[Samba] authentication in ads2003

Benoit Moeremans benoit.moeremans at nectarine.be
Wed Jun 9 13:20:16 GMT 2004


Hello,
*This message was already sent yesterday on this list, but I found some
faults in the mail.*

**If anyone can help me... the only thing I'm thinking of now is to throw away
the servers**


I installed Samba 3.0.4 + Kerberos 5 + winbind to make the Debian woody
server join the Active Directory service.

Everything seems to be OK, except the authentication. If I try to go to
the share of the Linux server from a Windows box, it asks me for the password.
And of course, there is no way to log in.

Here is the config:

*nsswitch.conf*

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis




*samba*

[global]


   workgroup = TEST
   realm = CAR.BE.TEST.COM.LOCAL
   server string = %h server (Samba %v)
;  wins support = no
;  wins server = w.x.y.z
   dns proxy = no
;  name resolve order = lmhosts host wins bcast
   use spnego = yes
   log file = /var/log/samba/log.%m
   max log size = 1000
;  syslog only = no
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

# separate domain and username with '+', like DOMAIN+username
winbind separator = +
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes

   security = ADS
   encrypt passwords = yes
   passdb backend = tdbsam guest
   obey pam restrictions = yes
   password server = car-pdc
   netbios name = rantanplan
;  guest account = nobody
   invalid users = root
;  unix password sync = no
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
;  pam password change = no
;  load printers = yes
;  preserve case = yes
;  short preserve case = yes
;  include = /home/samba/etc/smb.conf.%m
#         SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY
;  message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

;  domain master = auto
   idmap uid = 10000-20000
   idmap gid = 10000-20000
;   template shell = /bin/bash
[admin]
    comment = Administration Directory
    path = /home/benoit
    admin users =  TEST+bmo
    browseable = yes
    public = no
    writable = yes
    guest only = no
    valid users = TEST+bmo

*kerberos*
[libdefaults]
        default_realm = CAR.BE.TEST.COM

[realms]
CAR.BE.TEST.COM = {
kdc = car-pdc.car.be.test.com
default_domain = car.be.test.com
}
#[domain_realms]
#.kerberos.server=CAR.BE.TEST.COM

# The following krb5.conf variables are only for MIT Kerberos.
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true


v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }


[login]
        krb4_convert = true
        krb4_get_tickets = true


*winbind* (logs)

[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain CAR CAR.BE.TEST.COM.LOCAL S-0-0
[2004/06/07 13:38:57, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain BUILTIN  S-1-5-32
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain RANTANPLAN  S-1-5-21-837388855-3362161430-1770541169

I also found some traces in log.smbd:

  smbd version 3.0.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004
[2004/06/09 10:29:16, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Transport endpoint is not connected
[2004/06/09 10:34:28, 0] smbd/server.c:main(757)


All commands like kinit, net ads join, wbinfo -u (-g), getent etc. work.
From the Linux server, there is no problem going to the shares of the domain
controller (which is a Windows 2003 server).
Do I have to make the Kerberos keytab myself for each Samba server,
or is it created by the "net ads join" command?

Any help would be welcome.
Regards,

Benoit
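Samba's `realm` parameter must name the same Kerberos realm that krb5.conf describes, and single-DES enctypes are long broken. Below is an added example (not the poster's code, and not Samba's own tooling) that parses both files and reports disagreements and weak enctypes; the sample inputs are constructed from the values quoted in the post above.

```python
# Sample inputs constructed from the values quoted in the post (not the poster's real files).
SMB_CONF = """[global]
   realm = CAR.BE.TEST.COM.LOCAL
   security = ADS
"""
KRB5_CONF = """[libdefaults]
        default_realm = CAR.BE.TEST.COM
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
[realms]
CAR.BE.TEST.COM = {
kdc = car-pdc.car.be.test.com
}
"""
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}  # single DES

def parse(text):
    """section -> {key: value}; ';'/'#' start comments, a 'NAME = {' line records NAME."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#}":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            conf.setdefault(section, {})
        elif section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key.lower()] = value
    return conf

def check(smb_text, krb5_text):
    """Return findings; an empty list means the files agree and no weak enctypes are allowed."""
    smb = parse(smb_text).get("global", {})
    krb5 = parse(krb5_text)
    defaults = krb5.get("libdefaults", {})
    # Realm block headers are stored with the literal value "{" by parse().
    realms = {k.upper() for k, v in krb5.get("realms", {}).items() if v == "{"}
    realm = smb.get("realm", "").upper()
    default_realm = defaults.get("default_realm", "").upper()
    findings = []
    if realm != default_realm:
        findings.append(f"realm mismatch: smb.conf {realm} vs krb5.conf default_realm {default_realm}")
    if realm not in realms:
        findings.append(f"no [realms] entry for {realm} in krb5.conf")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = sorted(set(defaults.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{key} allows single-DES enctypes: {' '.join(weak)}")
    return findings

FINDINGS = check(SMB_CONF, KRB5_CONF)  # three findings for the configuration quoted in the post
```

On the post's values the realm in smb.conf (CAR.BE.TEST.COM.LOCAL) does not match krb5.conf (CAR.BE.TEST.COM), so the check reports both realm findings plus the DES enctypes.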