[Samba] Authenticating off a Windows 2003 ADS DC with Samba/Winbind
Rafiq_Maniar at Dell.com
Wed Nov 17 10:36:27 GMT 2004
[originally posted to fedora-users]
I'm having difficulty getting samba/winbind to authenticate off a W2K3
box. I've searched the list archives and although there
are some similar problems, none have seemed to help resolve this one.
Here's the network configuration:
- Windows 2003 Server gx270-rmaniar [192.168.0.100]
- Fedora Core 3 gx280rmaniarFC3 [192.168.0.5]
FYI: A Windows XP box correctly connects to the DC OK.
**********************
Here's what I've done:
- removed the Active Directory service from the W2K3 box and started
from scratch again.
- configured /etc/krb5.conf
- timesynced both the Linux and Windows boxes
- Used kinit Administrator@TEST.COM to log in, all OK.
- Can log in to smb share using smbclient -k //gx270-rmaniar/C$ so
kerberos ticket is ok.
- configured winbind/smb.conf using the Authentication applet.
- smb/winbind are started ok.
**********************
Here's the problem:
[root@gx280rmaniarFC3 samba]# net ads join -S gx270-rmaniar -U Administrator
Administrator's password:
[2004/11/16 17:35:12, 0] libads/ldap.c:ads_join_realm(1640)
ads_add_machine_acct (gx280rmaniarfc3): Type or value exists
ads_join_realm: Type or value exists
So it says it exists already, despite the fact that it's not shown in the
'Computers' list in AD.
Tried it again, and got:
[root@gx280rmaniarFC3 pam.d]# net ads join -S gx270-rmaniar -U Administrator
Administrator's password:
[2004/11/16 17:51:26, 0] libads/ldap.c:ads_add_machine_acct(1297)
ads_add_machine_acct: Host account for gx280rmaniarfc3 already exists - modifying old account
[2004/11/16 17:51:26, 0] libads/ldap.c:ads_join_realm(1640)
ads_add_machine_acct (gx280rmaniarfc3): Type or value exists
ads_join_realm: Type or value exists
The computer now appears in the "Computers" list on the Windows server.
[root@gx280rmaniarFC3 samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret
**********************
Here's the relevant info from smb.conf:
workgroup = TEST.COM
security = ads
password server = 192.168.0.100
realm = TEST.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = no
And someone asked for authconfig --test --kickstart:
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is disabled
LDAP+TLS is disabled
LDAP server = "127.0.0.1"
LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is enabled
SMB workgroup = "TEST.COM"
SMB servers = "192.168.0.100"
SMB security = "ads"
SMB realm = "TEST.COM"
Winbind template shell = "/bin/bash"
SMB idmap uid = "16777216-33554431"
SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
shadow passwords are enabled
md5 passwords are enabled
pam_krb5 is disabled
krb5 realm = "TEST.COM"
krb5 realm via dns is disabled
krb5 kdc = "192.168.0.100:88,192.168.0.100"
krb5 kdc via dns is disabled
krb5 admin server = ""
pam_ldap is disabled
LDAP+TLS is disabled
LDAP server = "127.0.0.1"
LDAP base DN = "dc=example,dc=com"
pam_smb_auth is disabled
SMB workgroup = "TEST.COM"
SMB servers = "192.168.0.100"
pam_winbind is enabled
SMB workgroup = "TEST.COM"
SMB servers = "192.168.0.100"
SMB security = "ads"
SMB realm = "TEST.COM"
pam_cracklib is enabled (retry=3)
pam_passwdqc is disabled ()
So there you have it. I've googled for the problem with no luck. Any
ideas?
Thanks,
Rafiq