[Samba] Getting users and groups through winbind on FreeBSD

Ashley Moran work at ashleymoran.me.uk
Mon Oct 23 16:51:37 GMT 2006

On 23 Oct 2006, at 17:08, Dominic Marks wrote:

> Ashley,
> No time today to look at your problem, but keep working on it
> as it is usually something silly. We have lots of AD joined
> FreeBSD boxes.

Hi Dom

Do they pull accounts from the AD server when you use pw usershow?   
Or do you need to set users up on the box to access a share they've  
never used before?

> A few things I didn't notice from a brief scan of your info:
> You've done a kinit? I assume you must have. What does klist
> return?

Yep, as root connecting as the Administrator user:

[root at dim ~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: Administrator at JIGSAWHQ.COM

   Issued           Expires          Principal
Oct 23 11:11:30  Oct 23 17:49:41  krbtgt/JIGSAWHQ.COM at JIGSAWHQ.COM
Oct 23 11:12:44  Oct 23 17:49:41  ldap/jigsaw- 
sbs02.jigsawhq.com at JIGSAWHQ.COM

> Is the system is good time sync? Again, this is probably
> implied from your other results but it is good to check.

Yep, I checked that.  They're about two minutes apart, and presumably  
I wouldn't even get tickets if they were way out.

> What does your /etc/krb5.conf look like?

This is my krb5.conf:

   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

   default_realm = JIGSAWHQ.COM
   ticket_lifetime = 24000
#  dns_lookup_realm = false
#  dns_lookup_kdc = false

# AD domain, DC FQDNs
     kdc = tcp/jigsaw-sbs02.jigsawhq.com:88
#    kdc = tcp/ad2.jigsawhq.com:88
     admin_server = jigsaw-sbs02.jigsawhq.com:749
     default_domain = jigsawhq.com

#Translating all possibles to JIGSAWHQ.COM
.jigsawhq.com = JIGSAWHQ.COM
jigsawhq.com = JIGSAWHQ.COM

#This is used if you have alternative KDC's in you realm (not windows)
#that you are mapping trust accounts to in the windows domain
#see http://www.microsoft.com/windows2000/techinfo/planning/security/ 
#  profile = /var/kerberos/krb5kdc/kdc.conf

   pam = {
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false

I'm using the Heimdal Kerberos that comes with FreeBSD 6.1

Thanks for looking at it.  Any ideas what's up?


More information about the samba mailing list