Carissa Srugis wrote:
I've been trying to set up Samba to authenticate users against accounts
existing on a Windows 2003 Server without any backwards capability.
Ideally, this needs to be done without any changes to the Windows 2003
Server. Users will not be logging into the Samba shares at all. This
is merely for authentication.
OK, well, try getting a Kerberos ticket first.
kinit [EMAIL PROTECTED]
If you get a valid ticket, you can just do net ads join -U Administrator, no need for pw.
If no Kerberos ticket, then you've got a krb5.conf issue.
Heimdal requires these lines:
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
You also might need to have the w2k3 generate a keytab for you. If so you need this line as well.
default_keytab_name = FILE:/etc/krb5.keytab
I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.
This is my smb.conf file:
[global]
realm = WIN2K3.DOMAIN.LOCAL
security = ads
auth methods = winbind
winbind separator = +
encrypt passwords = yes
workgroup = DOMAIN.LOCAL
netbios name = FREEBSD_Machine
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = WIN2K3.DOMAIN.LOCAL
So once winbindd is running, I type the following and get these results:
freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
administrator's password: *password*
[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Permission denied
In the winbindd log I've also gotten the following error messages at one point or another:
Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
get_trust_pw: could not fetch trust account password for my domain DOMAIN.LOCAL
The odd part is when I try to use wbinfo to verify connections. If I type "wbinfo -g" it will display the correct group listing from the win2k3 server. But nothing else seems to work:
freebsd_machine# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret
freebsd_machine# wbinfo -u
Error looking up domain users
freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
Name             : WIN2K3.DOMAIN.LOCAL
Alt_Name         : DOMAIN.LOCAL
SID              : S-0-0
Active Directory : No
Native           : No
Primary          : Yes
Sequence         : -1
I'm obviously missing something, but I am at a loss. Any help is greatly appreciated!
Carissa Srugis
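The reply above names three krb5.conf settings for Heimdal. As an added example (not part of the original message and not Samba or Heimdal code), this sh script checks a krb5.conf for them in [libdefaults] before kinit is tried, and marks etype lists that hold only single-DES types, which RFC 6649 deprecates and current Kerberos and Windows releases disable by default. The function names, the sample file and its realm are constructed for illustration.

```shell
# Added example, not from the thread: check a krb5.conf for the [libdefaults]
# settings named in the reply before attempting kinit / net ads join.

# libdefault FILE KEY: print KEY's value from [libdefaults], or nothing.
libdefault() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insec {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# des_only LIST: succeed when every enctype in LIST is a single-DES type.
des_only() {
    [ -n "$1" ] || return 1
    for e in $1; do
        case $e in des-cbc-*) ;; *) return 1 ;; esac
    done
}

# check_krb5_conf FILE: report each setting; return 1 if any is missing.
check_krb5_conf() {
    rc=0
    for key in default_etypes default_etypes_des default_keytab_name; do
        val=$(libdefault "$1" "$key")
        if [ -z "$val" ]; then
            echo "MISSING $key"; rc=1
        elif des_only "$val"; then
            echo "ok      $key = $val (single-DES only)"
        else
            echo "ok      $key = $val"
        fi
    done
    return $rc
}

# Constructed sample: illustrative realm, one key absent, one key mistyped.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    default_etypes = des-cbc-crc des-cbc-md5
    default_keytab-name = FILE:/etc/krb5.keytab
EOF
check_krb5_conf "$sample" || echo "fix the MISSING settings, then retry kinit"
```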
