[Samba] authentication against win2k3 server
Tom Skeren
tms3 at fsklaw.net
Tue Nov 16 21:29:20 GMT 2004
Carissa Srugis wrote:
>I've been trying to set up Samba to authenticate users against accounts
>existing on a Windows 2003 Server without any backwards capability.
>Ideally, this needs to be done without any changes to the Windows 2003
>Server. Users will not be logging into the Samba shares at all. This
>is merely for authentication.
>
>
OK, well, try getting a kerberos ticket first.
kinit Administrator@YOURDOMAIN.COM...
If you get a valid ticket, you can just do net ads join -U
Administrator, no need for pw.
If no kerberos ticket, then you've got a krb5.conf issue.
Heimdal requires these lines:
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
You also might need to have the w2k3 generate a keytab for you. If so you need this line as well.
default_keytab_name = FILE:/etc/krb5.keytab
>I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.
>
>This is my smb.conf file:
>[global]
> realm = WIN2K3.DOMAIN.LOCAL
> security = ads
> auth methods = winbind
> winbind separator = +
> encrypt passwords = yes
> workgroup = DOMAIN.LOCAL
> netbios name = FREEBSD_Machine
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> password server = WIN2K3.DOMAIN.LOCAL
>
>So once winbindd is running, I type the following and get these results:
>
>freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
>administrator's password: *password*
>[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
> Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
> Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
> ads_connect: Permission denied
>
>In the winbindd log I've also gotten the following error messages at
>one point or another:
>
>Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
>Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
>get_trust_pw: could not fetch trust account password for my domain DOMAIN.LOCAL
>
>The odd part is when I try to use wbinfo to verify connections. If I
>type "wbinfo -g" it will display the correct group listing from the
>win2k3 server. But nothing else seems to work:
>
>freebsd_machine# wbinfo -t
>checking the trust secret via RPC calls failed
>error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
>Could not check secret
>
>freebsd_machine# wbinfo -u
>Error looking up domain users
>
>freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
>Name : WIN2K3.DOMAIN.LOCAL
>Alt_Name : DOMAIN.LOCAL
>SID : S-0-0
>Active Directory : No
>Native : No
>Primary : Yes
>Sequence : -1
>
>I'm obviously missing something, but I am at a loss. Any help is
>greatly appreciated!
>
>Carissa Srugis