[Samba] Linux server & client in Win2k3 AD domain
John H Terpstra
jht at Samba.Org
Sun Jan 30 16:20:03 GMT 2005
On Sunday 30 January 2005 09:08, Jonas Printzén wrote:
> Hi!
>
> Yes, you are right, sorry it was late... 8-)
It always is when troubles strike.
>
> I am running Win2k3 from october release MSDN, with updates.
> Linux is FC3 with latest updates.
How are the time clocks synchronized?
- John T.
>
> Samba: 3.0.10
> Kerberos: 1.3.6 (MIT I think, rpm is krb5-libs)
> DNS: bind-9.2.4 on linux host,
> Internal view allow forward update.
> No backward update. (problem?)
>
> Everything installed as rpm-binaries from FC3-us base/update ...
> ... see below for config details.
>
> wbinfo -u/-g and getent passwd/group works.
> I can login with <domain>+<username> in ssh or su
> locally. But as soon as a windows client is involved
> I have no luck. And I get "Failed to verify ticket"
> in the logs on linux.
>
> Any help would be appreciated!
> Even alternative suggestions to how to
> integrate auth Win/Linux.
>
> My problem is that my office must be able to
> interact with the HK-forest.... (or something AD!? ;) )
>
> /Jonas
>
> PS: Config...
>
> smbd -b =>
> ----8<----8<----8<----8<----8<----8<----8<----8<----8<----
> HAVE_LDAP_H
> HAVE_LDAP
> HAVE_LDAP_DOMAIN2HOSTLIST
> HAVE_LDAP_INIT
> HAVE_LDAP_INITIALIZE
> HAVE_LDAP_SET_REBIND_PROC
> HAVE_LIBLDAP
> LDAP_SET_REBIND_PROC_ARGS
> HAVE_KRB5_H
> HAVE_ADDRTYPE_IN_KRB5_ADDRESS
> HAVE_KRB5
> HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
> HAVE_KRB5_C_ENCTYPE_COMPARE
> HAVE_KRB5_ENCRYPT_BLOCK
> HAVE_KRB5_ENCRYPT_DATA
> HAVE_KRB5_FREE_DATA_CONTENTS
> HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS
> HAVE_KRB5_FREE_KTYPES
> HAVE_KRB5_FREE_UNPARSED_NAME
> HAVE_KRB5_GET_PERMITTED_ENCTYPES
> HAVE_KRB5_KEYBLOCK_IN_CREDS
> HAVE_KRB5_KEYTAB_ENTRY_KEY
> HAVE_KRB5_KT_FREE_ENTRY
> HAVE_KRB5_LOCATE_KDC
> HAVE_KRB5_MK_REQ_EXTENDED
> HAVE_KRB5_PRINCIPAL2SALT
> HAVE_KRB5_PRINC_COMPONENT
> HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
> HAVE_KRB5_SET_REAL_TIME
> HAVE_KRB5_STRING_TO_KEY
> HAVE_KRB5_TKT_ENC_PART2
> HAVE_KRB5_USE_ENCTYPE
> HAVE_LIBGSSAPI_KRB5
> HAVE_LIBKRB5
> ---------------------------------------------------------
>
> /etc/krb5.conf is:
> ----8<----8<----8<----8<----8<----8<----8<----8<----8<----
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = HIQ.PRINTZEN.NET
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> HIQ.PRINTZEN.NET = {
> kdc = 192.168.1.20
> default_domain = printzen.net
> }
>
> [domain_realm]
> .printzen.net = HIQ.PRINTZEN.NET
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> ---------------------------------------------------------
>
> /etc/samba/smb.conf:
> ----8<----8<----8<----8<----8<----8<----8<----8<----8<----
> [global]
> unix charset = LOCALE
> workgroup = HIQ
> realm = HIQ.PRINTZEN.NET
> server string = Samba 3.0.10
> security = ADS
> username map = /etc/samba/smbusers
> log level = 3
> syslog = 0
> log file = /var/log/samba/%m
> max log size = 50
> printcap name = CUPS
> ldap ssl = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template primary group = "Domain Users"
> template shell = /bin/bash
> winbind separator = +
> printing = cups
>
> [homes]
> comment = Home
> valid users = %S
> read only = No
> browsable = No
>
> [public]
> comment = Virtual
> path = /home/pub
> valid users = %S
> read only = No
> writeable = Yes
> group = users
>
>
> /etc/pam.d/system-auth:
> ----8<----8<----8<----8<----8<----8<----8<----8<----8<----
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5
> password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> -----------------------------------------------------------
>
>
> /etc/nsswitch.conf:
> ----8<----8<----8<----8<----8<----8<----8<----8<----8<----
> passwd: compat winbind
> group: compat winbind
>
> hosts: files dns
> networks: files dns
>
> bootparams: [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> protocols: files winbind
> rpc: files
> services: files winbind
>
> netgroup: files winbind
>
> publickey: files
>
> automount: files winbind
> aliases: files
>
> shadow: files winbind
>
> > Hi,
> > you didn't tell us your distribution etc, so this is a bit guesswork.
> >
> > you need a very recent version of kerberos libraries on your system.
> > If you use MIT-kerberos you need at least version 1.3.4.
> > for Heimdal I can't recall the exact version.
> > Please search the list-archives for the minimal required versions.
> > After installing these libraries you'll have to recompile samba against
> > them.
> > Christoph
> >
> > Jonas Printzén wrote:
> >> Hello folks!
> >>
> >> I am trying to make sure we can use Linux/Win2k3 mix in
> >> my company. After reading up in the documentation I felt
> >> it sounded so good I would probably get there with little effort...
> >>
> >> Well, halfway there I got fast enough. But that won't do...
> >>
> >> I have successfully joined the AD-Domain from my Linux host.
> >> And I also can authenticate an AD user in the Linux host.
> >> I used nsswitch and pam.d/system-auth with winbind...
> >>
> >> However I can't get to the shared files from a Windows
> >> client. I can browse, with a LOT of waiting, so I can see
> >> the machine and shares. But I can't login and access files.
> >> I tried this both from the Win2k3 AD machine and from my XP
> >> desktop.
> >>
> >> Windows client says the user/password is wrong.
> >> In the /var/log/samba/<machine> log file I get:
> >>
> >> [2005/01/29 15:21:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> >> Failed to verify incoming ticket!
> >>
> >> Painful as it is I have to admit I don't know enough to get
> >> any further.
> >>
> >> Please advise!!
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
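John's question about clock synchronization is the first thing to check when Samba logs "Failed to verify incoming ticket!": Kerberos rejects a ticket whose timestamps differ from the verifier's clock by more than the krb5 clockskew tolerance (300 seconds by default), and a Windows client's ticket will never verify on a Samba host whose clock has drifted. The script below is an added example, not code from this thread or from the Samba project: it sends a minimal SNTP request to the domain controller and reports the skew against that tolerance. It assumes the DC answers NTP on UDP/123 (the Windows Time service does so on AD domain controllers by default) and uses the KDC address from the quoted krb5.conf only as a default argument.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between the NTP epoch (1900) and the Unix epoch (1970)
KRB5_MAX_SKEW = 300            # MIT krb5 default "clockskew" tolerance, in seconds


def parse_sntp_transmit_time(packet: bytes) -> float:
    """Return the Transmit Timestamp of a 48-byte (S)NTP reply as Unix epoch seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    secs, frac = struct.unpack("!II", packet[40:48])  # Transmit Timestamp: seconds + fraction
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def clock_skew(local_time: float, server_time: float) -> float:
    """Positive means the local clock runs ahead of the server's."""
    return local_time - server_time


def within_krb5_tolerance(skew: float, max_skew: int = KRB5_MAX_SKEW) -> bool:
    return abs(skew) <= max_skew


def query_dc_time(host: str, timeout: float = 3.0) -> float:
    """Send a bare SNTP client request (LI=0, VN=3, Mode=3) and return the server's clock."""
    request = b"\x1b" + 47 * b"\0"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        data, _ = s.recvfrom(48)
    return parse_sntp_transmit_time(data)


def build_sntp_reply(unix_time: float) -> bytes:
    """Constructed helper for offline testing: forge a server reply carrying the given time."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * 2**32)
    return b"\x1c" + b"\0" * 39 + struct.pack("!II", secs, frac)  # LI=0, VN=3, Mode=4 (server)


if __name__ == "__main__":
    import sys
    # 192.168.1.20 is the kdc entry from the quoted krb5.conf; pass another DC address to override.
    dc = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.20"
    skew = clock_skew(time.time(), query_dc_time(dc))
    verdict = "OK" if within_krb5_tolerance(skew) else "exceeds krb5 clockskew; ticket verification will fail"
    print(f"local clock is {skew:+.3f}s relative to {dc}: {verdict}")
```

Run it on the Samba host; a skew beyond 300 seconds explains the log line on its own, and the fix is NTP against the DC rather than anything in smb.conf.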