[Samba] Linux server & client in Win2k3 AD domain

Jonas Printzén jonas at printzen.net
Sun Jan 30 16:08:50 GMT 2005


Hi!

Yes, you are right, sorry it was late... 8-)

I am running Win2k3 from the October release MSDN, with updates.
Linux is FC3 with latest updates.

Samba: 3.0.10
Kerberos: 1.3.6 (MIT I think, rpm is krb5-libs)
DNS: bind-9.2.4 on linux host,
    Internal view allow forward update.
    No backward update. (problem?)

Everything installed as rpm-binaries from FC3-us base/update ...
... see below for config details.

wbinfo -u/-g and getent passwd/group works.
I can login with <domain>+<username> in ssh or su
locally. But as soon as a windows client is involved
I have no luck. And I get "Failed to verify ticket"
in the logs on linux.

Any help would be appreciated!
Even alternative suggestions to how to
integrate auth Win/Linux.

My problem is that my office must be able to
interact with the HK-forest.... (or something AD!? ;) )

/Jonas

PS: Config...

smbd -b =>
----8<----8<----8<----8<----8<----8<----8<----8<----8<----
   HAVE_LDAP_H
   HAVE_LDAP
   HAVE_LDAP_DOMAIN2HOSTLIST
   HAVE_LDAP_INIT
   HAVE_LDAP_INITIALIZE
   HAVE_LDAP_SET_REBIND_PROC
   HAVE_LIBLDAP
   LDAP_SET_REBIND_PROC_ARGS
   HAVE_KRB5_H
   HAVE_ADDRTYPE_IN_KRB5_ADDRESS
   HAVE_KRB5
   HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
   HAVE_KRB5_C_ENCTYPE_COMPARE
   HAVE_KRB5_ENCRYPT_BLOCK
   HAVE_KRB5_ENCRYPT_DATA
   HAVE_KRB5_FREE_DATA_CONTENTS
   HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS
   HAVE_KRB5_FREE_KTYPES
   HAVE_KRB5_FREE_UNPARSED_NAME
   HAVE_KRB5_GET_PERMITTED_ENCTYPES
   HAVE_KRB5_KEYBLOCK_IN_CREDS
   HAVE_KRB5_KEYTAB_ENTRY_KEY
   HAVE_KRB5_KT_FREE_ENTRY
   HAVE_KRB5_LOCATE_KDC
   HAVE_KRB5_MK_REQ_EXTENDED
   HAVE_KRB5_PRINCIPAL2SALT
   HAVE_KRB5_PRINC_COMPONENT
   HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
   HAVE_KRB5_SET_REAL_TIME
   HAVE_KRB5_STRING_TO_KEY
   HAVE_KRB5_TKT_ENC_PART2
   HAVE_KRB5_USE_ENCTYPE
   HAVE_LIBGSSAPI_KRB5
   HAVE_LIBKRB5
---------------------------------------------------------

/etc/krb5.conf is:
----8<----8<----8<----8<----8<----8<----8<----8<----8<----
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HIQ.PRINTZEN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 HIQ.PRINTZEN.NET = {
  kdc = 192.168.1.20
  default_domain = printzen.net
 }

[domain_realm]
 .printzen.net = HIQ.PRINTZEN.NET

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

---------------------------------------------------------

/etc/samba/smb.conf:
----8<----8<----8<----8<----8<----8<----8<----8<----8<----
[global]
unix charset = LOCALE
workgroup = HIQ
realm = HIQ.PRINTZEN.NET
server string = Samba 3.0.10
security = ADS
username map = /etc/samba/smbusers
log level = 3
syslog = 0
log file = /var/log/samba/%m
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
printing = cups

[homes]
comment = Home
valid users = %S
read only = No
browsable = No

[public]
comment = Virtual
path = /home/pub
valid users = %S
read only = No
writeable = Yes
group = users


/etc/pam.d/system-auth:
----8<----8<----8<----8<----8<----8<----8<----8<----8<----
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
-----------------------------------------------------------


/etc/nsswitch.conf:
----8<----8<----8<----8<----8<----8<----8<----8<----8<----
passwd:     compat winbind
group:      compat winbind

hosts:      files dns
networks:   files dns

bootparams: [NOTFOUND=return] files

ethers:     files
netmasks:   files
protocols:  files winbind
rpc:        files
services:   files winbind

netgroup:   files winbind

publickey:  files

automount:  files winbind
aliases:    files

shadow:     files winbind


> Hi,
> you didn't tell us your distribution etc, so this is a bit guesswork.
>
> you need a very recent version of kerberos libraries on your system.
> If you use MIT-kerberos you need at least version 1.3.4.
> For Heimdal I can't recall the exact version.
> Please search the list-archives for the minimal required versions.
> After installing these libraries you'll have to recompile samba against
> them.
> Christoph
>
> Jonas Printzén schrieb:
>> Hello folks!
>>
>> I am trying to make sure we can use Linux/Win2k3 mix in
>> my company. After reading up in the documentation I felt
>> it sounded so good I would probably get there with little effort...
>>
>> Well, halfway there I got fast enough. But that won't do...
>>
>> I have successfully joined the AD-Domain from my Linux host.
>> And I also can authenticate an AD user in the Linux host.
>> I used nsswitch and pam.d/system-auth with winbind...
>>
>> However I can't get to the shared files from a Windows
>> client. I can browse, with a LOT of waiting, so I can see
>> the machine and shares. But I can't login and access files.
>> I tried this both from the Win2k3 AD machine and from my XP
>> desktop.
>>
>> Windows client says the user/password is wrong.
>> In the /var/log/samba/<machine> logfile I get:
>>
>> [2005/01/29 15:21:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>>   Failed to verify incoming ticket!
>>
>> Painful as it is I have to admit I don't know enough to get
>> any further.
>>
>> Please advise!!
>>
>>
>
>
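The /etc/pam.d/system-auth stack posted above mixes "sufficient" entries for pam_unix and pam_winbind with a bracketed control on the account line. The following Python simulation is an added illustration, not part of this thread or of Samba/Linux-PAM, showing how Linux-PAM walks such a stack: which entry grants access for a local user versus a domain user, why the auth stack ends in pam_deny, and why the account line uses "user_unknown=ignore" for pam_winbind instead of a plain "required" (a local account would otherwise be refused). Module return values are supplied by hand (constructed scenarios, since no real modules are called), pam_deny/pam_permit are hard-wired, and jump actions ("N", "reset") are not modelled; those are assumptions of this example.

```python
"""Simulate the Linux-PAM control-flag semantics over a pam.d stack.

Added example for the samba-list thread; it does not call real PAM modules.
Module return values are supplied by the caller as constructed scenarios.
"""
import re

# Linux-PAM's documented expansion of the four simple control keywords.
_KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# Modules whose result never depends on the user (simplified: pam_deny is
# modelled as auth_err for every stack type).
_FIXED_RESULTS = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}

# The stack as posted in the thread (mail line-wrapping rejoined).
SYSTEM_AUTH = """
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so
"""

_LINE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")


def parse_control(token):
    """Turn a control keyword or a [value=action ...] token into a value->action table."""
    if token.startswith("["):
        return dict(pair.split("=", 1) for pair in token.strip("[]").split())
    return dict(_KEYWORDS[token])


def parse_stack(text):
    """Parse pam.d lines into (type, control table, module basename, args)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable pam line: {line!r}")
        mtype, ctrl, module, args = m.groups()
        entries.append((mtype, parse_control(ctrl), module.rsplit("/", 1)[-1], args.split()))
    return entries


def evaluate(text, mtype, results):
    """Walk one stack type ('auth', 'account', ...) and return the final PAM status.

    `results` maps module basename -> return value ('success', 'auth_err',
    'user_unknown', ...); unlisted modules return 'success'.  The impression /
    status bookkeeping mirrors Linux-PAM's pam_dispatch: a later success never
    overrides an earlier recorded failure, 'done' only short-circuits while the
    impression is positive, 'die' always does.
    """
    results = {**_FIXED_RESULTS, **results}
    impression, status = None, "success"
    for etype, control, module, _args in parse_stack(text):
        if etype != mtype:
            continue
        retval = results.get(module, "success")
        # Return values not listed in the control fall back to 'default', which
        # itself defaults to 'bad' when the bracket form omits it.
        action = control.get(retval, control.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                if retval != "ignore" or impression is None:
                    impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action == "ignore":
            pass
        else:
            raise ValueError(f"action {action!r} (jump/reset) is not modelled here")
    # A stack in which every entry was ignored yields PAM_PERM_DENIED.
    return status if impression is not None else "perm_denied"


def set_control(text, mtype, module, new_control):
    """Return the stack text with the control token of one entry replaced (for what-if runs)."""
    pat = re.compile(rf"^({mtype}\s+)(\[[^\]]*\]|\w+)(\s+\S*{re.escape(module)})")
    return "\n".join(pat.sub(rf"\g<1>{new_control}\3", line) for line in text.splitlines())


if __name__ == "__main__":
    domain_user = {"pam_unix.so": "user_unknown", "pam_winbind.so": "success"}
    print("auth, domain user:", evaluate(SYSTEM_AUTH, "auth", domain_user))
    local_user = {"pam_succeed_if.so": "auth_err", "pam_winbind.so": "user_unknown"}
    print("account, local uid>=100:", evaluate(SYSTEM_AUTH, "account", local_user))
    strict = set_control(SYSTEM_AUTH, "account", "pam_winbind.so", "required")
    print("same, with pam_winbind 'required':", evaluate(strict, "account", local_user))
```

The what-if run at the end is the point of the bracketed control: with pam_winbind marked plain "required" on the account line, a local (non-domain) user is rejected with user_unknown, whereas "user_unknown=ignore" lets pam_permit close the stack. The auth stack, by contrast, relies on pam_deny at the bottom so that a user rejected by both pam_unix and pam_winbind is not silently accepted when nothing else recorded a result.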