[Samba] ADS & Kerberos Woes

Jason Burgess jason at fenux.net
Thu May 19 21:59:09 GMT 2005


I've been successfully running Samba 3.0 under FreeBSD 5 joined to a Windows 2003
domain for a while now.  As of about a week ago, I could no longer get most
users to authenticate to the Samba server.  It happened at roughly the same
time I upgraded to FreeBSD 5.4.

I'm using Heimdal 0.6.3, Samba 3.0.14 and FreeBSD 5.4.  I had the same error
running Samba 3.0.11 and 3.0.12 from the FreeBSD ports collection.  I've
since deinstalled those and rebuilt Samba from source manually.  I've also
reinstalled the Heimdal port from the ports collection.

I've removed the server from the domain and am now just trying to get it
re-added.  kinit obtains a TGT for my user account just fine, but most of the
"net ads" commands fail.  smbclient -k fails as well.  I've tried several
variations on my krb5.conf and smb.conf.  Any help would be appreciated.

Running "net ads testjoin" returns the following (-1765328378 is
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: the KDC has no account for the machine
principal SATURN$, which is expected once the host has been removed from the
domain):
[2005/05/19 16:53:56, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password SATURN$@FBFGUNS.COM failed: Unknown error
-1765328378
[2005/05/19 16:53:56, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password SATURN$@FBFGUNS.COM failed: Unknown error
-1765328378
[2005/05/19 16:53:56, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown error -1765328378
Join to domain is not valid

Running "net ads join -Ujb" returns the following (-1765328332 is
KRB5KRB_ERR_RESPONSE_TOO_BIG: the KDC's reply did not fit in a UDP datagram,
typically because the ticket carries a large PAC, and the client has to
retry over TCP): 
[2005/05/19 16:55:19, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown error -1765328332

Krb5.conf:
# Realm assumed when a principal name carries none.  For an AD domain this
# is the DNS domain name in upper case and must match "realm" in smb.conf.
[libdefaults]
        default_realm = FBFGUNS.COM

# A single KDC / admin server given by host name only: no port or transport,
# so the library default (port 88, UDP first) applies.  NOTE(review): the
# -1765328332 reported by "net ads join" decodes to
# KRB5KRB_ERR_RESPONSE_TOO_BIG, i.e. the KDC reply (typically a ticket whose
# PAC lists many group SIDs) exceeded the UDP datagram size.  Heimdal's
# krb5.conf accepts a transport prefix, "kdc = tcp/mercury.fbfguns.com", to
# force TCP -- confirm against the krb5.conf(5) shipped with this Heimdal
# before relying on it.  "default_domain" is believed to matter only for
# Kerberos 4 principal-name conversion, not for AD.
[realms]
        FBFGUNS.COM = {
                kdc = mercury.fbfguns.com
                default_domain = fbfguns.com
                admin_server = mercury.fbfguns.com
        }
# Host-name -> realm mapping for the domain and all hosts under it.  The
# upper-case ".FBFGUNS.COM" entry is presumably redundant (lookups are
# believed to be case-insensitive) but harmless.
[domain_realm]
        .fbfguns.com = FBFGUNS.COM
        fbfguns.com = FBFGUNS.COM
        .FBFGUNS.COM = FBFGUNS.COM

# Log destinations.  "kdc" and "admin_server" only apply if a Heimdal KDC /
# kadmind runs on this host; as a client of the Windows DC only "default"
# (library-side logging) is relevant.
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

# Per-application defaults.  The "pam" block is read by pam_krb5 (if in
# use); Samba's libads does not consult it and takes [libdefaults] instead.
# NOTE(review): forwardable = true makes every TGT obtained through PAM
# forwardable, i.e. delegable to any service the user connects to with
# forwarding enabled -- set it to false unless delegation is actually
# required.  Lifetimes are in seconds (36000 = 10 h); the KDC enforces the
# domain policy and may still hand out shorter tickets.
[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }

Smb.conf:
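# smb.conf [global] for a Samba 3.0.x AD domain member (security = ADS).
# Fix vs. the posted listing: "delete user from group script" had its
# "%g" wrapped onto a separate line, which smbd would reject and which
# would leave the script without its group argument.
[global]
# Negotiate SPNEGO/Kerberos when acting as a client.
        client use spnego = Yes
# "Yes" (not "auto") REQUIRES a signed/sealed netlogon secure channel in
# both directions; keep it.
        client schannel = Yes
        server schannel = Yes
# nmbd must not fall back to DNS for NetBIOS name resolution.
        dns proxy = No
# Only users of the primary domain may authenticate here.
        allow trusted domains = no
# NetBIOS and DNS names of the domain; both must match the DC.  "realm"
# must equal default_realm in krb5.conf.
        workgroup = FBF
        realm = FBFGUNS.COM
# NOTE(review): "interfaces" alone does not limit where smbd listens; it
# only selects the addresses used for browsing/name service.  Without
# "bind interfaces only = Yes" smbd still accepts connections on every
# interface of the host.
        interfaces = 172.22.2.1, 127.0.0.1
# AD member: authentication is Kerberos against the DC and needs a valid
# machine account (SATURN$); "net ads testjoin" shows the KDC does not
# currently know that principal, consistent with having left the domain.
        security = ADS
# All authentication goes through winbind; local smbpasswd entries are
# not consulted.
        auth methods = winbind
# Only meaningful when plaintext passwords are received and a local
# passdb is updated; presumably inert with security = ADS -- verify.
        update encrypted = Yes
# Pin the DC.  With security = ADS Samba can locate DCs via DNS; a
# hard-coded single DC is a single point of failure for logons.
        password server = mercury.fbfguns.com
# Password changes are forwarded through PAM and the passwd program,
# which smbd runs as root; "passwd program"/"passwd chat" are not shown
# here, so confirm what this actually invokes on a domain member.
        pam password change = Yes
        unix password sync = Yes
# Log files are rotated at 50 kB.
        max log size = 50
# nmbd advertises this host as an SMB time source.  Kerberos only tolerates
# a small clock skew against the DC, so this host must itself keep time
# from the DC (e.g. ntpd) before it hands out time to clients.
        time server = Yes
# "auto" offers SMB signing but does not require it.  "mandatory" would
# defeat SMB relay/MITM against this server at some CPU cost.
        server signing = auto
# Provisioning hooks, run as root by smbd with the user/group name
# substituted.  The scripts must treat %u/%g as untrusted input and quote
# them; they are not shown here.
        add user script = /usr/local/sbin/smb-add-user %u
        delete user script = /usr/local/sbin/smb-rm-user %u
        add group script = /usr/local/sbin/smb-add-group %g
        delete group script = /usr/local/sbin/smb-rm-group %g
        add user to group script = /usr/local/sbin/smb-add-user-group %u %g
        delete user from group script = /usr/local/sbin/smb-rm-user-group %u %g
# Only used when this host creates machine accounts (a DC role); it is
# not expected to fire on a domain member.
        add machine script = /usr/local/sbin/smb-add-machine %u
# Never contend for browse master.
        preferred master = No
        local master = No
        wins server = 172.22.2.2
# NOTE(review): these LDAP settings are only consulted by an ldapsam
# passdb or an LDAP idmap backend, neither of which is configured in this
# [global].  If a bind password for this DN was ever stored with
# "smbpasswd -w", a Domain Administrator credential sits in secrets.tdb on
# this host; prefer a delegated, least-privilege account or drop it.
        ldap admin dn = cn=Administrator,cn=users,DC=fbfguns,DC=com
        ldap suffix = DC=fbfguns,DC=com
# Winbind allocation ranges: 5001 uids and 5001 gids.  Must not overlap
# local accounts; small for a domain with many users/groups.
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        template homedir = /home/%U
# Domain users appear without the "FBF\" prefix.
        winbind use default domain = Yes
# NOTE(review): with "winbind trusted domains only = Yes" winbind assumes
# primary-domain users already exist in the local passwd database and
# does not allocate idmap entries for them; combined with
# "allow trusted domains = no" it may map nobody at all.  Worth checking
# with "wbinfo -u" / "getent passwd" when chasing the logon failures.
        winbind trusted domains only = Yes
        winbind enum users = No
        winbind enum groups = No
# Default for all shares: created files/directories are group-writable.
        force create mode = 0664
        force directory mode = 0775
# These three accounts act as root on every share (bypassing all Unix
# permission checks).  Keep the list minimal and audited.
        admin users = jb, jason, jr
        hide unreadable = Yes
        store dos attributes = Yes
# "dos filemode = Yes" lets any user with write access change a file's
# permissions, not just its owner -- a deliberate relaxation of Unix
# ownership semantics.
        dos filemode = Yes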

Jason Burgess
jason at fenux.net

 




