[Samba] samba + ADS in native mode
Sergey Pororegnik
tmp02 at mail.ru
Thu Oct 2 05:59:38 GMT 2008
Hello, friends.
Before changing the Active Directory server mode to "native mode", user authentication doesn't work. In native ADS mode I need to use Kerberos.
OS: RHEL 4 (x86)
Samba: 3.0.10-1.4E
Kerberos: 1.3.4-9
Domain controller: Win 2003 ADS in native mode
# more /etc/samba/smb.conf
[global]
workgroup = DOMAIN
server string = FTP Server
netbios name = SRVFTP
log file = /var/log/samba/%m.log
log level = 3 auth:5 passdb:5
max log size = 500
security = ADS
realm = CORP.DOMAIN.COM
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
auth methods = winbind
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind nested groups = yes
password server = dc1.domain.local
case sensitive = no
# more /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CORP.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
CORP.DOMAIN.COM = {
kdc = dc1.domain.local:88
admin_server = dc1.domain.local:749
default_domain = CORP.DOMAIN.COM
}
[domain_realm]
.domain.local = CORP.DOMAIN.COM
domain.local = CORP.DOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Username@CORP.DOMAIN.COM
Valid starting     Expires            Service principal
10/02/08 10:20:43  10/02/08 20:20:50  krbtgt/CORP.DOMAIN.COM@CORP.DOMAIN.COM
        renew until 10/02/08 20:20:43
10/02/08 10:24:30  10/02/08 20:20:50  srvdc01$@CORP.DOMAIN.COM
        renew until 10/02/08 20:20:43
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
# wbinfo -a Username@CORP.DOMAIN.COM
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user Username@CORP.DOMAIN.COM with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user Username@CORP.DOMAIN.COM with challenge/response
# wbinfo -g
and
# wbinfo -u
work correctly.
---
Best regards, Sergey Ivanov.
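A cross-check of the two configuration files in the post, as an added example that is not part of the original message and not Samba's own diagnostics: it parses an smb.conf and a krb5.conf, then verifies the things that have to agree before security = ADS can authenticate with Kerberos (the realm is set and uppercase, it equals krb5's default_realm, a KDC can be found for it, and the host named in password server maps to that realm through [domain_realm] rather than being guessed from its DNS suffix). The sample configs are constructed from the values posted above; the finding codes and the rules behind them are this example's own heuristics.

```python
"""Cross-check smb.conf against krb5.conf for a security = ADS member server.

Added example, not code from the original post or from Samba. The sample
configs below are constructed from the posted values; the finding codes and
the rules behind them are this example's own heuristics.
"""
import re

# Constructed from the post: only the [global] keys that matter for Kerberos.
SMB_CONF = """[global]
workgroup = DOMAIN
security = ADS
realm = CORP.DOMAIN.COM
password server = dc1.domain.local
winbind separator = +
winbind use default domain = yes
"""

# Constructed from the posted /etc/krb5.conf.
KRB5_CONF = """[libdefaults]
default_realm = CORP.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
CORP.DOMAIN.COM = {
kdc = dc1.domain.local:88
admin_server = dc1.domain.local:749
default_domain = CORP.DOMAIN.COM
}
[domain_realm]
.domain.local = CORP.DOMAIN.COM
domain.local = CORP.DOMAIN.COM
"""


def parse_smb_conf(text):
    """smb.conf is flat: [section] headers and 'key = value' lines.
    Parameter names are case-insensitive, so they are lower-cased here."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            cur = m.group(1).lower()
            sections.setdefault(cur, {})
        elif '=' in line and cur is not None:
            key, val = line.split('=', 1)
            sections[cur][key.strip().lower()] = val.strip()
    return sections


def parse_krb5_conf(text):
    """krb5.conf adds one level of '{ ... }' blocks (realm and app blocks)
    and may repeat a key (several kdc lines), so values are kept as lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == '#':
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            section, block = m.group(1).lower(), None
            conf.setdefault(section, {})
            continue
        if section is None:
            continue
        if line == '}':
            block = None
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            block = conf[section].setdefault(m.group(1), {})
            continue
        if '=' in line:
            key, val = (s.strip() for s in line.split('=', 1))
            target = block if block is not None else conf[section]
            target.setdefault(key, []).append(val)
    return conf


def first(d, key, default=''):
    vals = d.get(key)
    return vals[0] if vals else default


def domain_realm_lookup(mapping, host):
    """Mirror the [domain_realm] rule: an exact hostname entry wins, then the
    longest matching '.suffix' entry. None means no entry applies, so the
    library would fall back to guessing a realm from the DNS suffix."""
    host = host.lower()
    lower = {k.lower(): v[0] for k, v in mapping.items()}
    if host in lower:
        return lower[host]
    suffixes = [k for k in lower if k.startswith('.') and host.endswith(k)]
    return lower[max(suffixes, key=len)] if suffixes else None


def check_ads_config(smb_text, krb_text):
    """Return a list of finding codes; an empty list means the files agree."""
    g = parse_smb_conf(smb_text).get('global', {})
    krb = parse_krb5_conf(krb_text)
    libdefaults = krb.get('libdefaults', {})
    findings = []
    if g.get('security', '').lower() != 'ads':
        return ['SECURITY_NOT_ADS']
    realm = g.get('realm', '')
    if not realm:
        return ['REALM_MISSING']               # security = ADS needs a realm
    if realm != realm.upper():
        findings.append('REALM_NOT_UPPERCASE')  # realm names are case-sensitive
    if first(libdefaults, 'default_realm') != realm:
        findings.append('DEFAULT_REALM_MISMATCH')
    dns_kdc = first(libdefaults, 'dns_lookup_kdc', 'false').lower() == 'true'
    if realm not in krb.get('realms', {}) and not dns_kdc:
        findings.append('NO_KDC_FOR_REALM')     # no [realms] entry, no SRV lookup
    servers = re.split(r'[,\s]+', g.get('password server', '').strip())
    host = servers[0] if servers and servers[0] else ''
    if '.' in host:
        mapped = domain_realm_lookup(krb.get('domain_realm', {}), host)
        guessed = host.split('.', 1)[1].upper()  # realm krb5 would derive
        if mapped is None and guessed != realm:
            findings.append('PASSWORD_SERVER_REALM_UNMAPPED')
        elif mapped is not None and mapped != realm:
            findings.append('PASSWORD_SERVER_MAPPED_TO_OTHER_REALM')
    return findings


if __name__ == '__main__':
    print(check_ads_config(SMB_CONF, KRB5_CONF) or 'OK')
```

Run against the posted files it reports nothing, which is consistent with the klist output (the TGT and a service ticket for the DC were obtained, so the realm and KDC side is fine). Deleting the two [domain_realm] lines or lower-casing the realm makes it report a finding, which is the kind of mismatch this check exists to catch before looking further down the stack at winbind.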