Hi all.
I'm pretty new to the Linux side of the world. I'm trying to run Samba 3.x on Fedora-core-1 in an ADS environment, with krb5 authentication. I installed Samba 3.0.2rc2 from source, installed the required libraries for MIT Kerberos, and configured smb.conf and krb5.conf.
I ran net ads join -U administrator and it worked; I can see the machine account in Active Directory. From my Linux box I can run smbclient -U user -L windows2kclient and I get the list of the shares, while if I run smbclient -U adsuser -L localhost from my Linux box I get this error:
[EMAIL PROTECTED] root]# smbclient -U user -L 192.168.100.10
Password:
session setup failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
When I start winbind I get this error:

[2004/02/02 17:51:58, 1] nsswitch/winbindd.c:main(843)
  winbindd version 3.0.2rc2 started.
  Copyright The Samba Team 2000-2004 
[2004/02/02 17:51:58, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain DOMAIN domain.com S-1-5-21-73586283-1897051121-1417001333
[2004/02/02 17:51:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/02/02 17:51:58, 1] nsswitch/winbindd_ads.c:ads_cached_connection(65)
  ads_connect for domain DOMAIN failed: Cannot read password
[2004/02/02 17:51:58, 1] nsswitch/winbindd_util.c:init_domain_list(300)
  Could not fetch sid for our domain DOMAIN
[2004/02/02 17:51:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/02/02 17:51:58, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(516)
  spnego_gen_negTokenTarg failed: No credentials cache found

wbinfo -u and -g don't work (Error looking up domain users).

I edited the nsswitch to include winbind, and tried to use the win2kserver WINS server or to enable nmbd wins from smb.conf, but no luck. To check krb functionality I did
[EMAIL PROTECTED] root]# kinit adsuser
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED] root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
02/02/04 18:05:16  02/03/04 04:05:20  krbtgt/[EMAIL PROTECTED]
        renew until 02/03/04 18:05:16


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

My config files:

#smb.conf
[global] 
        workgroup = DOMAIN
        realm = DOMAIN.COM
        server string = Samba Server
        security = ADS
        auth methods = winbind
        password server = 192.168.100.12
        log file = /var/log/samba/log.%m
        max log size = 100
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        wins support = Yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = #
        winbind use default domain = Yes
        hosts allow = 192.168.100.

#krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 36000
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 DOMAIN.COM = {
  kdc = 192.168.100.12:88
  admin_server = 192.168.100.12:749

 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM
 
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults] 
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

#nsswitch

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files 
aliases:    files nisplus

I went through the Samba HOWTO and read a lot of posts and documents around, but still can't figure out what's wrong. As far as I can understand, it looks like kerb is working (kinit) but Samba (winbind) is still not able to use it for authentication.

I would really really really appreciate it if someone could point me in the right direction.
Meanwhile......back to the Samba HOWTO!!

Cheers
 
Simone


