[Samba] authentication in ads2003
Christoph Scheeder
christoph.scheeder at scheeder.de
Wed Jun 9 14:05:14 GMT 2004
Hi,
I got that working on woody, but against a Win2000 ADS.
How?
- fetched the latest source of MIT Kerberos from the MIT server
and installed it in /usr/local, as the version coming with woody
is too old; it does not support the needed enc-types.
- fetched samba-3.0.5-pre2 from svn and compiled it against the Kerberos
in /usr/local, and installed it.
- deleted all old databases of samba
- deleted the samba server from the ADS and rejoined it.
I found for me that in nsswitch.conf the lines
passwd: compat winbind
group: compat winbind
will not work; replace "compat" with "files".
This way you should be able to get it working, but no guarantee.
Christoph
Benoit Moeremans wrote:
> Hello,
> *This msg was already sent yesterday on this ml, but I found some
> faults in the mail.*
>
> **If anyone can help me... the only thing I'm thinking now is to throw away
> the servers**
>
>
> I installed Samba 3.0.4 + Kerberos 5 + winbind to make the Debian woody
> server join the Active Directory service.
>
> Everything seems to be ok, except the authentication. If I try to go to
> the share of the linux server from a windows box, it asks me for the password.
> And of course, no way to log in.
>
> Here is the config:
>
> *nsswitch.conf*
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> *samba*
>
> [global]
>
>
> workgroup = TEST
> realm = CAR.BE.TEST.COM.LOCAL
> server string = %h server (Samba %v)
> ; wins support = no
> ; wins server = w.x.y.z
> dns proxy = no
> ; name resolve order = lmhosts host wins bcast
> use spnego = yes
> log file = /var/log/samba/log.%m
> max log size = 1000
> ; syslog only = no
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
>
> # separate domain and username with '+', like DOMAIN+username
> winbind separator = +
> # use uids from 10000 to 20000 for domain users
> idmap uid = 10000-20000
> # use gids from 10000 to 20000 for domain groups
> idmap gid = 10000-20000
> # allow enumeration of winbind users and groups
> winbind enum users = yes
> winbind enum groups = yes
>
> security = ADS
> encrypt passwords = yes
> passdb backend = tdbsam guest
> obey pam restrictions = yes
> password server = car-pdc
> netbios name = rantanplan
> ; guest account = nobody
> invalid users = root
> ; unix password sync = no
> ; passwd program = /usr/bin/passwd %u
> # passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> ; pam password change = no
> ; load printers = yes
> ; preserve case = yes
> ; short preserve case = yes
> ; include = /home/samba/etc/smb.conf.%m
> # SO_RCVBUF=8192 SO_SNDBUF=8192
> socket options = TCP_NODELAY
> ; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
>
> ; domain master = auto
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> ; template shell = /bin/bash
> [admin]
> comment = Administration Directory
> path = /home/benoit
> admin users = TEST+bmo
> browseable = yes
> public = no
> writable = yes
> guest only = no
> valid users = TEST+bmo
>
> *kerberos*
> [libdefaults]
> default_realm = CAR.BE.TEST.COM
>
> [realms]
> CAR.BE.TEST.COM = {
> kdc = car-pdc.car.be.test.com
> default_domain = car.be.test.com
> }
> #[domain_realms]
> #.kerberos.server=CAR.BE.TEST.COM
>
> # The following krb5.conf variables are only for MIT Kerberos.
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
>
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
>
>
> [login]
> krb4_convert = true
> krb4_get_tickets = true
>
>
> *winbind* (logs)
>
> [2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> Added domain CAR CAR.BE.TEST.COM.LOCAL S-0-0
> [2004/06/07 13:38:57, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
> krb5_cc_get_principal failed (No credentials cache found)
> [2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> Added domain BUILTIN S-1-5-32
> [2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> Added domain RANTANPLAN S-1-5-21-837388855-3362161430-1770541169
>
> I also found some traces in the log.smbd
>
> smbd version 3.0.4 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2004
> [2004/06/09 10:29:16, 0] lib/util_sock.c:get_peer_addr(978)
> getpeername failed. Error was Transport endpoint is not connected
> [2004/06/09 10:34:28, 0] smbd/server.c:main(757)
>
>
> All commands like kinit, net ads join, wbinfo -u (-g), getent etc. work.
> From the linux server, no problem to go to the shares of the domain
> controller (which is a windows 2003 server).
> Do I have to make the keytab for Kerberos by myself for each samba server,
> or does it create itself with the "net ads join" cmd?
>
> Any help would be welcome.
> Regards,
>
> Benoit
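A small cross-check of the two configuration files quoted above, added here as an example and not taken from either mail or from Samba: it compares the `realm` in smb.conf with `default_realm` in krb5.conf and reports MIT enctype relations that sit outside `[libdefaults]`, the only section MIT Kerberos reads them from. The two fragments are constructed from the posted configs and trimmed to the relevant lines; realm and host names are the ones from the thread.

```python
# Added example for this thread, not from the original mails or from Samba:
# cross-check the realm in smb.conf against krb5.conf and flag MIT enctype
# settings that ended up outside [libdefaults].  Both fragments are
# constructed from the posted configs, trimmed to the relevant lines.
import re
SMB_CONF = """\
[global]
   realm = CAR.BE.TEST.COM.LOCAL
"""
KRB5_CONF = """\
[libdefaults]
   default_realm = CAR.BE.TEST.COM
[realms]
   CAR.BE.TEST.COM = {
      kdc = car-pdc.car.be.test.com
   }
   default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
"""

def parse_sections(text):
    """{section: {key: value}}; keys inside a braced krb5.conf realm block
    are skipped so only each section's own top-level relations remain."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                          # blank or comment line
        head = re.match(r"\[(.+)\]$", line)
        if head and depth == 0:
            current = head.group(1).lower()
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1                        # entering REALM = { ... }
        elif line == "}":
            depth -= 1
        elif depth == 0 and current and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_configs(smb_text, krb5_text):
    smb, krb = parse_sections(smb_text), parse_sections(krb5_text)
    smb_realm = smb.get("global", {}).get("realm", "")
    krb_realm = krb.get("libdefaults", {}).get("default_realm", "")
    findings = []
    if smb_realm.upper() != krb_realm.upper():
        findings.append(f"realm mismatch: smb.conf={smb_realm} krb5.conf={krb_realm}")
    for section, keys in krb.items():
        for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
            if key in keys and section != "libdefaults":
                findings.append(f"{key} is under [{section}]; MIT reads it from [libdefaults]")
    return findings
```

Run against the posted fragments it reports both the realm mismatch and the misplaced `default_tgs_enctypes`; an empty list means the two files agree.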