[Samba] Linux server & client in Win2k3 AD domain
Jonas Printzén
jonas at printzen.net
Sun Jan 30 16:08:50 GMT 2005
Hi!
Yes, you are right, sorry it was late... 8-)
I am running Win2k3 from october release MSDN, with updates.
Linux is FC3 with latest updates.
Samba: 3.0.10
Kerberos: 1.3.6 (MIT I think, rpm is krb5-libs)
DNS: bind-9.2.4 on linux host,
Internal view allow forward update.
No backward update. (problem?)
Everything installed as rpm-binaries from FC3-us base/update ...
... see below for config details.
wbinfo -u/-g and getent passwd/group works.
I can login with <domain>+<username> in ssh or su
locally. But as soon as a windows client is involved
I have no luck. And I get "Failed to verify ticket"
in the logs on linux.
Any help would be appreciated!
Even alternative suggestions to how to
integrate auth Win/Linux.
My problem is that my office must be able to
interact with the HK-forest.... (or something AD!? ;) )
/Jonas
PS: Config...
smbd -b =>
----8<----8<----8<----8<----8<----8<----8<----8<----8<----
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
HAVE_LDAP_INIT
HAVE_LDAP_INITIALIZE
HAVE_LDAP_SET_REBIND_PROC
HAVE_LIBLDAP
LDAP_SET_REBIND_PROC_ARGS
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
HAVE_KRB5_C_ENCTYPE_COMPARE
HAVE_KRB5_ENCRYPT_BLOCK
HAVE_KRB5_ENCRYPT_DATA
HAVE_KRB5_FREE_DATA_CONTENTS
HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS
HAVE_KRB5_FREE_KTYPES
HAVE_KRB5_FREE_UNPARSED_NAME
HAVE_KRB5_GET_PERMITTED_ENCTYPES
HAVE_KRB5_KEYBLOCK_IN_CREDS
HAVE_KRB5_KEYTAB_ENTRY_KEY
HAVE_KRB5_KT_FREE_ENTRY
HAVE_KRB5_LOCATE_KDC
HAVE_KRB5_MK_REQ_EXTENDED
HAVE_KRB5_PRINCIPAL2SALT
HAVE_KRB5_PRINC_COMPONENT
HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
HAVE_KRB5_SET_REAL_TIME
HAVE_KRB5_STRING_TO_KEY
HAVE_KRB5_TKT_ENC_PART2
HAVE_KRB5_USE_ENCTYPE
HAVE_LIBGSSAPI_KRB5
HAVE_LIBKRB5
---------------------------------------------------------
/etc/krb5.conf is:
----8<----8<----8<----8<----8<----8<----8<----8<----8<----
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HIQ.PRINTZEN.NET
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
HIQ.PRINTZEN.NET = {
kdc = 192.168.1.20
default_domain = printzen.net
}
[domain_realm]
.printzen.net = HIQ.PRINTZEN.NET
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
---------------------------------------------------------
/etc/samba/smb.conf:
----8<----8<----8<----8<----8<----8<----8<----8<----8<----
[global]
unix charset = LOCALE
workgroup = HIQ
realm = HIQ.PRINTZEN.NET
server string = Samba 3.0.10
security = ADS
username map = /etc/samba/smbusers
log level = 3
syslog = 0
log file = /var/log/samba/%m
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
printing = cups
[homes]
comment = Home
valid users = %S
read only = No
browsable = No
[public]
comment = Virtual
path = /home/pub
valid users = %S
read only = No
writeable = Yes
group = users
/etc/pam.d/system-auth:
----8<----8<----8<----8<----8<----8<----8<----8<----8<----
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
-----------------------------------------------------------
/etc/nsswitch.conf:
----8<----8<----8<----8<----8<----8<----8<----8<----8<----
passwd: compat winbind
group: compat winbind
hosts: files dns
networks: files dns
bootparams: [NOTFOUND=return] files
ethers: files
netmasks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: files
automount: files winbind
aliases: files
shadow: files winbind
> Hi,
> you didn't tell us your distribution etc, so this is a bit guesswork.
>
> you need a very recent version of kerberos libraries on your system.
> If you use MIT-kerberos you need at least version 1.3.4.
> for heimdal I can't recall the exact version.
> Please search the list-archives for the minimal required versions.
> After installing these libraries you'll have to recompile samba against
> them.
> Christoph
>
> Jonas Printzén wrote:
>> Hello folks!
>>
>> I am trying to make sure we can use Linux/Win2k3 mix in
>> my company. After reading up in the documentation I felt
>> it sounded so good I would probably get there with little effort...
>>
>> Well, halfway there I got fast enough. But that won't do...
>>
>> I have successfully joined the AD-Domain from my Linux host.
>> And I also can authenticate an AD user in the Linux host.
>> I used nsswitch and pam.d/system-auth with winbind...
>>
>> However I can't get to the shared files from a Windows
>> client. I can browse, with a LOT of waiting, so I can see
>> the machine and shares. But I can't login and access files.
>> I tried this both from the Win2k3 AD machine and from my XP
>> desktop.
>>
>> Windows client says the user/password is wrong.
>> In the /var/log/samba/<machine> logfile I get:
>>
>> [2005/01/29 15:21:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>> Failed to verify incoming ticket!
>>
>> Painful as it is I have to admit I don't know enough to get
>> any further.
>>
>> Please advise!!
>>
>>
>
>
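Added here as a worked example (not code from the post or from Samba): a script that cross-checks the krb5.conf and smb.conf pair posted above for the realm, KDC and domain_realm consistency a Samba ADS member needs before it can verify an incoming Kerberos ticket. The embedded sample configs are constructed from the values in the post; the script does not cover clock skew against the DC or the machine-account keytab, which also have to be right.

```python
import re
# Added example (not the post's code): cross-check krb5.conf vs smb.conf on a Samba ADS member.

def parse_krb5(text):
    """krb5.conf -> {section: {key: value | {subkey: value}}} (one brace level)."""
    conf, section, block = {}, {}, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            block = section.setdefault(m.group(1), {})
        elif m := re.fullmatch(r"(\S+)\s*=\s*(.*)", line):
            (section if block is None else block)[m.group(1)] = m.group(2)
    return conf

def parse_smb_global(text):
    """smb.conf [global] -> {lower-cased key: value}; '#' and ';' lines are comments."""
    glob, in_global = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, val = line.split("=", 1)
            glob[key.strip().lower()] = val.strip()
    return glob

def check_ads(krb5_text, smb_text):
    """Return findings that block Kerberos logons; an empty list means the files agree."""
    krb, smb = parse_krb5(krb5_text), parse_smb_global(smb_text)
    realm, findings = smb.get("realm", ""), []
    if not realm or realm != realm.upper():
        findings.append("smb.conf: realm must be the upper-case Kerberos realm")
    if krb.get("libdefaults", {}).get("default_realm") != realm:
        findings.append("krb5.conf: default_realm differs from smb.conf realm")
    realm_cfg = krb.get("realms", {}).get(realm)
    if not isinstance(realm_cfg, dict) or "kdc" not in realm_cfg:
        findings.append("krb5.conf: no kdc entry for realm %r" % realm)
    dom = realm.lower()  # an AD realm is the DNS domain name in upper case
    if not any(dom == k.lstrip(".") or (k.startswith(".") and dom.endswith(k))
               for k in krb.get("domain_realm", {})):
        findings.append("krb5.conf: [domain_realm] does not map hosts in %s" % dom)
    return findings

KRB5_CONF = ("[libdefaults]\n default_realm = HIQ.PRINTZEN.NET\n[realms]\n"  # from the post
             " HIQ.PRINTZEN.NET = {\n  kdc = 192.168.1.20\n }\n"
             "[domain_realm]\n .printzen.net = HIQ.PRINTZEN.NET\n")
SMB_CONF = "[global]\n workgroup = HIQ\n realm = HIQ.PRINTZEN.NET\n security = ADS\n"
```

On the posted pair `check_ads(KRB5_CONF, SMB_CONF)` returns no findings, so the realm wiring itself is not what produces "Failed to verify incoming ticket" here; lower-casing the realm in smb.conf or dropping the [domain_realm] section makes the checks fire.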