[Samba] mystified by interaction between krb5.conf, smb.conf, and winbindd
Alan Munter
alan.munter at nist.gov
Fri Oct 10 19:58:33 GMT 2003

I am stumped here. I am a novice at using samba to do MS Active
Directory stuff, but I have read everything I could find in the HOWTO
collection and on the linux.samba cache of the list and am still stuck.

A bit of background... I have set up a Windows 2003 server as a domain
controller here and configured it to be the DNS for a fictitious domain
for internal use only. The domain functional level is Windows 2003. I
am calling the domain "windomain.nist.gov" and have set up the Win2003
server to do DNS and AD authentication for the "windomain" domain.

I have a Redhat 7.3 machine on my desk that I wanted to add to the AD
domain and do authentication to it using winbind. I uninstalled the
samba rpms supplied by redhat and installed the samba 3.0.0 binary rpm
compiled for redhat 7.3 by Gerald Carter. I also got the source for MIT
Kerberos5 1.3.1, compiled it with the prefix "/usr/kerberos" (since that
is where redhat installs the kerberos stuff) and just installed it on
top of the redhat supplied kerberos stuff since there were too many
dependencies to remove the redhat ones.

I was able to use kinit to get a kerberos ticket and then add my Linux
Samba machine to the AD domain. I modified smb.conf and krb5.conf and
started winbind and am able to use wbinfo to check some things, but not
others.

I cannot seem to get "wbinfo -u/wbinfo -g" and "wbinfo -t/wbinfo -a" to
work simultaneously unless I play a little trick with my krb5.conf
file.

Here is what happens:

/etc/init.d/smb start
/etc/init.d/winbind start
[root at desktop bin]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
Could not check secret
[root at bhd bin]# wbinfo -u
Administrator
Guest
SUPPORT_388945a0
krbtgt
amunter
IUSR_WINSERVER
IWAM_WINSERVER

so -u worked but -t failed. Then I go into krb5.conf and comment out
the kdc line like so:

[realms]
WINDOMAIN.NIST.GOV = {
    admin_server = winserver.windomain.nist.gov
    default_domain = WINDOMAIN.NIST.GOV
    #kdc = winserver.windomain.nist.gov
}

and now they both work. However when I then restart winbind with that
line commented out

/etc/init.d/winbind restart

now "wbinfo -t" still works to check the secret, but "wbinfo -u" does
not work to get the list of users.

Here are the relevant files:
-----------------
krb5.conf
-----------------
[libdefaults]
default_realm = WINDOMAIN.NIST.GOV
[realms]
WINDOMAIN.NIST.GOV = {
admin_server = winserver.windomain.nist.gov
default_domain = WINDOMAIN.NIST.GOV
kdc = winserver.windomain.nist.gov
}
[domain_realm]
.ncnr.nist.gov = WINDOMAIN.NIST.GOV
ncnr.nist.gov = WINDOMAIN.NIST.GOV
[logging]
kdc = CONSOLE
-------------------------
section of smb.conf
-------------------------
[global]
workgroup = WINDOMAIN
server string = Alan's Samba 3.0 Server
realm = WINDOMAIN.NIST.GOV
security = ADS
winbind separator = +
winbind use default domain = yes
idmap uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
client use spnego = yes
template homedir = /home/WINDOMAIN
template shell = /bin/bash
password server = WINSERVER
-------------------------

I only have one DNS server in resolv.conf and that is pointing to the
windows DC.

Any suggestions for what is going wrong or what other log files I should
look at to figure out what's up?

Thanks for any suggestions,
Alan
--
Alan E. Munter NIST Center for Neutron Research
Physical Scientist 100 Bureau Dr., Stop 8562
alan.munter at nist.gov Gaithersburg, MD 20899-8562
http://www.ncnr.nist.gov/ (301)975-6244
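
Added example, not part of the original post and not a Samba or MIT Kerberos tool: a small Python cross-check of the krb5.conf and smb.conf quoted above. It flags points to verify (matching realm, a kdc entry for that realm, a [domain_realm] entry covering the named servers) and does not diagnose the failure described; parse() and check() are hypothetical helper names, and the embedded files are constructed from the post with smb.conf trimmed.

```python
# Constructed input: the two files as quoted in the post (smb.conf trimmed).
KRB5_CONF = """[libdefaults]
default_realm = WINDOMAIN.NIST.GOV
[realms]
WINDOMAIN.NIST.GOV = {
admin_server = winserver.windomain.nist.gov
default_domain = WINDOMAIN.NIST.GOV
kdc = winserver.windomain.nist.gov
}
[domain_realm]
.ncnr.nist.gov = WINDOMAIN.NIST.GOV
ncnr.nist.gov = WINDOMAIN.NIST.GOV
"""
SMB_CONF = "[global]\nworkgroup = WINDOMAIN\nrealm = WINDOMAIN.NIST.GOV\nsecurity = ADS\n"

def parse(text):
    """Return {section: {key: [values]}}; a krb5 'REALM = {' block becomes 'realms/REALM'."""
    conf, section, sub = {}, "", None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank or commented out, e.g. '#kdc = ...'
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1].strip().lower(), None
        elif line == "}":
            sub = None
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if val == "{":
                sub = key
            else:
                name = f"{section}/{sub}" if sub else section
                conf.setdefault(name, {}).setdefault(key, []).append(val)
    return conf

def check(krb5_text, smb_text):
    """Cross-check the two files; return findings (hypothetical helper, not a Samba tool)."""
    krb, smb = parse(krb5_text), parse(smb_text).get("global", {})
    realm = smb.get("realm", [""])[0]
    block, found = krb.get(f"realms/{realm}", {}), []
    if krb.get("libdefaults", {}).get("default_realm", [""])[0] != realm:
        found.append(f"smb.conf realm {realm} is not krb5.conf default_realm")
    if not block.get("kdc"):
        found.append(f"no kdc listed for {realm}")
    maps = krb.get("domain_realm", {})
    hosts = {h.split(":")[0].lower() for k in ("kdc", "admin_server") for h in block.get(k, [])}
    for host in sorted(hosts):
        if not any(host == d or (d.startswith(".") and host.endswith(d)) for d in maps):
            found.append(f"domain_realm has no entry covering {host}")
    return found

if __name__ == "__main__":
    for finding in check(KRB5_CONF, SMB_CONF):
        print(finding)
```

Passing the krb5.conf text with the kdc line commented out, as in the post, adds the "no kdc listed" finding to the result.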