[Samba] ADS winbind/krb5 error

simone72 simone72 at email.it
Mon Feb 2 17:26:53 GMT 2004

Hi all. 
Pretty new in Linux side of the world. I'm trying to run Samba 3.x on Fedora-core-1 in an ADS environment, 
with krb5 authentication. Installed Samba 3.0.2rc2 from source, installed the required libraries for 
kerberos MIT, configured smb.conf and krb5.conf.  
Run net ads join -U administrator and it worked, i can see the machine account in the active directory. From 
my linux box I can smbclient -U user -L windows2kclient and I get the list of the shares, while if i do from 
my linuxbox smbclient -U adsuser -L localhost i get this error: 
[root at fbcsrvsmb01 root]# smbclient -U user -L 
session setup failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO. 
When I start winbind I get this error: 
[2004/02/02 17:51:58, 1] nsswitch/winbindd.c:main(843) 
  winbindd version 3.0.2rc2 started. 
  Copyright The Samba Team 2000-2004 
[2004/02/02 17:51:58, 1] nsswitch/winbindd_util.c:add_trusted_domain(166) 
  Added domain DOMAIN domain.com S-1-5-21-73586283-1897051121-1417001333 
[2004/02/02 17:51:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269) 
  krb5_cc_get_principal failed (No credentials cache found) 
[2004/02/02 17:51:58, 1] nsswitch/winbindd_ads.c:ads_cached_connection(65) 
  ads_connect for domain DOMAIN failed: Cannot read password 
[2004/02/02 17:51:58, 1] nsswitch/winbindd_util.c:init_domain_list(300) 
  Could not fetch sid for our domain DOMAIN 
[2004/02/02 17:51:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269) 
  krb5_cc_get_principal failed (No credentials cache found) 
[2004/02/02 17:51:58, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(516) 
  spnego_gen_negTokenTarg failed: No credentials cache found 
wbinfo -u and -g doesn't work (Error looking up domain users). 
Edited the nsswitch to include winbind, and tryied to use the win2kserver WINS server or to enable nmbd wins 
from smb.conf but no luck. To check krb functionality I did 
[root at fbcsrvsmb01 root]# kinit adsuser 
Password for adsuser at DOMAIN.COM: 
[root at fbcsrvsmb01 root]# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: adsuser at DOMAIN.COM 
Valid starting     Expires            Service principal 
02/02/04 18:05:16  02/03/04 04:05:20  krbtgt/DOMAIN.COM at DOMAIN.COM 
        renew until 02/03/04 18:05:16 
Kerberos 4 ticket cache: /tmp/tkt0 
klist: You have no tickets cached 
My config files: 
        workgroup = DOMAIN 
        realm = DOMAIN.COM 
        server string = Samba Server 
        security = ADS 
        auth methods = winbind 
        password server = 
        log file = /var/log/samba/log.%m 
        max log size = 100 
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 
        dns proxy = No 
        wins support = Yes 
        idmap uid = 10000-20000 
        idmap gid = 10000-20000 
        winbind separator = # 
        winbind use default domain = Yes 
        hosts allow = 192.168.100. 
 default = FILE:/var/log/krb5libs.log 
 kdc = FILE:/var/log/krb5kdc.log 
 admin_server = FILE:/var/log/kadmind.log 
 ticket_lifetime = 36000 
 default_realm = DOMAIN.COM 
 dns_lookup_realm = false 
 dns_lookup_kdc = false 
  kdc = 
  admin_server = 
 .domain.com = DOMAIN.COM 
 domain.com = DOMAIN.COM 
 profile = /var/kerberos/krb5kdc/kdc.conf 
 pam = { 
   debug = false 
   ticket_lifetime = 36000 
   renew_lifetime = 36000 
   forwardable = true 
   krb4_convert = false 
passwd:     files winbind 
shadow:     files winbind 
group:      files winbind 
hosts:      files dns 
bootparams: nisplus [NOTFOUND=return] files 
ethers:     files 
netmasks:   files 
networks:   files 
protocols:  files 
rpc:        files 
services:   files 
netgroup:   files 
publickey:  nisplus 
automount:  files 
aliases:    files nisplus 
I went through the samba howto and red a lot of posts and documents around, but still can't figure out 
what's wrong. As far as I can understand it looks like kerb is working (kinit) but still samba (winbind) is 
not able to use it for authentication.  
I would really really really appreciate if someone could point me in the right direction. 
Meanwhile......back to samba howto!! 

Email.it, the professional e-mail, gratis per te: http://www.email.it/f

Al Garden Center Peraga fioriscono nuove iniziative: ecco i Tour Day Peraga, per andare alla scoperta del Canavese! INFO 0125 665500
Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=1613&d=2-2

More information about the samba mailing list