Stuart Westbury wrote:
Hi Samba gurus,
I have the following problem with a samba member server on a windows 2003 domain. I have managed to join the domain and my trust secret is good, but I can't list users or groups using "wbinfo -u" or "wbinfo -g"
OS version: Red Hat Enterprise Linux AS release 3 (Taroon)
Samba version: samba-3.0.9-1.3E.2
Kerb version: krb5-libs-1.2.7-38
Your error is definitely a Kerberos error code.
The MIT doco for kerberos 1.2 says this:
the only supported encryption types are "des3-hmac-sha1" and "des-cbc-crc".
Samba can handle "des only", but I don't recall if the modifications for this were in samba 3.0.9 or came later. I'm pretty sure they were in there.
If you have access to ldp.exe on the windows DC, check that UF_WORKSTATION_TRUST_ACCOUNT includes UF_USE_DES_KEY_ONLY
In any event, I only had success using des instead of windows default rc4-hmac enctype when I allowed samba to manage the keytab.
use kerberos keytab = yes
When samba manages the keytab file, it adds just about every HOST/host or CIFS/cifs and hostname case variation that might occur.
If you decide to try this, you should be able to generate the keytab entries with
net ads changetrustpw
If it hangs during that process, I've never found a good way to regenerate them other than to delete /etc/krb5.keytab and re-run the command.
There's some caching going on, and I've found rebooting to force usage of the new keys can help after a major key change and things aren't quite working right.
I have also set up (in an attempt to solve this problem) a --set-auth-user. I have tried both admin and non-admin accounts. When I do a tdbdump of the secrets.tdb, I can see it in there and the details are correct, but I get the same result. In the secrets.tdb, my domain is set to just AU, not AU.DOMAIN.INT. Is this correct? How do I even change it?
Domain is the NT40 style Windows domain.
My config files are as follows :
krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = AU.DOMAIN.INT

[realms]
    au.domain.int = {
        kdc = dc001.AU.DOMAIN.INT:88
        kdc = dc002.AU.DOMAIN.INT:88
    }

[domain_realms]
    .au.domain.int = AU.DOMAIN.INT
    au.domain.int = AU.DOMAIN.INT
I've used DNS to find the kdc
[libdefaults]
    dns_lookup_kdc = true
    dns_lookup_realm = false
    default_realm = NT.LDXNET.COM
without the entry for [realms], with success.
I don't think you can specify "kdc = " twice. Only one would be used.
smb.conf
[global]
    workgroup = AU
    netbios name = aucbcosrv016
    realm = AU.DOMAIN.INT
    server string = Test Samba Server
    printcap name = /etc/printcap
    load printers = yes
    printing = lprng
    log file = /var/log/samba/%m.log
    max log size = 0
    security = ads
    winbind enum users = yes
    winbind gid = 10000-20000
    winbind enum groups = yes
    winbind uid = 10000-20000
    winbind cache time = 15
    winbind use default domain = yes
    name resolve order = hosts lmhosts wins bcast
    password server = aucbcosrv001 aucbcosrv002
In AD, I can't speculate what happens when the password servers are different from the domain controllers dc001 and dc002.
password server = *
finds the password servers for the AD domain. Or you can specify a preference
password server = dc002, dc001, *
would allow for additional DC's to be used for fallback.
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = no
<shares excluded>
nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
I use compat instead of files. I forget the reason right now, but files was used in libc5 and the newer usage is compat for full semantics.
passwd: compat winbind
shadow: compat
group: compat winbind
Does this sound familiar to anyone? I've really hit a wall on this. Any help would be greatly appreciated, and rewarded with lots of praise and that warm fuzzy feeling :)
Thanks, Stuart
Good luck.
Doug
-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
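As an added example (not from the thread, and not Samba's or MIT Kerberos's own code), here is a small Python checker for a krb5.conf like the one posted above. It parses the profile syntax, lists the KDCs declared per realm, and flags two things libkrb5 never warns about on its own: a section header it does not recognise is silently ignored, and realm names are case-sensitive, so a [realms] stanza named au.domain.int does not serve a default_realm of AU.DOMAIN.INT. The sample inputs are constructed from the posted file; the list of known section names is the set MIT krb5 documents, and the "corrected" variant is my assumption of what the poster intended, not something the thread confirms.

```python
import re

# Section names libkrb5 reads; directives under any other header are silently ignored.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "logging", "appdefaults",
                  "capaths", "kdcdefaults", "plugins", "dbmodules"}


def parse_krb5_conf(text):
    """Parse krb5.conf profile syntax into {section: {key: [values]}}.
    A key may repeat (several `kdc =` lines), so every value is a list;
    a `name = { ... }` block becomes a nested dict of the same shape."""
    sections = {}
    stack = []  # innermost dict being filled is stack[-1]
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1).strip(), {})]
            continue
        if not stack:
            raise ValueError(f"directive before any section header: {raw!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"expected 'key = value': {raw!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def realm_kdcs(text):
    """Return {realm: [kdc, ...]} for every stanza under [realms]."""
    out = {}
    for realm, blocks in parse_krb5_conf(text).get("realms", {}).items():
        out[realm] = [k for b in blocks if isinstance(b, dict) for k in b.get("kdc", [])]
    return out


def lint_krb5_conf(text):
    """Cross-check the sections an AD member server depends on; returns finding strings."""
    conf = parse_krb5_conf(text)
    findings = []
    for sec in conf:
        if sec not in KNOWN_SECTIONS:
            hint = f" (did you mean [{sec[:-1]}]?)" if sec[:-1] in KNOWN_SECTIONS else ""
            findings.append(f"unknown section [{sec}] is ignored by libkrb5{hint}")
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm", [None])[-1]
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["false"])[-1].lower() == "true"
    # Realm names are case-sensitive: AU.DOMAIN.INT and au.domain.int are different realms.
    if default_realm and default_realm not in realms:
        near = [r for r in realms if r.lower() == default_realm.lower()]
        detail = f"; [realms] has {near[0]!r}, but realm names are case-sensitive" if near else ""
        fallback = " (dns_lookup_kdc is on, so SRV records may still find a KDC)" if dns_kdc else ""
        findings.append(f"default_realm {default_realm} has no [realms] stanza{detail}{fallback}")
    for domain, targets in conf.get("domain_realm", {}).items():
        for realm in targets:
            if realm not in realms:
                findings.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    for realm, kdcs in realm_kdcs(text).items():
        if not kdcs and not dns_kdc:
            findings.append(f"realm {realm} lists no kdc and dns_lookup_kdc is off")
    return findings


# Constructed sample: the krb5.conf posted in the thread, one directive per line.
POSTED_KRB5_CONF = """\
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
[libdefaults]
    default_realm = AU.DOMAIN.INT
[realms]
    au.domain.int = {
        kdc = dc001.AU.DOMAIN.INT:88
        kdc = dc002.AU.DOMAIN.INT:88
    }
[domain_realms]
    .au.domain.int = AU.DOMAIN.INT
    au.domain.int = AU.DOMAIN.INT
"""

# Assumed correction: stanza name matching default_realm exactly, section named [domain_realm].
CORRECTED_KRB5_CONF = POSTED_KRB5_CONF.replace("au.domain.int = {", "AU.DOMAIN.INT = {") \
                                      .replace("[domain_realms]", "[domain_realm]")

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_KRB5_CONF), ("corrected", CORRECTED_KRB5_CONF)):
        print(f"== {label}: kdcs per realm {realm_kdcs(conf)}")
        for finding in lint_krb5_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run it as a script to see the two findings on the posted file and none on the corrected one. With `dns_lookup_kdc = true`, as in Doug's working configuration, a missing [realms] stanza matters less because the KDC is located through DNS SRV records, which is why the checker only downgrades that finding rather than dropping it.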
