[Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Jochen Schmidt
jochen.schmidt at millenux.com
Fri Oct 31 11:58:40 GMT 2003
Hi Christoph
On 31 Oct 2003, Andrew Bartlett wrote:
> On Fri, 2003-10-31 at 21:41, christoph.beyer at desy.de wrote:
> > Hi Jochen et al,
> >
> > that worked fine, though if I get it right everyone can now read the
> > active directory structure (?)
>
> No, you still need to authenticate, but nothing stops an attacker from
> 'stealing' the TCP/IP connection, if they control the network.
If you want to see what *everybody* can see, try ldapsearch -x -b "dc=MYDOMAIN,dc=DE" -h adscontroller -p 389 on a UNIX box.
> > Connecting to the samba machine results still in errors, but that may be
> > something stupid on my behalf too...
> >
> > thanks for helping
> > ~christoph
> >
> >
> > connect_to_domain_password_server: unable to setup the NETLOGON
> > credentials to machine ADC1. Error was : NT_STATUS_UNSUCCESSFUL.
>
> You will need to turn up the debug level - it will probably be something
> simple...
I've attached my own configuration, which I use on an ADS domain member. The
winbind stuff comes from another LDAP server and has no relation to the
ADS LDAP. If you don't use winbind, you won't need the winbind section.
You should first do "kinit Administrator@REALM" and then "net ads join".
Greetings
Jochen
--
--------------------------------------------------------------------
Jochen Schmidt jochen.schmidt at millenux.com
Mi||enux GmbH mobile: +49.175.5752483
Lilienthalstraße 2 phone: +49.711.88770.300
70825 Stuttgart-Korntal fax: +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
PGP Fingerprint: 6F9A 85CE 78EA 7EF1 B2BA 3559 8FA1 2B13 098D 20B5
############################################################################
# smb.conf
############################################################################
#
# Samba ADS member configuration
#
#
# (C) 2003 Thinking Objects Software GmbH
# Lilienthalstrasse 2/1
# 70825 Stuttgart-Korntal
# DE
# Web : http://www.to.com/
# Email : info@to.com
# Phone : +49.711.88770.400
# Fax : +49.711.88770.449
# Hotline: +49.711.88770.444 hotline@to.com
#
# Author: Jochen Schmidt
# $Id: smb.conf,v 1.3 2003/10/16 15:54:38 root Exp $
#
# Global parameters
[global]
    # General
    workgroup = TOPALIS-GROUP
    # Kerberos realm of the AD domain (upper case)
    realm = TOPALIS-GROUP.TO.COM
    netbios name = saaac000
    server string = Thinking Primary Domain Server
    comment = by Thinking Objects Hotline
    # "debuglevel" is a synonym for "log level"; the original file set both
    # (debuglevel = 3, then log level = 1) and the later one wins, so the
    # level is set only once, below
    unix charset = "CP850"
    load printers = no
    disable spoolss = no
    # Paths/Interfaces
    lock directory = /var/cache/samba/saaac000
    pid directory = /var/cache/samba/saaac000
    private dir = /var/cache/samba/saaac000/private
    log file = /var/log/samba/%m.c000
    # raise this while chasing NETLOGON/join errors
    log level = 1
    bind interfaces only = yes
    interfaces = 3.8.8.107/255.255.255.0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    wins support = No
    name resolve order = host lmhosts
    # Winbind (idmap table lives on a separate LDAP server, not in AD)
    idmap backend = ldap:ldap://3.8.8.103/
    idmap uid = 40000-50000
    idmap gid = 40000-50000
    ldap idmap suffix = ou=idmap,o=topalis-group
    ldap admin dn = cn=admin,o=topalis-group
    winbind use default domain = no
    # Security: authenticate against AD via Kerberos/SPNEGO
    security = ADS
    use spnego = Yes
    client signing = Yes
    client use spnego = Yes
    encrypt passwords = Yes
    guest account = nobody
    # Domain stuff: this host is a member server, not a domain controller
    domain master = no
    domain logons = no
    preferred master = no
# EOF
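Since the attached configuration sets both debuglevel and its synonym log level, here is a small added check (my own example, not part of the thread or of Samba) that parses an smb.conf [global] section, resolves that synonym, and flags duplicated or ADS-unfriendly settings; the synonym table and the sample excerpt are assumptions constructed for this example.

```python
import re

# Samba treats these names as synonyms of "log level"; the last occurrence
# in [global] wins (assumption based on Samba's documented behaviour).
SYNONYMS = {"debuglevel": "log level", "debug level": "log level"}

# Constructed excerpt of the posted smb.conf, keeping the conflicting pair.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = TOPALIS-GROUP
    realm = TOPALIS-GROUP.TO.COM
    debuglevel = 3
    log level = 1
    security = ADS
    client signing = Yes
    encrypt passwords = Yes
"""

def parse_smb_conf(text):
    """Return {section: {canonical key: [every value seen, in order]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # smb.conf comment lines
            continue
        if line[0] == "[" and line[-1] == "]":  # section header
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = re.sub(r"\s+", " ", key.lower())  # normalise spacing/case
        key = SYNONYMS.get(key, key)            # fold synonyms together
        sections[current].setdefault(key, []).append(value)
    return sections

def lint_ads_member(conf):
    """Flag settings that break or weaken an ADS domain member join."""
    g = conf.get("global", {})
    last = {k: v[-1] for k, v in g.items()}     # effective value per key
    problems = [f"'{k}' set {len(v)} times; last value '{v[-1]}' wins"
                for k, v in g.items() if len(v) > 1]
    if last.get("security", "").lower() == "ads":
        if "realm" not in last:
            problems.append("security = ADS requires 'realm'")
        if last.get("encrypt passwords", "yes").lower() in ("no", "false", "0"):
            problems.append("ADS join needs encrypt passwords = yes")
        if last.get("client signing", "auto").lower() in ("no", "false", "0"):
            problems.append("client signing = no leaves SMB sessions unsigned")
    return problems
```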