[Samba] Help for the Kerberos challenged in the audience, config files

Edward W. Ray ewray at mmicman.com
Thu Apr 15 04:53:08 GMT 2004


Nsswitch.conf now reads:

  [root at ns2 root]# more /etc/nsswitch.conf

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files ldap winbind
shadow:     files ldap
group:      files ldap winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap

netgroup:   files ldap

publickey:  files

automount:  files ldap
aliases:    files 


However 


[2004/04/14 21:30:10, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password root at MMICMANHOMENET.LOCAL failed: ASN.1 failed
call to system time library
[root at ns2 root]# kinit root at MMICMANHOMENET.LOCAL
Password for root at MMICMANHOMENET.LOCAL: 
kinit(v5): ASN.1 failed call to system time library while getting initial
credentials
[root at ns2 root]# 
 

-----Original Message-----
From: Brett Stevens [mailto:brett.stevens at hubbub.com.au] 
Sent: Tuesday, April 13, 2004 7:57 PM
To: ewray at mmicman.com; samba at lists.samba.org
Subject: Re: [Samba] Help for the Kerberos challenged in the audience,config
files

Nsswitch set properly?
Check it and make sure there is a "passwd files winbind "and a "group files
winbind"
Also check that your time is synced correctly.


________________________________

From: "Edward W. Ray" <ewray at mmicman.com>
Organization: MMICMAN, LLC
Reply-To: <ewray at mmicman.com>
Date: Tue, 13 Apr 2004 19:27:14 -0700
To: "'Brett Stevens'" <brett.stevens at hubbub.com.au>, <samba at lists.samba.org>
Subject: RE: [Samba] Help for the Kerberos challenged in the audience,
config files

 The error has changed since the previous e-mail:

[root at ns2 root]# net ads join -U root

root password:
[2004/04/13 19:23:05, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password root at MMICMANHOMENET.LOCAL failed: ASN.1 failed
call to system time library
[root at ns2 root]#


Below is my smb.conf:

 
[root at ns2 root]# more /etc/samba/smb.conf # This is the main Samba
configuration file. You should read the # smb.conf(5) manual page in order
to understand the options listed # here. Samba has a huge number of
configurable options (perhaps too # many!) most of which are not shown in
this example # # Any line which starts with a ; (semi-colon) or a # (hash) #
is a comment and is ignored. In this example we will use a # # for commentry
and a ; for parts of the config file that you # may wish to enable # # NOTE:
Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors. 
#
#======================= Global Settings
=====================================
[global]
        dns proxy = no 
        log file = /var/log/samba/log.%m
        server string = mail
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        password server = 192.168.1.100 192.168.1.102
        winbind gid = 10000-20000
        workgroup = mmicmanhomenet
        username map = /etc/samba/user.map
        use spnego = yes
        ldap ssl = yes
        hosts allow = 192.168.1.
        encrypt passwords = yes
        realm = mmicmanhomenet.local
        security = ADS
        winbind uid = 10000-20000
        max log size = 50

[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   read only = yes
;   guest ok = yes
;   writable = no
;   share modes = no


# Un-comment the following to provide a specific roving profile share # the
default is to use the user's home directory ;[Profiles]
;    path = /home/profiles
;    browseable = no
;    guest ok = yes
 

# NOTE: If you have a BSD-style print system there is no need to #
specifically define each individual printer ; [printers]
;   comment = All Printers
;   path = /var/spool/samba
;   browseable = no
# Set public = yes to allow user 'guest account' to print
;   guest ok = no
;   writable = no
;   printable = yes
 
# This one is useful for people to share files ;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes
 
# A publicly accessible directory, but read only, except for people in # the
"staff" group ;[public]
;   comment = Public Stuff
;   path = /home/samba
;   public = yes
;   read only = yes
;   write list = @staff
 
# Other examples. 
#
# A private printer, usable only by fred. Spool data will be placed in
fred's # home directory. Note that fred must have write access to the spool
directory, # wherever it is.
;[fredsprn]
;   comment = Fred's Printer
;   valid users = fred
;   path = /homes/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes
 
# A private directory, usable only by fred. Note that fred requires write #
access to the directory.
;[fredsdir]
;   comment = Fred's Service
;   path = /usr/somewhere/private
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no
 
# a service which has a different directory for each machine that connects #
this allows you to tailor configurations to incoming machines. You could #
also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
;  comment = PC Directories
;  path = /usr/pc/%m
;  public = no
;  writable = yes
 
# A publicly accessible directory, read/write to all users. Note that all
files # created in the directory by users will be owned by the default user,
so # any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of
course # be specified, in which case all files would be owned by that user
instead.
;[public]
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no
 
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In
this # setup, the directory should be writable by both users and should have
the # sticky bit set on it to prevent abuse. Obviously this could be
extended to # as many users as required.
;[myshare]
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765
 

[root at ns2 root]# 
 
Below is my krb5.conf:

[root at ns2 root]# more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = MMICMANHOMENET.LOCAL
 
[realms]
 MMICMANHOMENET.LOCAL = {
  kdc = 192.168.1.100:88
 }
 
[domain_realm]
 .mmicmanhomenet.local = MMICMANHOMENET.LOCAL  mmicmanhomenet.local =
MMICMANHOMENET.LOCAL
 
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
[root at ns2 root]# 








More information about the samba mailing list