[Samba] Help for the Kerberos challenged in the audience, config files
Edward W. Ray
ewray at mmicman.com
Thu Apr 15 04:53:08 GMT 2004
Nsswitch.conf now reads:
[root at ns2 root]# more /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap winbind
shadow: files ldap
group: files ldap winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: files
automount: files ldap
aliases: files
However:
[2004/04/14 21:30:10, 0] libads/kerberos.c:ads_kinit_password(133)
kerberos_kinit_password root at MMICMANHOMENET.LOCAL failed: ASN.1 failed call to system time library
[root at ns2 root]# kinit root at MMICMANHOMENET.LOCAL
Password for root at MMICMANHOMENET.LOCAL:
kinit(v5): ASN.1 failed call to system time library while getting initial credentials
[root at ns2 root]#
-----Original Message-----
From: Brett Stevens [mailto:brett.stevens at hubbub.com.au]
Sent: Tuesday, April 13, 2004 7:57 PM
To: ewray at mmicman.com; samba at lists.samba.org
Subject: Re: [Samba] Help for the Kerberos challenged in the audience, config files
Nsswitch set properly?
Check it and make sure there is a "passwd files winbind "and a "group files
winbind"
Also check that your time is synced correctly.
________________________________
From: "Edward W. Ray" <ewray at mmicman.com>
Organization: MMICMAN, LLC
Reply-To: <ewray at mmicman.com>
Date: Tue, 13 Apr 2004 19:27:14 -0700
To: "'Brett Stevens'" <brett.stevens at hubbub.com.au>, <samba at lists.samba.org>
Subject: RE: [Samba] Help for the Kerberos challenged in the audience, config files
The error has changed since the previous e-mail:
[root at ns2 root]# net ads join -U root
root password:
[2004/04/13 19:23:05, 0] libads/kerberos.c:ads_kinit_password(133)
kerberos_kinit_password root at MMICMANHOMENET.LOCAL failed: ASN.1 failed call to system time library
[root at ns2 root]#
Below is my smb.conf:
[root at ns2 root]# more /etc/samba/smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
dns proxy = no
log file = /var/log/samba/log.%m
server string = mail
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
password server = 192.168.1.100 192.168.1.102
winbind gid = 10000-20000
workgroup = mmicmanhomenet
username map = /etc/samba/user.map
use spnego = yes
ldap ssl = yes
hosts allow = 192.168.1.
encrypt passwords = yes
realm = mmicmanhomenet.local
security = ADS
winbind uid = 10000-20000
max log size = 50
[netlogon]
comment = Network Logon Service
path = /home/netlogon
read only = yes
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /home/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
;[printers]
; comment = All Printers
; path = /var/spool/samba
; browseable = no
# Set public = yes to allow user 'guest account' to print
; guest ok = no
; writable = no
; printable = yes
# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; read only = yes
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool
# directory, wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user
# instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be
# extended to as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
[root at ns2 root]#
Below is my krb5.conf:
[root at ns2 root]# more /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MMICMANHOMENET.LOCAL
[realms]
MMICMANHOMENET.LOCAL = {
kdc = 192.168.1.100:88
}
[domain_realm]
.mmicmanhomenet.local = MMICMANHOMENET.LOCAL
mmicmanhomenet.local = MMICMANHOMENET.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[root at ns2 root]#
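As an added illustration (not code from the thread or from Samba), a small Python checker that parses the nsswitch.conf, krb5.conf and smb.conf settings posted above, reconstructed inline from the thread, and reports the static mismatches that block a net ads join: winbind missing from the passwd or group lines as Brett asked about, a lower-case default_realm, or an smb.conf realm or domain_realm mapping that disagrees with the Kerberos default realm.

```python
import re
# Constructed inputs, trimmed from the files posted in the thread.
NSSWITCH = "passwd: files ldap winbind\nshadow: files ldap\ngroup: files ldap winbind\n"
KRB5_CONF = """[libdefaults]
default_realm = MMICMANHOMENET.LOCAL
[realms]
MMICMANHOMENET.LOCAL = {
kdc = 192.168.1.100:88
}
[domain_realm]
.mmicmanhomenet.local = MMICMANHOMENET.LOCAL
mmicmanhomenet.local = MMICMANHOMENET.LOCAL
"""
SMB_CONF = "[global]\nworkgroup = mmicmanhomenet\nrealm = mmicmanhomenet.local\nsecurity = ADS\n"

def nss_sources(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    pairs = (ln.split("#", 1)[0].split(":", 1) for ln in text.splitlines())
    return {db.strip(): srcs.split() for db, srcs in (p for p in pairs if len(p) == 2)}

def ini_values(text, section):
    """Top-level key = value pairs under [section]; nested { } blocks are skipped."""
    vals, cur, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if re.fullmatch(r"\[\w+\]", line):
            cur = line[1:-1]
        elif cur != section or not line:
            continue
        elif line.endswith("{") or line == "}":
            depth += 1 if line.endswith("{") else -1
        elif depth == 0 and "=" in line:
            k, v = line.split("=", 1)
            vals[k.strip()] = v.strip()
    return vals

def check_ads_prereqs(nsswitch, krb5, smb):
    """Return findings; an empty list means the static prerequisites are consistent."""
    findings = []
    nss = nss_sources(nsswitch)
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch: {db} lacks winbind")
    realm = ini_values(krb5, "libdefaults").get("default_realm", "")
    if realm != realm.upper():
        findings.append("krb5.conf: default_realm should be upper case")
    if ini_values(smb, "global").get("realm", "").upper() != realm:
        findings.append("smb.conf: realm does not match krb5 default_realm")
    for dom, mapped in ini_values(krb5, "domain_realm").items():
        if mapped != realm:
            findings.append(f"krb5.conf: {dom} maps to {mapped}, not {realm}")
    return findings
```

Time synchronisation with the KDC, the other item Brett raised, is a runtime condition that no static check of these files can confirm.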