FWD: Re: [Samba] "net ads join" hangs
Errol Neal
eneal at bnbtv.com
Sat Nov 30 01:15:13 GMT 2002
---------- Original Message ----------------------------------
From: "Errol Neal" <eneal at bnbtv.com>
Reply-To: <eneal at bnbtv.com>
Date: Fri, 29 Nov 2002 17:13:39 -0800
Hello,
In my further investigation, it seems that winbindd cannot locate my kerberos ticket. Or, at least this is what this log output from winbindd
>[2002/11/29 07:04:17, 1] nsswitch/winbindd_util.c:init_domain_list(220)
> Retrying startup domain sid fetch for JCNTV
>[2002/11/29 07:04:17, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
> krb5_cc_get_principal failed (No credentials cache found)
>[2002/11/29 07:04:17, 1] nsswitch/winbindd_ads.c:ads_cached_connection(72)
> ads_connect for domain JCNTV failed: NT_STATUS_LOGON_FAILURE
Am I correct? But I do have a kerberos ticket...
isaiah:/usr# /usr/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at JCNTV.PRIVATE
Valid starting Expires Service principal
11/29/02 17:11:59 11/30/02 03:11:45 krbtgt/JCNTV.PRIVATE at JCNTV.PRIVATE
Help would be appreciated...
Best Regards,
Errol U. Neal
---------- Original Message ----------------------------------
From: "Errol Neal" <eneal at bnbtv.com>
Reply-To: <eneal at bnbtv.com>
Date: Fri, 29 Nov 2002 07:21:23 -0800
>Hello,
>
>I am using samba-3.0alpha21 on a out of the box debian-3.0 box trying to join a native windows 2000 (active directory) domain. I have used alpha18,19,and 20 in the past with alot of success on red hat and linux from scratch systems with minimum challenges. However I cannot seem join the domain in this instance. I am using openldap 2.1.8 and mit kerberos 1.2.7. The result of "net ads join" using alpha19 is that the command hangs after scrolling about 5 pages of text. Alpha20 segfaults for a reason unapparent to me and alpha21 hangs, as alpha19 did but only after the first line. The funny thing is that "net ads status" shows that my system is a member of the domain, but in starting winbindd, winbindd reports this:
>
> winbindd version 3.0alpha21 started.
> Copyright The Samba Team 2000-2001
>[2002/11/29 07:04:07, 1] nsswitch/winbindd_util.c:add_trusted_domain(140)
> Added domain JCNTV
>[2002/11/29 07:04:07, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
> krb5_cc_get_principal failed (No credentials cache found)
>[2002/11/29 07:04:07, 1] nsswitch/winbindd_ads.c:ads_cached_connection(72)
> ads_connect for domain JCNTV failed: NT_STATUS_LOGON_FAILURE
>[2002/11/29 07:04:17, 1] nsswitch/winbindd_util.c:init_domain_list(220)
> Retrying startup domain sid fetch for JCNTV
>[2002/11/29 07:04:17, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
> krb5_cc_get_principal failed (No credentials cache found)
>[2002/11/29 07:04:17, 1] nsswitch/winbindd_ads.c:ads_cached_connection(72)
> ads_connect for domain JCNTV failed: NT_STATUS_LOGON_FAILURE
>
>I compiled samba like so..
>./configure --prefix=/usr/local/samba3 --with-pam
>
>Here is a copy of my smb.conf
>
># Samba config file created using SWAT
># from 127.0.0.1 (127.0.0.1)
># Date: 2002/09/20 13:46:38
>
># Global parameters
>[global]
> workgroup = JCNTV
> realm = JCNTV.PRIVATE
> ADS server = 192.168.0.2
> netbios name = ISAIAH
> interfaces = **.**.**.**
> bind interfaces only = Yes
> security = ADS
> wins server = 192.168.0.2
> encrypt passwords = yes
> host msdfs = Yes
> msdfs root = Yes
> winbind gid = 1000-65000
> winbind uid = 1000-65000
> winbind separator = +
>
>[docroot]
> path = /home/var/www
> follow symlinks = no
> browsable = yes
> force create mode = 0664
> force directory mode = 0755
>
>
>My krb5.conf ..
>
>
>[logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
>[libdefaults]
> ticket_lifetime = 24000
> #default_tags_enctypes = des-cbc-crc
> #default_tkt_enctypes = des-cbc-crc
> default_realm = JCNTV.PRIVATE
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
>[realms]
> JCNTV.PRIVATE = {
> kdc = server2.jcntv.private:88
> default_domain = jcntv.private
> }
>
>[domain_realm]
> .jcntv.private = JCNTV.PRIVATE
> jcntv.private = JCNTV.PRIVATE
>
>[kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
>[pam]
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
>
>
>and finally, my ldap.conf..
>
># Your LDAP server. Must be resolvable without using LDAP.
>host 192.168.0.2
>
># The distinguished name of the search base.
>base dc=jcntv,dc=private
>
># The LDAP version to use (defaults to 3
># if supported by client library)
>ldap_version 3
>
># Use SSL
># ssl yes
>
># The distinguished name to bind to the server with.
># Optional: default is to bind anonymously.
>binddn cn=Administrator,cn=Users,dc=jcntv,dc=private
>bindpw JxZ#!@//
>#URI ldaps://192.168.0.2:636
># The credentials to bind with.
># Optional: default is no credential.
>
># The port.
>#port 636
>port 389
>
># The search scope.
>scope sub
>
>nss_base_passwd cn=Users,DC=jcntv,DC=private?one
>nss_base_shadow cn=Users,DC=jcntv,DC=private?one
>nss_base_group cn=Group,DC=jcntv,DC=private?one
>
>nss_map_objectclass posixAccount User
>nss_map_attribute uid sAMAccountName
>nss_map_attribute homeDirectory msSFUHomeDirectory
>nss_map_objectclass posixGroup Group
>nss_map_attribute cn msSFUName
>nss_map_attribute userPassword msSFUPassword
>nss_map_attribute uniqueMember Member
>
>pam_filter objectclass=user
>pam_login_attribute sAMAccountName
>pam_password ad
>
>
>Any help would be greatly appreciated. I don't know if this behavior is related to the version of glibc installed on the machine or what. But again, any help would be appreciated.
>
>
>Best Regards,
>
>Errol U. Neal
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: http://lists.samba.org/mailman/listinfo/samba
>
More information about the samba
mailing list