[Samba] Linux server & client in Win2k3 AD domain

John H Terpstra jht at Samba.Org
Sun Jan 30 16:20:03 GMT 2005


On Sunday 30 January 2005 09:08, Jonas Printzén wrote:
> Hi!
>
> Yes, you are right, sorry it was late... 8-)

It always is when troubles strike.

>
> I am running Win2k3 from October release MSDN, with updates.
> Linux is FC3 with latest updates. 

How are the time clocks synchronized?

- John T.

>
> Samba: 3.0.10
> Kerberos: 1.3.6 (MIT I think, rpm is krb5-libs)
> DNS: bind-9.2.4 on Linux host,
>     Internal view allows forward update.
>     No backward update. (problem?)
>
> Everything installed as rpm-binaries from FC3-us base/update ...
> ... see below for config details.
>
> wbinfo -u/-g and getent passwd/group work.
> I can log in with <domain>+<username> in ssh or su
> locally. But as soon as a Windows client is involved
> I have no luck. And I get "Failed to verify ticket"
> in the logs on Linux.
>
> Any help would be appreciated!
> Even alternative suggestions to how to
> integrate auth Win/Linux.
>
> My problem is that my office must be able to
> interact with the HK-forest.... (or something AD!? ;) )
>
> /Jonas
>
> PS: Config...
>
> smbd -b =>
> ----8<----8<----8<----8<----8<----8<----8<----8<----8<----
>    HAVE_LDAP_H
>    HAVE_LDAP
>    HAVE_LDAP_DOMAIN2HOSTLIST
>    HAVE_LDAP_INIT
>    HAVE_LDAP_INITIALIZE
>    HAVE_LDAP_SET_REBIND_PROC
>    HAVE_LIBLDAP
>    LDAP_SET_REBIND_PROC_ARGS
>    HAVE_KRB5_H
>    HAVE_ADDRTYPE_IN_KRB5_ADDRESS
>    HAVE_KRB5
>    HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
>    HAVE_KRB5_C_ENCTYPE_COMPARE
>    HAVE_KRB5_ENCRYPT_BLOCK
>    HAVE_KRB5_ENCRYPT_DATA
>    HAVE_KRB5_FREE_DATA_CONTENTS
>    HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS
>    HAVE_KRB5_FREE_KTYPES
>    HAVE_KRB5_FREE_UNPARSED_NAME
>    HAVE_KRB5_GET_PERMITTED_ENCTYPES
>    HAVE_KRB5_KEYBLOCK_IN_CREDS
>    HAVE_KRB5_KEYTAB_ENTRY_KEY
>    HAVE_KRB5_KT_FREE_ENTRY
>    HAVE_KRB5_LOCATE_KDC
>    HAVE_KRB5_MK_REQ_EXTENDED
>    HAVE_KRB5_PRINCIPAL2SALT
>    HAVE_KRB5_PRINC_COMPONENT
>    HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
>    HAVE_KRB5_SET_REAL_TIME
>    HAVE_KRB5_STRING_TO_KEY
>    HAVE_KRB5_TKT_ENC_PART2
>    HAVE_KRB5_USE_ENCTYPE
>    HAVE_LIBGSSAPI_KRB5
>    HAVE_LIBKRB5
> ---------------------------------------------------------
>
> /etc/krb5.conf is:
> ----8<----8<----8<----8<----8<----8<----8<----8<----8<----
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = HIQ.PRINTZEN.NET
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>
> [realms]
>  HIQ.PRINTZEN.NET = {
>   kdc = 192.168.1.20
>   default_domain = printzen.net
>  }
>
> [domain_realm]
>  .printzen.net = HIQ.PRINTZEN.NET
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
>
> ---------------------------------------------------------
>
> /etc/samba/smb.conf:
> ----8<----8<----8<----8<----8<----8<----8<----8<----8<----
> [global]
> unix charset = LOCALE
> workgroup = HIQ
> realm = HIQ.PRINTZEN.NET
> server string = Samba 3.0.10
> security = ADS
> username map = /etc/samba/smbusers
> log level = 3
> syslog = 0
> log file = /var/log/samba/%m
> max log size = 50
> printcap name = CUPS
> ldap ssl = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template primary group = "Domain Users"
> template shell = /bin/bash
> winbind separator = +
> printing = cups
>
> [homes]
> comment = Home
> valid users = %S
> read only = No
> browsable = No
>
> [public]
> comment = Virtual
> path = /home/pub
> valid users = %S
> read only = No
> writeable = Yes
> group = users
>
>
> /etc/pam.d/system-auth:
> ----8<----8<----8<----8<----8<----8<----8<----8<----8<----
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
> account     required      /lib/security/$ISA/pam_permit.so
>
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
> password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> -----------------------------------------------------------
>
>
> /etc/nsswitch.conf:
> ----8<----8<----8<----8<----8<----8<----8<----8<----8<----
> passwd:     compat winbind
> group:      compat winbind
>
> hosts:      files dns
> networks:   files dns
>
> bootparams: [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> protocols:  files winbind
> rpc:        files
> services:   files winbind
>
> netgroup:   files winbind
>
> publickey:  files
>
> automount:  files winbind
> aliases:    files
>
> shadow:     files winbind
>
> > Hi,
> > you didn't tell us your distribution etc, so this is a bit guesswork.
> >
> > you need a very recent version of the Kerberos libraries on your system.
> > If you use MIT Kerberos you need at least version 1.3.4.
> > For Heimdal I can't recall the exact version.
> > Please search the list archives for the minimal required versions.
> > After installing these libraries you'll have to recompile Samba against
> > them.
> > Christoph
> >
> > Jonas Printzén wrote:
> >> Hello folks!
> >>
> >> I am trying to make sure we can use a Linux/Win2k3 mix in
> >> my company. After reading up in the documentation I felt
> >> it sounded so good I would probably get there with little effort...
> >>
> >> Well, halfway there I got fast enough. But that won't do...
> >>
> >> I have successfully joined the AD-Domain from my Linux host.
> >> And I also can authenticate an AD user on the Linux host.
> >> I used nsswitch and pam.d/system-auth with winbind...
> >>
> >> However I can't get to the shared files from a Windows
> >> client. I can browse, with a LOT of waiting, so I can see
> >> the machine and shares. But I can't login and access files.
> >> I tried this both from the Win2k3 AD machine and from my XP
> >> desktop.
> >>
> >> Windows client says the user/password is wrong.
> >> In the /var/log/samba/<machine> logfile I get:
> >>
> >> [2005/01/29 15:21:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
> >>   Failed to verify incoming ticket!
> >>
> >> Painful as it is I have to admit I don't know enough to get
> >> any further.
> >>
> >> Please advise!!

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
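Added example, not part of the thread or of Samba itself: a small Python triage helper for the symptom discussed above. It pulls the "Failed to verify incoming ticket" events out of a Samba debug log in the two-line format shown in Jonas's mail, and checks whether the offset between the file server's clock and the KDC is inside the Kerberos clock-skew tolerance, which is what John's question about time synchronisation points at. The log lines and clock values are constructed; the 300-second default is MIT Kerberos' libdefaults clockskew.

```python
"""Triage helper for 'Failed to verify incoming ticket!' on a Samba 3 ADS
member: (1) extract the Kerberos failures from a Samba debug log and
(2) check the clock offset to the KDC against the Kerberos skew tolerance."""
import re
from datetime import datetime, timedelta

# MIT Kerberos' default clockskew (libdefaults) is 300 seconds; a ticket from
# a clock further away than this from the KDC fails verification.
DEFAULT_CLOCKSKEW = timedelta(seconds=300)

# Samba log header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")


def parse_samba_log(text):
    """Return (timestamp, level, location, message) for each two-line entry."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                      int(m.group(2)), m.group(3))
        elif header and line.startswith("  "):   # indented message line
            entries.append(header + (line.strip(),))
            header = None
    return entries


def ticket_failures(text):
    """Timestamps of Kerberos ticket verification failures in the log."""
    return [ts for ts, _lvl, loc, msg in parse_samba_log(text)
            if "reply_spnego_kerberos" in loc and "Failed to verify" in msg]


def clock_skew_ok(local_time, kdc_time, tolerance=DEFAULT_CLOCKSKEW):
    """True if |local - kdc| is within the Kerberos clock skew tolerance."""
    return abs(local_time - kdc_time) <= tolerance


# Constructed sample log: two Kerberos failures around an unrelated entry.
SAMPLE_LOG = """\
[2005/01/29 15:21:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/01/29 15:22:10, 3] smbd/sesssetup.c:reply_sesssetup_and_X(600)
  wct=12 flg2=0xc807
[2005/01/29 15:25:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
"""

if __name__ == "__main__":
    for ts in ticket_failures(SAMPLE_LOG):
        print("Kerberos ticket verification failed at", ts)
    # Constructed clocks: the file server is 7 minutes ahead of the DC.
    local, kdc = datetime(2005, 1, 29, 15, 21, 48), datetime(2005, 1, 29, 15, 14, 48)
    print("clock skew within tolerance:", clock_skew_ok(local, kdc))
```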

