Re: Unir terminal linux Debian "etch" aDirectorioActivodeWindowsNT2003 con Kerberos 5

Javier Debian - BBca - AR Thu, 26 Oct 2006 12:15:50 -0700

Estimado Marcel:

De todo lo que he estado leyendo en el hilo por mí generado, creo que eresla persona que me podría llegar a dar una punta del ovillo que estoytratando de desenmarañar.Sigo sin poder unirme al Directorio Activo del maldito Windows NT2003, perosí me he podido unir al dominio.

Paso a detallar las salidas de consola que tengo.

Espero que si tienen tiempo de analizarla, me des una ayuda para hacerleentender a los administradores de la red qué es lo que tienen que hacer enqué utilitario de NT2003 para que yo pueda sumarme al dominio, y no tenerlos problemas de acceso a algunos recursos que actualmente tengo.No puedo acceder a los recursos de máquinas con NT2000, NT2003 y XP; con lasWin98 y WinMe no hay problemas. Esto asumo es porque las primeras utilizanADS en forma intensiva, mientras que las segundas sólo pertenecen aldominio.

Desde ya, muchas gracias.


------------------------------------------------------
Mi máquina es BBCAWS91 (Bahía Blanca Work Station 91)
Mi usuario es BBCAU5 (Bahía Blanca User 5).
Mi dominio Windows es NET.
Mi reino Active Directory es EGSML.NET (EGSML es la sigla de la empresa).
El kdc local es EGSMLSV7 (Server 7).
El admin_server (a 700 km de distancia) es EGSMLSV1 (Server 1).

------------------------------------------------------
Obtengo mi ticket kerberos en forma perfecta y sin inconvenientes:

BBCAWS91:~# kinit -A bbcau5
Password for [EMAIL PROTECTED]:
BBCAWS91:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/26/06 15:24:54  10/27/06 01:24:59  krbtgt/[EMAIL PROTECTED]
       renew until 10/27/06 15:24:54


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

------------------------------------------------------
Pruebo mi pertenencia al dominio NT:

BBCAWS91:~# net rpc testjoin
Join to 'NET' is OK

------------------------------------------------------
Intento infructuosamente unirme al reino NT2003:

BBCAWS91:~# net ads join --debuglevel=10 -U bbcau5
[2006/10/26 15:26:32, 5] lib/debug.c:debug_dump_status(368)
 INFO: Current debug levels:
   all: True/10
   tdb: False/0
   printdrivers: False/0
   lanman: False/0
   smb: False/0
   rpc_parse: False/0
   rpc_srv: False/0
   rpc_cli: False/0
   passdb: False/0
   sam: False/0
   auth: False/0
   winbind: False/0
   vfs: False/0
   idmap: False/0
   quota: False/0
   acls: False/0
   locking: False/0
   msdfs: False/0
[2006/10/26 15:26:32, 3] param/loadparm.c:lp_load(4207)
 lp_load: refreshing parameters
[2006/10/26 15:26:32, 3] param/loadparm.c:init_globals(1393)
 Initialising global parameters
[2006/10/26 15:26:32, 3] param/params.c:pm_process(574)

params.c:pm_process() - Processing configuration file"/etc/samba/smb.conf"

[2006/10/26 15:26:32, 3] param/loadparm.c:do_section(3662)
 Processing section "[global]"
 doing parameter workgroup = NET
 doing parameter realm = EGSML.NET
 doing parameter server string = %h Debian Linux (etch) (Samba %v)
 doing parameter security = ADS
 doing parameter update encrypted = Yes
 doing parameter obey pam restrictions = Yes
 doing parameter password server = 10.115.1.201 10.1.0.231
 doing parameter passdb backend = tdbsam
 doing parameter passwd program = /usr/bin/passwd %u

doing parameter passwd chat = *Enter\snew\sUNIX\spassword:* %n\n*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

