[Samba] SAMBA + ADS + Kerberos Problem...
Michael Fernández M
michael at michael.cl
Wed Jul 30 22:37:14 GMT 2008
Hi, I am trying to join a Samba server to ADS with Kerberos + Winbind....
Everything is right, I mean, when I do the following:
kinit Administrator@DOMAIN.CL
(it asks for the password) and OK.
Then:
debian:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN.CL

Valid starting     Expires            Service principal
07/30/08 16:49:17  07/31/08 02:49:21  krbtgt/DOMAIN.CL@DOMAIN.CL
        renew until 07/31/08 02:49:17

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Then:
net ads join -Uadministrator%pass
is correct; the machine is joined to the AD.
getent passwd shows the ADS users...
getent group shows the ADS groups...
wbinfo -t
checking the trust secret via RPC calls succeeded
With:
smbclient //adspc/c\$ -k
it connects to adspc without a password and shows the directories.
The big "BUT" is:
When I connect with an M$ user with smbclient to a local share on the
Samba server I get:
smbclient //localhost/eee/ -Uadministrator
session setup failed: NT_STATUS_ACCESS_DENIED
The logs show:
[2008/07/30 17:01:32, 5] rpc_parse/parse_prs.c:prs_ntstatus(767)
001c status : NT_STATUS_ACCESS_DENIED
[2008/07/30 17:01:32, 10] libsmb/credentials.c:creds_client_check(325)
creds_client_check: credentials check OK.
[2008/07/30 17:01:32, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1546)
winbindd_pam_auth: sam_logon returned ACCESS_DENIED. Maybe the trust
account password was changed and we didn't know it. Killing connections
to domain DOMAIN
When I do:
wbinfo -u: it shows the ADS users BUT does not show the DOMAIN, I mean:
it does not show DOMAIN+ADS_USER, it only shows ADS_USER.
The same with wbinfo -g.
Another thing: every time I reset the machine I lose the Kerberos
ticket. This is not normal.....
The krb5.conf:
[libdefaults]
default_realm = DOMAIN.CL
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.CL = {
kdc = 191.9.200.1
admin_server = adspc
default_domain = DOMAIN.CL
}
[domain_realm]
.domain.cl = DOMAIN.CL
domain.cl = DOMAIN.CL
[login]
krb4_convert = true
krb4_get_tickets = false
-------------------------------------
* smb.conf:
[global]
security = ADS
netbios name = debian
realm = DOMAIN.CL
#username map = /etc/samba/smbusers
encrypt passwords = yes
password server = 191.9.200.1
workgroup = DOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
ldap ssl = no
log level = 20
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
#domain master = no
* nsswitch.conf
passwd: files winbind
group: files winbind
shadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
The /pam.d/ files:
* common-account
account sufficient pam_winbind.so
account required pam_unix.so
* common-auth
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
* common-password
password required pam_unix.so nullok obscure min=4 max=50 md5
* common-session
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Well, I hope somebody can help me with this! I tried to give all the
information.....
THANKS!!!!!!!!!!!!!! a LOT!!
Michael.-
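The post above pastes a krb5.conf whose [realms] block is named with the short workgroup name while default_realm and smb.conf use the full realm, and a smb.conf with winbind use default domain = yes. The script below is an added example (not code from the post or from Samba) that checks a krb5.conf and smb.conf pair for exactly these realm-consistency problems before one starts debugging winbind. krb5.conf has brace-delimited realm blocks that a stock INI parser does not handle, so each file gets a small purpose-built parser. The two config texts at the bottom are constructed for the demonstration; DOMAIN.CL, adspc and 192.0.2.1 are placeholders.

```python
"""Realm-consistency check for a Samba ADS member's krb5.conf and smb.conf.

Added example, not code from the original post or from Samba. The two config
texts at the bottom are constructed; DOMAIN.CL and 192.0.2.1 are placeholders.
"""
import re


def parse_krb5_conf(text):
    """krb5.conf -> {section: {key: value or {subkey: value}}}; handles one
    level of 'NAME = { ... }' blocks, as used in [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                                  # [section] header
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:                                  # 'REALM = {' opens a block
            block = section.setdefault(m.group(1), {})
            continue
        if line == '}':
            block = None
            continue
        m = re.match(r'^(\S+?)\s*=\s*(.+)$', line)
        if m:
            (block if block is not None else section)[m.group(1)] = m.group(2).strip()
    return conf


def parse_smb_conf(text):
    """smb.conf -> {section: {key: value}}; keys lower-cased with inner
    whitespace normalised, the way Samba matches parameter names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            section = conf.setdefault(m.group(1).strip().lower(), {})
        elif section is not None and '=' in line:
            key, value = line.split('=', 1)
            section[' '.join(key.split()).lower()] = value.strip()
    return conf


def check_ads_config(krb5_text, smb_text):
    """Return [(level, message)], level 'error' or 'note'."""
    krb5 = parse_krb5_conf(krb5_text)
    glob = parse_smb_conf(smb_text).get('global', {})
    out = []
    default_realm = krb5.get('libdefaults', {}).get('default_realm')
    smb_realm = glob.get('realm')
    if not default_realm:
        out.append(('error', 'krb5.conf: [libdefaults] has no default_realm'))
    if not smb_realm:
        out.append(('error', 'smb.conf: [global] has no realm'))
    elif smb_realm != smb_realm.upper():
        out.append(('error', f'smb.conf: realm {smb_realm} must be upper case'))
    if default_realm and smb_realm and default_realm.upper() != smb_realm.upper():
        out.append(('error', f'realm mismatch: krb5.conf default_realm={default_realm}, '
                             f'smb.conf realm={smb_realm}'))
    # Realm blocks are looked up by the full realm name: a block named after the
    # NetBIOS workgroup is never consulted for DOMAIN.CL.
    realms = krb5.get('realms', {})
    wanted = {default_realm} | set(krb5.get('domain_realm', {}).values())
    for realm in sorted(r for r in wanted if r):
        if realm not in realms:
            out.append(('error', f'krb5.conf: [realms] has no block named {realm} '
                                 f'(present: {", ".join(realms) or "none"})'))
    if glob.get('security', '').lower() != 'ads':
        out.append(('error', 'smb.conf: security = ADS is required for a Kerberos member'))
    if glob.get('winbind use default domain', 'no').lower() == 'yes':
        prefix = glob.get('workgroup', '') + glob.get('winbind separator', '\\')
        out.append(('note', 'winbind use default domain = yes: wbinfo -u/-g and getent '
                            f'list primary-domain accounts without the {prefix} prefix'))
    return out


# Constructed inputs shaped like the posted files (placeholders, not real hosts).
KRB5_CONF_SHORT_NAME = """
[libdefaults]
    default_realm = DOMAIN.CL
[realms]
    DOMAIN = {
        kdc = 192.0.2.1
        admin_server = adspc
    }
[domain_realm]
    .domain.cl = DOMAIN.CL
    domain.cl = DOMAIN.CL
"""
KRB5_CONF_FIXED = KRB5_CONF_SHORT_NAME.replace('DOMAIN = {', 'DOMAIN.CL = {')
SMB_CONF = """
[global]
    security = ADS
    realm = DOMAIN.CL
    workgroup = DOMAIN
    winbind separator = +
    winbind use default domain = yes
"""
```

Run against KRB5_CONF_SHORT_NAME the checker reports one error (no [realms] block named DOMAIN.CL; only DOMAIN is present) plus the note; against KRB5_CONF_FIXED only the note remains. The note documents expected behaviour rather than a fault: with winbind use default domain = yes, Samba deliberately lists and accepts primary-domain accounts without the DOMAIN+ prefix. Separately, a user ticket cache at FILE:/tmp/krb5cc_0 lives in /tmp and is not meant to survive a reboot; a domain member authenticates its secure channel with the machine account stored at join time, not with a cached user TGT.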