[Samba] Getting users and groups through winbind on FreeBSD
Ashley Moran
work at ashleymoran.me.uk
Mon Oct 23 16:51:37 GMT 2006
On 23 Oct 2006, at 17:08, Dominic Marks wrote:
> Ashley,
>
> No time today to look at your problem, but keep working on it
> as it is usually something silly. We have lots of AD joined
> FreeBSD boxes.
Hi Dom
Do they pull accounts from the AD server when you use pw usershow?
Or do you need to set users up on the box to access a share they've
never used before?
> A few things I didn't notice from a brief scan of your info:
>
> You've done a kinit? I assume you must have. What does klist
> return?
Yep, as root connecting as the Administrator user:
[root@dim ~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@JIGSAWHQ.COM

  Issued           Expires          Principal
Oct 23 11:11:30  Oct 23 17:49:41  krbtgt/JIGSAWHQ.COM@JIGSAWHQ.COM
Oct 23 11:12:44  Oct 23 17:49:41  ldap/jigsaw-sbs02.jigsawhq.com@JIGSAWHQ.COM
> Is the system in good time sync? Again, this is probably
> implied from your other results but it is good to check.
Yep, I checked that. They're about two minutes apart, and presumably
I wouldn't even get tickets if they were way out.
>
> What does your /etc/krb5.conf look like?
This is my krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = JIGSAWHQ.COM
ticket_lifetime = 24000
# dns_lookup_realm = false
# dns_lookup_kdc = false
# AD domain, DC FQDNs
[realms]
JIGSAWHQ.COM = {
    kdc = tcp/jigsaw-sbs02.jigsawhq.com:88
    # kdc = tcp/ad2.jigsawhq.com:88
    admin_server = jigsaw-sbs02.jigsawhq.com:749
    default_domain = jigsawhq.com
}
#Translating all possibles to JIGSAWHQ.COM
[domain_realm]
.jigsawhq.com = JIGSAWHQ.COM
jigsawhq.com = JIGSAWHQ.COM
.JIGSAWHQ.COM = JIGSAWHQ.COM
#This is used if you have alternative KDCs in your realm (not windows)
#that you are mapping trust accounts to in the windows domain
#see http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
#[kdc]
# profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
I'm using the Heimdal Kerberos that comes with FreeBSD 6.1
Thanks for looking at it. Any ideas what's up?
Cheers
Ashley