[Samba] RedHat+Samba+Winbind to ADS

Greg Folkert greg at gregfolkert.net
Wed Feb 16 15:09:36 GMT 2005


On Wed, 2005-02-16 at 11:49 +0100, Antón wrote:
> Hi,
> 
> I've a gateway and I want to use squid authenticated with Windows 2000
> Active Directory users.
> 
> I've a development platform with Debian/Sarge as gateway, and it works.
> (samba 3.0.10-1 and Kerberos 1.3.6-1)
> 
> On the other side the production platform uses RedHat Enterprise AS3,
> initially with Samba 3.0.6 and Kerberos 1.2.7-28. I was not able to use
> Active Directory groups without getting smb panic errors in winbindd, so I
> updated to Samba 3.0.9-1.3E.2 and Kerberos 1.2.7-38 (latest available
> updates).

You *ABSOLUTELY MUST USE* a version of MIT Kerberos5 v1.3.1 or newer.

For a good example of getting a newer version of mit krb5 (v1.4) see
bug:

https://bugzilla.samba.org/show_bug.cgi?id=2309

You can use the configure line as is for mit krb5 v1.3.3 and above
currently. It will work with RHAS, by installing on top of the RPM.

A recommendation: don't use v1.4 unless you want to add patches to the
3.0.11 version of samba. You can just install on top of the RHAS samba
version as well.

Make sure you use the configure for samba as I did.

Both configure commands are for "RHAS" compatibility for existing
installs via RPM.

The patch(es) for 3.0.11 used for v1.4 of mit krb5 and other things are:

http://samba.org/~jerry/patches/post-3.0.11/

> Now I have the following troubles with kerberos-winbind.
> If I do not set encryption types in krb5.conf (as in the debian working
> platform), winbind fails with the following errors:
> 
> |ads_krb5_mk_req: krb5_get_credentials failed for PDC$@TEST.COM (No
> credentials found with supported encryption types)
> |spnego_gen_negTokenTarg failed: No credentials found with supported
> encryption types
> |failed kerberos session setup with No credentials found with supported
> encryption types
> 
> but kinit and klist work, wbinfo -t also works, but wbinfo -u and
> wbinfo -g give an error.
> getent passwd -s winbind and getent group -s winbind don't work.
> Also, net ads join gives an error (but the computer was previously joined
> ok).
> wbinfo --sequence shows:
> GATEWAY : 1
> BUILTIN : 1
> TEST : DISCONNECTED
> 
> 
> Configuration files are:
> 
> -------------krb5.conf-------------------------------
> [libdefaults]
>  default_realm = TEST.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  kdc_timesync = 1
>  forwardable = true
>  proxiable = true
> 
> [realms]
>  CIKAUTXO.ES ={
>   kdc = PDC
>   admin_server = PDC
>   default_domain = TEST
>  }
> 
> [domain_realm]
>  .test.com = TEST.COM
>  test.com = TEST.COM
> -------------krb5.conf-------------------------------
> 
> PDC address is included in /etc/hosts
> 
> -------------nsswitch.conf---------------------------
> ···
> passwd:     files winbind
> shadow:     files
> group:      files winbind
> ···
> -------------nsswitch.conf---------------------------
> -------------smb.conf--------------------------------
> ···
>    workgroup = TEST
>    netbios name = GATEWAY
>    realm = TEST.COM
>    security = ads
>    encrypt passwords = yes
>    password server = PDC
>    interfaces = 192.168.254.1/16
>    winbind separator = /
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind use default domain = true
>    time server = Yes
>    ######winbind nested groups = true
> 
>    client NTLMv2 auth = No
>    client lanman auth = Yes
>    client plaintext auth = Yes
>    obey pam restrictions = Yes
>    passdb backend = tdbsam, guest
> 
>    log level = 2 winbind:10 ads:10 auth:10
> 
> ···
> -------------smb.conf--------------------------------
> The last options were included to replicate the testparm -v output obtained
> in the debian development installation.
> 
> After some tests, I was able to avoid the encryption type error, using the
> following configuration in krb5.conf
> -------------krb5.conf-------------------------------
> [libdefaults]
>  default_realm = TEST.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  kdc_timesync = 1
>  forwardable = true
>  proxiable = true
>  default_tgs_enctypes = des-cbc-crc
>  default_tkt_enctypes = des-cbc-crc
>  permitted_enctypes = des-cbc-crc
> 
> 
> [realms]
>  CIKAUTXO.ES ={
>   master_key_type = des-cbc-crc
>   supported_enctypes = des-cbc-crc
>   kdc = PDC
>   admin_server = PDC
>   default_domain = TEST
>  }
> 
> [domain_realm]
>  .test.com = TEST.COM
>  test.com = TEST.COM
> -------------krb5.conf-------------------------------
> Choosing other enctypes in some params (default_tkt_enctypes
> default_tgs_enctypes ) gives me the same error as above
> 
> But this configuration also doesn't work fine. I get the following error
> with winbindd
> 
> |Doing kerberos session setup
> |failed tcon_X with NT_STATUS_ACCESS_DENIED
> 
> kinit and klist work.
> wbinfo -t returns the following error:
> |checking the trust secret via RPC calls failed
> |error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> |Could not check secret
> but wbinfo -u and wbinfo -t work fine
> getent passwd -s winbind and getent group -s winbind also work
> wbinfo --sequence shows:
> GATEWAY : 1
> BUILTIN : 1
> TEST : 2951992
> 
> It seems that troubles with one configuration are solved with the other
> one and reverse, but I cannot get ALL working simultaneously...
> 
> Does anybody have some light on this?

-- 
greg, greg at gregfolkert.net

The technology that is
Stronger, better, faster:  Linux
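The two things worth checking in the quoted krb5.conf, as an added example that is not part of this thread: a small Python lint that parses a krb5.conf and flags enctype settings pinned to single DES (the workaround used above) and a default_realm with no matching [realms] block (the quoted file names the realm CIKAUTXO.ES while default_realm is TEST.COM). The sample configuration is a constructed, trimmed copy of the second quoted krb5.conf, and the parser handles only the subset of krb5.conf syntax used there.

```python
import re
# Constructed sample: a trimmed copy of the second krb5.conf quoted above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = TEST.COM
 default_tgs_enctypes = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc
 permitted_enctypes = des-cbc-crc
[realms]
 CIKAUTXO.ES ={
  supported_enctypes = des-cbc-crc
  kdc = PDC
 }
"""
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def parse_krb5_conf(text):
    """Return {section: {key: value}}; "REALM = { ... }" blocks nest under [realms]."""
    conf, section, realm = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                   # new [section]
            section = conf.setdefault(m.group(1), {})
            realm = None
        elif line.endswith("{"):                # start of a "REALM = {" block
            realm = line[:-1].rstrip(" =")
            section[realm] = {}
        elif line == "}":
            realm = None
        else:
            key, _, value = line.partition("=")
            (section[realm] if realm else section)[key.strip()] = value.strip()
    return conf

def lint(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    conf = parse_krb5_conf(text)
    lib, realms, findings = conf.get("libdefaults", {}), conf.get("realms", {}), []
    for key in ENCTYPE_KEYS:                    # the DES-only pinning used as a workaround above
        types = set(lib.get(key, "").split())
        if types and types <= SINGLE_DES:
            findings.append(f"{key} allows only single-DES: {' '.join(sorted(types))}")
    if lib.get("default_realm") and lib["default_realm"] not in realms:
        findings.append(f"default_realm {lib['default_realm']} has no [realms] block "
                        f"(blocks present: {', '.join(realms) or 'none'})")
    return findings
```

Running `lint(SAMPLE_KRB5_CONF)` reports all three libdefaults enctype keys plus the missing TEST.COM realm block; a file that lists a stronger enctype alongside DES is not flagged.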