[Samba] authentification in ads2003
Benoit Moeremans
benoit.moeremans at nectarine.be
Wed Jun 9 13:20:16 GMT 2004
Hello,
*This message was already sent yesterday on this mailing list, but I found some
faults in the mail.*
**If anyone can help me... the only thing I'm thinking now is to throw away
the servers**
I installed Samba 3.0.4 + Kerberos 5 + winbind to make the Debian woody
server join the Active Directory service.
Everything seems to be OK, except the authentication. If I try to go to
the share of the Linux server from a Windows box, it asks me for the password.
And of course, no way to log in.
Here is the config:
*nsswitch.conf*
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
*samba*
[global]
workgroup = TEST
realm = CAR.BE.TEST.COM.LOCAL
server string = %h server (Samba %v)
; wins support = no
; wins server = w.x.y.z
dns proxy = no
; name resolve order = lmhosts host wins bcast
use spnego = yes
log file = /var/log/samba/log.%m
max log size = 1000
; syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
# separate domain and username with '+', like DOMAIN+username
winbind separator = +
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
security = ADS
encrypt passwords = yes
passdb backend = tdbsam guest
obey pam restrictions = yes
password server = car-pdc
netbios name = rantanplan
; guest account = nobody
invalid users = root
; unix password sync = no
; passwd program = /usr/bin/passwd %u
# passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
; pam password change = no
; load printers = yes
; preserve case = yes
; short preserve case = yes
; include = /home/samba/etc/smb.conf.%m
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
; domain master = auto
idmap uid = 10000-20000
idmap gid = 10000-20000
; template shell = /bin/bash
[admin]
comment = Administration Directory
path = /home/benoit
admin users = TEST+bmo
browseable = yes
public = no
writable = yes
guest only = no
valid users = TEST+bmo
*kerberos*
[libdefaults]
default_realm = CAR.BE.TEST.COM
[realms]
CAR.BE.TEST.COM = {
kdc = car-pdc.car.be.test.com
default_domain = car.be.test.com
}
#[domain_realms]
#.kerberos.server=CAR.BE.TEST.COM
# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
[login]
krb4_convert = true
krb4_get_tickets = true
*winbind* (logs)
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain CAR CAR.BE.TEST.COM.LOCAL S-0-0
[2004/06/07 13:38:57, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
krb5_cc_get_principal failed (No credentials cache found)
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain BUILTIN S-1-5-32
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain RANTANPLAN S-1-5-21-837388855-3362161430-1770541169
I also found some traces in the log.smbd
smbd version 3.0.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
[2004/06/09 10:29:16, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/06/09 10:34:28, 0] smbd/server.c:main(757)
All commands like kinit, net ads join, wbinfo -u (-g), getent etc. work.
From the Linux server, no problem to go to the shares of the domain
controller (which is a Windows 2003 server).
Do I have to make the keytab for Kerberos by myself for each Samba server,
or does it create itself with the "net ads join" cmd?
Any help would be welcome.
Regards,
Benoit
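An added example, not part of the original post: a small consistency check over the smb.conf and krb5.conf settings quoted above. It reports where the realm named in the two files disagrees and where an smb.conf parameter is set twice. The embedded excerpts are constructed from values in the post, and the function names are hypothetical.

```python
import re

# Added example: excerpts constructed from values quoted in the post
# (not the full files); helper names are hypothetical.
SMB_CONF = """[global]
realm = CAR.BE.TEST.COM.LOCAL
idmap uid = 10000-20000
password server = car-pdc
idmap uid = 10000-20000
"""
KRB5_CONF = """[libdefaults]
default_realm = CAR.BE.TEST.COM
[realms]
CAR.BE.TEST.COM = {
kdc = car-pdc.car.be.test.com
}
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            key = re.sub(r"\s+", "", key).lower()
            sections[current].append((key, value.strip()))
    return sections

def check_realms(smb_text, krb_text):
    smb = parse_sections(smb_text).get("global", [])
    krb = parse_sections(krb_text)
    findings = []
    realm = dict(smb).get("realm", "").upper()
    default = dict(krb.get("libdefaults", [])).get("default_realm", "").upper()
    if realm != default:
        findings.append(f"realm mismatch: smb.conf={realm} krb5.conf={default}")
    known = {k.upper() for k, v in krb.get("realms", []) if v == "{"}
    if realm not in known:
        findings.append(f"no [realms] entry for {realm}")
    keys = [k for k, _ in smb]
    for k in sorted({k for k in keys if keys.count(k) > 1}):
        findings.append(f"duplicate smb.conf parameter: {k}")
    return findings
```

Calling `check_realms(SMB_CONF, KRB5_CONF)` returns a list of findings to review; an empty list means the checked settings agree.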