[Samba] Authentication in Windows ADS 2003

Benoit Moeremans benoit.moeremans at nectarine.be
Tue Jun 8 13:42:08 GMT 2004


Hello,

I installed Samba 3 + Kerberos + winbind to make the Debian server join
the Active Directory service.

Everything seems to be OK, except the authentication. If I try to go to
the share of the Linux server, it asks me for the password. And of course, no
way to log in. B

Here is the config:

*samba*

[global]


   workgroup = TEST
   realm = CARDS.BE.TEST.COM.LOCAL
   server string = %h server (Samba %v)
;  wins support = no
;  wins server = w.x.y.z
   dns proxy = no
;  name resolve order = lmhosts host wins bcast
   use spnego = yes
   log file = /var/log/samba/log.%m
   max log size = 1000
;  syslog only = no
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

# separate domain and username with '+', like DOMAIN+username
winbind separator = +
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes

   security = ADS
   encrypt passwords = yes
   passdb backend = tdbsam guest
   obey pam restrictions = yes
   password server = zscards-pdc
   netbios name = rantanplan
;  guest account = nobody
   invalid users = root
;  unix password sync = no
;  passwd program = /usr/bin/passwd %u
#   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
;  pam password change = no
;  load printers = yes
;  preserve case = yes
;  short preserve case = yes
;  include = /home/samba/etc/smb.conf.%m
#         SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY
;  message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

;  domain master = auto
   idmap uid = 10000-20000
   idmap gid = 10000-20000
;   template shell = /bin/bash
[admin]
    comment = Administration Directory
    path = /home/benoit
    admin users =  bmo
    browseable = yes
    public = no
    writable = yes
    guest only = no
    valid users = bmo

*kerberos*
[libdefaults]
        default_realm = CAR.BE.TESTCOM

[realms]
CAR.BE.TEST.COM = {
kdc = car-pdc.cards.be.test.com
default_domain = car.be.test.com
}
#[domain_realms]
#.kerberos.server=CAR.BE.TEST.COM

# The following krb5.conf variables are only for MIT Kerberos.
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true


v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }


[login]
        krb4_convert = true
        krb4_get_tickets = true


*winbind* (logs)

[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain CAR CAR.BE.TEST.COM.LOCAL S-0-0
[2004/06/07 13:38:57, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain BUILTIN  S-1-5-32
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain RANTANPLAN  S-1-5-21-837388855-3362161430-1770541169






All commands like kinit, net ads join, wbinfo -u (-g), getent etc. work.
From the Linux server, no problem to go to the shares of the domain
controller (which is a Windows 2003 server).

Any help would be helpful

Regards,

Benoit
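
An added example, not part of the original post: with `security = ADS`, the `realm` in smb.conf is expected to match the Kerberos realm in krb5.conf, and this sketch compares the two files and lists where they differ. The function names `parse` and `realm_findings` are hypothetical, and the embedded excerpts are constructed from the realm values shown in the post.

```python
import re

# Constructed excerpts carrying the realm values from the post above.
SMB_CONF = """[global]
   realm = CARDS.BE.TEST.COM.LOCAL
   security = ADS
"""
KRB5_CONF = """[libdefaults]
        default_realm = CAR.BE.TESTCOM
[realms]
CAR.BE.TEST.COM = {
kdc = car-pdc.cards.be.test.com
}
"""

def parse(text):
    """Map section -> {key: value} for top-level 'key = value' lines."""
    out, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                       # blank line or comment
        head = re.fullmatch(r"\[([^\]]+)\]", line)
        if head and depth == 0:
            section = head.group(1).strip().lower()
            out.setdefault(section, {})
        elif section and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[section][key] = value      # a realm block stores "{" as value
        depth += line.count("{") - line.count("}")
    return out

def realm_findings(smb_text, krb_text):
    """Report where Samba's realm and the Kerberos realm settings disagree."""
    smb = {k.lower(): v for k, v in parse(smb_text).get("global", {}).items()}
    krb = parse(krb_text)
    default = krb.get("libdefaults", {}).get("default_realm")
    realms = set(krb.get("realms", {}))
    findings = []
    if smb.get("security", "").lower() == "ads":
        realm = smb.get("realm")
        if realm != default:
            findings.append(f"smb.conf realm {realm} != default_realm {default}")
        if realm not in realms:
            findings.append(f"smb.conf realm {realm} not defined in [realms]")
    if default and default not in realms:
        findings.append(f"default_realm {default} not defined in [realms]")
    return findings
```

The output is a list of differences to review; a realm missing from `[realms]` can still resolve when the KDC is located through DNS.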



