[Samba] samba3.0.14a, Windows2003, ADS
Danna Dowdy
Danna.Dowdy at noaa.gov
Wed May 11 17:09:57 GMT 2005
Please forgive the long post but I am at my wits' end here! Below are
the files that I have configured, the results of several commands, and
some output from log files.... ANY HELP AT ALL??!!

wbinfo -p
Ping to winbindd failed on fd -1
could not ping winbindd!

wbinfo -t
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret

kinit and klist seem to work:

Ticket cache: FILE:/tmp/krb5cc_503
Default principal: username at DOMAIN

Valid starting     Expires            Service principal
05/11/05 12:59:46  05/11/05 22:59:46  krbtgt/DOMAIN at DOMAIN

Kerberos 4 ticket cache: /tmp/tkt503
klist: You have no tickets cached

When I run net ads users, I get back all users in Active Directory.

Configured Samba with this:
./configure -with-ldap -with-ads -with-krb5 -with-pam -with-winbind

smb.conf
[global]
realm = DOMAIN
workgroup=WORKGRP
password server = CONTROLLER
security = ADS
encrypt passwords = yes
# winbind configuration: mapping ADS users to
# uid's and gid's, enabling the enumeration of users
# and groups.
# winbind separator is the character that separates
# user or group names from the domain name.
winbind separator = @
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users=yes
winbind enum groups=yes

/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN
[realms]
DOMAIN = {
kdc = CONTROLLER
}
[domain_realm]
CONTROLLER = DOMAIN
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

pam.d/samba
Auth required /lib/security/pam_winbind.so
Account required /lib/security/pam_winbind.so

nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind

winbindd.log
[2005/05/11 12:34:43, 1] libsmb/clikrb5.c:ads_krb5_mk_req(415)
  ads_krb5_mk_req: krb5_mk_req_extended failed (Ticket expired)
[2005/05/11 12:34:43, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: Ticket expired
[2005/05/11 12:34:43, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Cannot read password
[2005/05/11 12:34:43, 1] nsswitch/winbindd_util.c:init_domain_list(322)
  Could not fetch sid for our domain DOMAIN
[2005/05/11 12:34:43, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: No credentials cache found