[Samba] member server and kerberos

thomas constans thomas.constans at opendoor.fr
Fri Oct 15 14:45:53 GMT 2004


hello

i have been struggling for too long trying to set up the following
configuration:

debian samba 3 member server of a win 2000 AD

here is my configuration:

## smb.conf ##
[global]
log level = 4
interfaces = 192.168.10.11/255.255.255.0
workgroup = datom
realm = datom.dyndns.org
server string = samba membre
security = ads
netbios name = cafeine

log file = /var/log/samba/samba.log
max log size = 50
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = nicotine.datom.dyndns.org
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
domain logons = no
dns proxy = no
obey pam restrictions = Yes
winbind separator = /
inherit acls = yes
inherit permissions = yes
admin users = DATOM.DYNDNS.ORG/administrateur
winbind enum users = yes
winbind enum groups = yes

[share]
comment = partage
path = /home/samba
browseable = yes


## krb5.conf ##

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
#ticket_lifetime = 24000
default_realm = DATOM.DYNDNS.ORG
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DATOM.DYNDNS.ORG = {
  kdc = NICOTINE.DATOM.DYNDNS.ORG:88
  admin_server = DATOM.DYNDNS.ORG:749
  default_domain = DATOM.DYNDNS.ORG
}
[domain_realm]
.datom.dyndns.org = DATOM.DYNDNS.ORG
datom.dyndns.org = DATOM.DYNDNS.ORG
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

## nsswitch.conf ##


passwd:        files winbind #ldap
group:         files winbind #ldap
shadow:        files #ldap


tests performed:
# kinit administrateur + password -> ok
# net ads join
[2004/10/15 16:30:32, 0] libads/ldap.c:ads_add_machine_acct(1283)
  ads_add_machine_acct: Host account for cafeine already exists - modifying old account
Using short domain name -- DATOM
Joined 'CAFEINE' to realm 'DATOM.DYNDNS.ORG'

# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrateur@DATOM.DYNDNS.ORG

Valid starting     Expires            Service principal
10/15/04 13:50:20  10/15/04 23:50:20  krbtgt/DATOM.DYNDNS.ORG@DATOM.DYNDNS.ORG
10/15/04 13:50:54  10/15/04 23:50:20  nicotine$@DATOM.DYNDNS.ORG
10/15/04 13:50:55  10/15/04 23:50:20  kadmin/changepw@DATOM.DYNDNS.ORG

# wbinfo -D datom
Name              : DATOM
Alt_Name          : datom.dyndns.org
SID               : S-1-5-21-1214440339-616249376-839522115
Active Directory  : Yes
Native            : No
Primary           : Yes
Sequence          : -1

# wbinfo -g  
BUILTIN/System Operators
BUILTIN/Replicators
BUILTIN/Guests
BUILTIN/Power Users
BUILTIN/Print Operators
BUILTIN/Administrators
BUILTIN/Account Operators
BUILTIN/Backup Operators
BUILTIN/Users

BUT

# wbinfo -u
Error looking up domain users

i suspect a kerberos configuration issue because when reverting to a security
= domain model, everything works perfectly

can anybody shed some light on this ???

thanks in advance

-- 
thomas constans <thomas.constans at opendoor.fr>
openDoor.fr
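A consistency check of the kind an admin would run over the files quoted above, added here as an example (not part of the original post and not Samba's own tooling): it parses constructed excerpts of the smb.conf and krb5.conf shown and reports mismatches between them. The checks encode my own assumptions about what an AD member needs (realm and default_realm agreeing, a kdc listed when dns_lookup_kdc is false, a domain_realm mapping for the realm's DNS domain, and admin users written as WORKGROUP<separator>user rather than with the realm).

```python
# Constructed excerpts of the smb.conf and krb5.conf from the post (only the keys checked below).
SMB_CONF = """[global]
workgroup = datom
realm = datom.dyndns.org
winbind separator = /
admin users = DATOM.DYNDNS.ORG/administrateur
"""
KRB5_CONF = """[libdefaults]
default_realm = DATOM.DYNDNS.ORG
dns_lookup_kdc = false
[realms]
DATOM.DYNDNS.ORG = {
  kdc = NICOTINE.DATOM.DYNDNS.ORG:88
}
[domain_realm]
.datom.dyndns.org = DATOM.DYNDNS.ORG
"""

def parse_conf(text):
    """Map 'key = value' lines by section; a krb5.conf '{ }' realm block becomes section 'realms/REALM'."""
    conf, section = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif line.endswith("{"):                       # 'REALM = {' opens a nested block
            section += "/" + line.split("=")[0].strip().upper()
        elif line == "}":
            section = section.rsplit("/", 1)[0]
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            conf.setdefault(section, {})[key.lower()] = val
    return conf

def check_ad_member(smb_conf, krb5_conf):
    """Return a list of mismatches between smb.conf and krb5.conf for an AD member server (assumed checks)."""
    g, k, findings = parse_conf(smb_conf)["global"], parse_conf(krb5_conf), []
    lib = k.get("libdefaults", {})
    realm = g.get("realm", "").upper()
    if realm != lib.get("default_realm", "").upper():
        findings.append("smb.conf realm differs from krb5.conf default_realm")
    if lib.get("dns_lookup_kdc", "true").lower() == "false" and "kdc" not in k.get("realms/" + realm, {}):
        findings.append("dns_lookup_kdc is false but no kdc is listed for " + realm)
    if k.get("domain_realm", {}).get("." + realm.lower(), "").upper() != realm:
        findings.append("domain_realm has no mapping for ." + realm.lower())
    sep, wg = g.get("winbind separator", "\\"), g.get("workgroup", "").upper()
    for user in g.get("admin users", "").split():       # winbind names are WORKGROUP<sep>user
        if sep in user and user.split(sep, 1)[0].upper() != wg:
            findings.append("admin users entry %r is not prefixed with workgroup %s" % (user, wg))
    return findings

if __name__ == "__main__":
    for f in check_ad_member(SMB_CONF, KRB5_CONF):
        print("FINDING:", f)
```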