[Samba] samba + ADS in native mode

Michael Adam ma at sernet.de
Thu Oct 2 20:31:35 GMT 2008


Hi Sergey,

Sergey Pororegnik wrote:
> Hello, friends.
> Before change Active Directory Server mode to "native mode" user authentification dont' work. In native ADS mode i need use kerberos.
> 
> OS: RHEL 4 (x86)
> Samba: 3.0.10-1.4E
> Kerberos: 1.3.4-9
> Domain controller: Win 2003 ADS in native mode

> # wbinfo -a Username@CORP.DOMAIN.COM
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user Username@CORP.DOMAIN.COM with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user Username@CORP.DOMAIN.COM with challenge/response

You have set "winbind use default domain = yes", so what does
"wbinfo -a username" give you? And "wbinfo -a DOMAIN+username"
(where you use your short Domain name not the realm name).

> # wbinfo -g
> and
> # wbinfo -u
> work correctly.

So I assume, you have successfully done "net ads join"?

Cheers - Michael

PS: You could also consider upgrading. 3.0.10 is quite old.
AD support has evolved a lot since that release.

> # more /etc/samba/smb.conf
> [global]
>    workgroup = DOMAIN
>    server string = FTP Server
>    netbios name = SRVFTP
>    log file = /var/log/samba/%m.log
>    log level = 3 auth:5 passdb:5
>    max log size = 500
>    security = ADS
>    realm = CORP.DOMAIN.COM
>    encrypt passwords = yes
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    dns proxy = no
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind use default domain = yes
>    auth methods = winbind
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
>    winbind separator = +
>    winbind nested groups = yes
>    password server = dc1.domain.local
>    case sensitive = no
> 
> # more /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = CORP.DOMAIN.COM
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
> 
> [realms]
>  CORP.DOMAIN.COM = {
>   kdc = dc1.domain.local:88
>   admin_server = dc1.domain.local:749
>   default_domain = CORP.DOMAIN.COM
>  }
> 
> [domain_realm]
>  .domain.local = CORP.DOMAIN.COM
>  domain.local = CORP.DOMAIN.COM
> 
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Username@CORP.DOMAIN.COM
> 
> Valid starting     Expires            Service principal
> 10/02/08 10:20:43  10/02/08 20:20:50  krbtgt/CORP.DOMAIN.COM@CORP.DOMAIN.COM
>         renew until 10/02/08 20:20:43
> 10/02/08 10:24:30  10/02/08 20:20:50  srvdc01$@CORP.DOMAIN.COM
>         renew until 10/02/08 20:20:43
> 

-- 
Michael Adam <ma at sernet.de>  <obnox at samba.org>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
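As an added example (not part of the thread above, and not Samba's own tooling): a small POSIX shell script that reads the relevant settings out of an smb.conf and prints the user-name forms Michael asks about, in the order he suggests trying them with "wbinfo -a": the bare name (only meaningful with "winbind use default domain = yes"), DOMAIN<separator>user built from "workgroup" and "winbind separator", and user@REALM built from "realm". The smb.conf it writes to a temp file is constructed from the settings quoted in the mail, so the script runs offline; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread. Derives the user-name forms
# winbind should accept from the [global] section of an smb.conf.

# sample_conf [yes|no]: write a constructed smb.conf (settings taken from the
# mail above) to a temp file, with the given "winbind use default domain"
# value, and print the file's path.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<EOF
[global]
   workgroup = DOMAIN
   security = ADS
   realm = CORP.DOMAIN.COM
   ; socket options contain '=' in the value; the parser must keep it whole
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   winbind use default domain = ${1:-yes}
   winbind separator = +
EOF
    printf '%s\n' "$f"
}

# smb_param FILE KEY: print KEY's value from [global], whitespace-trimmed,
# case-insensitive on the key, ignoring '#' and ';' comment lines.
# Prints nothing if the key is absent.
smb_param() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[global\]/) }
        insec && !/^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# winbind_name_forms FILE USER: print, one per line, the names to try with
# "wbinfo -a": bare user (only when "winbind use default domain" is on),
# then WORKGROUP<sep>USER, then USER@REALM.
winbind_name_forms() {
    conf=$1; user=$2
    wg=$(smb_param "$conf" "workgroup")
    realm=$(smb_param "$conf" "realm")
    sep=$(smb_param "$conf" "winbind separator")
    [ -n "$sep" ] || sep='\'     # Samba's default separator is a backslash
    usedef=$(smb_param "$conf" "winbind use default domain" | tr 'A-Z' 'a-z')
    case "$usedef" in
        yes|true|1) printf '%s\n' "$user" ;;
    esac
    # printf rather than echo: a backslash separator must survive untouched
    [ -n "$wg" ]    && printf '%s\n' "${wg}${sep}${user}"
    [ -n "$realm" ] && printf '%s\n' "${user}@${realm}"
}

CONF=$(sample_conf yes)
winbind_name_forms "$CONF" Username
```

Feed each printed line to "wbinfo -a" (it will prompt for the password); the form that succeeds tells you which name format this winbind configuration resolves. With "winbind use default domain = no" the bare form is dropped from the list, which matches how winbind then requires a domain-qualified name.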