[Samba] Re: samba,ldap and kerberos

aarumuga arumugam eccsamba at yahoo.com
Fri Mar 19 14:17:10 GMT 2004


Hi ,
  In the configuration file which has been posted, the password server is mentioned as kerbere.eng.utoledo.edu. It is an old configuration file. In the new one the server name is changed to kerby.eng.utoledo.edu; otherwise everything remains the same. We don't use ADS, but we need Samba and LDAP to be authenticated with Kerberos. Any suggestions appreciated.
Thanks in advance
aarumugam


aarumuga arumugam <eccsamba at yahoo.com> wrote:
Hi Everybody,
                We are integrating Samba, Kerberos and LDAP:
samba-3.0.2a
Sun Kerberos
Sun LDAP
All three servers are on three different Solaris machines.

We were able to successfully integrate Samba and LDAP, and it works fine. When trying to bring in Kerberos support, we changed the Samba configuration file as follows:
        interfaces      = 131.183.20.96
        bind interfaces only    = true
        workgroup       = SAMBA_200X
        server string   = ECC Samba3.02a Secure Server
        #adding kerberos security ADS
        security =ADS
        realm   =ENG.UTOLEDO.EDU
        password server=kerbere.eng.utoledo.edu
        # ldap parameters
        ldap admin dn   ="cn=mgradmin"
        ldap ssl        = no
        passdb backend  = ldapsam:ldaps://sunldap.eng.utoledo.edu:389
        ldap suffix     = dc=eng,dc=utoledo,dc=edu
        ldap user suffix = ou=People
        ldap machine suffix= ou=machines
        ldap group suffix = ou=Group
        ldap filter             = "(&(uid=%u)(objectclass=sambaSamAccount))"
        ldap delete dn  =no
        hosts allow     = 131.183.16. 131.183.17. 131.183.18. 131.183.19. \
                          131.183.20. 131.183.21. 131.183.22. 131.183.22. \
                          131.183.23.                                     \
                          131.183.117.  127.0.0.1
        deadtime        = 0                     # idle time out
        getwd cache     = yes
        create mode     = 0600

        log file        = /servers/sambatest/%v/var/logs/%m
        max log size    = 1000                  # KB
        utmp = true
        utmp directory  = /var/adm/
        wtmp directory  = /var/adm/
        lock directory  = /servers/sambatest/%v/var/locks/
        pid directory   = /servers/sambatest/%v/var/
        encrypt passwords       = yes
        # enforcing case sensitivity
        username        = 0

        # See speed.txt and the manual pages for details
        socket options  = TCP_NODELAY
........................................
 
 
I am able to obtain a Kerberos ticket for a user who has administrative rights on the Samba server, and when I use
net ads join -U administrator@REALM -d10
it tries to obtain LDAP information, but it looks into the Kerberos server on port 389 and fails with no error.
The debug information is as follows:
 
[2004/03/18 17:15:46, 6] libads/ldap.c:ads_find_dc(147)
  ads_find_dc: looking for realm 'ENG.UTOLEDO.EDU'
[2004/03/18 17:15:46, 8] libsmb/namequery.c:get_sorted_dc_list(1240)
  get_sorted_dc_list: attempting lookup using [ads]
[2004/03/18 17:15:46, 10] libsmb/namequery.c:internal_resolve_name(1006)
  internal_resolve_name: looking up kerby.eng.utoledo.edu#20
[2004/03/18 17:15:46, 5] lib/gencache.c:gencache_init(59)
  Opening cache file at /servers/sambatest/3.0.2a/var/locks//gencache.tdb
[2004/03/18 17:15:46, 10] lib/gencache.c:gencache_get(264)
  Returning valid cache entry: key = NBT/KERBY.ENG.UTOLEDO.EDU#20, value = 131.183.18.105:0, timeout = Thu Mar 18 17:25:28 2004
[2004/03/18 17:15:46, 5] libsmb/namecache.c:namecache_fetch(201)
  name kerby.eng.utoledo.edu#20 found.
[2004/03/18 17:15:46, 10] libsmb/namequery.c:remove_duplicate_addrs2(312)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2004/03/18 17:15:46, 4] libsmb/namequery.c:get_dc_list(1389)
  get_dc_list: returning 1 ip addresses in an ordered list
[2004/03/18 17:15:46, 4] libsmb/namequery.c:get_dc_list(1390)
  get_dc_list: 131.183.18.105:389
[2004/03/18 17:15:46, 5] libads/ldap.c:ads_try_connect(56)
  ads_try_connect: trying ldap server '131.183.18.105' port 389
[2004/03/18 17:15:46, 10] libsmb/conncache.c:add_failed_connection_entry(132)
  add_failed_connection_entry: added domain ENG.UTOLEDO.EDU (131.183.18.105) to failed conn cache
[2004/03/18 17:15:46, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Transport endpoint is not connected
[2004/03/18 17:15:46, 2] utils/net.c:main(767)
  return code = -1

Can someone help me in proceeding with Kerberos?

Thanks in advance
eccsamba
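The configuration quoted in this thread can be checked mechanically for the mismatches the log points at: security = ADS against a realm whose "password server" is a standalone Kerberos KDC (so net ads join opens LDAP to it on port 389 and gets "Transport endpoint is not connected"), an ldaps:// passdb URI on port 389, a duplicated hosts allow entry, an inline comment that Samba does not strip, and "username = 0" standing in for "case sensitive". The following Python is an added example, not Samba's code and not the poster's; the parameter names are real smb.conf parameters, while the finding codes, the messages and both sample fragments are constructed here (host names are the ones quoted above, and the "corrected" fragment is an assumed target state, not something the thread confirms).

```python
"""Lint an smb.conf fragment for the inconsistencies visible in the posted config.

Added example, not Samba code. Parameter names are real smb.conf parameters;
finding codes, messages and both sample fragments are constructed here.
"""
import re
from collections import Counter

# Constructed sample: the relevant lines of the configuration quoted in the thread.
POSTED_SMB_CONF = """\
        security =ADS
        realm   =ENG.UTOLEDO.EDU
        password server=kerbere.eng.utoledo.edu
        ldap ssl        = no
        passdb backend  = ldapsam:ldaps://sunldap.eng.utoledo.edu:389
        hosts allow     = 131.183.16. 131.183.17. 131.183.22. \\
                          131.183.22. 127.0.0.1
        deadtime        = 0                     # idle time out
        # enforcing case sensitivity
        username        = 0
"""

# Constructed counterpart with each finding addressed (assumed target state).
CORRECTED_SMB_CONF = """\
        security        = user
        passdb backend  = ldapsam:ldaps://sunldap.eng.utoledo.edu:636
        hosts allow     = 131.183.16. 131.183.17. 131.183.22. 127.0.0.1
        # idle time out
        deadtime        = 0
        case sensitive  = yes
"""


def parse_smb_conf(text):
    """Return {normalised name: raw value} for one smb.conf fragment.

    Samba ignores case and whitespace in parameter names, a trailing backslash
    continues a value on the next line, and only lines that *start* with '#' or
    ';' are comments, so a value keeps any trailing text written after it.
    """
    params = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # continuation: glue the next line on
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def lint_smb_conf(text):
    """Return a list of (code, message) findings for the fragment."""
    p = parse_smb_conf(text)
    findings = []

    if p.get("security", "").lower() == "ads":
        findings.append(("ADS_WITHOUT_AD",
            "security = ADS makes Samba an Active Directory member: net ads join "
            "locates a DC for the realm and opens LDAP to it on port 389. A "
            "standalone Kerberos KDC does not answer LDAP, so the join fails at "
            "ads_connect. For a non-AD Kerberos realm keep security = user with "
            "the ldapsam backend."))

    # passdb backend = ldapsam:<scheme>://<host>[:<port>]
    m = re.match(r"ldapsam:(ldaps?)://([^:/\s]+)(?::(\d+))?", p.get("passdbbackend", ""))
    if m:
        scheme, port = m.group(1), m.group(3)
        if scheme == "ldaps" and port == "389":
            findings.append(("LDAPS_ON_389",
                "ldaps:// is LDAP over TLS, normally port 636; 389 is the plaintext "
                "(StartTLS-capable) port, so the TLS handshake hits the wrong service."))
        if scheme == "ldap" and p.get("ldapssl", "").lower() in ("off", "no"):
            findings.append(("LDAP_CLEARTEXT",
                "ldap:// with ldap ssl off sends the ldap admin dn bind and the "
                "sambaNTPassword hashes over the wire unencrypted."))

    for entry, n in Counter(p.get("hostsallow", "").split()).items():
        if n > 1:
            findings.append(("HOSTS_ALLOW_DUPLICATE", f"{entry} listed {n} times"))

    if "username" in p:
        findings.append(("USERNAME_MISUSED",
            "'username' lists user names to try for a connection; case "
            "sensitivity is controlled by 'case sensitive'."))

    for name, value in p.items():
        if re.search(r"\s#", value):      # Samba keeps the '# ...' as part of the value
            findings.append(("INLINE_COMMENT", f"{name}: value parsed as {value!r}"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_smb_conf(POSTED_SMB_CONF):
        print(f"{code}: {msg}")
    print("corrected fragment findings:", lint_smb_conf(CORRECTED_SMB_CONF))
```

Running it against the posted fragment reports all five findings; against the corrected fragment it reports none. The parser deliberately mirrors Samba's own rules (whitespace-insensitive names, backslash continuation, no inline comments) so that what the lint sees is what smbd would see; a real deployment would run testparm first and feed this only the [global] section.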
 
 
 
 
 


Do you Yahoo!?
Yahoo! Mail - More reliable, more storage, less spam
