[Samba] Re: Authentication against AD?

Dimitri Yioulos dyioulos at firstbhph.com
Wed Sep 14 16:18:09 GMT 2005


On Wednesday 14 September 2005 11:38 am, you wrote:
> >You might want to post your krb5.conf so we can have a look-see.
> >
> >When you start samba, do you also start the winbind daemon?
> >
> >Dimitri
>
> [libdefaults]
> default_realm = REALM.COM
> clockskew = 300
>
> [realms]
> UTAH.EDU = {
> kdc = 192.168.0.5
> default_domain = domain.com
> admin_server = 192.168.0.5
> }
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
> [domain_realm]
> .domain.com = REALM.COM
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> }
>
> And I am starting both the winbind daemon with the samba daemon.

You showed me yours, I'll show you mine :-)

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc

[realms]
 MYDOMAIN.COM = {
  default_domain = mydomain.com
  kdc = 192.168.100.3
  admin_server = 192.168.100.3
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Note the default enctypes.  Seems in the way back I was getting errors; adding 
these fixed that.  Others may disagree, and YMMV.

Dimitri
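
Two things worth checking in configs like the ones above, shown as an added example (not code from either poster or from the Samba project): whether `default_realm` and the `[domain_realm]` targets have a matching `[realms]` stanza, and whether single-DES enctypes are pinned in `[libdefaults]`. The names `parse_krb5` and `lint` are hypothetical, and the sample inputs are abridged from the two configs in this thread.

```python
import re

WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # single DES, deprecated by RFC 6649

def parse_krb5(text):
    """Parse krb5.conf text into nested dicts: {section: {key: value or subsection}}."""
    conf, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            stack = [conf.setdefault(section.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()  # close a "name = { ... }" subsection
        elif "=" in line and stack and line[0] not in "#;":  # skip comment lines
            key, val = (s.strip() for s in line.split("=", 1))
            stack[-1][key] = {} if val == "{" else val
            if val == "{":
                stack.append(stack[-1][key])
    return conf

def lint(text):
    """Return findings: realms missing from [realms], and single-DES enctype pins."""
    conf = parse_krb5(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    targets = {"default_realm": lib.get("default_realm")}
    targets.update({f"domain_realm {d}": r for d, r in conf.get("domain_realm", {}).items()})
    out = [f"{where}: {realm} not in [realms]; KDC lookup depends on DNS"
           for where, realm in targets.items() if realm and realm not in realms]
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        out += [f"{key}: single-DES {e}" for e in re.split(r"[\s,]+", lib.get(key, "")) if e in WEAK]
    return out

QUOTED = """[libdefaults]
default_realm = REALM.COM
[realms]
UTAH.EDU = {
kdc = 192.168.0.5
}
[domain_realm]
.domain.com = REALM.COM"""  # abridged from the quoted config in this thread
REPLY = """[libdefaults]
default_realm = MYDOMAIN.COM
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc
[realms]
MYDOMAIN.COM = {
kdc = 192.168.100.3
}"""  # abridged from the reply's config
```

`lint(QUOTED)` reports the two realm references that have no `[realms]` stanza; `lint(REPLY)` reports the three single-DES entries.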

