[Samba] authentication against win2k3 server
Carissa Srugis
csrugis at gmail.com
Wed Nov 17 19:02:43 GMT 2004
OK, I've tried to get a kerberos ticket, without success. I generated
the w2k3 keytab, then integrated into the freebsd machine via the
ktutil command.
I tried to use kinit Administrator at YOURDOMAIN.COM, but got this error:
secureschool# kinit administrator at DOMAIN.LOCAL
FreeBSD Inc. (freebsd.newdomain.com)
Kerberos Initialization for "administrator at DOMAIN.LOCAL"
Password:
kinit: Can't send request (send_to_kdc)
Here's the krb5.conf file:
[libdefaults]
default_realm = DOMAIN.LOCAL
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_keytab-name = FILE:/usr/src/crypto/heimdal/freebsd_mchine.keytab
clockskew = 300
[realms]
ANDLESS.LOCAL = {
kdc= WIN2K3.DOMAIN.LOCAL
admin_server = WIN2K3.DOMAIN.LOCAL
default_domain = DOMAIN.LOCAL
}
[domain_realm]
.DOMAIN.LOCAL = DOMAIN.LOCAL
The one thing I noticed is I do not have a krb5.conf in /etc or
anywhere else on my system. Should this file be there already, or do I
have to manually create it?
Thanks for the help!
Carissa Srugis
On Tue, 16 Nov 2004 13:29:20 -0800, Tom Skeren <tms3 at fsklaw.net> wrote:
> Carissa Srugis wrote:
>
> >I've been trying to set up Samba to authenticate users against accounts
> >existing on a Windows 2003 Server without any backwards capability.
> >Ideally, this needs to be done without any changes to the Windows 2003
> >Server. Users will not be logging into the Samba shares at all. This
> >is merely for authentication.
> >
> >
> OK, well, try getting a kerberos ticket first.
>
> kinit Administrator at YOURDOMAIN.COM...
> If you get a valid ticket, you can just do net ads join -U
> Administrator, no need for pw.
>
> If no kerberos ticket, then you've got a krb5.conf issue.
>
> Heimdal requires these lines:
>
> default_etypes = des-cbc-crc des-cbc-md5
> default_etypes_des = des-cbc-crc des-cbc-md5
>
> You also might need to have the w2k3 generate a keytab for you. If so you need this line as well.
>
> default_keytab-name = FILE:/etc/krb5.keytab
>
> >I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.
> >
> >This is my smb.conf file:
> >[global]
> > realm = WIN2K3.DOMAIN.LOCAL
> > security = ads
> > auth methods = winbind
> > winbind separator = +
> > encrypt passwords = yes
> > workgroup = DOMAIN.LOCAL
> > netbios name = FREEBSD_Machine
> > winbind uid = 10000-20000
> > winbind gid = 10000-20000
> > winbind enum users = yes
> > winbind enum groups = yes
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > password server = WIN2K3.DOMAIN.LOCAL
> >
> >So once winbindd is running, I type the following and get these results:
> >
> >freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
> >administrator's password: *password*
> >[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
> > Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
> > Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
> > ads_connect: Permission denied
> >
> >In the winbindd log I've also gotten the following error messages at
> >one point or another:
> >
> >Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
> >Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
> >get_trust_pw: could not fetch trust account password for my domain DOMAIN.LOCAL
> >
> >The odd part is when I try to use wbinfo to verify connections. If I
> >type "wbinfo -g" it will display the correct group listing from the
> >win2k3 server. But nothing else seems to work:
> >
> >freebsd_machine# wbinfo -t
> >checking the trust secret via RPC calls failed
> >error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
> >Could not check secret
> >
> >freebsd_machine# wbinfo -u
> >Error looking up domain users
> >
> >freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
> >Name : WIN2K3.DOMAIN.LOCAL
> >Alt_Name : DOMAIN.LOCAL
> >SID : S-0-0
> >Active Directory : No
> >Native : No
> >Primary : Yes
> >Sequence : -1
> >
> >I'm obviously missing something, but I am at a loss. Any help is
> >greatly appreciated!
> >
> >Carissa Srugis
> >
>
--
*********************************************************
Carissa Srugis
csrugis at gmail.com
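An added example, not part of this thread, of a small krb5.conf consistency check in Python: it parses a trimmed copy of the krb5.conf posted above (constructed input) and reports a default_realm with no matching [realms] stanza and hyphenated option names, two states in which Heimdal may be left without a KDC to talk to. Whether these account for the send_to_kdc error above is an assumption, not a conclusion reached in the thread; the function names parse_krb5_conf and find_problems are mine.

```python
import re
# Constructed sample (added example): a trimmed copy of the krb5.conf posted above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.LOCAL
default_keytab-name = FILE:/usr/src/crypto/heimdal/freebsd_mchine.keytab
[realms]
ANDLESS.LOCAL = {
kdc= WIN2K3.DOMAIN.LOCAL
}
"""
def parse_krb5_conf(text):
    """Parse [section] key = value lines plus one level of name = { ... } subsections."""
    sections, section, sub = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            sub = None
        elif line == "}":
            sub = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                sub = section.setdefault(key, {})
            elif sub is not None:
                sub[key] = value
            else:
                section[key] = value
    return sections

def find_problems(text):
    """Return findings that can leave kinit with no reachable KDC; [] if consistent."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", "<missing>")
    problems = []
    stanza = conf.get("realms", {}).get(realm)
    if stanza is None:  # without a stanza only DNS SRV records could name a KDC
        problems.append(f"default_realm {realm} has no [realms] stanza; present: {sorted(conf.get('realms', {}))}")
    elif "kdc" not in stanza:
        problems.append(f"[realms] stanza for {realm} defines no kdc")
    for key in libdefaults:
        if "-" in key:  # Heimdal option names use underscores, e.g. default_keytab_name
            problems.append(f"unknown option name {key!r} (underscores expected)")
    return problems
```

Running find_problems on the sample reports both the ANDLESS.LOCAL/DOMAIN.LOCAL mismatch and the hyphenated keytab option; on a copy with those two edits applied it returns an empty list.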