[Samba] Samba meet Kerberos on a debian woody
Marco F. Cavaliere
marco.cavaliere at ulixe.com
Mon Apr 19 21:53:38 GMT 2004
I've just set up the Samba box on my Debian server (woody) with the standard
Debian packages provided by
http://us1.samba.org/samba/ftp/Binary_Packages/Debian/samba3/, which I know as
a standard Samba package repository.
The other libs are the standard woody Kerberos library (not the Heimdal
one).
At this point the things that work are:
I can join the domain,
I can see with getent all the users and groups from my "active directory
server" (so winbind seems to work!)
I can use all the net commands
I can see any machine in my Windows network.
The thing that I can do is to enter with the machine name (
\\sambabox\share\ ); of course if I use the IP I can get in, but as I
read here, that is because with the IP no check is done.
I've checked my Samba log, and the error that I see is:
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!
[2004/04/19 23:37:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket!
I don't know if this is an error related to my Kerberos library. I also tried
(I'm going crazy) to install the kerberos-heimdal library, but with that
library the winbind daemon doesn't work....
I paste my configuration files ... PLEASE PLEASE PLEASE ..... HELP ME!!!!!
---- smb.conf
[global]
workgroup = ULIXE
realm = ULIXE.TO
server string = %h server (Samba %v)
security = ADS
#ads server = 10.0.0.222
update encrypted = Yes
encrypt passwords = Yes
obey pam restrictions = no
password server = nexus.ulixe.to
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = Yes
wins server = 10.0.0.222
# ldap ssl = no
# WINBIND OPTIONS
winbind separator = -
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
template shell = /bin/bash
hostname lookups = Yes
[printers]
comment = All Printers
path = /tmp
create mask = 0700
printable = Yes
browseable = No
[ftp]
path = /var/ftp
read only = No
guest ok = Yes
[backup]
comment = Directory di Backup
path = /mnt/backup
guest ok = No
read only = Yes
---- kerberos.conf
[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log
[libdefaults]
ticket_lifetime = 24000
default_realm = ULIXE.TO
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
permitted_enctypes = des-cbc-md5 des-cbc-crc
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
#default_tgs_enctypes = des-cbc-crc des-cbc-md5
#default_tkt_enctypes = des-cbc-crc des-cbc-md5
kdc_req_checksum_type = 2
forwardable = true
proxiable = true
ccache_type = 1
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
ULIXE.TO = {
kdc = nexus.ulixe.to
default_domain = ulixe.to
}
[domain_realm]
.ulixe.to = ULIXE.TO
ulixe.to = ULIXE.TO
[kdc]
#profile = /etc/krb5kdc/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
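
Added example, not part of the original post: a small Python check that reads the [libdefaults] section of a krb5.conf like the one pasted above and reports the enctype settings that allow nothing but single-DES types, so they can be compared with the encryption types the domain controller issues tickets with. POSTED is copied from the post; MIXED and the function names are constructed for illustration.

```python
import re

# Single-DES enctype names, plus MIT's "des" family alias.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")

# [libdefaults] and [realms] lines copied from the krb5.conf in the post.
POSTED = """\
[libdefaults]
default_realm = ULIXE.TO
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
permitted_enctypes = des-cbc-md5 des-cbc-crc
#default_tgs_enctypes = des-cbc-crc des-cbc-md5
[realms]
ULIXE.TO = {
kdc = nexus.ulixe.to
}
"""
# Constructed comparison input, not from the post.
MIXED = "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96, rc4-hmac des-cbc-md5\n"

def libdefaults(text):
    """Return {key: value} for the [libdefaults] section of a krb5.conf."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def des_only_settings(text):
    """Return enctype settings whose list holds nothing but single DES."""
    flagged = {}
    for key, value in libdefaults(text).items():
        names = [n.lower() for n in re.split(r"[\s,]+", value) if n]
        if key in ENCTYPE_KEYS and names and all(n in SINGLE_DES for n in names):
            flagged[key] = names
    return flagged

if __name__ == "__main__":
    for key, names in des_only_settings(POSTED).items():
        print(f"{key}: only single-DES enctypes allowed: {' '.join(names)}")
```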