[Samba] ADS & Kerberos Woes
Jason Burgess
jason at fenux.net
Thu May 19 21:59:09 GMT 2005
I've been successfully running Samba 3.0 under FreeBSD 5 attached to a 2003
Domain for a while now. As of about a week ago, I could no longer get most
users to authenticate to the Samba server. It happened at roughly the same
time I upgraded to FreeBSD 5.4.
I'm using heimdal 0.6.3, samba 3.0.14 and FreeBSD 5.4. I had the error
running samba 3.0.11 and 3.0.12 from the FreeBSD ports collection. I've
since deinstalled those and rebuilt from source manually. I've also
reinstalled the heimdal port from the ports collection.
I've removed the server from the Domain and am now just trying to get it
re-added. kinit signs me in just fine, but using most of the "net ads"
commands fails. smbclient -k fails as well. I've tried several variations
on my krb5.conf and smb.conf. Any help would be appreciated.
Running "net ads testjoin" returns:
[2005/05/19 16:53:56, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password SATURN$@FBFGUNS.COM failed: Unknown error -1765328378
[2005/05/19 16:53:56, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password SATURN$@FBFGUNS.COM failed: Unknown error -1765328378
[2005/05/19 16:53:56, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown error -1765328378
Join to domain is not valid
Running "net ads join -Ujb" returns:
[2005/05/19 16:55:19, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown error -1765328332
krb5.conf:
[libdefaults]
        default_realm = FBFGUNS.COM
[realms]
        FBFGUNS.COM = {
                kdc = mercury.fbfguns.com
                default_domain = fbfguns.com
                admin_server = mercury.fbfguns.com
        }
[domain_realm]
        .fbfguns.com = FBFGUNS.COM
        fbfguns.com = FBFGUNS.COM
        .FBFGUNS.COM = FBFGUNS.COM
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }
smb.conf:
[global]
        client use spnego = Yes
        client schannel = Yes
        server schannel = Yes
        dns proxy = No
        allow trusted domains = no
        workgroup = FBF
        realm = FBFGUNS.COM
        interfaces = 172.22.2.1, 127.0.0.1
        security = ADS
        auth methods = winbind
        update encrypted = Yes
        password server = mercury.fbfguns.com
        pam password change = Yes
        unix password sync = Yes
        max log size = 50
        time server = Yes
        server signing = auto
        add user script = /usr/local/sbin/smb-add-user %u
        delete user script = /usr/local/sbin/smb-rm-user %u
        add group script = /usr/local/sbin/smb-add-group %g
        delete group script = /usr/local/sbin/smb-rm-group %g
        add user to group script = /usr/local/sbin/smb-add-user-group %u %g
        delete user from group script = /usr/local/sbin/smb-rm-user-group %u %g
        add machine script = /usr/local/sbin/smb-add-machine %u
        preferred master = No
        local master = No
        wins server = 172.22.2.2
        ldap admin dn = cn=Administrator,cn=users,DC=fbfguns,DC=com
        ldap suffix = DC=fbfguns,DC=com
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        template homedir = /home/%U
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        winbind enum users = No
        winbind enum groups = No
        force create mode = 0664
        force directory mode = 0775
        admin users = jb, jason, jr
        hide unreadable = Yes
        store dos attributes = Yes
        dos filemode = Yes
Jason Burgess
jason at fenux.net
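Editor's note, added here and not part of the original post: the "Unknown error" numbers above are com_err codes that Samba could not find a message table for. A com_err code packs a four-character table name into its top 24 bits (six bits per character) and an index into the low 8 bits; the Kerberos table is "krb5" and its indexes are the RFC 4120 error numbers. Decoding them gives -1765328378 = krb5 index 6, KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (the KDC has no account for SATURN$@FBFGUNS.COM, which is what you would expect right after the machine was removed from the domain), and -1765328332 = krb5 index 52, KRB5KRB_ERR_RESPONSE_TOO_BIG (the KDC reply did not fit in a UDP datagram and the client should retry over TCP, a common failure when joining Active Directory). The script below is the decoder I use for this kind of triage; the error names and messages are my own rendering of the RFC 4120 list, not Samba's or Heimdal's tables, and the sample log text is the output quoted in the post.

```python
import re

# Added example, not from the original post: decode the com_err-style
# error codes that Samba prints as "Unknown error <n>" when it has no
# message table for them. The top 24 bits of a code hold a packed
# 4-character table name (six bits per character, 0 meaning "no
# character"); the low 8 bits hold the index into that table.

COM_ERR_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Indexes in the "krb5" table are the Kerberos error numbers from
# RFC 4120 section 7.5.9. Only the ones that matter for join/kinit
# triage are listed; message text is paraphrased.
KRB5_ERRORS = {
    6:  ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database"),
    7:  ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    24: ("KRB5KDC_ERR_PREAUTH_FAILED", "Preauthentication failed"),
    25: ("KRB5KDC_ERR_PREAUTH_REQUIRED", "Additional pre-authentication required"),
    37: ("KRB5KRB_AP_ERR_SKEW", "Clock skew too great"),
    52: ("KRB5KRB_ERR_RESPONSE_TOO_BIG", "Response too big for UDP, retry with TCP"),
    60: ("KRB5KRB_ERR_GENERIC", "Generic error"),
}


def unpack_table_name(code):
    """Recover the com_err table name packed into the top 24 bits of a code."""
    packed = (code & 0xFFFFFFFF) >> 8  # view the (negative) code as unsigned 32-bit
    name = ""
    for shift in (18, 12, 6, 0):
        c = (packed >> shift) & 0x3F
        if c:
            name += COM_ERR_CHARS[c - 1]
    return name


def decode(code):
    """Return (table, index, symbol, message) for a com_err code."""
    table = unpack_table_name(code)
    index = code & 0xFF
    symbol, message = (None, None)
    if table == "krb5":
        symbol, message = KRB5_ERRORS.get(index, (None, None))
    return table, index, symbol, message


# The distinct failing lines from the "net ads testjoin" / "net ads join"
# output quoted in the post; the archive wrapped one number onto the
# next line, which the regex below tolerates.
SAMBA_LOG = """\
[2005/05/19 16:53:56, 0] libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password SATURN$@FBFGUNS.COM failed: Unknown error
-1765328378
[2005/05/19 16:53:56, 0] utils/net_ads.c:ads_startup(191)
ads_connect: Unknown error -1765328378
[2005/05/19 16:55:19, 0] utils/net_ads.c:ads_startup(191)
ads_connect: Unknown error -1765328332
"""


def decode_samba_log(text):
    """Find every 'Unknown error <n>' in Samba log text and decode it."""
    return [decode(int(m)) for m in re.findall(r"Unknown error\s+(-?\d+)", text)]


if __name__ == "__main__":
    for table, index, symbol, message in decode_samba_log(SAMBA_LOG):
        print(f"{table}:{index} {symbol} - {message}")
```

Run it against any Samba log that reports "Unknown error" with a large negative number; codes from other com_err tables (for example "asn1" or "hdb") are reported by table name and index so you know which error table to consult.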