[Samba] Trying to get ADS authentication working.

Steve samba at braingia.org
Wed Mar 9 03:48:47 GMT 2005


Hello,

Your domain is called "HQ Servers" with a space in it?  Are you sure 
that the 'net ads' command isn't misinterpreting that name and/or the 
quotes in the command?  Also, did you specify a username (maybe 
'adminName' in your example) for the 'net ads' command?

Are you able to see this computer in Active Directory's Computers or 
another container?

Steve

On Tue, Mar 08, 2005 at 12:34:04PM -0800, Theodore Jencks wrote:
> I have been trying in vain to get ADS domain authentication working.  I
> can't figure out what is wrong and have read the docs and looked through
> the mailing lists.  I'm not sure why better documentation hasn't been
> written on the web site for the ADS feature since it's pretty
> spectacular to be able join a Samba server natively to an AD domain.
> 
> I have successfully joined the samba server to the win 2k3 domain with
> these commands:
> 
> kinit adminName@HQ.NAVIS.NET
> net ads join "HQ Servers"
> 
> This seems to work just fine but when I run "wbinfo -t" I get:
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
> Could not check secret
> 
> I have set the winbind to debug level 10 and when starting winbind I get
> this in the logs:
> 
> [2005/03/08 12:13:33, 5] libsmb/namecache.c:namecache_fetch(201)
>   name hqdc01.hq.navis.net#20 found.
> [2005/03/08 12:13:33, 10] libsmb/namequery.c:name_status_find(188)
>   name_status_find: looking up HQ#1c at 192.168.192.60
> [2005/03/08 12:13:33, 10] lib/gencache.c:gencache_get(285)
>   Cache entry with key = NBT/HQ#1C.20.192.168.192.60 couldn't be found
> [2005/03/08 12:13:33, 5] libsmb/namecache.c:namecache_status_fetch(308)
>   namecache_status_fetch: no entry for NBT/HQ#1C.20.192.168.192.60
> found.
> [2005/03/08 12:13:33, 10] lib/gencache.c:gencache_del(214)
>   Deleting cache entry (key = NBT/HQ#1C.20.192.168.192.60)
> [2005/03/08 12:13:33, 10] lib/util_sock.c:open_socket_in(717)
>   bind succeeded on port 0
> [2005/03/08 12:13:33, 5] libsmb/nmblib.c:send_udp(776)
>   Sending a packet of len 50 to (192.168.192.60) on port 137
> [2005/03/08 12:13:33, 10] lib/util_sock.c:read_udp_socket(230)
>   read_udp_socket: lastip 192.168.192.60 lastport 137 read: 211
> [2005/03/08 12:13:33, 10] libsmb/nmblib.c:parse_nmb(503)
>   parse_nmb: packet id = 24973
> [2005/03/08 12:13:33, 5] libsmb/nmblib.c:read_packet(754)
> 
> Also of interest: when I run kinit username@realm I then type my password
> and the command appears to have worked; however, running klist tickets
> produces:
> klist: No credentials cache found (ticket cache FILE:tickets)
> 
> 
> Please help anyone that has any info on how I might begin diagnosing
> this problem.
> 
> 
> I have the following in my smb.conf file:
> 
> [global]
> workgroup = HQ
> server string = Samba 3.0.11 Test Server
> security = ADS
> encrypt passwords = yes
> load printers = no
> log file = /var/log/samba/%m.log
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> local master = no
> domain master = no
> dns proxy = no
> 
> realm = HQ.NAVIS.NET
> password server = hqdc01.hq.navis.net
> winbind cache time = 10
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> client use spnego = yes
> 
> #============================ Share Definitions ==============================
> # This one is useful for people to share files
> [share]
>    comment = this is a test share
>    path = /test/share
>    read only = no
>    public = yes
>    writable = yes
>    printable = no
>    browseable = yes
>    valid users = @"Domain Users"
> 
> 
> This is the contents of my krb5.conf:
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = HQ.NAVIS.NET
>  default_tkt_enctypes = des-cbc-md5 des-cbc-crc
>  default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
> 
> [realms]
> HQ.NAVIS.NET = {
>   kdc = hqdc01.hq.navis.net:88
>   admin_server = hqdc01.hq.navis.net:749
>   default_domain = hq.navis.net
>  }
> 
> [domain_realm]
>  .hq.navis.net = HQ.NAVIS.NET
>  hq.navis.net = HQ.NAVIS.NET
> 
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
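As an added illustration (not part of this thread or of Samba itself), a small Python check that parses the relevant keys of the smb.conf and krb5.conf quoted above and flags a realm mismatch, a missing KDC, and the DES-only enctype lists; the parser and the check names are my own, and only the config keys relevant to the checks are copied in.

```python
# DES-only enctypes are weak and a common cause of AD ticket failures.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
# Relevant keys copied from the two configs quoted in the post.
SMB_CONF = """[global]
security = ADS
realm = HQ.NAVIS.NET
"""
KRB5_CONF = """[libdefaults]
 default_realm = HQ.NAVIS.NET
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 dns_lookup_kdc = true
[realms]
HQ.NAVIS.NET = {
  kdc = hqdc01.hq.navis.net:88
 }
"""

def parse_conf(text):
    """Parse smb.conf/krb5.conf syntax; krb5 brace blocks flatten to 'block.key'."""
    conf, section, block = {}, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].lower(), None
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if value == "{":
                block = key
            else:
                conf.setdefault(section, {})[f"{block}.{key}" if block else key] = value
    return conf

def check_ads_config(smb, krb5):
    g, lib, realms = smb.get("global", {}), krb5.get("libdefaults", {}), krb5.get("realms", {})
    realm, findings = g.get("realm", ""), []
    if realm.lower() != lib.get("default_realm", "").lower():
        findings.append("smb.conf realm and krb5.conf default_realm differ")
    if not realms.get(f"{realm.lower()}.kdc") and lib.get("dns_lookup_kdc", "").lower() != "true":
        findings.append(f"no kdc configured for {realm} and dns_lookup_kdc is off")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        types = set(lib.get(key, "").lower().split())
        if types and types <= WEAK_ENCTYPES:
            findings.append(f"{key} permits only weak DES enctypes: {' '.join(sorted(types))}")
    return findings
```

Run against the quoted configs it reports nothing about the realm or KDC, but flags both enctype lists as DES-only.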
