[Samba] kerberos @ samba4 DC
Jason Gerfen
u0368839 at umail.utah.edu
Wed Dec 1 07:42:05 MST 2010
You really should be replying to the list as well, as I may not have the
answer but others monitoring the list might.
The smb.conf would be beneficial for review. Here is a copy of mine...
Of course it is sanitized, so modifications would need to be made. Also,
because you are using an NT installation upgraded to Win2k, you may need to
scour the logs to see what is taking place when you authenticate. Those
errors may aid further.
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = server.domain.com
netbios name = server
password server = *
encrypt passwords = true
security = ads
lanman auth = no
ntlm auth = no
os level = 20
allow trusted domains = yes
auth methods = winbind
interfaces = eth0, lo
bind interfaces only = yes
socket options = TCP_NODELAY
hosts allow = xxx.xxx.xxx.xxx/24
hosts deny = 0.0.0.0/0
log level = 40
log file = /var/log/samba/log.%m
max log size = 50
client signing = yes
client schannel = no
client use spnego = yes
client lanman auth = no
client NTLMv2 auth = yes
client plaintext auth = no
preferred master = no
local master = no
domain master = no
wins proxy = no
dns proxy = No
obey pam restrictions = yes
template shell = /bin/bash
nt acl support = yes
inherit permissions = yes
create mask = 0022
template homedir = /home/Authenticated Users/%U
winbind uid = 1000-2000000
winbind gid = 500-2000000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind offline logon = true
winbind nss info = rfc2307
idmap uid = 1000-2000000
idmap gid = 500-2000000
idmap domains = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:default = yes
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1000 - 300000000
On 12/01/10 07:27, Rafa Toucedo wrote:
> Finally I send the contents of my krb5.conf
>
>
> thank you for your time, I remain at your disposal!
>
>
> Rafael Toucedo
> gtalk: rtoucedo at gmail.com <mailto:rtoucedo at gmail.com>
>
> 2010/12/1 Rafa Toucedo <debian.vigo at gmail.com
> <mailto:debian.vigo at gmail.com>>
>
> Hi, I'm using the latest alpha version of Samba (updated
> yesterday) and I want to replace a server with Windows 2000 (AD),
> the problem is that the server comes from a migration of NT4 and
> "tricked" to continue the realm without extension
> (dominio.extension) = (domain) for which the samba-tool I have to
> launch with. next to the realm to avoid being interpreted as
> dominio.extensión.
>
> It runs all on a SuSE SLES 11 (64 bits).
>
> a greeting and thank you very much
>
> PS: I attached the full log.
>
> Before I sent the email "incomplete" because I did it from the
> phone and sometimes escapes me the finger ...
>
>
> Thank you!
>
>
> 2010/12/1 Rafa Toucedo <debian.vigo at gmail.com
> <mailto:debian.vigo at gmail.com>>
>
>
> Thanks for your answer, but that happened I do, I follow the
> manual of the "wiki" Samba 4, do the kinit, I put my password,
> etc. etc. I play the part of the "dark side" (the windows
> 2000) the type of user, etc ...
>
> I understand that the problem is the encryption type which
> defined in krb5.conf
>
>
>
> default_tkt_enctypes = arcfour-hmac-md5
> default_tgs_enctypes = arcfour-hmac-md5
> permitted_enctypes = arcfour-hmac-md5
>
>
>
> 2010/12/1 Jason Gerfen <jason.gerfen at utah.edu
> <mailto:jason.gerfen at utah.edu>>
>
> You need to first obtain a valid tgt. Use kinit prior to
> running net ads join
>
> Jason Gerfen
> Jason.Gerfen at gmail.com <mailto:Jason.Gerfen at gmail.com>
> http://phpDHCPAdmin.sourceforge.net
> http://www.github.com/jas-
>
> On Dec 1, 2010, at 4:23 AM, "Rafa Toucedo"
> <debian.vigo at gmail.com <mailto:debian.vigo at gmail.com>> wrote:
>
> > Hello, when I try to put my SAMBA4 as DC from a domain
> controller in windows
> > 2000
> >
> > /usr/local/samba # bin/samba-tool join (WINDOWS 2000
> DOMAIN). DC
> > -U(USER)@(WINDOWS 2000 DOMAIN)%(PASSWORD)
> --realm=(WINDOWS 2000 DOMAIN). -d5
> >
> > throws me the following error:
> >
> > Failed to get CCACHE for GSSAPI client: KDC has no
> support for encryption
> > type
> > Aquiring initiator credentials failed: kinit for
> ADMCONST at DOMD4086 failed
> > (KDC has no support for encryption type: KDC has no
> support for encryption
> > type)
> > Failed to start GENSEC client mech gssapi_krb5:
> NT_STATUS_UNSUCCESSFUL
> >
> >
> > My krb5.conf is as follows:
> >
> > [libdefaults]
> > default_realm = (WINDOWS 2000 DOMAIN)
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > clockskew = 300
> > default_keytab_name = FILE:/home/pilote/rafa.keytab
> > default_tkt_enctypes = des-cbc-crc
> > default_tgs_enctypes = des-cbc-crc
> >
> > [realms]
> > (WINDOWS 2000 DOMAIN) = {
> > kdc = (HOSTNAME).(WINDOWS 2000 DOMAIN):88
> > }
> >
> > [logging]
> > kdc = FILE:/var/log/krb5/krb5kdc.log
> > admin_server = FILE:/var/log/krb5/kadmind.log
> > default = SYSLOG:NOTICE:DAEMON
> >
> > [appdefaults]
> > pam = {
> > debug = false
> > ticket_lifetime = 1d
> > renew_lifetime = 1d
> > forwardable = true
> > krb4_convert = false
> > proxiable = false
> > minimum_uid = 1
> > external = sshd
> > use_shmem = sshd
> > }
> >
> >
> > I'm desperate!
> > --
> > P Antes de imprimir este e-mail, piense si es necesario
> hacerlo. El medio
> > ambiente es cosa de todos.
> > Think twice before printing this e-mail. Environmental
> protection is in our
> > hands.
>
>
>
>
--
Jas
http://www.github.com/jas-
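Added example, not code from this thread or from the Samba project: a small Python checker that parses a krb5.conf written the way the ones quoted above are (INI-style sections, `key = value`, braces for per-realm blocks) and reports every [libdefaults] enctype setting that restricts the client to weak ciphers (single DES, RC4). A client that only offers enctypes the KDC holds no key for gets exactly the "KDC has no support for encryption type" failure seen in the thread, so this is the first thing worth checking before kinit or a join. The realm, host name and file contents below are constructed placeholders.

```python
"""Audit the [libdefaults] enctype settings of a krb5.conf.

Added example; not code from the Samba project or from the thread.
Assumes MIT/Heimdal krb5.conf syntax and the enctype names used above.
"""
import re
from typing import Dict, List, Tuple

# Enctype names as written in krb5.conf, with why each one is a problem.
WEAK_ENCTYPES = {
    "des-cbc-crc": "single DES (56-bit key); disabled by default in current KDCs",
    "des-cbc-md5": "single DES (56-bit key); disabled by default in current KDCs",
    "arcfour-hmac-md5": "RC4 keyed with the NT password hash; deprecated",
    "arcfour-hmac": "RC4 keyed with the NT password hash; deprecated",
    "rc4-hmac": "RC4 keyed with the NT password hash; deprecated",
}

# The [libdefaults] keys that constrain which enctypes a client will request.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse krb5.conf into {section: {key: value}}.

    Nested `name = { ... }` blocks (e.g. a realm's kdc entries) are flattened
    into the enclosing section under a `name.key` prefix. `#`/`;` comments
    and blank lines are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    prefix: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:  # new section header
            current = m.group(1)
            sections.setdefault(current, {})
            prefix = []
            continue
        if current is None:  # text before the first section is ignored
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if m:  # opening of a nested block
            prefix.append(m.group(1))
            continue
        if line == "}":  # closing of a nested block
            if prefix:
                prefix.pop()
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][".".join(prefix + [key])] = value
    return sections


def audit_enctypes(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (setting, enctype, reason) for each weak enctype in [libdefaults].

    A key ending in `_enctypes` that is not one of ENCTYPE_KEYS (a typo) is
    also reported, because the library silently ignores unknown keys."""
    findings = []
    for key, value in conf.get("libdefaults", {}).items():
        if key in ENCTYPE_KEYS:
            for enc in value.split():
                if enc.lower() in WEAK_ENCTYPES:
                    findings.append((key, enc, WEAK_ENCTYPES[enc.lower()]))
        elif key.endswith("_enctypes"):
            findings.append((key, "", "unknown key, silently ignored; did you mean one of %s?"
                             % ", ".join(ENCTYPE_KEYS)))
    return findings


# Constructed samples: single DES as in the first krb5.conf quoted above,
# RC4 as in the second, and an AES-only variant for comparison.
SAMPLE_DES = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
    }
"""
SAMPLE_RC4 = """
[libdefaults]
    default_tkt_enctypes = arcfour-hmac-md5
    default_tgs_enctypes = arcfour-hmac-md5
    permitted_enctypes = arcfour-hmac-md5
"""
SAMPLE_AES = """
[libdefaults]
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for name, sample in (("DES", SAMPLE_DES), ("RC4", SAMPLE_RC4), ("AES", SAMPLE_AES)):
        findings = audit_enctypes(parse_krb5_conf(sample))
        print("%s: %s" % (name, "clean" if not findings else ""))
        for key, enc, reason in findings:
            print("  %s = %s (%s)" % (key, enc or "-", reason))
```

The AES-only sample is what a current client should carry, but note the caveat for this thread: a Windows 2000 KDC only holds DES and RC4 keys (AES arrived with Windows Server 2008), so against that KDC an AES-only client fails with the same "no support for encryption type" error from the other direction. The checker reports what the client will ask for; the fix is to make that set overlap with what the KDC actually offers, and then to retire the weak types once the KDC is upgraded.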