[Samba] Samba and Active Directory

Kevin Riggins kevin.riggins at comdev.com
Tue Oct 19 20:01:05 GMT 2004 

I had to add the following lines to the [libdefaults] section of my
/etc/krb5.conf file to get it working:

  default_tgs_enctypes = rc4-hmac
  default_tkt_enctypes = rc4-hmac
  dns_lookup_realm = false
  dns_lookup_kdc = false

This assumes you are trying to connect to a Win2K Domain Controller.  I
don't know if it works with a 2003 server.

Also, since your kinit was successful, the -U parameter is unnecessary
when using smbclient -k.

ex.  smbclient -k //fs02/Share

Kevin


-----Original Message-----
From: Mike Kelly [mailto:mike at piratehaven.org] 
Sent: Tuesday, October 19, 2004 2:42 PM
To: samba at lists.samba.org
Subject: [Samba] Samba and Active Directory


Hi,

I'm trying to join my Linux file server to an AD domain.  I've looked at
several different documents describing how to do this, but I still am
not
able to get everything to work correctly.

I am able to join my domain, but I cannot use smbclient to connect to
another file server in the domain, nor can I connect to the samba server
from
my desktop PC.

My kerberos tickets seem to be in order:

$ kinit mtkelly at MY.BIG.DOMAIN.LOC
Password for mtkelly at MY.BIG.DOMAIN.LOC:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mtkelly at MY.BIG.DOMAIN.LOC

Valid starting     Expires            Service principal
10/19/04 12:26:21  10/19/04 22:26:25
krbtgt/MY.BIG.DOMAIN.LOC at MY.BIG.DOMAIN.LOC
        renew until 10/19/04 13:26:21

$ smbclient -U mtkelly at my.big.domain.loc -k //fs02/Share
session setup failed: NT_STATUS_LOGON_FAILURE

Even with debug enabled, I don't get any clues:

$ smbclient -U mtkelly at my.big.domain.loc -k -d 4 //fs02/Share
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
doing parameter local master = no
doing parameter realm = MY.BIG.DOMAIN.LOC
doing parameter password server = 10.109.40.128
doing parameter workgroup = MYDOMAIN
doing parameter netbios name = FS01
handle_netbios_name: set global_myname to: FS01
doing parameter encrypt passwords = yes
doing parameter security = ads
doing parameter log file = /var/log/samba.log
doing parameter server string = ""
doing parameter winbind separator = +
doing parameter winbind uid = 10000-20000
doing parameter winbind gid = 10000-20000
doing parameter template shell = /bin/bash
doing parameter wins server = 10.109.40.128
doing parameter client use spnego = no
doing parameter use spnego = yes
pm_process() returned Yes
added interface ip=10.109.40.77 bcast=10.109.41.255 nmask=255.255.254.0
Client started (version 3.0.7-2.FC2).
Connecting to 10.109.40.59 at port 445
 session request ok
Serverzone is 25200
session setup failed: NT_STATUS_LOGON_FAILURE

/var/log/samba.log has three error messages which might be related to my
problem:
[2004/10/19 11:46:21, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/10/19 11:51:31, 1] libads/ldap.c:ads_connect(251)
  Failed to get ldap server info
[2004/10/19 12:01:00, 1]
nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist

My smb.conf:
[global]
  local master = no
  realm = MY.BIG.DOMAIN.LOC
  password server = 10.109.40.128
  workgroup = MYDOMAIN
  netbios name = FS01
  encrypt passwords = yes
  security = ads
  log file = /var/log/samba.log
  server string = ""
  winbind separator = +
  winbind uid = 10000-20000
  winbind gid = 10000-20000
  template shell = /bin/bash
  wins server = 10.109.40.128
  client use spnego = no
  use spnego = yes

[Share]
  comment = Share
  browseable = yes
  writable = yes
  guest ok = no
  path = /smb/share



I'm running Fedora Core 2, Samba Version 3.0.7-2.FC2, and kernel
2.6.5-1.358.
Active Directory lives on 10.109.40.128.
The samba server is FS01 at 10.109.40.77.
A windows fileserver is FS02 at 10.109.40.59.

Does anyone have any suggestions about what I might do to get samba
working
correctly?

Thanks,

Mike
(:

-- 
--------Mike at PirateHaven.org-----------------------The_glass_is_too_big-
-------
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list