[Samba] RedHat+Samba+Winbind to ADS
Antón
avelo at optaresolutions.com
Wed Feb 16 10:49:38 GMT 2005
Hi,
I've a gateway and I want to use squid authenticated with Windows 2000
Active Directory users.
I've a development platform with Debian/Sarge as gateway, and it works.
(samba 3.0.10-1 and Kerberos 1.3.6-1)
On the other side the production platform uses RedHat Enterprise AS3,
initially with Samba 3.0.6 and Kerberos 1.2.7-28. I was not able to use
Active Directory groups without getting smb panic errors in winbindd, so I
updated to Samba 3.0.9-1.3E.2 and Kerberos 1.2.7-38 (last available
updates).
Now I have the following troubles with Kerberos/winbind.
If I do not set encryption types in krb5.conf (as in the working Debian
platform), winbind fails with the following errors:
|ads_krb5_mk_req: krb5_get_credentials failed for PDC$@TEST.COM (No
credentials found with supported encryption types)
|spnego_gen_negTokenTarg failed: No credentials found with supported
encryption types
|failed kerberos session setup with No credentials found with supported
encryption types
but kinit and klist work, and wbinfo -t also works, but wbinfo -u and
wbinfo -g give an error.
getent passwd -s winbind and getent group -s winbind don't work.
Also, net ads join gives an error (but the computer was previously joined
OK).
wbinfo --sequence shows:
GATEWAY : 1
BUILTIN : 1
TEST : DISCONNECTED
Configuration files are:
-------------krb5.conf-------------------------------
[libdefaults]
default_realm = TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_timesync = 1
forwardable = true
proxiable = true
[realms]
TEST.COM = {
kdc = PDC
admin_server = PDC
default_domain = TEST
}
[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
-------------krb5.conf-------------------------------
PDC address is included in /etc/hosts
-------------nsswitch.conf---------------------------
···
passwd: files winbind
shadow: files
group: files winbind
···
-------------nsswitch.conf---------------------------
-------------smb.conf--------------------------------
···
workgroup = TEST
netbios name = GATEWAY
realm = TEST.COM
security = ads
encrypt passwords = yes
password server = PDC
interfaces = 192.168.254.1/16
winbind separator = /
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = true
time server = Yes
######winbind nested groups = true
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes
obey pam restrictions = Yes
passdb backend = tdbsam, guest
log level = 2 winbind:10 ads:10 auth:10
···
-------------smb.conf--------------------------------
The last options were included to replicate the testparm -v output obtained
on the Debian development installation.
After some tests, I was able to avoid the encryption type error using the
following configuration in krb5.conf:
-------------krb5.conf-------------------------------
[libdefaults]
default_realm = TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_timesync = 1
forwardable = true
proxiable = true
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
[realms]
TEST.COM = {
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc
kdc = PDC
admin_server = PDC
default_domain = TEST
}
[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
-------------krb5.conf-------------------------------
Choosing other enctypes in some parameters (default_tkt_enctypes,
default_tgs_enctypes) gives me the same error as above.
But this configuration also doesn't work fine. I get the following error
with winbindd:
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
kinit and klist work.
wbinfo -t returns the following error:
|checking the trust secret via RPC calls failed
|error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
|Could not check secret
but wbinfo -u and wbinfo -t work fine.
getent passwd -s winbind and getent group -s winbind also work.
wbinfo --sequence shows:
GATEWAY : 1
BUILTIN : 1
TEST : 2951992
It seems that the troubles with one configuration are solved with the other
one and vice versa, but I cannot get ALL working simultaneously...
Does anybody have some light on this?
Thanks
Antón
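Editor's note on the second krb5.conf above: pinning default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes to des-cbc-crc forces every ticket the gateway obtains, including the machine account's TGT, onto 56-bit single DES. That is a downgrade a practitioner should refuse on a production gateway. The symptom "No credentials found with supported encryption types" on MIT Kerberos 1.2.7 is also consistent with that library predating arcfour-hmac-md5 (RC4-HMAC), the enctype a Windows 2000 DC issues by default and which the 1.3 series on the Debian box does support. The script below is an added example (not code from the original post, nor from Samba or MIT Kerberos) that checks for the downgrade offline: it classifies the enctypes that `klist -e` reports per ticket, counts tickets on single DES, and lists [libdefaults] enctype settings pinned to DES only. The klist output and krb5.conf it reads are constructed samples; the function names, the principal, the host and the cache path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of Samba/MIT Kerberos.
# Offline checks for the des-cbc-crc workaround:
#   audit_klist        - classify the enctypes `klist -e` reports per ticket
#   count_des_tickets  - how many of those tickets use single DES
#   krb5conf_des_only  - [libdefaults] enctype settings pinned to single DES
# The klist output and krb5.conf below are constructed samples; principal,
# host and cache path in them are placeholders.

# classify_enctype NAME -> des | des3 | rc4 | aes | unknown
# Accepts the MIT short name (des-cbc-crc, arcfour-hmac-md5) and the
# descriptive form older klist builds print ("DES cbc mode with CRC-32").
classify_enctype() {
    _n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$_n" in
        *des3*|*triple*)   echo des3 ;;
        *aes*)             echo aes ;;
        *arcfour*|*rc4*)   echo rc4 ;;
        *des*)             echo des ;;
        *)                 echo unknown ;;
    esac
}

# audit_klist < "klist -e output"
# One line per ticket: "<service principal> <session-key class> <ticket class>"
audit_klist() {
    awk '
        # ticket rows start with a date and end with the service principal
        $1 ~ /^[0-9]/ && $NF ~ /@/ { princ = $NF; next }
        /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            split($0, e, /, */)
            print princ "|" e[1] "|" e[2]
        }
    ' | while IFS='|' read -r princ skey tkt; do
        printf '%s %s %s\n' "$princ" \
            "$(classify_enctype "$skey")" "$(classify_enctype "$tkt")"
    done
}

# count_des_tickets < "klist -e output" -> tickets whose session key or
# ticket is protected with single DES
count_des_tickets() {
    audit_klist | awk '$2 == "des" || $3 == "des" { n++ } END { print n + 0 }'
}

# krb5conf_des_only < krb5.conf
# Prints each [libdefaults] enctype setting whose value is single DES only.
krb5conf_des_only() {
    awk -F= '
        /^[ \t]*\[/ { sect = $0; next }
        sect ~ /\[libdefaults\]/ && \
        $1 ~ /(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)/ {
            key = $1; gsub(/[ \t]/, "", key)
            n = split($2, t, /[ \t,]+/); only = 1
            for (i = 1; i <= n; i++)
                if (t[i] != "" && t[i] !~ /^des-cbc-(crc|md4|md5)$/) only = 0
            if (only) print key
        }
    '
}

# Constructed sample: a TGT obtained under the des-cbc-crc pin and a CIFS
# ticket obtained without it (RC4-HMAC, the Windows AD default).
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: GATEWAY$@TEST.COM

Valid starting     Expires            Service principal
02/16/05 10:30:00  02/16/05 20:30:00  krbtgt/TEST.COM@TEST.COM
	Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
02/16/05 10:31:02  02/16/05 20:30:00  cifs/pdc.test.com@TEST.COM
	Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
EOF
}

# Constructed sample mirroring the [libdefaults] pin from the post.
sample_krb5conf() {
    cat <<'EOF'
[libdefaults]
 default_realm = TEST.COM
 default_tgs_enctypes = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc
 permitted_enctypes = des-cbc-crc
[realms]
 TEST.COM = {
  kdc = PDC
 }
EOF
}

sample_klist | audit_klist
printf 'tickets on single DES: %s\n' "$(sample_klist | count_des_tickets)"
sample_krb5conf | krb5conf_des_only
```

On a live host, replace the sample functions with `klist -e | audit_klist` and `krb5conf_des_only < /etc/krb5.conf`; any ticket classified `des`, or any setting printed by krb5conf_des_only, is the downgrade in effect.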