[Samba] Trouble in Joining Suse 9.3 to Win2k3 Server

Sanjay Upadhyay glowfriend at gmail.com
Mon Aug 8 08:38:29 GMT 2005


Hi Karl,
Thanks for such a detailed reply.
I did as you said, and my domain join worked. Thanks again.
A little clarification: I had done this in SLES9, and there I was 
required to install heimdal-tools, heimdal-libraries, etc. Here I am 
astonished that no such packages are required, nor do I have any Kerberos 
installed.
The kinit program is located at /usr/lib/jvm/jre/bin/kinit
and belongs to the package 'java-1_4_2-sun-1.4.2.06-4' (found that from an RPM 
query).
Anyway, it seems /usr/lib/jvm/jre/bin/kinit is in $PATH, and I can call 
'kinit' from the command line... and astonishingly it worked this time.
Just wondering, are the Suse people packaging Heimdal libraries within 
the Samba packages?

regards


On 8/8/05, Karl.Kirchen at commerzbank.com <Karl.Kirchen at commerzbank.com> 
wrote:
> 
> Hi,
> when you take the "normal" SUSE 9.3 professional you should have all you 
> need for the kerberos part.
> In addition take from Samba.org the 3.0.14a release of samba.
> then do the following:
> - as you have the clocks already in sync, 
> go on to configure the kerberos client.
> as standard domain name and standard realm enter your fully qualified 
> windows domain name in capital letters
> e.g. XX.YYY.COMPANY.COM
> as KDC server address enter the IP address of the machine holding the ADS
> don't tag the AFS settings
> in the enhanced property setting, set lifetime of ticket to 1d as well as 
> renewal time
> tag tickets are forwardable and proxiable, set clock skew to 300
> that's all for kerberos
> the NTP setting should be set to a valid system delivering correct time.
> now things should work.
> your smb.conf should look like this
> [global]
> workgroup = <ads domain name>
> netbios name = <your local machine name>
> server string = Karls linux desktop
> printcap name = cups
> printcap cache time = 750
> printer admin = @ntadmin,root,administrator
> map to guest = Bad User
> cups options = raw
> load printers = yes
> log file = /var/log/samba/%m.log
> max log size = 50
> security = ADS
> password server = <fully qualified name of your ADS machine>
> encrypt passwords = yes
> smb passwd file = /etc/samba/smbpasswd
> unix password sync = no
> passwd program = /etc/bin/passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> pam password change = yes
> obey pam restrictions = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> case sensitive = no
> dns proxy = no
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> 
> winbind use default domain = yes
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> 
> wins server = <your wins server in the domain>
> 
> template shell = /bin/bash
> # %D = domain name, %U = username
> template homedir = /home/%D/%U
> realm = <realm as entered in Kerberos client window all in capital letters>
> username map = /etc/samba/smbusers
> unix extensions = yes
> [homes]
> after this restart the processes or the whole machine.
> now you should be able to issue a kinit command.
> for testing purposes create a local unix user with exactly the same 
> username as in the ads without the preceding domain 
> name and a different password as used in the ADS
> try kinit with this user - you should get a prompt asking for the 
> password - enter the one from the windows domain.
> should be successful. you can control this by the command klist.
> after this you can setup the pam to be used for login and so on.
> to automatically mount shares during the login phase look in the net for 
> pam_script.
> regards
> karl
>  
>  ------------------------------
> *From:* Sanjay Upadhyay [mailto:glowfriend at gmail.com] 
> *Sent:* Thursday, August 04, 2005 4:27 PM
> *To:* Karl.Kirchen at commerzbank.com; samba at lists.samba.org
> *Subject:* Re: [Samba] Trouble in Joining Suse 9.3 to Win2k3 Server
> 
> Hi, 
> From the suggestion as you said, I will need to install kerberos packages, 
> as on Suse, building is not what I can do, Can you give me some links... to 
> the required RPMS
> I have done the time sync before the kinit process, and they are 
> absolutely in sync...
> 
> On 8/4/05, Karl.Kirchen at commerzbank.com <Karl.Kirchen at commerzbank.com> 
> wrote: 
> > 
> > Hi,
> > You have not to use heimdal, instead use mit kerberos.
> > 
> > Next point is to check the clocks between systems.
> > 
> > Then it should work
> > 
> > karl
> > 
> > -----Original Message-----
> > From: samba-bounces+karl.kirchen= commerzbank.com at lists.samba.org
> > [mailto:samba-bounces+karl.kirchen=commerzbank.com at lists.samba.org ] On
> > Behalf Of Sanjay Upadhyay
> > Sent: Thursday, August 04, 2005 3:52 PM
> > To: samba at lists.samba.org
> > Subject: [Samba] Trouble in Joining Suse 9.3 to Win2k3 Server
> > 
> > Hi,
> > After installing Suse 9.3 Professional, I am unable to join it to AD.
> > From the Docs (
> > http://www.samba.org/samba/docs/man/Samba3-HOWTO/domain-member.html#ads-member)
> > 
> > it's clear that we need to first get a kerberos ticket... via #>kinit
> > Administrator at REALM
> > 
> > in Suse 9.3, I get this error
> > 
> > susles93WSA:~ # kinit Administrator at HUNGERFORD.KOL
> > Password for Administrator at HUNGERFORD.KOL:dingdong.com
> > Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
> > KrbException: Pre-authentication information was invalid (24)
> > at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
> > at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)
> > at sun.security.krb5.KrbAsReq.getReply(DashoA12275:276)
> > at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:271)
> > at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)
> > Caused by: KrbException: Identifier doesn't match expected value (906)
> > at sun.security.krb5.internal.af.a(DashoA12275:134)
> > at sun.security.krb5.internal.at.a(DashoA12275:63)
> > at sun.security.krb5.internal.at.<init>(DashoA12275:58)
> > at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)
> > 
> > This is kind of a strange error and the kinit program is located at
> > /usr/lib/jvm/jre/bin/kinit and from an RPM query it belongs to the 
> > package
> > 'java-1_4_2-sun-1.4.2.06-4'
> > 
> > when I queried 'rpm -qa | grep heimdal' there was none, meaning heimdal 
> > libraries were not installed, and neither is it in the ISO images.
> > 
> > Hence I wonder if it is at all possible to join a Suse 9.3 to an AD.
> > 
> > Any suggestion would be very helpful..
> > 
> > regards
> > --
> > Sanjay Upadhyay 
> > http://saneax.blogspot.com
> > 
> 
> 
> 
> -- 
> Sanjay Upadhyay
> http://saneax.blogspot.com 
> 
> 


-- 
Sanjay Upadhyay
http://saneax.blogspot.com
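
Added example (not part of the original thread): the messages above trace the failing kinit to /usr/lib/jvm/jre/bin/kinit from the Java package, so this sketch lists every kinit on the PATH in lookup order and labels the ones that live under a jvm or jre directory. The function names and the directory-name heuristic are assumptions of this example; 'rpm -qf <path>' on a reported path gives the owning package.

```shell
#!/bin/sh
# Hypothetical helpers, written for this example only.

# kinit_candidates [PATH-STRING]
# Print "<kind> <path>" for every executable named kinit found in the
# colon-separated search path (default: $PATH), in lookup order.
# kind is "java" when the path contains /jvm/ or /jre/ (assumed
# heuristic for a JRE-bundled Kerberos tool), otherwise "other".
# The body runs in a subshell so the IFS and noglob changes do not leak.
kinit_candidates() (
    search_path=${1:-$PATH}
    set -f          # no filename expansion while splitting the path
    IFS=:
    for dir in $search_path; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the cwd
        candidate=$dir/kinit
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            case $candidate in
                */jvm/*|*/jre/*) kind=java ;;
                *)               kind=other ;;
            esac
            printf '%s %s\n' "$kind" "$candidate"
        fi
    done
)

# kinit_first_kind [PATH-STRING]
# Kind of the kinit the shell would actually run (first match wins);
# prints nothing when no kinit is on the search path.
kinit_first_kind() {
    kinit_candidates "$1" | head -n 1 | cut -d' ' -f1
}

# Report for the current environment: the first line is the binary that
# a bare 'kinit' resolves to.
kinit_candidates "$PATH"
```

If the first line reported is of kind "java", call the intended Kerberos client by its full path or reorder PATH before testing the ticket request again.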

