[Samba] member server and kerberos

Mark Le Noury markl at bbd.co.za
Fri Oct 15 14:58:42 GMT 2004


Hi,

I had the exact same problem yesterday - which I managed to somehow
correct.

What I think happened was that after I had re-compiled kerberos support
into samba, I forgot to copy the new libnss_winbind.so to the /lib
directory.

Once I had copied the new library, I did a "killall -9 winbindd" and a
"service smb stop" and then restarted it all again. It just seemed to
work after that. 

But I am just taking a huge guess about that being the cause - it could
have been something else that I changed by mistake.


I also found it necessary to build and install krb5-1.3.5 from MIT in
order to get everything to work correctly together. The older version of
kerberos that came with my distribution just wasn't happy talking to my
windows server. (Although I am using windows server 2003)


Thanks,

Mark
-----Original Message-----
From: samba-bounces+markl=bbd.co.za at lists.samba.org
[mailto:samba-bounces+markl=bbd.co.za at lists.samba.org] On Behalf Of
thomas constans
Sent: 15 October 2004 04:46 PM
To: samba at lists.samba.org
Subject: [Samba] member server and kerberos


hello

I have been struggling for too long trying to set up the following
configuration:

debian samba 3 member server of a win 2000 AD

here is my configuration:

## smb.conf ##
[global]
log level = 4
interfaces = 192.168.10.11/255.255.255.0
workgroup = datom
realm = datom.dyndns.org
server string = samba membre
security = ads
netbios name = cafeine

log file = /var/log/samba/samba.log
max log size = 50
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = nicotine.datom.dyndns.org
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
domain logons = no
dns proxy = no
obey pam restrictions = Yes
winbind separator = /
inherit acls = yes
inherit permissions = yes
admin users = DATOM.DYNDNS.ORG/administrateur
winbind enum users = yes
winbind enum groups = yes

[share]
comment = partage
path = /home/samba
browseable = yes


## krb5.conf ##

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
#ticket_lifetime = 24000
default_realm = DATOM.DYNDNS.ORG
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DATOM.DYNDNS.ORG = {
  kdc = NICOTINE.DATOM.DYNDNS.ORG:88
  admin_server = DATOM.DYNDNS.ORG:749
  default_domain = DATOM.DYNDNS.ORG
}
[domain_realm]
.datom.dyndns.org = DATOM.DYNDNS.ORG
datom.dyndns.org = DATOM.DYNDNS.ORG
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

## nsswitch.conf ##


passwd:        files winbind #ldap
group:         files winbind #ldap
shadow:        files #ldap


tests performed:
# kinit administrateur + mdp -> ok
# net ads join
[2004/10/15 16:30:32, 0] libads/ldap.c:ads_add_machine_acct(1283)
  ads_add_machine_acct: Host account for cafeine already exists - modifying old account
Using short domain name -- DATOM
Joined 'CAFEINE' to realm 'DATOM.DYNDNS.ORG'

# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrateur@DATOM.DYNDNS.ORG

Valid starting     Expires            Service principal
10/15/04 13:50:20  10/15/04 23:50:20  krbtgt/DATOM.DYNDNS.ORG@DATOM.DYNDNS.ORG
10/15/04 13:50:54  10/15/04 23:50:20  nicotine$@DATOM.DYNDNS.ORG
10/15/04 13:50:55  10/15/04 23:50:20  kadmin/changepw@DATOM.DYNDNS.ORG

# wbinfo -D datom
Name              : DATOM
Alt_Name          : datom.dyndns.org
SID               : S-1-5-21-1214440339-616249376-839522115
Active Directory  : Yes
Native            : No
Primary           : Yes
Sequence          : -1

# wbinfo -g  
BUILTIN/System Operators
BUILTIN/Replicators
BUILTIN/Guests
BUILTIN/Power Users
BUILTIN/Print Operators
BUILTIN/Administrators
BUILTIN/Account Operators
BUILTIN/Backup Operators
BUILTIN/Users

BUT

# wbinfo -u
Error looking up domain users

I suspect a kerberos configuration issue, because if I revert to a
security = domain model, everything works perfectly.

Can anybody shed some light on this?

Thanks in advance

-- 
thomas constans <thomas.constans at opendoor.fr>
openDoor.fr
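The thread turns on three files having to agree with each other (smb.conf, krb5.conf and nsswitch.conf) and on the winbind NSS module actually being installed where libc will load it. Below is an added example, not code from either poster or from the Samba project: a small POSIX sh checker that parses the ini-style files with awk, cross-checks the realm and security mode, confirms that passwd and group consult winbind, and looks for a libnss_winbind.so in a list of library directories. The sample files it writes are constructed from the settings quoted in the thread; the function names and the directory list are this example's own assumptions, and a real box would be checked by pointing the functions at /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the three files an ADS
# member server depends on before restarting winbindd.  Sample files are
# constructed from the thread's settings; point the functions at the real
# /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf to check a box.

# Print the value of KEY in [SECTION] of an ini-style file (smb.conf and
# krb5.conf both qualify).  Section and key match case-insensitively and
# surrounding whitespace is ignored; '#' comment lines never match.
ini_opt() {   # usage: ini_opt FILE SECTION KEY
    awk -v sect="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            insect = (tolower(s) == sect); next
        }
        insect && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
                sub(/[[:space:]]+$/, "", v); print v; exit
            }
        }' "$1"
}

# Exit 0 if database DB (passwd, group, ...) lists winbind in nsswitch.conf,
# ignoring anything after a '#' (the thread's "#ldap" tails).
nss_has_winbind() {   # usage: nss_has_winbind FILE DB
    awk -v db="$2" '
        { sub(/#.*/, "") }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Exit 0 if a libnss_winbind.so* exists in any of the given directories.
# libc only loads the module from its library path, so a copy left in the
# Samba build tree (the slip Mark describes) is never used.
nss_winbind_module_present() {   # usage: nss_winbind_module_present DIR...
    for d in "$@"; do
        for f in "$d"/libnss_winbind.so*; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# Cross-check the three files; prints each finding, returns 0 when consistent.
# Realms compare case-insensitively: the thread's smb.conf writes the realm
# in lower case while krb5.conf uses the upper-case form.
check_member_config() {   # usage: check_member_config SMBCONF KRB5CONF NSSWITCH
    rc=0
    sec=$(ini_opt "$1" global security | tr 'A-Z' 'a-z')
    smb_realm=$(ini_opt "$1" global realm | tr 'a-z' 'A-Z')
    krb_realm=$(ini_opt "$2" libdefaults default_realm | tr 'a-z' 'A-Z')
    if [ "$sec" != "ads" ]; then
        echo "smb.conf: security = '$sec', expected ads for a Kerberos member"; rc=1
    fi
    if [ -z "$smb_realm" ] || [ "$smb_realm" != "$krb_realm" ]; then
        echo "realm mismatch: smb.conf '$smb_realm' vs krb5.conf '$krb_realm'"; rc=1
    fi
    for db in passwd group; do
        nss_has_winbind "$3" "$db" ||
            { echo "nsswitch.conf: '$db' does not consult winbind"; rc=1; }
    done
    [ $rc -eq 0 ] && echo "smb.conf, krb5.conf and nsswitch.conf agree"
    return $rc
}

# Write constructed sample files (values taken from the thread) into DIR.
make_samples() {   # usage: make_samples DIR
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = datom
   realm = datom.dyndns.org
   security = ads
   password server = nicotine.datom.dyndns.org
   winbind separator = /
[share]
   path = /home/samba
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
#ticket_lifetime = 24000
 default_realm = DATOM.DYNDNS.ORG
 dns_lookup_kdc = false
[realms]
 DATOM.DYNDNS.ORG = {
  kdc = NICOTINE.DATOM.DYNDNS.ORG:88
 }
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:        files winbind #ldap
group:         files winbind #ldap
shadow:        files #ldap
EOF
}

# Stand-alone run: check the constructed samples, then look for the module
# in the usual library directories (an assumed list, adjust per distribution).
tmp=$(mktemp -d); make_samples "$tmp"
check_member_config "$tmp/smb.conf" "$tmp/krb5.conf" "$tmp/nsswitch.conf"
nss_winbind_module_present /lib /lib64 /usr/lib /usr/lib64 ||
    echo "no libnss_winbind.so found under /lib, /lib64, /usr/lib or /usr/lib64"
rm -rf "$tmp"
```

The parser deliberately stops at the first match in the requested section and skips the nested `{ ... }` realm blocks, so it is only meant for the flat keys checked here (security, realm, default_realm); if all four checks pass and `wbinfo -u` still fails, the remaining suspects are on the domain side rather than in these files, which is as far as the thread itself gets.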
