You really should be replying to the list as well, as I may not have the
answer but others monitoring the list might.
The smb.conf would be beneficial for review. Here is a copy of mine...
Of course it is sanitized, so modifications would need to be made. Also,
because you are using an upgraded version of NT to Win2k, you may need to
scour the logs to see what is taking place when you authenticate. Those
errors may aid further.

[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = server.domain.com
netbios name = server
password server = *
encrypt passwords = true
security = ads
lanman auth = no
ntlm auth = no
os level = 20
allow trusted domains = yes
auth methods = winbind
interfaces = eth0, lo
bind interfaces only = yes
socket options = TCP_NODELAY
hosts allow = xxx.xxx.xxx.xxx/24
hosts deny = 0.0.0.0/0
log level = 40
log file = /var/log/samba/log.%m
max log size = 50
client signing = yes
client schannel = no
client use spnego = yes
client lanman auth = no
client NTLMv2 auth = yes
client plaintext auth = no
preferred master = no
local master = no
domain master = no
wins proxy = no
dns proxy = No
obey pam restrictions = yes
template shell = /bin/bash
nt acl support = yes
inherit permissions = yes
create mask = 0022
template homedir = /home/Authenticated Users/%U
winbind uid = 1000-2000000
winbind gid = 500-2000000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind offline logon = true
winbind nss info = rfc2307
idmap uid = 1000-2000000
idmap gid = 500-2000000
idmap domains = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:default = yes
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1000 - 300000000
On 12/01/10 07:27, Rafa Toucedo wrote:
Finally I send the contents of my krb5.conf.
Thank you for your time, I remain at your disposal!
Rafael Toucedo
gtalk: [email protected]
2010/12/1 Rafa Toucedo <[email protected]>
Hi, I'm using the latest alpha version of Samba (updated
yesterday) and I want to replace a server running Windows 2000 (AD).
The problem is that the server comes from a migration of NT4 and was
"tricked" to continue the realm without extension,
(dominio.extension) = (domain), for which I have to launch
samba-tool with a "." next to the realm to avoid it being
interpreted as dominio.extensión.
It all runs on SuSE SLES 11 (64 bits).
Greetings and thank you very much.
PS: I attached the full log.
I sent the earlier email "incomplete" because I did it from the
phone and sometimes my finger slips ...
Thank you!
2010/12/1 Rafa Toucedo <[email protected]>
Thanks for your answer, but I already do that: I follow the
manual of the Samba 4 "wiki", do the kinit, put in my password,
etc. etc. I play the part of the "dark side" (the Windows
2000), the type of user, etc ...
I understand that the problem is the encryption type which is
defined in krb5.conf:
default_tkt_enctypes = arcfour-hmac-md5
default_tgs_enctypes = arcfour-hmac-md5
permited_enctypes = arcfour-hmac-md5
2010/12/1 Jason Gerfen <[email protected]>
You need to first obtain a valid TGT. Use kinit prior to
running net ads join.
Jason Gerfen
[email protected]
http://phpDHCPAdmin.sourceforge.net
http://www.github.com/jas-
On Dec 1, 2010, at 4:23 AM, "Rafa Toucedo" <[email protected]> wrote:
> Hello, when I try to put my SAMBA4 as DC from a domain controller in windows 2000
>
> /usr/local/samba # bin/samba-tool join (WINDOWS 2000 DOMAIN). DC -U(USER)@(WINDOWS 2000 DOMAIN)%(PASSWORD) --realm=(WINDOWS 2000 DOMAIN). -d5
>
> throws me the following error:
>
> Failed to get CCACHE for GSSAPI client: KDC has no support for encryption type
> Aquiring initiator credentials failed: kinit for admco...@domd4086 failed (KDC has no support for encryption type: KDC has no support for encryption type)
> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_UNSUCCESSFUL
>
>
> My krb5.conf is as follows:
>
> [libdefaults]
> default_realm = (WINDOWS 2000 DOMAIN)
> dns_lookup_realm = true
> dns_lookup_kdc = true
> clockskew = 300
> default_keytab_name = FILE:/home/pilote/rafa.keytab
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
>
> [realms]
> (WINDOWS 2000 DOMAIN) = {
> kdc = (HOSTNAME).(WINDOWS 2000 DOMAIN):88
> }
>
> [logging]
> kdc = FILE:/var/log/krb5/krb5kdc.log
> admin_server = FILE:/var/log/krb5/kadmind.log
> default = SYSLOG:NOTICE:DAEMON
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> krb4_convert = false
> proxiable = false
> minimum_uid = 1
> external = sshd
> use_shmem = sshd
> }
>
>
> I'm desperate!
--
Jas
http://www.github.com/jas-
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
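
An added example, not part of the original thread: a small Python check of the krb5.conf enctype lines discussed above, which reports lists restricted to single-DES or RC4 and keys under [libdefaults] whose spelling is close to, but not, a known enctype key. The key names are the MIT krb5 spellings, the sample configs are constructed from the values quoted in the thread with a placeholder realm, and the function names are hypothetical.

```python
import difflib
# Enctype-related [libdefaults] keys (MIT krb5 spelling).
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
RC4 = {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"}

# Constructed samples: enctype lines as quoted in the thread, placeholder realm.
ORIGINAL = """[libdefaults]
default_realm = EXAMPLE
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
"""
FOLLOWUP = """[libdefaults]
default_tkt_enctypes = arcfour-hmac-md5
default_tgs_enctypes = arcfour-hmac-md5
permited_enctypes = arcfour-hmac-md5
"""

def libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    section, pairs = None, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs

def audit_enctypes(text):
    """Return (key, finding) tuples for the enctype settings of a krb5.conf."""
    findings = []
    for key, value in libdefaults(text).items():
        if key not in ENCTYPE_KEYS:
            # The library never looks up a misspelled key, so it has no effect.
            near = difflib.get_close_matches(key, ENCTYPE_KEYS, n=1, cutoff=0.85)
            if near:
                findings.append((key, "unknown key, did you mean " + near[0]))
            continue
        etypes = set(value.replace(",", " ").lower().split())
        if etypes and etypes <= SINGLE_DES:
            findings.append((key, "single-DES only"))
        elif etypes and etypes <= SINGLE_DES | RC4:
            findings.append((key, "no AES, strongest is RC4"))
    return findings

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("follow-up", FOLLOWUP)):
        print(name, audit_enctypes(conf))
```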