[Samba] krb5 + winbind + ads (back to ads)

Jeremy Allison jra at samba.org
Thu Jul 30 09:41:43 MDT 2009


On Wed, Jul 29, 2009 at 10:17:11PM -0300, Herbert G. Fischer wrote:
> Hello again folks,
>
> I give up trying RPC. I'm trying to avoid updating the samba package of my
> Ubuntu 9.04 server (amd64) so I decided to try ADS again. This way I'm
> using the following versions:
>
> krb5-user 1.6.dfsg.4~beta1-5ubuntu2
> samba* 2:3.3.2-1ubuntu3.1
>
> I'm having problems joining an AD domain. I suspect there is something
> related to how my company's directory was set up and I can't change that.
>
> Here is the information for the AD:
>
> Realm: WIN-NET.DOMAIN.COM.BR
> DNS Domain: domain.com.br
> Servers: server.domain.com.br, server1.domain.com.br
>
> NOTE: DNS servers are not in the MSDNS server. And there is no DNS  
> domain related to the realm WIN-NET.DOMAIN.COM.BR, only domain.com.br.
>
> Here is my krb5.conf
>
> ===================================================================
> [libdefaults]
> 	default_realm = WIN-NET.DOMAIN.COM.BR
>
> # The following krb5.conf variables are only for MIT Kerberos.
> 	krb4_config = /etc/krb.conf
> 	krb4_realms = /etc/krb.realms
> 	kdc_timesync = 1
> 	ccache_type = 4
> 	forwardable = true
> 	proxiable = true
>
> 	v4_instance_resolve = false
> 	v4_name_convert = {
> 		host = {
> 			rcmd = host
> 			ftp = ftp
> 		}
> 		plain = {
> 			something = something-else
> 		}
> 	}
> 	fcc-mit-ticketflags = true
>
> [realms]
> 	WIN-NET.DOMAIN.COM.BR = {
> 		kdc = server.domain.com.br
> 		kdc = server1.domain.com.br
> 		default_domain = domain.com.br
> 		kpasswd_server = server.domain.com.br
> 		admin_server = server.domain.com.br
> 	}
>
> [domain_realm]
> 	.domain.com.br = WIN-NET.DOMAIN.COM.BR
> 	domain.com.br = WIN-NET.DOMAIN.COM.BR
>
> [login]
> 	krb4_convert = true
> 	krb4_get_tickets = false
>
> [logging]
> 	default = SYSLOG:err:auth
>
> [appdefaults]
> 	pam = {
> 		ticket_lifetime = 1d
> 		renew_lifetime = 1d
> 		forwardable = true
> 		proxiable = false
> 		retain_after_close = false
> 		minimum_uid = 0
> 		try_first_pass = true
> 	}
> ===================================================================
>
> With this I'm able to get a ticket using kinit and see it using klist:
>
> root at xxxxxx:~# kinit user
> Password for user at WIN-NET.DOMAIN.COM.BR:
> root at xxxxxx:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: user at WIN-NET.DOMAIN.COM.BR
>
> Valid starting     Expires            Service principal
> 07/29/09 22:07:43  07/30/09 08:07:49  krbtgt/WIN-NET.DOMAIN.COM.BR at WIN-NET.DOMAIN.COM.BR
>         renew until 07/30/09 22:07:43
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> ===================================================================
>
> And my smb.conf
>
> ===================================================================
> [global]
> 	# server name
> 	server string = %h
> 	netbios name = %h
> 	dns proxy = no
> 	domain master = no
> 	local master = no
> 	preferred master = no
> 	os level = 0
> 	
> 	# charset options
> 	unix charset = ISO-8859-1
>
> 	# domain options
> 	workgroup = WIN-NET
> 	realm = WIN-NET.DOMAIN.COM.BR
> 	password server = server.domain.com.br server1.domain.com.br
> 	security = ads
> 	name resolve order = wins bcast
> 	encrypt passwords = true
> 	client use spnego = yes
> 	client ntlmv2 auth = yes
> 	restrict anonymous = 2
>
> 	# socket and network options
> 	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 	interfaces = eth0
> 	bind interfaces only = yes
>
> 	# log options
> 	log level = 1
> 	#tdb:3 winbind:10 auth:3
> 	log file = /var/log/samba/log.%m
> 	max log size = 1024
> 	syslog = 0
>
> 	# printer options (disabling)
> 	load printers = no
> 	printing = bsd
> 	printcap name = /dev/null
> 	disable spoolss = yes
>
> 	# winbind options
> 	winbind rpc only = yes
> 	winbind use default domain = yes
> 	winbind normalize names = yes
> 	winbind enum users = no
> 	winbind enum groups = no
> 	template shell = /bin/bash
> 	template homedir = /home/%D/%U
>
> 	# id mapping options
> 	idmap backend = tdb
> 	idmap config WIN-NET : backend = tdb
> 	idmap config WIN-NET : range = 50000-55000
> ===================================================================
>
> However, when I try to join the ADS I get different errors, depending
> on the parameters I pass:
>
> root at xxxxxx:~# net ads join -U user
> Enter user's password:
> Failed to join domain: failed to find DC for domain WIN- 
> NET.DOMAIN.COM.BR
>
> root at xxxxxx:~# net ads join -U user -S server
> Enter user's password:
> Failed to join domain: failed to lookup DC info for domain 'WIN- 
> NET.DOMAIN.COM.BR' over rpc: The network name cannot be found
>
>
> I tested with debugging on 10 and got this information on the latest  
> lines:
>
> ===============================================
>
> [2009/07/29 22:15:24,  5] libsmb/nmblib.c:send_udp(824)
>   Sending a packet of len 50 to (200.234.203.255) on port 137
> [2009/07/29 22:15:25,  5] libsmb/nmblib.c:send_udp(824)
>   Sending a packet of len 50 to (200.234.203.255) on port 137
> [2009/07/29 22:15:25,  5] libsmb/nmblib.c:send_udp(824)
>   Sending a packet of len 50 to (200.234.203.255) on port 137
> [2009/07/29 22:15:25,  1] libsmb/cliconnect.c:cli_start_connection(1656)
>   cli_start_connection: failed to connect to SERVER<20> (0.0.0.0). Error 
> NT_STATUS_BAD_NETWORK_NAME
> [2009/07/29 22:15:25,  1] libnet/libnet_join.c:libnet_Join(1908)
>   libnet_Join:
>       libnet_JoinCtx: struct libnet_JoinCtx
>           out: struct libnet_JoinCtx
>               account_name             : NULL
>               netbios_domain_name      : NULL
>               dns_domain_name          : NULL
>               forest_name              : NULL
>               dn                       : NULL
>               domain_sid               : NULL
>                   domain_sid               : (NULL SID)
>               modified_config          : 0x00 (0)
>               error_string             : 'failed to lookup DC info for 
> domain 'WIN-NET.DOMAIN.COM.BR' over rpc: The network name cannot be 
> found'
>               domain_is_ad             : 0x00 (0)
>               result                   : WERR_NO_SUCH_SHARE
> [2009/07/29 22:15:25, 10] intl/lang_tdb.c:lang_tdb_init(138)
>   lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or  
> directory
> [2009/07/29 22:15:25,  2] utils/net.c:main(769)
>   return code = -1

It can't find the name. Try hacking it into your
/etc/hosts. You really need to have a working DNS
for this. Can't you point your Ubuntu DNS to the
same servers the Windows domain is using ?

Jeremy.
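The failure in the thread is a name-resolution problem rather than a Kerberos one: the posted smb.conf has `name resolve order = wins bcast`, so the debug log shows `net` broadcasting NetBIOS queries to port 137 and giving up on `SERVER<20>` with the address 0.0.0.0. The script below is an added example, not code from the list thread or from the Samba project. It parses the poster's configuration and debug lines (copied inline as constructed sample input) and flags the offline-checkable causes: a `name resolve order` without the `host` method, and NetBIOS lookups that ended in 0.0.0.0. The default order it assumes when the parameter is absent is Samba's documented `lmhosts wins host bcast`; the finding texts are this example's own wording.

```python
"""Offline pre-join checks for a Samba 'security = ads' host.

Added example (not from the samba list thread or the Samba project): parse the
[global] section of smb.conf and the 'net ads join -d 10' debug output, and
report why the DC name could not be resolved.
"""
import re

# Constructed sample input: the resolution-relevant lines of the posted smb.conf.
SMB_CONF = """
[global]
    workgroup = WIN-NET
    realm = WIN-NET.DOMAIN.COM.BR
    password server = server.domain.com.br server1.domain.com.br
    security = ads
    name resolve order = wins bcast
"""

# Constructed sample input: the relevant lines of the posted debug output.
DEBUG_LOG = """
[2009/07/29 22:15:25,  5] libsmb/nmblib.c:send_udp(824)
  Sending a packet of len 50 to (200.234.203.255) on port 137
[2009/07/29 22:15:25,  1] libsmb/cliconnect.c:cli_start_connection(1656)
  cli_start_connection: failed to connect to SERVER<20> (0.0.0.0). Error NT_STATUS_BAD_NETWORK_NAME
"""

# Samba's documented default when 'name resolve order' is not set.
DEFAULT_RESOLVE_ORDER = "lmhosts wins host bcast"


def parse_global(text):
    """Return {parameter: value} for the [global] section, parameter names lower-cased
    with internal whitespace collapsed ('name  resolve order' == 'name resolve order')."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def check_name_resolution(params):
    """Findings about how net/smbd will turn the DC names into addresses.

    Only the 'host' method uses the system resolver (DNS and /etc/hosts), so an
    order without it can only succeed via lmhosts, WINS or broadcast NetBIOS."""
    findings = []
    order = params.get("name resolve order", DEFAULT_RESOLVE_ORDER).split()
    if "host" not in order:
        findings.append("name resolve order lacks 'host': DNS and /etc/hosts are never consulted")
        # FQDNs in 'password server' cannot be found by NetBIOS methods at all.
        for server in params.get("password server", "").split():
            if "." in server:
                findings.append(f"password server '{server}' is an FQDN but no DNS lookup will be attempted")
    if params.get("security", "").lower() == "ads" and "host" not in order:
        findings.append("security = ads relies on DNS SRV records to locate DCs; add 'host' to name resolve order")
    return findings


def parse_join_failures(log):
    """Summarise the resolution attempts visible in the debug log: where NetBIOS
    queries were broadcast, and which names resolved to 0.0.0.0 (i.e. not at all)."""
    broadcast = re.findall(r"Sending a packet of len \d+ to \(([\d.]+)\) on port 137", log)
    failed = re.findall(r"failed to connect to (\S+<\w\w>) \(0\.0\.0\.0\)", log)
    return {"broadcast_targets": sorted(set(broadcast)), "unresolved": failed}


if __name__ == "__main__":
    for finding in check_name_resolution(parse_global(SMB_CONF)):
        print("config:", finding)
    summary = parse_join_failures(DEBUG_LOG)
    print("log: NetBIOS broadcasts to", summary["broadcast_targets"])
    print("log: names that never resolved:", summary["unresolved"])
```

Run against the posted files the script reports the missing `host` method, the two FQDN password servers that can never be resolved by WINS or broadcast, and `SERVER<20>` as the name that came back as 0.0.0.0. One caveat worth keeping in mind when applying the /etc/hosts workaround from the reply: the `host` method is what makes Samba consult /etc/hosts, so with an order of `wins bcast` an entry there is not consulted either; the order has to include `host`, and for `security = ads` the realm's DNS SRV records still need to be reachable from the Ubuntu box for DC discovery to work reliably.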
