Hi Steven,

Thanks for the feedback. I made some changes based on your config files and was still able to add the client to the domain using a local domain admin account. However, I am still unable to connect to the server from a Windows machine and authenticate using an account from either domain. wbinfo -u does not seem to list users from our authentication domain, which may be the cause of the problem.
Just to update, I am running Debian (Lenny) for the server.

Thanks

James

> -----Original Message-----
> From: Steven Schlegel [mailto:[email protected]]
> Sent: 14 June 2011 17:37
> To: James Osbourn
> Subject: Re: [Samba] Active Directory member server
>
> Hi James,
>
> maybe the following configuration examples help you out.
>
> I have the following packages installed:
> rpm -qa | grep -e samba -e krb5* | sort
> =>
> output:
> krb5-auth-dialog-0.7-1
> krb5-devel-1.6.1-36.el5
> krb5-libs-1.6.1-36.el5
> krb5-libs-1.6.1-36.el5
> krb5-workstation-1.6.1-36.el5
> ldb-tools-3.4.9-42.el5
> libwbclient0-3.4.9-42.el5
> libwbclient-devel-3.4.9-42.el5
> libsmbclient0-3.4.9-42.el5
> libsmbclient-devel-3.4.9-42.el5
> pam_krb5-2.2.14-10
> pam_krb5-2.2.14-10
> samba3-3.4.9-42.el5
> samba-cifsmount-3.4.9-42.el5
> samba3-client-3.4.9-42.el5
> samba3-doc-3.4.9-42.el5
> samba3-utils-3.4.9-42.el5
> samba3-winbind-3.4.9-42.el5
>
> My krb5.conf looks like this:
>
> [logging]
>  default = FILE:/var/log/kerberos/krb5libs.log
>  kdc = FILE:/var/log/kerberos/krb5kdc.log
>  admin_server = FILE:/var/log/kerberos/kadmind.log
>
> [libdefaults]
>  default_realm = WIREDBRAIN.LCL
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 600
>  forwardable = true
>  proxiable = true
>  default_keytab_name = FILE:/etc/krb5.keytab
>
> [realms]
>  WIREDBRAIN.LCL = {
>   kdc = dchh01.wiredbrain.lcl
>   master_kdc = dchh01.wiredbrain.lcl
>   admin_server = dchh01.wiredbrain.lcl
>   #default_domain = WIREDBRAIN.LCL
>  }
>  TRIPEDBRAIN.LCL = {
>   kdc = rootdc01.tripedbrain.lcl
>  }
>
> [domain_realm]
>  .wiredbrain.lcl = WIREDBRAIN.LCL
>  wiredbrain.lcl = WIREDBRAIN.LCL
>  .tripedbrain.lcl = TRIPEDBRAIN.LCL
>  tripedbrain.lcl = TRIPEDBRAIN.LCL
>
> [login]
>  krb4_convert = true
>  krb4_get_tickets = true
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = true
>  }
>
> And my smb.conf looks like this:
>
> [global]
>  workgroup = WIREDBRAIN
>  realm = WIREDBRAIN.LCL
>  password server = *
>  preferred master = no
>  server string = Linux AD Member-Server
>  security = ads
>  encrypt passwords = yes
>  local master = no
>  log level = 1
>  log file = /var/log/samba/%m
>  max log size = 50
>  #printcap name = cups
>  #printcap = cups
>  winbind enum users = Yes
>  winbind enum groups = Yes
>  winbind use default domain = Yes
>  winbind nested groups = Yes
>  winbind separator = "\""\"
>  winbind refresh tickets = yes
>  winbind offline logon = true
>  winbind trusted domains only = no
>  map untrusted to domain = Yes
>  allow trusted domains = yes
>  obey pam restrictions = no
>  idmap backend = tdb
>  idmap uid = 10000-600000
>  idmap gid = 10000-600000
>  passdb backend = tdbsam
>  ;template primary group = "domain users"
>  template shell = /bin/bash
>  winbind nss info = rfc2307
>  client use spnego = yes
>  client ntlmv2 auth = yes
>  restrict anonymous = 2
>
> As you can see I have two domains in my environment, named
> WIREDBRAIN.LCL and TRIPEDBRAIN.LCL.
> Between those domains, an interdomain trust has been created.
>
> After your configurations you need to initiate the net ads join command:
> net ads join -U Administrator
>
> and if this was successful you need to create a Kerberos keytab:
> net ads keytab create
>
> Now you can test your setup with the following commands:
> wbinfo -u -> should give you a list of all users in your domains
> wbinfo -g -> the same as wbinfo -u (for groups)
>
> ----
> For my environment, I also need to edit the nsswitch.conf:
> passwd: files winbind
> shadow: files winbind
> group: files winbind
> ----
>
> Try kinit and smbclient to see if Kerberos works, and of course with Samba.
>
> Best regards,
>
> Steven
>
>
> 2011/6/14 James Osbourn <[email protected]>:
> > I am trying to set up Samba as a Windows front end to a CUPS print
> > server. We seem to be having some problems getting the server registered
> > in the domain and for users to be able to connect to the server. Our
> > problem seems to stem from the fact that we add our machines to one
> > domain which has a one-way trust to a different domain, which is where all of
> > the user accounts reside and authentication is handled. I was able to get the
> > net ads join command to work by using the primary domain administrator
> > credentials.
> >
> > Any help on getting the correct runes into my smb.conf and krb5.conf
> > files greatly appreciated. My krb5.conf file is as follows
> >
> > [libdefaults]
> >  default_realm = X.NET
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = false
> >  ticket_lifetime = 24h
> >  forwardable = yes
> >
> > [realms]
> >  A.X.NET = {
> >   kdc = dc01.a.x.net
> >   kdc = dc02.a.x.net
> >   admin_server = dc02.a.x.net
> >  }
> >
> > [domain_realm]
> >  .a.x.net = A.X.NET
> >
> > My smb.conf file is as follows
> >
> > [global]
> >  workgroup = A
> >  realm = a.x.net
> >  security = ADS
> >  encrypt passwords = yes
> >
> > Many Thanks
> >
> > James
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
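As an added example (not part of the thread, nor Samba's own tooling), a small Python checker that parses the two config files quoted above and flags the settings this thread turns on: realms the Kerberos library cannot reach when dns_lookup_kdc is off, an smb.conf realm that does not match default_realm, and the winbind switches (allow trusted domains, winbind enum users) that decide whether wbinfo -u shows trusted-domain users at all. The sample configs are constructed, modelled on James's but not copied verbatim.

```python
# Constructed samples modelled on the krb5.conf and smb.conf James posted (not verbatim).
KRB5_CONF = """[libdefaults]
 default_realm = X.NET
 dns_lookup_kdc = false
[realms]
 A.X.NET = {
  kdc = dc01.a.x.net
 }
[domain_realm]
 .a.x.net = A.X.NET
"""
SMB_CONF = """[global]
 realm = a.x.net
 security = ADS
"""
def parse_conf(text):
    """Parse krb5.conf or smb.conf into {section: {key: value}}; 'NAME = {' blocks nest."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):  # start of a krb5 [realms] block
            block = line[:-1].split("=")[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf

def check_trust_setup(krb5, smb):
    """Return settings that explain 'joined, but wbinfo -u is empty and trusted users fail'."""
    issues, lib, g = [], krb5.get("libdefaults", {}), smb.get("global", {})
    default_realm = lib.get("default_realm", "")
    dns_kdc = lib.get("dns_lookup_kdc", "false").lower() in ("yes", "true")
    for realm in {default_realm, *krb5.get("domain_realm", {}).values()}:  # every realm in use
        if realm and realm not in krb5.get("realms", {}) and not dns_kdc:
            issues.append(f"krb5: no [realms] entry for {realm} and dns_lookup_kdc is off")
    if g.get("realm", "").upper() != default_realm.upper():
        issues.append(f"smb: realm {g.get('realm')!r} is not krb5 default_realm {default_realm!r}")
    if g.get("allow trusted domains", "yes").lower() in ("no", "false"):
        issues.append("smb: allow trusted domains = no hides the trusted domain's users")
    if g.get("winbind enum users", "no").lower() not in ("yes", "true"):
        issues.append("smb: winbind enum users is off, so wbinfo -u lists nobody")
    return issues
```

Run it with `check_trust_setup(parse_conf(KRB5_CONF), parse_conf(SMB_CONF))` against your own files: the checker only reads the two configs, so it cannot see whether the one-way trust itself is in place; for that, wbinfo -m (list trusted domains) and net ads testjoin on the member server are the runtime checks.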
