Okay, the gist of this whole thing: I get this infamous (?) problem. I have been trying to search through the archives of samba-general on gmane and also in my archive of this list, and I have only seen requests for the magical answer.
Environment: W2K/W2K3 mixed ADS going Native ADS only soon. Samba 3.0.4
compiled from source on a RHEL AS30 machine. MIT Kerberos v1.3.4 also
compiled from source.
Kernel == 2.4.21-15.0.2.ELhugemem #1 SMP Wed Jun 16 22:36:51 EDT 2004
i686 athlon i386 GNU/Linux
Here is the problem in a nutshell:
[EMAIL PROTECTED] root]# net ads join Computers -S mydc1.mynetwork.com
[2004/07/20 15:06:09, 0] libads/ldap.c:ads_join_realm(1336)
ads_add_machine_acct: Insufficient access
ads_join_realm: Insufficient access
and the important pieces of smb.conf:
[global]
workgroup = MYNETWORK
netbios name = ROAR
server string = Lotsa Room
security = ADS
realm = MYNETWORK.COM
auth methods = winbind
password server = mydc1.mynetwork.com
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10000
smb ports = 445
disable netbios = Yes
max xmit = 65535
name resolve order = host wins lmhosts bcast
#tried both spnego Yes and No same diff.
use spnego = Yes
# use spnego = No
server signing = auto
deadtime = 10080
socket options = IPTOS_LOWDELAY TCP_NODELAY
logon path =
logon home =
os level = 49
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-40000
idmap gid = 10000-40000
winbind separator = +
winbind nested groups = Yes
winbind cache time = 20
template homedir = /home/%D/%U
invalid users = root
ea support = Yes
hide special files = Yes
hide unreadable = Yes
And here is my klist:
[EMAIL PROTECTED] root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting       Expires              Service principal
07/20/04 16:21:53 07/21/04 02:22:01 krbtgt/[EMAIL PROTECTED]
renew until 07/21/04 16:21:53
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Yes, [EMAIL PROTECTED] has rights to create users and machines in the
AD Tree in "Computers"
So, now, given that this is an existing problem in v3.0.4, I have to
show the way I configured and compiled it. I also compiled MIT Kerberos
v1.3.4 the proper way (similar to this). Personally I like integrations.
Here is the configure for samba v3.0.4:
./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
--datadir=/usr/share --includedir=/usr/include \
--libdir=/usr/lib --libexecdir=/usr/libexec \
--localstatedir=/var --sharedstatedir=/usr/com \
--mandir=/usr/share/man --infodir=/usr/share/info \
--with-acl-support --with-automount \
--with-codepagedir=/usr/share/samba/codepages --with-fhs \
--with-libsmbclient --with-lockdir=/var/cache/samba --with-pam \
--with-pam_smbpass --with-piddir=/var/run \
--with-privatedir=/etc/samba --with-quotas --with-smbmount \
--with-swatdir=/usr/share/swat --with-syslog --with-utmp \
--with-vfs --without-smbwrapper --with-ads --with-winbind \
--with-krb5
Here is the configure for krb5-1.3.4:
./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc \
--datadir=/usr/share --includedir=/usr/include \
--libdir=/usr/lib --libexecdir=/usr/libexec \
--localstatedir=/var --sharedstatedir=/usr/com \
--mandir=/usr/share/man --infodir=/usr/share/info CC=gcc \
CFLAGS="-O2 -g -pipe -march=i386 -mcpu=i686 -I/usr/include/et \
-fPIC" LDFLAGS= CPPFLAGS="-I/usr/include/et" --enable-shared \
--enable-static --bindir=/usr/kerberos/bin \
--mandir=/usr/kerberos/man --sbindir=/usr/kerberos/sbin \
--datadir=/usr/kerberos/share --localstatedir=/var/kerberos \
--with-krb4 --with-system-et --with-system-ss --without-tcl \
--enable-dns
Now, maybe this is one of those problems where someone has had a
chance to fix it. Or maybe someone used a workaround, or knows WHY.
All I know is that W2K/W2K3 AD-driven Kerberos is heavily undocumented and
provides little in the way of useful logs telling me what might be
the problem on that end.
Much thanks to anyone that has a good fix or knows where to look or
*SOMETHING*
--
greg, [EMAIL PROTECTED]
The technology that is
Stronger, better, faster: Linux
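An added pre-flight checklist for the situation in this post; it is not part of the original message and not Samba's own code. It cross-checks the pieces greg shows (the [global] security and realm settings, the klist output, and the error string from net ads join) before the join is attempted. The sample smb.conf, the klist text and the principal greg@MYNETWORK.COM are constructed for the example, and the file names under SAMPLE_DIR are hypothetical. The one fact it adds beyond the post is what the error string means: "Insufficient access" is the LDAP result insufficientAccessRights (50) sent back by the DC, so the bind itself succeeded and the DC refused the authenticated principal permission to create (or modify an existing) computer object in the chosen container.

```shell
#!/bin/sh
# Added example: local pre-flight checks before 'net ads join'.
# Not from the original post or from Samba; the sample files, the
# principal greg@MYNETWORK.COM and the paths under $SAMPLE_DIR are
# constructed for this example.
set -u

# Print one [global] parameter from an smb.conf (case-insensitive key,
# surrounding whitespace removed); prints nothing if it is not set.
smbconf_get() {
    key=$1; conf=$2
    sed -n '/^[[:space:]]*\[global\]/,/^[[:space:]]*\[/p' "$conf" \
        | grep -i "^[[:space:]]*$key[[:space:]]*=" \
        | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Realm of the default principal in klist output (read from stdin).
klist_default_realm() {
    sed -n 's/^Default principal:[[:space:]]*[^@]*@//p' | head -n 1
}

# Succeeds if klist output (stdin) lists a TGT for the realm in $1.
klist_has_tgt() {
    grep -qF "krbtgt/$1@$1"
}

# Map the text 'net ads join' printed to what the DC actually said.
# "Insufficient access" is LDAP result insufficientAccessRights (50): the
# bind succeeded, but the principal may not create the computer object in
# that container (or modify one that already exists there).
explain_join_error() {
    case "$1" in
        *"Insufficient access"*)
            echo "insufficientAccessRights: join account lacks create/modify rights on the computer object in the target container" ;;
        *"Clock skew too great"*)
            echo "KRB5KRB_AP_ERR_SKEW: client clock is further from the DC than the KDC tolerates" ;;
        *)
            echo "unrecognised: $1" ;;
    esac
}

# Cross-check smb.conf against the ticket cache.  Prints one line per
# finding; returns 0 when nothing is wrong, 1 otherwise.
check_join_prereqs() {
    conf=$1; klist_out=$2; rc=0
    sec=$(smbconf_get security "$conf" | tr '[:upper:]' '[:lower:]')
    realm=$(smbconf_get realm "$conf")
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$sec" = ads ] || { echo "FAIL: security = '$sec', need security = ADS"; rc=1; }
    if [ -z "$realm" ]; then
        echo "FAIL: realm is not set"; rc=1
    elif [ "$realm" != "$upper" ]; then
        # Kerberos realm names are case-sensitive; Samba documents the realm in upper case.
        echo "FAIL: realm '$realm' should be written upper-case"; rc=1
    fi
    tgt_realm=$(klist_default_realm < "$klist_out")
    [ "$tgt_realm" = "$upper" ] \
        || { echo "FAIL: cached principal is in realm '$tgt_realm', smb.conf realm is '$upper'"; rc=1; }
    klist_has_tgt "$upper" < "$klist_out" \
        || { echo "FAIL: no krbtgt/$upper@$upper in the ticket cache; run kinit first"; rc=1; }
    return $rc
}

# --- constructed sample input, modelled on the post --------------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
        workgroup = MYNETWORK
        security = ADS
        realm = MYNETWORK.COM
        password server = mydc1.mynetwork.com
EOF
# The same file with the realm in lower case, to show a failing check.
sed 's/^\([[:space:]]*realm = \).*/\1mynetwork.com/' "$SAMPLE_DIR/smb.conf" \
    > "$SAMPLE_DIR/smb-lowercase.conf"
cat > "$SAMPLE_DIR/klist.out" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: greg@MYNETWORK.COM

Valid starting     Expires            Service principal
07/20/04 16:21:53  07/21/04 02:22:01  krbtgt/MYNETWORK.COM@MYNETWORK.COM
        renew until 07/21/04 16:21:53
EOF

if check_join_prereqs "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/klist.out"; then
    echo "local prerequisites look fine; if the join still fails, read the DC's answer:"
    explain_join_error "ads_add_machine_acct: Insufficient access"
fi
```

The checks only look at local state. When they pass and the join still answers "Insufficient access", the remaining questions are on the DC side: whether the account whose ticket is in the cache really holds create-computer-object rights on the container given to net ads join (here "Computers"), and whether a computer object with the NetBIOS name from smb.conf (here ROAR) already exists there under an owner the account may not modify.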
