[Samba] problems with kerberos on Solaris 10
Alexandr Miasnikov
asp at pskov.mts.ru
Tue Jul 31 07:27:38 GMT 2007
Sorry for the long post.
Please point out my mistakes.
samba 3.0.25b
kerberos heimdal 0.8.1-p2
# kinit adminuser
adminuser at USR.NW.MTS.RU's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: adminuser at USR.NW.MTS.RU
Issued Expires Principal
Jul 31 11:22:18 Jul 31 21:22:18 krbtgt/USR.NW.MTS.RU at USR.NW.MTS.RU
# net -d 3 ads join ads -U adminuser
[2007/07/31 11:07:47, 3] param/loadparm.c:lp_load(5024)
lp_load: refreshing parameters
[2007/07/31 11:07:47, 3] param/loadparm.c:init_globals(1424)
Initialising global parameters
[2007/07/31 11:07:47, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file
"/usr/local/etc/samba/smb.conf"
[2007/07/31 11:07:47, 3] param/loadparm.c:do_section(3763)
Processing section "[global]"
[2007/07/31 11:07:47, 2] lib/interface.c:add_interface(81)
added interface ip=10.7.5.2 bcast=10.7.5.255 nmask=255.255.255.0
[2007/07/31 11:07:47, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/07/31 11:07:47, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.7.5.20
[2007/07/31 11:07:47, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/07/31 11:07:47, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
adminuser's password:
[2007/07/31 11:07:50, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/07/31 11:07:50, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.7.5.20
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
ads_sasl_spnego_bind: got server principal name = dcpsk1$@USR.NW.MTS.RU
[2007/07/31 11:07:50, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[2007/07/31 11:07:52, 0] libads/kerberos.c:ads_kinit_password(228)
kerberos_kinit_password adminuser at USR.NW.MTS.RU failed:
Preauthentication failed
[2007/07/31 11:07:52, 1] utils/net_ads.c:net_ads_join(1470)
error on ads_startup: Preauthentication failed
Failed to join domain: Logon failure
[2007/07/31 11:07:52, 2] utils/net.c:main(1032)
return code = -1
===================================
With samba-3.0.24 everything is OK.
===================================
With other Kerberos implementations (MIT, native Solaris packages) the situation is the same.
Compiling:
CONFIGURE_ARGS=--enable-pie \
--localstatedir=/var \
--with-privatedir=/var/samba \
--with-lockdir=/var/samba \
--with-piddir=/var/run \
--with-configdir=${PREFIX}/etc/samba \
--with-logfilebase=/var/log/samba \
--with-readline --with-libiconv \
--with-ldap --with-ads --with-krb5 \
--with-pam --with-pam_smbpass \
--with-quotas --without-utmp \
--with-libmsrpc --with-libsmbclient \
--with-libsmbsharemodes \
--with-acl-support --with-aio-support \
--with-sendfile-support --with-winbind \
--without-python \
--with-shared-modules=idmap_rid,idmap_ad
smb.conf:
# Samba domain-member settings as posted (no section header shown in the excerpt).
# NOTE(review): with "use kerberos keytab" enabled Samba works with the system
# keytab, so default_keytab_name in krb5.conf has to name a real keytab file;
# in the krb5.conf posted with this message it points at a path ending in
# krb5.conf - confirm.
use kerberos keytab = True
# unix shell
template homedir = /export/home/%U
template shell = /bin/sh
winbind nested groups = yes
# Active Directory member mode; authentication is done against the realm below.
security = ads
password server = 10.7.5.20
realm = USR.NW.MTS.RU
workgroup = USR
client use spnego = yes
server string =
os level = 10
domain master = no
preferred master = no
domain logons = no
# LANMAN and NTLMv1 responses are refused, and the client side sends NTLMv2 only.
ntlm auth = no
lanman auth = no
client NTLMv2 auth = yes
wins support = no
wins proxy = no
winbind enum groups = yes
winbind enum users = yes
winbind cache time = 3600
winbind use default domain = Yes
# NOTE(review): "winbind nested groups" is already set above; this second
# assignment is a duplicate with the same value.
winbind nested groups = yes
allow trusted domains = No
idmap uid = 2000-100000000
idmap gid = 2000-100000000
idmap backend = rid:"USR=2000-100000000"
nt acl support = yes
socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY
use sendfile = Yes
# NOTE(review): this permits client access to accounts that have an empty
# password. Unless something depends on it, leave it at the default (no).
null passwords = Yes
deadtime = 60
kerberos heimdal 0.8.1-p2
krb5.conf
# Heimdal client configuration for the USR.NW.MTS.RU realm, as posted.
[libdefaults]
# NOTE(review): the keytab name points at a file called krb5.conf, which looks
# like the Kerberos configuration file rather than a keytab - confirm the
# intended path. The smb.conf in the same message sets "use kerberos keytab".
default_keytab_name = FILE:/usr/local/etc/krb5/krb5.conf
default_realm = USR.NW.MTS.RU
# Realm and KDC discovery through DNS is off; the KDC is listed under [realms].
dns_lookup_realm = false
dns_lookup_kdc = false
# NOTE(review): both lists allow single-DES only. DES is cryptographically weak
# and later Kerberos and Active Directory releases disable it by default;
# prefer the strongest enctypes the domain controller offers - TODO confirm
# what the KDC supports.
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
# NOTE(review): with this set to false, failing to verify freshly obtained
# credentials against a local key is not treated as fatal, so a KDC reply may
# be accepted without that check - confirm this is intended.
verify_ap_req_nofail = false
[realms]
USR.NW.MTS.RU = {
kdc = dcpsk1.usr.nw.mts.ru:88
admin_server = dcpsk1.usr.nw.mts.ru:749
kpasswd_server = dcpsk1.usr.nw.mts.ru:464
kpasswd_protocol = SET_CHANGE
default_domain = pskov.mts.ru
}
# Both DNS domains (and their subdomains) map to the single realm.
[domain_realm]
usr.nw.mts.ru = USR.NW.MTS.RU
.usr.nw.mts.ru = USR.NW.MTS.RU
pskov.mts.ru = USR.NW.MTS.RU
.pskov.mts.ru = USR.NW.MTS.RU
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
# NOTE(review): this brace is opened and never closed before the next section
# header; the posting may have lost lines here - check the file on disk.
kdc_rotate = {
[appdefaults]
kinit = {
renewable = true
forwardable= true
}