[Samba] samba3.0.14a, Windows2003, ADS
Michael Joyner
mjoyner at vbservices.net
Wed May 11 17:46:49 GMT 2005
wbinfo -p is trying to tell you the wrong thing. :)
ps axc | grep winbind
If there is no output, your winbind is not running.
What is your platform?
SuSE, RedHat, FreeBSD, Other?
If SuSE, you have to do a chkconfig -a winbind, rcwinbind start
If FreeBSD, there are some rc vars you have to set in /etc/rc.conf, if
you look in /usr/local/etc/rc.d/samba.sh it will show you their names.
For RedHat, there is a similar process as chkconfig, but I don't
remember what it is right off hand.
Danna Dowdy wrote:
> Please forgive the long post but I am at my wits end here! Below are
> the files that I have configured, the results of several commands, and
> some output from log files.... ANY HELP AT ALL??!!
>
> wbinfo -p
> Ping to winbindd failed on fd -1
> could not ping winbindd!
>
> wbinfo -t
> checking the trust secret via RPC calls failed
> error code was (0x0)
> Could not check secret
>
> kinit and klist seem to work
> Ticket cache: FILE:/tmp/krb5cc_503
> Default principal: username at DOMAIN
> Valid starting Expires Service principal
> 05/11/05 12:59:46 05/11/05 22:59:46 krbtgt/DOMAIN at DOMAIN
> Kerberos 4 ticket cache: /tmp/tkt503
> klist: You have no tickets cached
>
> When I run net ads users, I get back all users in Active Directory
>
>
> Configured Samba with this
>
> ./configure -with-ldap -with-ads -with-krb5 -with-pam -with-winbind
>
> smb.conf
> [global]
> realm = DOMAIN
> workgroup=WORKGRP
> password server = CONTROLLER
> security = ADS
> encrypt passwords = yes
>
> # winbind configuration: mapping ADS users to
> # uid's and gid's, enabling the enumeration of users
> # and groups.
> # winbind separator is the character that separates
> # user or group names from the domain name.
>
> winbind separator = @
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users=yes
> winbind enum groups=yes
>
> /etc/krb5.conf
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = DOMAIN
>
>
> [realms]
> DOMAIN = {
> kdc = CONTROLLER
> }
>
> [domain_realm]
> CONTROLLER = DOMAIN
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> pam.d/samba
> Auth required /lib/security/pam_winbind.so
> Account required /lib/security/pam_winbind.so
>
> nsswitch.conf
> passwd: files winbind
> shadow: files
> group: files winbind
>
> winbindd.log
> [2005/05/11 12:34:43, 1] libsmb/clikrb5.c:ads_krb5_mk_req(415)
> ads_krb5_mk_req: krb5_mk_req_extended failed (Ticket expired)
> [2005/05/11 12:34:43, 1]
> libsmb/cliconnect.c:cli_session_setup_kerberos(539)
> spnego_gen_negTokenTarg failed: Ticket expired
> [2005/05/11 12:34:43, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
> ads_connect for domain DOMAIN failed: Cannot read password
> [2005/05/11 12:34:43, 1] nsswitch/winbindd_util.c:init_domain_list(322)
> Could not fetch sid for our domain DOMAIN
> [2005/05/11 12:34:43, 1]
> libsmb/cliconnect.c:cli_session_setup_kerberos(539)
> spnego_gen_negTokenTarg failed: No credentials cache found
>
>
>
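Added example, not part of the original thread: a small parser for the winbindd.log format quoted above. It handles headers whose source location wraps onto the next line and tallies the reason text that follows "failed" in each message. The function names `parse_winbindd_log` and `failure_reasons` are made up for this illustration, and the sample input is the excerpt from the post with quote markers removed.

```python
import re
from collections import Counter
# Log excerpt quoted in the post above (quote markers stripped, wraps kept).
SAMPLE_LOG = """\
[2005/05/11 12:34:43, 1] libsmb/clikrb5.c:ads_krb5_mk_req(415)
ads_krb5_mk_req: krb5_mk_req_extended failed (Ticket expired)
[2005/05/11 12:34:43, 1]
libsmb/cliconnect.c:cli_session_setup_kerberos(539)
spnego_gen_negTokenTarg failed: Ticket expired
[2005/05/11 12:34:43, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
ads_connect for domain DOMAIN failed: Cannot read password
[2005/05/11 12:34:43, 1] nsswitch/winbindd_util.c:init_domain_list(322)
Could not fetch sid for our domain DOMAIN
[2005/05/11 12:34:43, 1]
libsmb/cliconnect.c:cli_session_setup_kerberos(539)
spnego_gen_negTokenTarg failed: No credentials cache found
"""

STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
ORIGIN = re.compile(r"^(\S+\.c):(\w+)\((\d+)\)$")
REASON = re.compile(r"failed[:\s(]+(.*?)\)?$")

def parse_winbindd_log(text):
    """Return one dict per record: time, level, file, func, line, msg."""
    records, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = STAMP.match(line)
        if m:
            cur = dict(time=m.group(1), level=int(m.group(2)),
                       file=None, func=None, line=None, msg="")
            records.append(cur)
            line = m.group(3)  # the origin may share the header line
        if cur is None or not line:
            continue  # nothing to attach yet, or header with wrapped origin
        o = ORIGIN.match(line)
        if o and cur["file"] is None and not cur["msg"]:
            cur.update(file=o.group(1), func=o.group(2), line=int(o.group(3)))
        else:
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return records

def failure_reasons(records):
    """Count the reason text that follows the word 'failed' in each message."""
    hits = (REASON.search(r["msg"]) for r in records)
    return Counter(h.group(1) for h in hits if h)

if __name__ == "__main__":
    for reason, n in failure_reasons(parse_winbindd_log(SAMPLE_LOG)).most_common():
        print(n, reason)
```

Run against a full log, the tally shows which failure reasons dominate and the parsed `func` field shows which code path reported each one.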