[Samba] Trying to get ADS authentication working.

Theodore Jencks tjencks at navis.com
Wed Mar 9 18:17:51 GMT 2005


Hey Steve,

Thanks for the response; however, I've gotten a little further along than
I was last time.  If you look in chapter 6 of the HOWTO docs you will
find that this syntax 'net ads join "HQ Servers"' creates the machine
account in a particular OU called "HQ Servers".

I finally tracked down the problem I was having to a Kerberos issue.  I
was getting a funny error on my domain controller, the text of which
follows:

While processing a TGS request for the target server
host/smbtest.hq.navis.net, the account SMBTEST$@HQ.NAVIS.NET did not
have a suitable key for generating a Kerberos ticket (the missing key
has an ID of 8). The requested etypes were 16.  The accounts available
etypes were 3  1.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I found a post some place mentioning that the version of Kerberos that
ships with Red Hat Linux 9.0 doesn't select the correct etype.  So to
correct this I downloaded the source for version 1.4.  I had to
forcefully remove the old Kerberos packages because of dependencies.
After compiling and installing I recompiled Samba 3.0.11 only to have the
compile choke about 3/4 of the way through.  Subsequently I downloaded
the very latest Samba 3.0.12pre1, which compiled fine with the new
Kerberos 1.4.

Now things seem to be working much better.  I no longer get the error on
my domain controller when requesting a ticket with kinit, and wbinfo -t
and all other wbinfo commands run successfully.

Now though I'm having another issue.  I'm trying to log in to the share
I've created from a Windows XP SP2 workstation with all the latest patches
applied.  Here is the config for my share in the smb.conf file:

[share]
   comment = this is a test share
   path = /test/share
   read only = no
   public = yes
   writable = yes
   printable = no
   browseable = yes
   valid users = @"Domain Users"

Now that the Samba server is properly added to the domain and has its
machine account working, I'm not sure why I get a password prompt when I
try to log in to this share, as I am a member of "Domain Users".  Can
anyone provide me with some sample configs to get this working right?

Thanks in advance,

Theo
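An added example, not part of Theo's message or of Samba's or MIT Kerberos's code, that works through the etype mismatch in the event text above: it parses the enctype lines from the quoted krb5.conf [libdefaults] block, maps the numeric etypes in the DC event to names using the IANA Kerberos encryption type registry numbers, and reports which requested etype the machine account has no key for and which configured enctypes are single DES. The inputs are the thread's own snippets, embedded inline; the function names are my own.

```python
import re

# Etype numbers from the IANA Kerberos encryption type registry (RFC 3961 and
# successors), limited to the values in this thread plus modern ones.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NAME_TO_ETYPE = {name: num for num, name in ETYPE_NAMES.items()}
SINGLE_DES = {1, 2, 3}  # single-DES etypes: weak, disabled by default today

# Sample inputs copied from the thread: the krb5.conf [libdefaults] block and
# the domain controller's event text.
KRB5_CONF = """[libdefaults]
 ticket_lifetime = 24000
 default_realm = HQ.NAVIS.NET
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true
"""
EVENT_TEXT = ("While processing a TGS request for the target server "
              "host/smbtest.hq.navis.net, the account SMBTEST$@HQ.NAVIS.NET "
              "did not have a suitable key for generating a Kerberos ticket "
              "(the missing key has an ID of 8). The requested etypes were 16.  "
              "The accounts available etypes were 3  1.")

def parse_libdefaults_enctypes(conf_text):
    """Return {key: [enctype names]} for the *_enctypes keys in [libdefaults]."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().endswith("_enctypes"):
                found[key.strip()] = value.split()
    return found

def parse_event_etypes(event_text):
    """Extract (requested, available) etype numbers from the DC event text."""
    requested = re.search(r"requested etypes were ([\d\s]+?)\.", event_text)
    available = re.search(r"available etypes were ([\d\s]+?)\.", event_text)
    to_ints = lambda m: [int(n) for n in m.group(1).split()] if m else []
    return to_ints(requested), to_ints(available)

def diagnose(conf_text, event_text):
    """Name requested etypes the account lacks a key for; flag single-DES config."""
    requested, available = parse_event_etypes(event_text)
    missing = [ETYPE_NAMES.get(e, f"etype {e}") for e in requested if e not in available]
    configured = {n for names in parse_libdefaults_enctypes(conf_text).values() for n in names}
    weak = sorted(n for n in configured if NAME_TO_ETYPE.get(n) in SINGLE_DES)
    return {"missing_on_account": missing, "weak_configured": weak}
```

Run against the thread's inputs it reports that the TGS request asked for des3-cbc-sha1 (16) while the SMBTEST$ account only has single-DES keys (3, 1), and that both configured enctypes are single DES.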

 

-----Original Message-----
From: Steve [mailto:samba at braingia.org]
Sent: Tuesday, March 08, 2005 7:49 PM
To: Theodore Jencks
Cc: samba at lists.samba.org
Subject: Re: [Samba] Trying to get ADS authentication working.

Hello,

Your domain is called "HQ Servers" with a space in it?  Are you sure
that the 'net ads' command isn't misinterpreting that name and/or the
quotes in the command?  Also, did you specify a username (maybe
'adminName' in your example) for the 'net ads' command?

Are you able to see this computer in Active Directory's Computers or
another container?

Steve

 

On Tue, Mar 08, 2005 at 12:34:04PM -0800, Theodore Jencks wrote:

> I have been trying in vain to get ADS domain authentication working.
> I can't figure out what is wrong and have read the docs and looked
> through the mailing lists.  I'm not sure why better documentation
> hasn't been written on the web site for the ADS feature since it's
> pretty spectacular to be able to join a Samba server natively to an AD
> domain.
>
> I have successfully joined the samba server to the win 2k3 domain with
> these commands:
>
> kinit adminName@HQ.NAVIS.NET
> net ads join "HQ Servers"
>
> This seems to work just fine but when I run "wbinfo -t" I get:
> checking the trust secret via RPC calls failed error code was
> NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233) Could not check
> secret
>
> I have set the winbind to debug level 10 and when starting winbind I
> get this in the logs:
>
> [2005/03/08 12:13:33, 5] libsmb/namecache.c:namecache_fetch(201)
>   name hqdc01.hq.navis.net#20 found.
> [2005/03/08 12:13:33, 10] libsmb/namequery.c:name_status_find(188)
>   name_status_find: looking up HQ#1c at 192.168.192.60
> [2005/03/08 12:13:33, 10] lib/gencache.c:gencache_get(285)
>   Cache entry with key = NBT/HQ#1C.20.192.168.192.60 couldn't be found
> [2005/03/08 12:13:33, 5] libsmb/namecache.c:namecache_status_fetch(308)
>   namecache_status_fetch: no entry for NBT/HQ#1C.20.192.168.192.60
> found.
> [2005/03/08 12:13:33, 10] lib/gencache.c:gencache_del(214)
>   Deleting cache entry (key = NBT/HQ#1C.20.192.168.192.60)
> [2005/03/08 12:13:33, 10] lib/util_sock.c:open_socket_in(717)
>   bind succeeded on port 0
> [2005/03/08 12:13:33, 5] libsmb/nmblib.c:send_udp(776)
>   Sending a packet of len 50 to (192.168.192.60) on port 137
> [2005/03/08 12:13:33, 10] lib/util_sock.c:read_udp_socket(230)
>   read_udp_socket: lastip 192.168.192.60 lastport 137 read: 211
> [2005/03/08 12:13:33, 10] libsmb/nmblib.c:parse_nmb(503)
>   parse_nmb: packet id = 24973
> [2005/03/08 12:13:33, 5] libsmb/nmblib.c:read_packet(754)
>
> Also of interest: when I run kinit username@realm I then type my
> password and the command appears to have worked; however, running
> klist tickets produces:
> klist: No credentials cache found (ticket cache FILE:tickets)
>
> Please help, anyone that has any info on how I might begin diagnosing
> this problem.
>
> I have the following in my smb.conf file:
>
> [global]
> workgroup = HQ
> server string = Samba 3.0.11 Test Server
> security = ADS
> encrypt passwords = yes
> load printers = no
> log file = /var/log/samba/%m.log
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> local master = no
> domain master = no
> dns proxy = no
>
> realm = HQ.NAVIS.NET
> password server = hqdc01.hq.navis.net
> winbind cache time = 10
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> client use spnego = yes
>
> #============================ Share Definitions ==============================
> # This one is useful for people to share files
> [share]
>    comment = this is a test share
>    path = /test/share
>    read only = no
>    public = yes
>    writable = yes
>    printable = no
>    browseable = yes
>    valid users = @"Domain Users"
>
> This is the contents of my krb5.conf:
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = HQ.NAVIS.NET
>  default_tkt_enctypes = des-cbc-md5 des-cbc-crc
>  default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>
> [realms]
> HQ.NAVIS.NET = {
>   kdc = hqdc01.hq.navis.net:88
>   admin_server = hqdc01.hq.navis.net:749
>   default_domain = hq.navis.net
>  }
>
> [domain_realm]
>  .hq.navis.net = HQ.NAVIS.NET
>  hq.navis.net = HQ.NAVIS.NET
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }