[Samba] krb5 + winbind + ads (back to ads)
Herbert G. Fischer
herbert.fischer at locaweb.com.br
Wed Jul 29 19:17:11 MDT 2009
Hello again folks,
I've given up trying RPC. I'm trying to avoid updating the Samba package on my
Ubuntu 9.04 server (amd64), so I decided to try ADS again. This way I'm
using the following versions:
krb5-user 1.6.dfsg.4~beta1-5ubuntu2
samba* 2:3.3.2-1ubuntu3.1
I'm having problems joining an AD domain. I suspect there is something
related to how my company's directory was set up, and I can't change that.
Here is the information for the AD:
Realm: WIN-NET.DOMAIN.COM.BR
DNS Domain: domain.com.br
Servers: server.domain.com.br, server1.domain.com.br
NOTE: DNS servers are not in the MSDNS server. And there is no DNS
domain related to the realm WIN-NET.DOMAIN.COM.BR, only domain.com.br.
Here is my krb5.conf
========================================================================
[libdefaults]
default_realm = WIN-NET.DOMAIN.COM.BR
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
WIN-NET.DOMAIN.COM.BR = {
kdc = server.domain.com.br
kdc = server1.domain.com.br
default_domain = domain.com.br
kpasswd_server = server.domain.com.br
admin_server = server.domain.com.br
}
[domain_realm]
.domain.com.br = WIN-NET.DOMAIN.COM.BR
domain.com.br = WIN-NET.DOMAIN.COM.BR
[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
default = SYSLOG:err:auth
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
try_first_pass = true
}
===================================================================
With this I'm able to get a ticket using kinit and see it using klist:
root at xxxxxx:~# kinit user
Password for user at WIN-NET.DOMAIN.COM.BR:
root at xxxxxx:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user at WIN-NET.DOMAIN.COM.BR
Valid starting Expires Service principal
07/29/09 22:07:43 07/30/09 08:07:49 krbtgt/WIN-NET.DOMAIN.COM.BR at WIN-NET.DOMAIN.COM.BR
renew until 07/30/09 22:07:43
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
===================================================================
And my smb.conf
===================================================================
[global]
# server name
server string = %h
netbios name = %h
dns proxy = no
domain master = no
local master = no
preferred master = no
os level = 0
# charset options
unix charset = ISO-8859-1
# domain options
workgroup = WIN-NET
realm = WIN-NET.DOMAIN.COM.BR
password server = server.domain.com.br server1.domain.com.br
security = ads
name resolve order = wins bcast
encrypt passwords = true
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
# socket and network options
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = eth0
bind interfaces only = yes
# log options
log level = 1
#tdb:3 winbind:10 auth:3
log file = /var/log/samba/log.%m
max log size = 1024
syslog = 0
# printer options (disabling)
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# winbind options
winbind rpc only = yes
winbind use default domain = yes
winbind normalize names = yes
winbind enum users = no
winbind enum groups = no
template shell = /bin/bash
template homedir = /home/%D/%U
# id mapping options
idmap backend = tdb
idmap config WIN-NET : backend = tdb
idmap config WIN-NET : range = 50000-55000
========================================================================
However, when I try to join the ADS I get different errors,
depending on the parameters I pass:
root at xxxxxx:~# net ads join -U user
Enter user's password:
Failed to join domain: failed to find DC for domain WIN-NET.DOMAIN.COM.BR
root at xxxxxx:~# net ads join -U user -S server
Enter user's password:
Failed to join domain: failed to lookup DC info for domain 'WIN-NET.DOMAIN.COM.BR' over rpc: The network name cannot be found
I tested with debug level 10 and got this information in the last
lines:
===============================================
[2009/07/29 22:15:24, 5] libsmb/nmblib.c:send_udp(824)
Sending a packet of len 50 to (200.234.203.255) on port 137
[2009/07/29 22:15:25, 5] libsmb/nmblib.c:send_udp(824)
Sending a packet of len 50 to (200.234.203.255) on port 137
[2009/07/29 22:15:25, 5] libsmb/nmblib.c:send_udp(824)
Sending a packet of len 50 to (200.234.203.255) on port 137
[2009/07/29 22:15:25, 1] libsmb/cliconnect.c:cli_start_connection(1656)
cli_start_connection: failed to connect to SERVER<20> (0.0.0.0).
Error NT_STATUS_BAD_NETWORK_NAME
[2009/07/29 22:15:25, 1] libnet/libnet_join.c:libnet_Join(1908)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for domain 'WIN-NET.DOMAIN.COM.BR' over rpc: The network name cannot be found'
domain_is_ad : 0x00 (0)
result : WERR_NO_SUCH_SHARE
[2009/07/29 22:15:25, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or
directory
[2009/07/29 22:15:25, 2] utils/net.c:main(769)
return code = -1
==============================================
Any idea on what is wrong?
Thanks
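The post's debug output shows the join broadcasting a NetBIOS query for `SERVER<20>` on UDP 137 and getting `0.0.0.0`, while the smb.conf above sets `name resolve order = wins bcast`, which leaves out the `host` method (the one that consults /etc/hosts and DNS). The post also notes that no DNS zone exists for the realm, and AD clients locate domain controllers through SRV records published under the domain's DNS name. The script below is an added example (not part of the original post and not Samba's own code) that cross-checks the two posted configs for exactly these kinds of problems: it parses the `[global]` section of an smb.conf, pulls `default_realm` and the `kdc` entries out of a krb5.conf, reports inconsistencies, and lists the SRV names a DNS-based DC locator would expect to resolve for the realm. The embedded config text is an abbreviated copy of what the poster showed; the `lint`, `parse_smb_global`, `parse_krb5` and `srv_names_for_realm` function names are this example's own.

```python
import configparser
import re

# Constructed, abbreviated excerpts of the smb.conf and krb5.conf quoted in the
# post above (hostnames are the poster's own placeholders).
SMB_CONF = """\
[global]
server string = %h
netbios name = %h
workgroup = WIN-NET
realm = WIN-NET.DOMAIN.COM.BR
password server = server.domain.com.br server1.domain.com.br
security = ads
name resolve order = wins bcast
idmap config WIN-NET : backend = tdb
idmap config WIN-NET : range = 50000-55000
"""

KRB5_CONF = """\
[libdefaults]
default_realm = WIN-NET.DOMAIN.COM.BR
[realms]
WIN-NET.DOMAIN.COM.BR = {
kdc = server.domain.com.br
kdc = server1.domain.com.br
default_domain = domain.com.br
}
[domain_realm]
.domain.com.br = WIN-NET.DOMAIN.COM.BR
"""


def parse_smb_global(text):
    """Return the [global] section of an smb.conf as a dict of lowercased keys.

    Only '=' is accepted as a delimiter so that keys such as
    'idmap config WIN-NET : backend' are not split at the colon.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return {k.strip().lower(): v.strip() for k, v in cp["global"].items()}


def parse_krb5(text):
    """Pull default_realm and all 'kdc =' entries out of a krb5.conf.

    krb5.conf uses brace-nested blocks, so a line-oriented regex is used
    instead of configparser; this is enough for the checks below.
    """
    realm = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    kdcs = re.findall(r"^\s*kdc\s*=\s*(\S+)", text, re.M)
    return {"default_realm": realm.group(1) if realm else None, "kdcs": kdcs}


def srv_names_for_realm(realm):
    """SRV record names Active Directory publishes for a domain; a DNS-based
    DC locator expects these to resolve under the realm's DNS zone."""
    zone = realm.lower()
    return [f"_ldap._tcp.dc._msdcs.{zone}",
            f"_ldap._tcp.{zone}",
            f"_kerberos._tcp.{zone}"]


def lint(smb, krb5):
    """Cross-check the two configs and return a list of finding strings."""
    findings = []
    realm = smb.get("realm")
    if smb.get("security", "").lower() == "ads" and not realm:
        findings.append("security = ads but no realm is set")
    if realm and krb5["default_realm"] and \
            realm.upper() != krb5["default_realm"].upper():
        findings.append(f"realm mismatch: smb.conf {realm} vs "
                        f"krb5.conf {krb5['default_realm']}")
    # Only check the resolve order when it is set explicitly; without 'host'
    # the DC / password server names are looked up as NetBIOS names only.
    if "name resolve order" in smb:
        order = smb["name resolve order"].split()
        if "host" not in order:
            findings.append("name resolve order lacks 'host': DC and password "
                            "server names are resolved only via WINS/broadcast "
                            "(NetBIOS), never via DNS")
    kdcs = [k.lower() for k in krb5["kdcs"]]
    for ps in smb.get("password server", "").split():
        if ps.lower() not in kdcs:
            findings.append(f"password server {ps} is not listed as a kdc "
                            f"in krb5.conf")
    return findings


if __name__ == "__main__":
    smb = parse_smb_global(SMB_CONF)
    krb5 = parse_krb5(KRB5_CONF)
    for f in lint(smb, krb5):
        print("FINDING:", f)
    print("SRV names expected for realm", smb["realm"] + ":")
    for name in srv_names_for_realm(smb["realm"]):
        print("  ", name)
```

Run against the poster's configs the only finding is the missing `host` method; the realms agree and both password servers are also listed as KDCs, which matches the observation that `kinit` works (it uses the explicit `kdc` entries) while the join does not. The printed SRV names are what to query with `dig` or `host` against the site's resolvers; if none of them exist, the realm's DNS zone is absent and a DNS-based DC locator cannot succeed regardless of the Samba settings.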