[Samba] samba3.0.14a, Windows2003, ADS

Michael Joyner mjoyner at vbservices.net
Wed May 11 17:46:49 GMT 2005


wbinfo -p is trying to tell you the wrong thing. :)

ps axc | grep winbind

If there is no output, your winbind is not running.

What is your platform?

SuSE, RedHat, FreeBSD, Other?

If SuSE, you have to do a chkconfig -a winbind, rcwinbind start

If FreeBSD, there are some rc vars you have to set in /etc/rc.conf, if 
you look in /usr/local/etc/rc.d/samba.sh it will show you their names.

For RedHat, there is a process similar to chkconfig, but I don't 
remember what it is offhand.


Danna Dowdy wrote:
> Please forgive the long post but I am at my wits end here!  Below are 
> the files that I have configured, the results of several commands, and 
> some output from log files.... ANY HELP AT ALL??!!
> 
> wbinfo -p
> Ping to winbindd failed on fd -1
> could not ping winbindd!
> 
> wbinfo -t
> checking the trust secret via RPC calls failed
> error code was  (0x0)
> Could not check secret
> 
> kinit and klist seem to work
> Ticket cache: FILE:/tmp/krb5cc_503
> Default principal: username@DOMAIN
> Valid starting     Expires            Service principal
> 05/11/05 12:59:46  05/11/05 22:59:46  krbtgt/DOMAIN@DOMAIN
> Kerberos 4 ticket cache: /tmp/tkt503
> klist: You have no tickets cached
> 
> When I run net ads users, I get back all users in Active Directory
> 
> 
> Configured Samba with this
> 
> ./configure -with-ldap -with-ads -with-krb5 -with-pam -with-winbind
> 
> smb.conf
> [global]
> realm = DOMAIN
> workgroup=WORKGRP
> password server = CONTROLLER
> security = ADS
> encrypt passwords = yes
> 
> # winbind configuration: mapping ADS users to
> # uid's and gid's, enabling the enumeration of users
> # and groups.
> # winbind separator is the character that separates
> # user or group names from the domain name.
> 
> winbind separator = @
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users=yes
> winbind enum groups=yes
> 
> /etc/krb5.conf
> 
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = DOMAIN
> 
> 
> [realms]
> DOMAIN = {
>  kdc = CONTROLLER
> }
> 
> [domain_realm]
> CONTROLLER = DOMAIN
> 
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
> pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
> }
> 
> pam.d/samba
> Auth required /lib/security/pam_winbind.so
> Account required /lib/security/pam_winbind.so
> 
> nsswitch.conf
> passwd:     files winbind
> shadow:     files
> group:      files winbind
> 
> winbindd.log
> [2005/05/11 12:34:43, 1] libsmb/clikrb5.c:ads_krb5_mk_req(415)
>  ads_krb5_mk_req: krb5_mk_req_extended failed (Ticket expired)
> [2005/05/11 12:34:43, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
>  spnego_gen_negTokenTarg failed: Ticket expired
> [2005/05/11 12:34:43, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
>  ads_connect for domain DOMAIN failed: Cannot read password
> [2005/05/11 12:34:43, 1] nsswitch/winbindd_util.c:init_domain_list(322)
>  Could not fetch sid for our domain DOMAIN
> [2005/05/11 12:34:43, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
>  spnego_gen_negTokenTarg failed: No credentials cache found
> 
> 
> 
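
An added example, not part of either poster's message and not Samba code: a small Python parser for the two-line winbindd.log entries shown in the thread, which counts the Kerberos error strings they contain. The function names, labels and regular expressions are this example's own assumptions; it accepts the log with or without mail quote markers and with headers wrapped onto two lines, as archived mail often delivers them.

```python
import re
from collections import Counter

# Samba debug header: "[YYYY/MM/DD HH:MM:SS, level] source.c:function(line)"
LOCATION = r"(?P<src>\S+\.c):(?P<func>\w+)\((?P<line>\d+)\)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+), *(?P<level>\d+)\]\s*(?:" + LOCATION + r")?$")
WRAPPED = re.compile("^" + LOCATION + "$")

# Error strings copied from the log in the post; the labels are this example's own.
KRB_STRINGS = {
    "Ticket expired": "ticket-expired",
    "No credentials cache found": "no-credentials-cache",
    "Cannot read password": "cannot-read-password",
}

# Log lines from the post, kept with mail quote markers and two wrapped headers.
SAMPLE = """\
> [2005/05/11 12:34:43, 1] libsmb/clikrb5.c:ads_krb5_mk_req(415)
>  ads_krb5_mk_req: krb5_mk_req_extended failed (Ticket expired)
> [2005/05/11 12:34:43, 1]
> libsmb/cliconnect.c:cli_session_setup_kerberos(539)
>  spnego_gen_negTokenTarg failed: Ticket expired
> [2005/05/11 12:34:43, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
>  ads_connect for domain DOMAIN failed: Cannot read password
> [2005/05/11 12:34:43, 1]
> libsmb/cliconnect.c:cli_session_setup_kerberos(539)
>  spnego_gen_negTokenTarg failed: No credentials cache found
"""

def parse_samba_log(text):
    """Return one dict per debug entry: header fields plus the joined message."""
    records, current = [], None
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).rstrip()  # drop mail quote markers
        m = HEADER.match(line)
        if m:
            current = {**m.groupdict(), "msg": ""}
            records.append(current)
        elif current is not None and current["src"] is None and WRAPPED.match(line):
            current.update(WRAPPED.match(line).groupdict())  # header split by the mailer
        elif current is not None and line.strip():
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return records

def kerberos_findings(records):
    """Count entries whose message contains one of the strings in KRB_STRINGS."""
    return Counter(label for rec in records
                   for needle, label in KRB_STRINGS.items() if needle in rec["msg"])
```

Calling `kerberos_findings(parse_samba_log(open(path).read()))` on a real winbindd.log gives a quick count of which of these credential errors winbindd logged, grouped independently of how the lines were wrapped.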


