[Samba] authentication against win2k3 server

Carissa Srugis csrugis at gmail.com
Wed Nov 17 19:02:43 GMT 2004


OK, I've tried to get a kerberos ticket, without success.  I generated
the w2k3 keytab, then integrated into the freebsd machine via the
ktutil command.

I tried to use the kinit Administrator at YOURDOMAIN.COM, but got this error:

secureschool# kinit administrator at DOMAIN.LOCAL
FreeBSD Inc. (freebsd.newdomain.com)
Kerberos Initialization for "administrator at DOMAIN.LOCAL"
Password:
kinit: Can't send request (send_to_kdc)

Here's the krb5.conf file:

[libdefaults]
        default_realm = DOMAIN.LOCAL
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5
        default_keytab-name = FILE:/usr/src/crypto/heimdal/freebsd_mchine.keytab
        clockskew = 300

[realms]
        ANDLESS.LOCAL = {
                kdc= WIN2K3.DOMAIN.LOCAL
                admin_server = WIN2K3.DOMAIN.LOCAL
                default_domain = DOMAIN.LOCAL
        }
[domain_realm]
        .DOMAIN.LOCAL = DOMAIN.LOCAL

The one thing I noticed is I do not have a krb5.conf in /etc or
anywhere else on my system.  Should this file be there already, or do I
have to manually create it?

Thanks for the help!
Carissa Srugis




On Tue, 16 Nov 2004 13:29:20 -0800, Tom Skeren <tms3 at fsklaw.net> wrote:
> Carissa Srugis wrote:
>
> >I've been trying to set up Samba to authenticate users against accounts
> >existing on a Windows 2003 Server without any backwards capability.
> >Ideally, this needs to be done without any changes to the Windows 2003
> >Server.  Users will not be logging into the Samba shares at all.  This
> >is merely for authentication.
> >
> >
> OK, well, try getting a kerberos ticket first.
>
> kinit Administrator at YOURDOMAIN.COM...
> If you get a valid ticket, you can just do net ads join -U
> Administrator, no need for pw.
>
> If no kerberos ticket, then you've got a krb5.conf issue.
>
> Heimdal requires these lines:
>
> default_etypes  = des-cbc-crc des-cbc-md5
>  default_etypes_des = des-cbc-crc des-cbc-md5
>
> You also might need to have the w2k3 generate a keytab for you.  If so you need this line as well.
>
>  default_keytab-name = FILE:/etc/krb5.keytab
>
>
>
>
> >I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.
> >
> >This is my smb.conf file:
> >[global]
> >      realm = WIN2K3.DOMAIN.LOCAL
> >      security = ads
> >      auth methods = winbind
> >      winbind separator = +
> >      encrypt passwords = yes
> >      workgroup = DOMAIN.LOCAL
> >      netbios name = FREEBSD_Machine
> >      winbind uid = 10000-20000
> >      winbind gid = 10000-20000
> >      winbind enum users = yes
> >      winbind enum groups = yes
> >      idmap uid = 10000-20000
> >      idmap gid = 10000-20000
> >      password server = WIN2K3.DOMAIN.LOCAL
> >
> >So once winbindd is running, I type the following and get these results:
> >
> >freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
> >administrator's password: *password*
> >[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
> >  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
> >  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
> >  ads_connect: Permission denied
> >
> >In the winbindd log I've also gotten the following error messages at
> >one point or another:
> >
> >Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
> >Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
> >get_trust_pw: could not fetch trust account password for my domain DOMAIN.LOCAL
> >
> >The odd part is when I try to use wbinfo to verify connections.  If I
> >type "wbinfo -g" it will display the correct group listing from the
> >win2k3 server.  But nothing else seems to work:
> >
> >freebsd_machine# wbinfo -t
> >checking the trust secret via RPC calls failed
> >error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
> >Could not check secret
> >
> >freebsd_machine# wbinfo -u
> >Error looking up domain users
> >
> >freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
> >Name              : WIN2K3.DOMAIN.LOCAL
> >Alt_Name          : DOMAIN.LOCAL
> >SID               : S-0-0
> >Active Directory  : No
> >Native            : No
> >Primary           : Yes
> >Sequence          : -1
> >
> >I'm obviously missing something, but I am at a loss.  Any help is
> >greatly appreciated!
> >
> >Carissa Srugis
> >
> >
> >
> >
>
>

--
*********************************************************
Carissa Srugis
csrugis at gmail.com
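
Added example, not part of the original thread or of Samba/Heimdal: a small Python check that every realm a krb5.conf refers to (default_realm and the targets in [domain_realm]) has a [realms] entry with a kdc line, since a realm with no such entry gives the client no KDC configured in the file. The function names and the sample text are assumptions made for illustration; the sample is constructed from the realm names in the krb5.conf quoted above.

```python
import re

# Constructed sample using the realm names from the krb5.conf quoted in the message.
SAMPLE = """\
[libdefaults]
        default_realm = DOMAIN.LOCAL
[realms]
        ANDLESS.LOCAL = {
                kdc= WIN2K3.DOMAIN.LOCAL
        }
[domain_realm]
        .DOMAIN.LOCAL = DOMAIN.LOCAL
"""

def parse_krb5(text):
    """Parse the three sections checked here; whole-line comments are skipped."""
    flat = {"libdefaults": {}, "domain_realm": {}}
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, current = m.group(1), None
        elif line == "}":
            current = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "realms" and value == "{":
                current = realms.setdefault(key, {})      # start of a realm block
            elif section == "realms" and current is not None:
                current.setdefault(key, []).append(value)  # kdc may repeat
            elif section in flat:
                flat[section][key] = value
    return flat["libdefaults"], realms, flat["domain_realm"]

def check_realms(text):
    """Return a list of realms that are referenced but have no usable [realms] entry."""
    libdefaults, realms, domain_realm = parse_krb5(text)
    default = libdefaults.get("default_realm")
    problems = [] if default else ["no default_realm in [libdefaults]"]
    referenced = ([default] if default else []) + sorted(domain_realm.values())
    for realm in dict.fromkeys(referenced):  # de-duplicate, keep order
        if realm not in realms:
            problems.append(f"{realm}: no [realms] entry (defined: {sorted(realms)})")
        elif not realms[realm].get("kdc"):
            problems.append(f"{realm}: [realms] entry has no kdc")
    return problems
```

Calling `check_realms(open(path).read())` on a real file returns an empty list when every referenced realm is defined with a kdc.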

