[Samba] Version 3.0.10-1.fc3
Rrodre
rodre at rodre.com
Fri May 6 20:39:40 GMT 2005
Hello List,
I have been trying to configure Samba as a Win2k Domain Member.
1) I am successfully able to use 'kinit Administrator@DOMAIN.COM' without
any errors, but when I do a 'klist tickets' it says there are no tickets in
the cache. But if I do a 'klist' on its own I get:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@INT.BATTEN.CA

Valid starting     Expires            Service principal
05/05/05 18:32:33  05/06/05 04:32:49  krbtgt/INT.BATTEN.CA@INT.BATTEN.CA
        renew until 05/06/05 18:32:33
05/05/05 18:34:24  05/06/05 04:32:49  ad01$@INT.BATTEN.CA
        renew until 05/06/05 18:32:33
05/05/05 19:19:10  05/06/05 04:32:49  nas02$@INT.BATTEN.CA
        renew until 05/06/05 18:32:33

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
2) I am able to connect to the \\servername\c$ default share using the
'smbclient //servername/c\$ -k' command.
3) I am able to successfully get the Samba machine to register with the AD
using the 'net ads join -U Administrator%password' command.
4) When I try to connect to the samba server by using the win2k AD server
using the "My Network Places" network browser I get:
"[2005/05/05 19:27:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!" in the smb log and:
Pre-authentication failed:
User Name: nas02$
User ID: INTBATTENCA\nas02$
Service Name: krbtgt/INT.BATTEN.CA
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.168.31.12
in the win2k security log. But I also get:
Authentication Ticket Granted:
User Name: nas02$
Supplied Realm Name: INT.BATTEN.CA
User ID: INTBATTENCA\nas02$
Service Name: krbtgt
Service ID: INTBATTENCA\krbtgt
Ticket Options: 0x10
Ticket Encryption Type: 0x3
Pre-Authentication Type: 2
Client Address: 192.168.31.12
and:
Service Ticket Granted:
User Name: host/NAS02
User Domain: INT.BATTEN.CA
Service Name: AD01$
Service ID: INTBATTENCA\AD01$
Ticket Options: 0x800000
Ticket Encryption Type: 0x17
Client Address: 192.168.31.12
in the win2k security log.
5) If I try to connect to the Samba share using "Map Network Drive" and the
Samba server's hostname using the win2k AD server I get:
smbd/sesssetup.c:reply_spnego_kerberos(250)
Username INT.BATTEN.CA\AD01$ is invalid on this system
in the Samba server's smb log.
One of the main questions I have is do you still need to use a "passdb
backend" such as ldapsam, or winbind? I was able to get the system set up
using winbind, but I wanted to use the Win2k AD in Native mode (no backward
NT 4 compatibility). If you still need to use a "pass db" backend, can
someone please tell me how to configure Samba to use the win2k AD's LDAP for
the "passdb backend".
My confs are as follows:
krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD01.INT.BATTEN.CA
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
ccache_type = 2
[realms]
AD01.INT.BATTEN.CA = {
kdc = ad01.int.batten.ca:88
admin_server = ad01.int.batten.ca
default_domain = int.batten.ca
}
[domain_realm]
.int.batten.ca = AD01.INT.BATTEN.CA
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
smb.conf:
[global]
workgroup = INTBATTENCA
realm = INT.BATTEN.CA
security = ADS
password server = ad01.int.batten.ca
[win2k]
comment = Win2k Installation
path = /etc/samba/share/win2k
Any help would be greatly appreciated. Thanks in advance.
~Rodre
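
Added example, not part of the original post: a consistency check over the krb5.conf and smb.conf excerpts quoted above, comparing the two realm settings and checking the allowed enctypes against the "Ticket Encryption Type" values (0x3, 0x17) from the quoted security log. The function names (parse_ini, check) and the embedded sample strings are constructed for this example; it reports mismatches only and does not claim which one causes the logged failure.

```python
import re

# Constructed from the krb5.conf and smb.conf excerpts in the post above.
KRB5_CONF = """\
[libdefaults]
default_realm = AD01.INT.BATTEN.CA
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
[realms]
AD01.INT.BATTEN.CA = {
kdc = ad01.int.batten.ca:88
}
"""
SMB_CONF = """\
[global]
workgroup = INTBATTENCA
realm = INT.BATTEN.CA
security = ADS
"""
# Kerberos encryption type numbers as they appear in "Ticket Encryption Type".
ETYPES = {0x1: "des-cbc-crc", 0x3: "des-cbc-md5", 0x17: "rc4-hmac"}

def parse_ini(text):
    """Return {section: {key: value}} for the flat key = value lines of each section."""
    out, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"\[(.+)\]", line):
            section = out.setdefault(m.group(1).lower(), {})
        elif section is not None and "=" in line and not line.endswith("{"):
            key, value = line.split("=", 1)
            section[key.strip().lower()] = value.strip()
    return out

def check(krb5_text, smb_text, logged_etypes):
    """List realm and enctype inconsistencies between the two configs and the log."""
    libdefaults = parse_ini(krb5_text).get("libdefaults", {})
    smb_realm = parse_ini(smb_text).get("global", {}).get("realm", "")
    krb_realm = libdefaults.get("default_realm", "")
    findings = []
    if krb_realm.upper() != smb_realm.upper():
        findings.append(f"realm mismatch: krb5.conf={krb_realm} smb.conf={smb_realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        allowed = {e.lower() for e in re.split(r"[,\s]+", libdefaults.get(key, "")) if e}
        for etype in logged_etypes:
            name = ETYPES.get(etype, hex(etype))
            if allowed and name not in allowed:
                findings.append(f"{key} lacks {name} (0x{etype:x}) seen in the security log")
    return findings

if __name__ == "__main__":
    print("\n".join(check(KRB5_CONF, SMB_CONF, [0x3, 0x17])))
```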