[Samba] Re: Trying to join a Solaris 8 box to Windows 2000 AD.

Andrew Bartlett abartlet at samba.org
Sun Nov 10 12:39:44 GMT 2002


On Sun, 2002-11-10 at 21:13, Clive.Elsum at csiro.au wrote:
> I am having major problems with SAMBA samba-3.0alpha20 in trying to connect
> to Windows 2000 AD. I have attached info if that helps.  Any help you can
> give me would be greatly appreciated.
> 
> Thanks in advance
> 
> Clive Elsum
> 
> I can get samba-3.0alpha20 working if I include reference to our NT PDC
> in the smb.conf file and do a net rpc join command.
> This joins our NT PDC domain which has a trust relationship with the
> Windows 2000 ADS.
> The "joined domain XXX" message appears and a wbinfo -m shows the
> Windows 2000 AD domain "YYYYY" as a trusted-domain.
> I can then login using domain/userid and everything works correctly.
> The working smb.conf relevant bits are
>         workgroup = xxx
>         security = server
>         encrypt passwords = yes
>         stat cache = false
>         winbind separator = /
>         winbind uid = 10000-30000
>         winbind gid = 10000-30000
>         winbind use default domain = true
>         winbind enum groups = yes
>         winbind enum users = yes
>         security = server
>         template shell = /bin/tcsh
> 
> 
> However with the imminent departure of the local NT PDC I will be forced
> to use the net ads join command which at present fails.

There isn't a 'forced' here - you should still be able to 'net rpc join'
a Win2k domain.  But that doesn't solve your real problem.

> The kinit command works correctly (password entered prompt returned)
> The klist command appears to do the right thing.
> Suggesting that kerberos is set up OK.
> 
> I have samba-3.0alpha20 version installed on Solaris 8. It was
> configured with
> ./configure  --with-ads --with-ldap --with-krb5=/usr/local/kerberos
> --with-pam --with-winbind
> 
> The include/config.h file shows
> #define HAVE_KRB5 1
> #define HAVE_GSSAPI 1
> #define WITH_ADS 1
> #define HAVE_LDAP_H 1
> 
> 
> I am using GCC Version 3.2;  Kerberos  krb5-1.2.6; LDAP openldap-2.1.8; on a
> Solaris 8 platform.
> 
> I have modified the Makefile so as to overcome errors in compiling e.g.
> passdb/pdb_ldap.c

What were they, btw?

> I then do a make install and copy relevant files with relevant links:
> cp pam_winbind.so /lib/security
> cp libnss_winbind.so /lib/nss_winbind.so
> 
> 
> Relevant bits from smb.conf:
>         workgroup = OUR
>         realm = OUR.2000AD.DOMAIN
>         security =  ADS
>         encrypt passwords = yes
>         stat cache = false
>         winbind separator = /
>         winbind uid = 10000-30000
>         winbind gid = 10000-30000
>         winbind use default domain = true
>         winbind enum groups = yes
>         winbind enum users = yes
>         ads server = <IP ADDRESS of ads server>
>         template shell = /bin/tcsh
> 
> WINBINDD adds the AD DOMAIN and relevant machines in lookup sequence but
> then aborts with:
> 
> convert_string: Required 1521, available 2048
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 25953 (3.0alpha20)
> Please read the file BUGS.txt in the distribution
> ===============================================================
> PANIC: internal error
> Abort (core dumped)

Any chance of recompiling --enable-krb5developer and getting us a gdb
backtrace?  See 'panic action' in the smb.conf

> Obviously the command net ads join also fails with:
> [2002/11/10 20:36:44, 0] libads/kerberos.c:ads_kinit_password(122)
>   kerberos_kinit_password user at OUR.2000AD.DOMAIN failed: Preauthentication failed
> [2002/11/10 20:36:44, 1] utils/net_ads.c:ads_startup(148)
>   ads_connect: Invalid credentials

Why is this 'obviously'?  Anyway, a backtrace of this would be good.

Anyway, if you can get that, and also try the latest 3.0 CVS
(pserver.samba.org), that will help us to chase it down.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net