 doing parameter use kerberos keytab = Yes
 doing parameter syslog = 0
 doing parameter log file = /var/log/samba/log.%m
 doing parameter max log size = 1000
 doing parameter announce as = NT Workstation
 doing parameter server signing = auto
 doing parameter domain logons = Yes
 doing parameter os level = 0
 doing parameter preferred master = No
 doing parameter local master = No
 doing parameter domain master = No
 doing parameter dns proxy = No
 doing parameter wins server = 10.1.0.203, 10.1.12.201
 doing parameter ldap ssl = no
 doing parameter panic action = /usr/share/samba/panic-action %d
 doing parameter winbind separator = +
 doing parameter invalid users = root
[2006/10/26 15:26:32, 4] param/loadparm.c:lp_load(4238)
 pm_process() returned Yes
[2006/10/26 15:26:32, 7] param/loadparm.c:lp_servicenumber(4351)
 lp_servicenumber: couldn't find homes
[2006/10/26 15:26:32, 10] param/loadparm.c:set_server_role(4171)
 set_server_role: role = ROLE_DOMAIN_PDC
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(103)
 Attempting to register new charset UCS-2LE
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(111)
 Registered charset UCS-2LE
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(103)
 Attempting to register new charset UTF-16LE
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(111)
 Registered charset UTF-16LE
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(103)
 Attempting to register new charset UCS-2BE
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(111)
 Registered charset UCS-2BE
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(103)
 Attempting to register new charset UTF-16BE
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(111)
 Registered charset UTF-16BE
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(103)
 Attempting to register new charset UTF8
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(111)
 Registered charset UTF8
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(103)
 Attempting to register new charset UTF-8
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(111)
 Registered charset UTF-8
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(103)
 Attempting to register new charset ASCII
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(111)
 Registered charset ASCII
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(103)
 Attempting to register new charset 646
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(111)
 Registered charset 646
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(103)
 Attempting to register new charset ISO-8859-1
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(111)
 Registered charset ISO-8859-1
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(103)
 Attempting to register new charset UCS2-HEX
[2006/10/26 15:26:32, 5] lib/iconv.c:smb_register_charset(111)
 Registered charset UCS2-HEX
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/charcnv.c:charset_name(81)
 Substituting charset 'ISO-8859-1' for LOCALE
[2006/10/26 15:26:32, 5] lib/util.c:init_names(260)
 Netbios name list:-
 my_netbios_names[0]="BBCAWS91"
[2006/10/26 15:26:32, 2] lib/interface.c:add_interface(81)
 added interface ip=10.111.1.111 bcast=10.111.1.255 nmask=255.255.255.0
bbcau5's password:
[2006/10/26 15:27:30, 6] libads/ldap.c:ads_find_dc(217)
 ads_find_dc: looking for realm 'EGSML.NET'
[2006/10/26 15:27:30, 8] libsmb/namequery.c:get_sorted_dc_list(1433)
 get_sorted_dc_list: attempting lookup using [ads]
[2006/10/26 15:27:30, 10] libsmb/namequery.c:remove_duplicate_addrs2(320)
 remove_duplicate_addrs2: looking for duplicate address/port pairs
[2006/10/26 15:27:30, 4] libsmb/namequery.c:get_dc_list(1406)
 get_dc_list: returning 2 ip addresses in an ordered list
[2006/10/26 15:27:30, 4] libsmb/namequery.c:get_dc_list(1407)
 get_dc_list: 10.115.1.201:389 10.1.0.231:389
[2006/10/26 15:27:30, 5] libads/ldap.c:ads_try_connect(126)
 ads_try_connect: trying ldap server '10.115.1.201' port 389
[2006/10/26 15:27:30, 3] libads/ldap.c:ads_connect(288)
 Connected to LDAP server 10.115.1.201
[2006/10/26 15:27:30, 3] libads/ldap.c:ads_server_info(2542)
 got ldap server name [EMAIL PROTECTED], using bind path: dc=EGSML,dc=NET
[2006/10/26 15:27:30, 4] libads/ldap.c:ads_server_info(2548)
 time offset is 0 seconds
[2006/10/26 15:27:30, 4] libads/sasl.c:ads_sasl_bind(455)
 Found SASL mechanism GSS-SPNEGO
[2006/10/26 15:27:30, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
 ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/10/26 15:27:30, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/10/26 15:27:30, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/10/26 15:27:30, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
 ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/10/26 15:27:30, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
 ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2006/10/26 15:27:30, 3] libsmb/clikrb5.c:ads_krb5_mk_req(479)
 ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2006/10/26 15:27:30, 0] libads/kerberos.c:ads_kinit_password(164)

kerberos_kinit_password [EMAIL PROTECTED] failed: Client not found in Kerberosdatabase

[2006/10/26 15:27:30, 0] utils/net_ads.c:ads_startup(191)
 ads_connect: Client not found in Kerberos database
[2006/10/26 15:27:30, 2] utils/net.c:main(878)
 return code = -1

------------------------------------------------------
Detallo mi configuración Kerberos 5:

BBCAWS91:~# less /etc/krb5.conf
[libdefaults]
       default_realm = EGSML.NET

       krb4_config = /etc/krb.conf
       krb4_realms = /etc/krb.realms
       kdc_timesync = 1
       ccache_type = 4
       forwardable = true
       proxiable = true

default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1des-cbc-crc des-cbc-md5default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1des-cbc-crc des-cbc-md5permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1des-cbc-crc des-cbc-md5


[realms]
       EGSML.NET = {
               kdc = 10.115.1.201
               admin_server = 10.1.0.231
               default_domain = EGSML.NET
       }

[domain_realm]
       .egsml.net = EGSML.NET
       egsml.net = EGSML.NET

[login]
       krb4_convert = true
       krb4_get_tickets = false

------------------------------------------------------
Detallo mi configuración samba:

BBCAWS91:~# less /etc/samba/smb.conf
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2006/10/20 10:51:42

[global]
       workgroup = NET
       realm = EGSML.NET
       server string = %h Debian Linux (etch) (Samba %v)
       security = ADS
       update encrypted = Yes
       obey pam restrictions = Yes
       password server = 10.115.1.201 10.1.0.231
       passdb backend = tdbsam
       passwd program = /usr/bin/passwd %u

passwd chat = *Enter\snew\sUNIX\spassword:* %n\n*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

       use kerberos keytab = Yes
       syslog = 0
       log file = /var/log/samba/log.%m
       max log size = 1000
       announce as = NT Workstation
       server signing = auto
       domain logons = Yes
       os level = 0
       preferred master = No
       local master = No
       domain master = No
       dns proxy = No
       wins server = 10.1.0.203, 10.1.12.201
       ldap ssl = no
       panic action = /usr/share/samba/panic-action %d
       winbind separator = +
       invalid users = root

[homes]
       comment = Home Directories
       create mask = 0700
       directory mask = 0700
       browseable = No

[printers]
       comment = All Printers
       path = /tmp
       create mask = 0700
       printable = Yes
       browseable = No

[print$]
       comment = Printer Drivers
       path = /var/lib/samba/printers



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Unir terminal linux Debian "etch" aDirectorioActivodeWindowsNT2003 con Kerberos 5

Responder a