[Samba] Managed to make some progress, stuck again.
Simon Renshaw
simon at castortech.com
Tue Apr 18 19:14:02 GMT 2006
Hi,
An update on my work to integrate my Linux server (CentOS 4.3) in AD
2003.
Sorry about the long post :)
Found this page
(http://www.enterprisenetworkingplanet.com/netos/article.php/3487081)
and followed the instructions on it.
First, I made sure that the Samba installation is supporting Kerberos,
LDAP, AD and Winbind. That was OK.
I made sure that /etc/hosts contains the name of the AD server
(castor-srvr1).
Then I edited /etc/krb5.conf to include the following:
[libdefaults]
    default_realm = CASTORTECH.COM
[realms]
    CASTORTECH.COM = {
        kdc = castor-srvr1.castortech.com
    }
[domain_realm]
    .kerberos.server = CASTORTECH.COM
I got the default realm name when I ran ksetup on the AD server.
I then tried to connect using kinit administrator@CASTORTECH.COM. It
asks for a password and it returns an error (krb_error 14 KDC has no
support for encryption type). If I use another user (simon, my account
with domain admin rights), it connects and creates a new ticket. To be
sure, I tested with a user that doesn't exist and got a "krb_error 24
Pre-authentication information was invalid". Any idea why administrator
won't connect?
I modified /etc/samba/smb.conf with the info in chapter 13 of the Samba
book.
The pre-Windows 2000 name of the domain is MONTREAL.
[global]
    workgroup = MONTREAL
    realm = CASTORTECH.COM
    preferred master = no
    security = ADS
    template shell = /bin/bash
    idmap uid = 500-10000000
    idmap gid = 500-10000000
    winbind use default domain = yes
    winbind nested groups = yes
    encrypt passwords = yes
    log level = 3
    server string = Linux
    wins server = 192.168.64.20
    dns proxy = no
    password server = None
    username map = /etc/samba/smbusers
[homes]
    comment = Home Directories
    browseable = no
    writeable = yes
[root]
    path = /
    writeable = yes
    guest ok = yes
Password server was at none by default. Do I need to put the AD server
there?
Not sure if the workgroup needs to be the NetBIOS name of the domain
(MONTREAL) or the AD server name.
[root] is the share I created on my Linux box. Missing anything for
that?
If I run testparm with that config:
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[root]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
To join the domain, the site says to run net ads join -U Administrator.
Of course, that didn't work (ads_connect: No such file or directory). I
ran net ads join -U administrator --server=castor-srvr1. And got:
[2006/04/18 13:52:13, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for castor-srvr4 already exists -
modifying old account
Using short domain name -- MONTREAL
Joined 'CASTOR-SRVR4' to realm 'CASTORTECH.COM'
If I open ADUC I can see the server under Computers. So far so good. I
think.
Now I need to configure Winbind. I edited /etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
Then I restarted the services.
I ran a few wbinfo commands to test it.
wbinfo -g
BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Administrators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Users
Looks like BUILTIN is on the Linux box instead of AD.
But wbinfo --domain=MONTREAL -g
Error looking up domain groups
Same thing with -u.
I tried net ads info --server=castor-srvr1
LDAP server: 192.168.64.20
LDAP server name: castor-srvr1
Realm: CASTORTECH.COM
Bind Path: dc=CASTORTECH,dc=COM
LDAP port: 389
Server time: Tue, 18 Apr 2006 14:35:24 GMT
KDC server: 192.168.64.20
Server time offset: 187
net ads testjoin --server=castor-srvr1
Join is OK
So according to this, the Linux box is in the domain but there is a
problem with Winbind. Or something.
I can't access the Linux box from Windows.
This is where I'm stuck and would appreciate some help.
Thanks!
Simon
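An added example, not from Simon's post or the Samba project: a small Python lint that parses an smb.conf laid out like the one above and flags the two points a reviewer would raise about it before the box is reachable from Windows, the [root] share exporting / writeable with guest ok, and an idmap range that starts at UID 500, where local CentOS 4 accounts also begin. The sample config is constructed from the post, and the 1000 ceiling for local UIDs is an assumption.

```python
"""Lint a Samba ADS member smb.conf (added example, not from the post)."""
import re

# Constructed sample, modelled on the smb.conf quoted in the post.
SAMPLE_SMB_CONF = """\
[global]
workgroup = MONTREAL
realm = CASTORTECH.COM
security = ADS
idmap uid = 500-10000000
idmap gid = 500-10000000
[root]
path = /
writeable = yes
guest ok = yes
"""
LOCAL_UID_CEILING = 1000  # assumption: local accounts live below UID 1000

def parse_smb_conf(text):
    """Return {section: {key: value}}; Samba keys are case/space-insensitive."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][" ".join(key.lower().split())] = val.strip()
    return conf

def truthy(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(conf):
    """Return the findings a defender would raise on this config."""
    findings = []
    m = re.match(r"(\d+)\s*-\s*(\d+)$", conf.get("global", {}).get("idmap uid", ""))
    if m and int(m.group(1)) < LOCAL_UID_CEILING:
        findings.append(f"global: idmap uid range starts at {m.group(1)}, overlapping local UIDs")
    for name, share in conf.items():
        if name == "global":
            continue
        if truthy(share.get("guest ok", "no")) and truthy(share.get("writeable", "no")):
            sev = "CRITICAL" if share.get("path") == "/" else "WARNING"
            findings.append(f"[{name}]: {sev} anonymous write access to {share.get('path', '?')}")
    return findings
```

Against a live system, call audit(parse_smb_conf(open("/etc/samba/smb.conf").read())) and review each finding before exposing the shares.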