[Samba] Samba as a member of the W2K ADS domain using Kerberos
Hirantha Wijayawardena
hirantha at crescat.com
Fri Oct 8 13:01:29 GMT 2004
Dear All,
This is my problem; I have successfully joined the samba server to ADS
domain W2k server: net ads join -Uadministrator@DOMAIN.COM without any
errors & ran tests: wbinfo -u, wbinfo -g, getent passwd, getent group,
without any errors too.
# net ads info - shows:
LDAP server: 10.1.1.70
LDAP server name: dc1
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Fri, 08 Oct 2004 17:03:52 GMT
KDC server: 10.1.1.70
From windows client machines (Win98/XP) I can access the samba machine
which is logged on to the AD server; but when I try to access the user's
folder at the samba server, it won't allow it & an error message is triggered in
/var/log/message:
Oct 8 17:15:34 smb-3 smbd[1920]: Failed to verify incoming ticket!
Oct 8 17:15:35 smb-3 smbd[1920]: [2004/10/08 17:15:35, 1]
smbd/sesssetup.c:reply_spnego_kerberos(173)
Oct 8 17:15:35 smb-3 smbd[1920]: Failed to verify incoming ticket!
I saw many posts referring to this issue, but I couldn't find
the exact solution for this. Initially I tried from samba-3.0.2 with
krb5-1.3.3 & I upgraded to samba-3.0.7 & krb5-1.3.4 but no luck. Here
are my .conf files:
Distro: Fedora 2
smb.conf file:
[global]
unix charset = LOCALE
workgroup = DOMAIN2K
realm = DOMAIN.COM
server string = Samba 3.0.7
security = ADS
password server = dc1.domain.com
username map = /etc/samba/smbusers
log level = 1
syslog = 9
log file = /var/log/samba/%m
encrypt passwords = yes
max log size = 50
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
[Homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
krb5.conf file:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
CRESACT.COM = {
kdc = dc1.domain.com:88
admin_server = dc1.domain.com:749
default_domain = domain.com
}
[domain_realm]
.crescat.com = DOMAIN.COM
crescat.com = DOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Any advice is much appreciated & thanks in advance
- Hirantha
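
An added example, not part of the original post and not Samba's own code: a small Python check that compares the realm names used in smb.conf and krb5.conf with the [realms] stanzas krb5.conf actually defines. The input is constructed from the realm-related lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: realm-related lines copied from the krb5.conf in the post.
KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
[realms]
CRESACT.COM = {
kdc = dc1.domain.com:88
default_domain = domain.com
}
[domain_realm]
.crescat.com = DOMAIN.COM
crescat.com = DOMAIN.COM
"""
SMB_REALM = "DOMAIN.COM"  # the "realm =" value from the post's smb.conf


def parse_krb5(text):
    """Return (realms referenced by the config, realms that have a stanza)."""
    section, depth = None, 0
    referenced, defined = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            section = header.group(1)
        elif line == "}":
            depth = max(depth - 1, 0)
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "realms" and depth == 0 and value == "{":
                defined.add(key)
            elif section == "domain_realm" or key == "default_realm":
                referenced.add(value)
            depth += value.endswith("{")
    return referenced, defined


def check_realms(krb5_text, smb_realm):
    """Compare realm names used by smb.conf/krb5.conf with the [realms] stanzas."""
    referenced, defined = parse_krb5(krb5_text)
    referenced.add(smb_realm)
    return {
        "no_stanza": sorted(referenced - defined),   # located only via DNS lookup
        "unreferenced": sorted(defined - referenced),  # stanza nothing points at
    }
```

Calling check_realms(KRB5_CONF, SMB_REALM) lists DOMAIN.COM under no_stanza and CRESACT.COM under unreferenced for the sample above.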