[Samba] RedHat+Samba+Winbind to ADS
Anton Velo
avelo at optaresolutions.com
Mon Feb 21 13:14:50 GMT 2005
On Friday 18 February 2005 23:28, Andrew Bartlett wrote:
AB> On Wed, 2005-02-16 at 10:09 -0500, Greg Folkert wrote:
AB> > On Wed, 2005-02-16 at 11:49 +0100, Antón wrote:
AB> > > Hi,
AB> > >
AB> > > I 've a gateway and I want to use squid authenticated with Windows 2000
AB> > > Active Directory users.
AB> > >
AB> > > I've a development platform with Debian/Sarge as gateway, and it works.
AB> > > (samba 3.0.10-1 and Kerberos 1.3.6-1)
AB> > >
AB> > > On the other side the production platform uses RedHat Enterprise AS3,
AB> > > initially with Samba 3.0.6 and Kerberos 1.2.7-28. I was not able to use
AB> > > Active directory groups without get smb panic errors in winbindd, so I
AB> > > update to Samba 3.0.9-1.3E.2 and Kerberos 1.2.7-38 (last available
AB> > > updates).
AB> >
AB> > You *ABSOLUTELY MUST USE* a version of MIT Kerberos5 v1.3.1 or newer.
AB>
AB> Yes and no. My understanding is that the issues regarding MIT < 1.3.1
AB> have been again resolved, in the latest Samba (including what has been
AB> released for RHEL by RedHat). Linking to another kerberos
AB> implementation is a real pain (you would need to statically link to even
AB> start).
AB>
AB> (Of course, life is much easier with krb5 1.3.1 or later, but I know
AB> what a pain it is for RHEL users)
AB>
AB> I think the issue here is that the machine must be rejoined to the
AB> domain, after the upgrade.
AB>
AB> Andrew Bartlett
AB>
First of all, sincerely, thanks a lot for both answers
Upgrade to kerberos5 > 1.3.1 was a pain but now I've 1.3.4 installed.
Now, If I start winbind without specify any encryption it works, but only parcially.
kinit works.
klist -e returns:
|Ticket cache: FILE:/tmp/krb5cc_0
|Default principal: USER at TEST.COM
|
|Valid starting Expires Service principal
|02/21/05 09:11:49 02/21/05 19:11:42 krbtgt/TEST.COM at TEST.COM
| renew until 02/22/05 09:11:49, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
|
|
|Kerberos 4 ticket cache: /tmp/tkt0
|klist: You have no tickets cached
wbinfo --sequence
|PASARELA : 1
|BUILTIN : 1
|TEST : 2975164
wbinfo -u and -g works
but ...
wbinfo -t
|checking the trust secret via RPC calls failed
|error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
|Could not check secret
error in winbind log is
|accepted socket 18
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn INTERFACE_VERSION
|[20287]: request interface version
|client_write: wrote 1300 bytes.
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn WINBINDD_PRIV_PIPE_DIR
|[20287]: request location of privileged pipe
|client_write: wrote 1300 bytes.
|client_write: need to write 37 extra data bytes.
|client_write: wrote 37 bytes.
|client_write: client_write: complete response written.
|accepted socket 19
|client_read: read 0 bytes. Need 1824 more for a full request.
|read failed on sock 18, pid 20287: EOF
|client_read: read 1824 bytes. Need 0 more for a full request.
|process_request: request fn CHECK_MACHACC
|[20287]: check machine account
|IPC$ connections done anonymously
|connecting to PDC from GATEWAY with kerberos principal [GATEWAY$@TEST.COM]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [GATEWAY$@TEST.COM]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|connecting to PDC from GATEWAY with kerberos principal [GATEWAY$@TEST.COM]
|Doing kerberos session setup
|failed tcon_X with NT_STATUS_ACCESS_DENIED
|Could not open a connection to TEST for \PIPE\NETLOGON (NT_STATUS_ACCESS_DENIED)
|could not open handle to NETLOGON pipe
|Checking the trust account password returned NT_STATUS_ACCESS_DENIED
|client_write: wrote 1300 bytes.
|client_read: read 0 bytes. Need 1824 more for a full request.
|read failed on sock 19, pid 20287: EOF
also, if I try a net join, it works:
net ads join -U user
|users password:
|[2005/02/21 09:14:14, 0] libads/ldap.c:ads_add_machine_acct(1368)
| ads_add_machine_acct: Host account for pasarela already exists - modifying old account
|Using short domain name -- TEST
|Joined 'GATEWAY' to realm 'TEST.COM'
Also I've checked permisions (750 root:squid) for
winbindd_privileged directory
I'm completely missed about what happens
Anton
More information about the samba
mailing list