[Samba] RedHat+Samba+Winbind to ADS
Greg Folkert
greg at gregfolkert.net
Wed Feb 16 15:09:36 GMT 2005
On Wed, 2005-02-16 at 11:49 +0100, Antón wrote:
> Hi,
>
> I've a gateway and I want to use squid authenticated with Windows 2000
> Active Directory users.
>
> I've a development platform with Debian/Sarge as gateway, and it works.
> (samba 3.0.10-1 and Kerberos 1.3.6-1)
>
> On the other side the production platform uses RedHat Enterprise AS3,
> initially with Samba 3.0.6 and Kerberos 1.2.7-28. I was not able to use
> Active Directory groups without getting smb panic errors in winbindd, so I
> updated to Samba 3.0.9-1.3E.2 and Kerberos 1.2.7-38 (last available
> updates).
You *ABSOLUTELY MUST USE* a version of MIT Kerberos5 v1.3.1 or newer.
For a good example of getting a newer version of mit krb5 (v1.4) see
bug:
https://bugzilla.samba.org/show_bug.cgi?id=2309
You can use the configure line as is for mit krb5 v1.3.3 and above
currently. It will work with RHAS, by installing over the top of the RPM.
A recommendation: don't use v1.4 unless you want to add patches to the
3.0.11 version of Samba. You can just install over the top of the RHAS Samba
version as well.
Make sure you use the configure for samba as I did.
Both configure commands are for "RHAS" compatibility for existing
installs via RPM.
The patch(es) for 3.0.11 used for v1.4 of mit krb5 and other things are:
http://samba.org/~jerry/patches/post-3.0.11/
> Now I've the following troubles with kerberos-winbind.
> If I do not set encryption types in krb5.conf (as in the Debian working
> platform), winbind fails with the following errors:
>
> |ads_krb5_mk_req: krb5_get_credentials failed for PDC$@TEST.COM (No
> credentials found with supported encryption types)
> |spnego_gen_negTokenTarg failed: No credentials found with supported
> encryption types
> |failed kerberos session setup with No credentials found with supported
> encryption types
>
> but kinit and klist work, wbinfo -t also works, but wbinfo -u and
> wbinfo -g give an error.
> getent passwd -s winbind and getent group -s winbind don't work.
> Also, net ads join gives an error (but the computer was previously joined
> ok)
> wbinfo --sequence shows:
> GATEWAY : 1
> BUILTIN : 1
> TEST : DISCONNECTED
>
>
> Configuration files are:
>
> -------------krb5.conf-------------------------------
> [libdefaults]
> default_realm = TEST.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> kdc_timesync = 1
> forwardable = true
> proxiable = true
>
> [realms]
> CIKAUTXO.ES ={
> kdc = PDC
> admin_server = PDC
> default_domain = TEST
> }
>
> [domain_realm]
> .test.com = TEST.COM
> test.com = TEST.COM
> -------------krb5.conf-------------------------------
>
> PDC address is included in /etc/hosts
>
> -------------nsswitch.conf---------------------------
> ···
> passwd: files winbind
> shadow: files
> group: files winbind
> ···
> -------------nsswitch.conf---------------------------
> -------------smb.conf--------------------------------
> ···
> workgroup = TEST
> netbios name = GATEWAY
> realm = TEST.COM
> security = ads
> encrypt passwords = yes
> password server = PDC
> interfaces = 192.168.254.1/16
> winbind separator = /
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = true
> time server = Yes
> ######winbind nested groups = true
>
> client NTLMv2 auth = No
> client lanman auth = Yes
> client plaintext auth = Yes
> obey pam restrictions = Yes
> passdb backend = tdbsam, guest
>
> log level = 2 winbind:10 ads:10 auth:10
>
> ···
> -------------smb.conf--------------------------------
> The last options were included to replicate the testparm -v output obtained
> in the Debian development installation.
>
> After some test, I was able to avoid encryption type error, using the
> following configuration in krb5.conf
> -------------krb5.conf-------------------------------
> [libdefaults]
> default_realm = TEST.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> kdc_timesync = 1
> forwardable = true
> proxiable = true
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> permitted_enctypes = des-cbc-crc
>
>
> [realms]
> CIKAUTXO.ES ={
> master_key_type = des-cbc-crc
> supported_enctypes = des-cbc-crc
> kdc = PDC
> admin_server = PDC
> default_domain = TEST
> }
>
> [domain_realm]
> .test.com = TEST.COM
> test.com = TEST.COM
> -------------krb5.conf-------------------------------
> Choosing other enctypes in some params (default_tkt_enctypes,
> default_tgs_enctypes) gives me the same error as above.
>
> But this configuration doesn't work properly either. I get the following error
> with winbindd:
>
> |Doing kerberos session setup
> |failed tcon_X with NT_STATUS_ACCESS_DENIED
>
> kinit and klist work.
> wbinfo -t returns the following error:
> |checking the trust secret via RPC calls failed
> |error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> |Could not check secret
> but wbinfo -u and wbinfo -t work fine.
> getent passwd -s winbind and getent group -s winbind also work.
> wbinfo --sequence shows:
> GATEWAY : 1
> BUILTIN : 1
> TEST : 2951992
>
> It seems that troubles with one configuration are solved with the other
> one and reverse, but I cannot get ALL working simultaneously...
>
> Does anybody have some light on this?
--
greg, greg at gregfolkert.net
The technology that is
Stronger, better, faster: Linux
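Two things in the quoted krb5.conf are worth checking mechanically before chasing winbind: the [realms] stanza is named CIKAUTXO.ES while default_realm and the [domain_realm] mappings say TEST.COM, so that stanza's kdc/admin_server settings never apply to the realm actually in use, and the workaround pins every enctype to des-cbc-crc, which forces single-DES tickets. The script below is an added example, not part of the original thread or of Samba/MIT krb5: a small krb5.conf parser plus a lint pass that reports undefined realms, single-DES and RC4 enctype pins, and master_key_type/supported_enctypes, which are kdc.conf [realms] options and have no effect in a client's krb5.conf. The two embedded configs are constructed for the example; the first mirrors the posted one, the second is a cleaned-up version with the realm names agreeing and no enctype pins. Nothing here talks to a KDC.

```python
"""Lint a krb5.conf for realm-name mismatches and weak enctype pins.
Added example (not from the thread or any project); runs offline."""
import re

# Single-DES enctype names MIT krb5 accepts; all are broken today.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des"}
# RC4-HMAC aliases: still negotiated by old AD, but deprecated.
LEGACY_ENCTYPES = {"arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes", "supported_enctypes", "master_key_type")
# These belong in kdc.conf [realms]; the client library ignores them.
KDC_ONLY_KEYS = {"master_key_type", "supported_enctypes"}


def parse_krb5_conf(text):
    """Return {section: {key: value}}; '{ }' groups become nested dicts.
    Repeated keys (several 'kdc =' lines) are collected into a list."""
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            stack = []
            continue
        if section is None:
            raise ValueError(f"key outside any section: {raw!r}")
        target = stack[-1] if stack else section
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*\{$", line)   # e.g. 'TEST.COM = {' or 'X ={'
        if m:
            stack.append(target.setdefault(m.group(1), {}))
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if key in target:
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    if stack:
        raise ValueError("unbalanced '{'")
    return conf


def lint_krb5_conf(conf):
    """Return a list of human-readable findings; empty list means clean."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if default_realm is None:
        findings.append("libdefaults: no default_realm set")
    elif default_realm not in realms:
        findings.append(f"realms: no stanza for default_realm {default_realm}; "
                        f"defined realms: {sorted(realms) or 'none'}")
    for dom, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"domain_realm: {dom} maps to undefined realm {realm}")

    def check_enctypes(where, key, value):
        vals = value if isinstance(value, list) else [value]
        for et in " ".join(vals).replace(",", " ").split():
            if et.lower() in WEAK_ENCTYPES:
                findings.append(f"{where}: {key} pins single-DES enctype {et}")
            elif et.lower() in LEGACY_ENCTYPES:
                findings.append(f"{where}: {key} allows legacy enctype {et}")

    for key in ENCTYPE_KEYS:
        if key in libdefaults:
            check_enctypes("libdefaults", key, libdefaults[key])
    for realm, body in realms.items():
        for key in ENCTYPE_KEYS:
            if key in body:
                if key in KDC_ONLY_KEYS:
                    findings.append(f"realms/{realm}: {key} is a kdc.conf option, "
                                    "ignored by the client library")
                check_enctypes(f"realms/{realm}", key, body[key])
    return findings


# Constructed sample: shape of the config quoted in the thread.
POSTED_CONF = """
[libdefaults]
default_realm = TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
[realms]
CIKAUTXO.ES ={
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc
kdc = PDC
admin_server = PDC
default_domain = TEST
}
[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
"""

# Constructed sample: realm names agree, no enctype pins (hostname assumed).
HARDENED_CONF = """
[libdefaults]
default_realm = TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
[realms]
TEST.COM = {
kdc = pdc.test.com
admin_server = pdc.test.com
default_domain = test.com
}
[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for f in lint_krb5_conf(parse_krb5_conf(text)) or ["clean"]:
            print(" ", f)
```

Run it against a real /etc/krb5.conf by reading the file into parse_krb5_conf. The enctype lists are the point: letting the client and the KDC negotiate the strongest common enctype is the normal fix, and pinning to des-cbc-crc should only ever be a diagnostic step, never the configuration that ships.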