[Samba] Re: samba,ldap and kerberos
aarumuga arumugam
eccsamba at yahoo.com
Fri Mar 19 14:17:10 GMT 2004
Hi,
In the configuration file which has been posted, the password server is mentioned as kerbere.eng.utoledo.edu. It is an old configuration file. In the new one the server name is changed to kerby.eng.utoledo.edu; otherwise everything remains the same. We don't use ADS, but we need Samba and LDAP to be authenticated with Kerberos. Any suggestions appreciated.
Thanx in advance
aarumugam
aarumuga arumugam <eccsamba at yahoo.com> wrote:
Hi Everybody,
We are integrating Samba, Kerberos and LDAP:
samba-3.0.2a
Sun Kerberos
Sun LDAP
All three servers are on three different Solaris machines.
We were able to successfully integrate Samba and LDAP, and it works fine. When trying to bring in Kerberos support, we changed the Samba configuration file as follows:
interfaces = 131.183.20.96
bind interfaces only = true
workgroup = SAMBA_200X
server string = ECC Samba3.02a Secure Server
# adding kerberos security ADS
security = ADS
realm = ENG.UTOLEDO.EDU
password server = kerbere.eng.utoledo.edu
# ldap parameters
ldap admin dn = "cn=mgradmin"
ldap ssl = no
passdb backend = ldapsam:ldaps://sunldap.eng.utoledo.edu:389
ldap suffix = dc=eng,dc=utoledo,dc=edu
ldap user suffix = ou=People
ldap machine suffix = ou=machines
ldap group suffix = ou=Group
ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))"
ldap delete dn = no
hosts allow = 131.183.16. 131.183.17. 131.183.18. 131.183.19. \
131.183.20. 131.183.21. 131.183.22. 131.183.22. \
131.183.23. \
131.183.117. 127.0.0.1
deadtime = 0 # idle time out
getwd cache = yes
create mode = 0600
log file = /servers/sambatest/%v/var/logs/%m
max log size = 1000 # KB
utmp = true
utmp directory = /var/adm/
wtmp directory = /var/adm/
lock directory = /servers/sambatest/%v/var/locks/
pid directory = /servers/sambatest/%v/var/
encrypt passwords = yes
# enforcing case sensitivity
username = 0
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY
........................................
I am able to obtain a Kerberos ticket for a user who has administrative rights on the Samba server, and when I use
net ads join -U administrator@REALM -d10
it tries to obtain LDAP information, but it looks into the Kerberos server on port 389 and fails with no error.
The debug information is as follows:
[2004/03/18 17:15:46, 6] libads/ldap.c:ads_find_dc(147)
ads_find_dc: looking for realm 'ENG.UTOLEDO.EDU'
[2004/03/18 17:15:46, 8] libsmb/namequery.c:get_sorted_dc_list(1240)
get_sorted_dc_list: attempting lookup using [ads]
[2004/03/18 17:15:46, 10] libsmb/namequery.c:internal_resolve_name(1006)
internal_resolve_name: looking up kerby.eng.utoledo.edu#20
[2004/03/18 17:15:46, 5] lib/gencache.c:gencache_init(59)
Opening cache file at /servers/sambatest/3.0.2a/var/locks//gencache.tdb
[2004/03/18 17:15:46, 10] lib/gencache.c:gencache_get(264)
Returning valid cache entry: key = NBT/KERBY.ENG.UTOLEDO.EDU#20, value = 131.183.18.105:0, timeout = Thu Mar 18 17:25:28 2004
[2004/03/18 17:15:46, 5] libsmb/namecache.c:namecache_fetch(201)
name kerby.eng.utoledo.edu#20 found.
[2004/03/18 17:15:46, 10] libsmb/namequery.c:remove_duplicate_addrs2(312)
remove_duplicate_addrs2: looking for duplicate address/port pairs
[2004/03/18 17:15:46, 4] libsmb/namequery.c:get_dc_list(1389)
get_dc_list: returning 1 ip addresses in an ordered list
[2004/03/18 17:15:46, 4] libsmb/namequery.c:get_dc_list(1390)
get_dc_list: 131.183.18.105:389
[2004/03/18 17:15:46, 5] libads/ldap.c:ads_try_connect(56)
ads_try_connect: trying ldap server '131.183.18.105' port 389
[2004/03/18 17:15:46, 10] libsmb/conncache.c:add_failed_connection_entry(132)
add_failed_connection_entry: added domain ENG.UTOLEDO.EDU (131.183.18.105) to failed conn cache
[2004/03/18 17:15:46, 1] utils/net_ads.c:ads_startup(181)
ads_connect: Transport endpoint is not connected
[2004/03/18 17:15:46, 2] utils/net.c:main(767)
return code = -1
Can someone help me in proceeding with Kerberos?
thanx in advance
eccsamba
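An added example, not code from the thread: a small Python parser for the Samba debug lines quoted above. It pulls out the realm, the LDAP host:port that net ads join tried, and the final ads_connect error, so the failure can be read off a -d10 log without scanning it by hand. The function names, record fields and the embedded sample (copied from the quoted log) are my own construction.

```python
import re

# Constructed sample, copied from the debug output quoted in the post above
SAMPLE_LOG = """\
[2004/03/18 17:15:46, 6] libads/ldap.c:ads_find_dc(147)
ads_find_dc: looking for realm 'ENG.UTOLEDO.EDU'
[2004/03/18 17:15:46, 5] libads/ldap.c:ads_try_connect(56)
ads_try_connect: trying ldap server '131.183.18.105' port 389
[2004/03/18 17:15:46, 10] libsmb/conncache.c:add_failed_connection_entry(132)
add_failed_connection_entry: added domain ENG.UTOLEDO.EDU (131.183.18.105) to failed conn cache
[2004/03/18 17:15:46, 1] utils/net_ads.c:ads_startup(181)
ads_connect: Transport endpoint is not connected
"""
# Samba debug header line: "[timestamp, level] file.c:function(line)"
HEADER_RE = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] (?P<src>\S+)$")
REALM_RE = re.compile(r"ads_find_dc: looking for realm '(?P<realm>[^']+)'")
TRY_RE = re.compile(r"ads_try_connect: trying ldap server '(?P<host>[^']+)' port (?P<port>\d+)")
ERR_RE = re.compile(r"^ads_connect: (?P<error>.+)$")

def parse_records(text):
    """Attach each message line to the '[ts, level] src' header that precedes it."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]), "src": m["src"], "msgs": []})
        elif records and line:
            records[-1]["msgs"].append(line)
    return records

def diagnose_ads_join(text):
    """Return the realm looked up, each LDAP host:port tried, and the final ads_connect error."""
    result = {"realm": None, "attempts": [], "error": None}
    for rec in parse_records(text):
        for msg in rec["msgs"]:
            if m := REALM_RE.search(msg):
                result["realm"] = m["realm"]
            elif m := TRY_RE.search(msg):
                result["attempts"].append((m["host"], int(m["port"])))
            elif m := ERR_RE.match(msg):
                result["error"] = m["error"]
    return result

def explain(result):
    """One-line reading of the failure for a 'security = ADS' configuration."""
    if not (result["error"] and result["attempts"]):
        return "No ads_connect failure found."
    host, port = result["attempts"][-1]
    return (f"Realm {result['realm']} resolved to {host}; LDAP on port {port} failed with "
            f"'{result['error']}'. security = ADS needs an AD domain controller there, "
            f"one host serving both Kerberos and LDAP; a Kerberos-only KDC will not do.")
```

Run `print(explain(diagnose_ads_join(SAMPLE_LOG)))` to see the summary for the quoted log, or pass in the full output of `net ads join -d10`.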