[Samba] trouble with winbind
Nico De Wilde
nico at openix.be
Fri Feb 3 15:57:23 GMT 2006
Chris,
The following error is repeated multiple times in your winbind.log:
"Client not found in Kerberos database"
Are you joining these machines as a domain admin or as an account with
domain admin privileges?
Is your resolving set up correctly?
Are the clocks on your servers synchronized with the DC?
Could you try:
-> kinit ADMINISTRATOR@yourdomain.something
-> net ads join -U ADMINISTRATOR
What output do these two commands generate on your system?
Sample smb.conf for a 'member server' in a 2000/2003 AD domain:
--------------------------------------------------
[global]
server string = somebox
realm = DOM1.JHUAPL.EDU
workgroup = CHOCOWEB
password server = dom1-dc6.dom1.jhuapl.edu
security = ADS
encrypt passwords = true
# winbind configuration
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users=yes
winbind enum groups=yes
-----------------------------------------------------------
Sample krb5.conf
-----------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOM1.JHUAPL.EDU
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOM1.JHUAPL.EDU = {
kdc = the.ip.of.your.dc:88
admin_server = the.ip.of.your.dc:749
default_domain = dom1.jhuapl.edu
}
----------------------------------------------------------
Nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns winbind
--------------------------------------------------------------
This should get you going.
Can you provide additional feedback on this?
Thx.
Regards,
Nico
----- Original Message -----
From: "Chris Stone" <chris.stone at jhuapl.edu>
To: "Nico De Wilde" <nico at openix.be>
Sent: Friday, February 03, 2006 4:33 PM
Subject: Re: [Samba] trouble with winbind
> Nico,
>
> I've attached the winbindd log. I manually created the machine
> account, without the account I can't bind, it's an issue with domain
> privileges. What I don't understand is that I took all of the config
> files, nsswitch, krb5.conf, and others, from a machine that is bound
> and has a working winbind:-(
>
>
> biolinux:/var/log/samba # vi /etc/nsswitch.conf
>
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Legal entries are:
> #
> # compat Use compatibility setup
> # nisplus Use NIS+ (NIS version 3)
> # nis Use NIS (NIS version 2), also called YP
> # dns Use DNS (Domain Name Service)
> # files Use the local files
> # db Use the /var/db databases
> # [NOTFOUND=return] Stop searching if not found so far
> #
> # For more information, please read the nsswitch.conf.5 manual page.
>
> passwd: files winbind
> group: files winbind
> --endsnip
>
>
> Thanks,
> Chris
>
>
>
> On Feb 3, 2006, at 9:50 AM, Nico De Wilde wrote:
>
>> Chris,
>>
>> Can you provide the winbind logs of the machine that does not
>> succeed in joining the domain?
>>
>> Have you checked in your Windows server that machine accounts were
>> created?
>>
>> Is your nsswitch.conf setup properly?
>>
>> Thx,
>>
>> Nico
>> ----- Original Message ----- From: "Chris Stone"
>> <chris.stone at jhuapl.edu>
>> To: <samba at lists.samba.org>
>> Sent: Friday, February 03, 2006 3:10 PM
>> Subject: [Samba] trouble with winbind
>>
>>
>>> Hi,
>>> I'm running samba, V3.0.20b-3.4-SUSE, on suse el9. I've
>>> successfully bound one machine to active directory, I can login
>>> to the local box using domain credentials. However, I can't get a
>>> second machine to the domain, using the exact same procedures.
>>> The machine claims to be bound,
>>> wbinfo -t returns "checking the trust secret via RPC calls
>>> succeeded"
>>> But, when I run wbinfo --sequence, it returns,
>>> APL : DISCONNECTED
>>> BIOLINUX : 1
>>> BUILTIN : 1
>>> JHUAPL : DISCONNECTED
>>> Kerberos is working, I can do a kinit user@JHUAPL.EDU, and get a
>>> ticket. My smb.conf is:
>>> [global]
>>> workgroup = JHUAPL
>>> server string = edna
>>> socket options = TCP_NODELAY SO_SNDBUF=8192
>>> SO_RCVBUF=8192 IPTOS_LOWDELAY
>>> encrypt password = yes
>>> password server = dom1-dc6.dom1.jhuapl.edu
>>> realm = DOM1.JHUAPL.EDU
>>> netbios name = biolinux
>>> security = ads
>>> idmap uid = 10000-40000
>>> idmap gid = 10000-40000
>>> winbind separator = _
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind use default domain = yes
>>> username map = /etc/samba/smbusers
>>> map to guest = Bad User
>>> template shell = /bin/bash
>>> Can anyone suggest what I might be doing wrong? I've been
>>> googling this for a couple of days, and have run out of ideas.
>>> Thank You,
>>> Chris
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/listinfo/samba
>
>
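Added example, not part of the original thread: an offline check that the three files sampled in the reply above agree with each other (security = ads, smb.conf realm equal to krb5.conf default_realm, a kdc entry for that realm, winbind in the passwd and group lines). The function names are hypothetical and the sample files are constructed; it does not contact the DC, so name resolution and clock synchronization still have to be checked separately.

```shell
# ini_get FILE SECTION KEY: print KEY's value inside [SECTION] (names in lowercase)
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = tolower($0); next }
        cur == sec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}
# krb_realm_has_kdc FILE REALM: succeed if [realms] has a multi-line "REALM = {" block with kdc
krb_realm_has_kdc() {
    awk -v realm="$2" '
        /^[ \t]*\[/    { insec = (tolower($0) ~ /\[realms\]/); inrealm = 0; next }
        !insec         { next }
        index($0, "}") { inrealm = 0; next }
        (i = index($0, "=")) {
            k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k)
            if (index($0, "{")) inrealm = (k == realm)   # realm names are case-sensitive
            else if (inrealm && k == "kdc") found = 1
        }
        END { exit !found }' "$1"
}
# nss_has_winbind FILE DB: succeed if the "DB:" line lists winbind as a source
nss_has_winbind() { grep -Eq "^[[:space:]]*$2:(.*[[:space:]])?winbind([[:space:]]|\$)" "$1"; }
# check_ads_member SMB KRB NSS: print findings, return how many there were
check_ads_member() {
    n=0; sec=$(ini_get "$1" global security); realm=$(ini_get "$1" global realm)
    def=$(ini_get "$2" libdefaults default_realm)
    case $sec in [Aa][Dd][Ss]) ;; *) echo "smb.conf: security='$sec', want ads"; n=$((n+1));; esac
    [ "$realm" = "$def" ] || { echo "realm '$realm' != default_realm '$def'"; n=$((n+1)); }
    krb_realm_has_kdc "$2" "$realm" || { echo "krb5.conf: no kdc for '$realm'"; n=$((n+1)); }
    for db in passwd group; do
        nss_has_winbind "$3" "$db" || { echo "nsswitch.conf: $db lacks winbind"; n=$((n+1)); }
    done
    return "$n"
}
# Constructed sample files; group deliberately lacks winbind so one finding prints.
demo() {
    d=$(mktemp -d); rc=0
    printf '[global]\n security = ADS\n realm = DOM1.JHUAPL.EDU\n' > "$d/smb"
    printf '[libdefaults]\n default_realm = DOM1.JHUAPL.EDU\n' > "$d/krb"
    printf '[realms]\n DOM1.JHUAPL.EDU = {\n  kdc = the.ip.of.your.dc:88\n }\n' >> "$d/krb"
    printf 'passwd: files winbind\ngroup: files\n' > "$d/nss"
    check_ads_member "$d/smb" "$d/krb" "$d/nss" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "findings: $?"
```

On a real host the call would be `check_ads_member /etc/samba/smb.conf /etc/krb5.conf /etc/nsswitch.conf`, with a non-zero return meaning the files disagree.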