[Samba] Samba as a member of the W2K ADS domain using Kerberos

Hirantha Wijayawardena hirantha at crescat.com
Fri Oct 8 13:01:29 GMT 2004


Dear All,

This is my problem; I have successfully joined the samba server to ADS
domain W2k server: net ads join -Uadministrator at DOMAIN.COM without any
errors & ran tests:  wbinfo -u, wbinfo -g, getent passwd, getent group,
without any errors too.

# net ads info - shows:
LDAP server: 10.1.1.70
LDAP server name: dc1
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Fri, 08 Oct 2004 17:03:52 GMT
KDC server: 10.1.1.70

From Windows client machines (Win98/XP) I can access the samba machine
which is logged on to the AD server; but when I try to access the user's
folder at the samba server it won't allow it, and an error message is triggered in
/var/log/message:

Oct  8 17:15:34 smb-3 smbd[1920]:   Failed to verify incoming ticket!
Oct  8 17:15:35 smb-3 smbd[1920]: [2004/10/08 17:15:35, 1]
smbd/sesssetup.c:reply_spnego_kerberos(173)
Oct  8 17:15:35 smb-3 smbd[1920]:   Failed to verify incoming ticket!

I saw so many posts referring to this issue, but I couldn't find
the exact solution for this. Initially I tried samba-3.0.2 with
krb5-1.3.3 & I upgraded to samba-3.0.7 & krb5-1.3.4 but no luck. Here
are my .conf files.

Distro: Fedora 2

smb.conf file:

[global]
        unix charset = LOCALE
        workgroup = DOMAIN2K
        realm = DOMAIN.COM
        server string = Samba 3.0.7
        security = ADS
        password server = dc1.domain.com
        username map = /etc/samba/smbusers
        log level = 1
        syslog = 9
        log file = /var/log/samba/%m
        encrypt passwords = yes
        max log size = 50
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template primary group = "Domain Users"
        template shell = /bin/bash
        winbind separator = +
[Homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No


krb5.conf file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 CRESACT.COM = {
  kdc = dc1.domain.com:88
  admin_server = dc1.domain.com:749
  default_domain = domain.com
 }

[domain_realm]
 .crescat.com = DOMAIN.COM
 crescat.com = DOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Any advice is much appreciated & thanks in advance

- Hirantha
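The check below is an added example and is not part of the post above or of Samba; it is a small consistency checker I would run over the two configuration files before looking at keytabs or clock skew. It assumes (as Samba's ADS mode requires) that the `realm` in smb.conf must name the same Kerberos realm as `default_realm` in krb5.conf, and that every realm referenced from `[libdefaults]` or `[domain_realm]` must have its own stanza under `[realms]`. The embedded configs are constructed copies of the posted ones (abbreviated, with the `pam = {` stanza closed so that it parses); the parser handles only the one level of `key = { ... }` nesting those files use.

```python
import re
from typing import Dict, List, Optional

# Constructed input: abbreviated copy of the krb5.conf from the post.
KRB5_CONF = """\
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 CRESACT.COM = {
  kdc = dc1.domain.com:88
  admin_server = dc1.domain.com:749
  default_domain = domain.com
 }

[domain_realm]
 .crescat.com = DOMAIN.COM
 crescat.com = DOMAIN.COM

[appdefaults]
 pam = {
   debug = false
   forwardable = true
 }
"""

# Constructed input: the relevant [global] keys from the posted smb.conf.
SMB_CONF = """\
[global]
        workgroup = DOMAIN2K
        realm = DOMAIN.COM
        security = ADS
        password server = dc1.domain.com
"""


def parse_conf(text: str) -> Dict[str, Dict[str, object]]:
    """Parse an INI-style file with [sections], key = value lines and one
    level of key = { ... } blocks (enough for krb5.conf and smb.conf)."""
    sections: Dict[str, Dict[str, object]] = {}
    current: Dict[str, object] = {}
    block: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1).lower(), {})
            block = None
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = {}
            current[m.group(1)] = block
            continue
        m = re.match(r"^([^=]+?)\s*=\s*(.*)$", line)
        if m:
            target = block if block is not None else current
            target[m.group(1)] = m.group(2).strip()
    return sections


def check_realm_consistency(krb5: Dict[str, Dict[str, object]],
                            smb: Dict[str, Dict[str, object]]) -> List[str]:
    """Return a list of realm-naming problems; an empty list means consistent."""
    problems: List[str] = []
    default_realm = krb5.get("libdefaults", {}).get("default_realm")
    realms = krb5.get("realms", {})
    if default_realm is None:
        problems.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] stanza "
                        f"(defined realms: {sorted(realms)})")
    for domain, realm in krb5.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"[domain_realm] maps {domain} to {realm}, "
                            f"which has no [realms] stanza")
    smb_realm = smb.get("global", {}).get("realm")
    if smb_realm and default_realm and str(smb_realm).upper() != str(default_realm).upper():
        problems.append(f"smb.conf realm {smb_realm} differs from "
                        f"krb5.conf default_realm {default_realm}")
    for name in realms:
        if name != name.upper():  # Kerberos realm names are case-sensitive
            problems.append(f"realm {name} is not upper-case")
    return problems


if __name__ == "__main__":
    for p in check_realm_consistency(parse_conf(KRB5_CONF), parse_conf(SMB_CONF)):
        print("PROBLEM:", p)
```

Against the constructed copy of the posted files the checker reports three problems, all of the same kind: `DOMAIN.COM` is the realm named everywhere except in `[realms]`, where the only stanza is `CRESACT.COM`. Whether that is the cause of the "Failed to verify incoming ticket!" messages is for the poster to confirm, but it is the first thing a responder would ask about.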
