows 2003 server).
> Do I have to make the keytab for Kerberos by myself for each samba server,
> or does it create itself with the "net ads join" cmd?
> 
> Any help would be welcome.
> Regards,
> 
> Benoit
> 
> 
> 
> 
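Added example, not code from either poster: a small Python checker for the two configuration points this thread turns on, the nsswitch.conf "compat winbind" entries that Christoph replaced with "files winbind", and the realm spelled in smb.conf versus the default_realm in krb5.conf (Samba requires the two to agree, in upper case). The sample inputs are constructed from the configs quoted above; the function and variable names are my own.

```python
# Constructed samples modelled on the configs quoted in the thread.
NSSWITCH = "passwd: compat winbind\ngroup:  compat winbind\nshadow: compat\n"
SMB_CONF = ("[global]\n   workgroup = TEST\n   realm = CAR.BE.TEST.COM.LOCAL\n"
            ";  wins support = no\n   security = ADS\n")
KRB5_CONF = ("[libdefaults]\n        default_realm = CAR.BE.TEST.COM\n"
             "[realms]\nCAR.BE.TEST.COM = {\n        kdc = car-pdc.car.be.test.com\n}\n")

def parse_nsswitch(text):
    """Map each NSS database (passwd, group, ...) to its ordered source list."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, sources = line.split(":", 1)
            out[db.strip()] = sources.split()
    return out

def parse_section(text, section):
    """Key/value pairs of one [section]; ';' and '#' comment lines are skipped,
    and krb5.conf's brace-delimited sub-blocks are deliberately left out."""
    out, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section and "=" in line and not line.endswith("{"):
            key, value = line.split("=", 1)
            out[" ".join(key.split()).lower()] = value.strip()
    return out

def check_ads_member(nsswitch, smb_conf, krb5_conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for db, sources in parse_nsswitch(nsswitch).items():
        if db in ("passwd", "group") and "compat" in sources and "winbind" in sources:
            findings.append(f"nsswitch {db}: 'compat winbind' in use, try 'files winbind'")
    smb = parse_section(smb_conf, "global")
    realm = smb.get("realm", "")
    default_realm = parse_section(krb5_conf, "libdefaults").get("default_realm", "")
    if smb.get("security", "").lower() != "ads":
        findings.append("smb.conf: security must be ADS for a Kerberos domain member")
    if realm != realm.upper():
        findings.append(f"smb.conf: realm '{realm}' should be upper case")
    if realm != default_realm:
        findings.append(f"realm mismatch: smb.conf '{realm}' vs krb5.conf '{default_realm}'")
    return findings
```

Run against the samples it reports the two nsswitch entries and the realm mismatch; against the fixed files it returns an empty list.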
