Hi Karl,

Thanks for such a detailed reply. I did as you said, and my domain join worked. Thanks again.

A little clarification: I had done this in SLES9, and there I was required to install heimdal-tools, heimdal-libraries, etc. Here I am astonished that no such packages are required, nor do I have any Kerberos installed. The kinit program is located at /usr/lib/jvm/jre/bin/kinit and belongs to the package 'java-1_4_2-sun-1.4.2.06-4' (found that from an RPM query).

Anyway, it seems /usr/lib/jvm/jre/bin/kinit is in $PATH, and I can call 'kinit' from the command line... and astonishingly it worked this time.

Just wondering, are the SUSE people packaging Heimdal libraries within the Samba packages?

regards

On 8/8/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Hi,
> when you take the "normal" SUSE 9.3 professional you should have all you
> need for the kerberos part.
> In addition take from Samba.org <http://Samba.org> the 3.0.14a release
> of samba.
> then do the following:
> - as you have the clocks already in sync,
> go on configure the kerberos client.
> as standard domain name and standard realm enter your fully qualified
> windows domain name in capital letters
> e.g. XX.YYY.COMPANY.COM <http://XX.YYY.COMPANY.COM>
> as KDC server address enter the IP address of the machine holding the ADS
> don't tag the AFS settings
> in the enhanced property setting, set lifetime of ticket to 1d as well as
> renewal time
> tag tickets are forwardable and proxiable, set clock skew to 300
> that's all for kerberos
> the NTP setting should be set to a valid system delivering correct time.
> now things should work.
> your smb.conf should look like this
> [global]
> workgroup = <ads domain name>
> netbios name = <your local machine name>
> server string = Karls linux desktop
> printcap name = cups
> printcap cache time = 750
> printer admin = @ntadmin,root,administrator
> map to guest = Bad User
> cups options = raw
> load printers = yes
> log file = /var/log/samba/%m.log
> max log size = 50
> security = ADS
> password server = <full qualified name of your ADS machine>
> encrypt passwords = yes
> smb passwd file = /etc/samba/smbpasswd
> unix password sync = no
> passwd program = /etc/bin/passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> pam password change = yes
> obey pam restrictions = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> case sensitive = no
> dns proxy = no
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
>
> winbind use default domain = yes
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
>
> wins server = <your wins server in the domain>
>
> template shell = /bin/bash
> # %D = domain name, %U = username
> template homedir = /home/%D/%U
> realm = <realm as entered in Kerberos client window all in capital letters>
> username map = /etc/samba/smbusers
> unix extensions = yes
> [homes]
> after this restart the processes or the whole machine.
> now you should be able to issue a kinit command.
> for testing purposes create a local unix user with exactly the same
> username as in the ads without the preceding domain
> name and a different password as used in the ADS
> try kinit with this user - you should get a prompt asking for the
> password - enter the one from the windows domain.
> should be successful. you can control this by the command klist.
> after this you can setup the pam to be used for login and so on.
> to automatically mount shares during the login phase look in the net for
> pam_script.
> regards
> karl
>
> ------------------------------
> *From:* Sanjay Upadhyay [mailto:[EMAIL PROTECTED]
> *Sent:* Thursday, August 04, 2005 4:27 PM
> *To:* [EMAIL PROTECTED]; [email protected]
> *Subject:* Re: [Samba] Trouble in Joining Suse 9.3 to Win2k3 Server
>
> Hi,
> From the suggestion as you said, I will need to install kerberos packages,
> as on Suse, building is not what I can do. Can you give me some links... to
> the required RPMS
> I have done the time sync before the kinit process, and they are
> absolutely in sync...
>
> On 8/4/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> wrote:
> >
> > Hi,
> > You have not to use heimdal, instead use mit kerberos.
> >
> > Next point is to check the clocks between systems.
> >
> > Then it should work
> >
> > karl
> >
> > -----Original Message-----
> > From: samba-bounces+karl.kirchen= [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] ] On
> > Behalf Of Sanjay Upadhyay
> > Sent: Thursday, August 04, 2005 3:52 PM
> > To: [email protected]
> > Subject: [Samba] Trouble in Joining Suse 9.3 to Win2k3 Server
> >
> > Hi,
> > After installing Suse 9.3 Professional, I am unable to join it to AD.
> > From the Docs (
> > http://www.samba.org/samba/docs/man/Samba3-HOWTO/domain-member.html#ads-member)
> >
> > it's clear that we need to first get a kerberos ticket... via #>kinit
> > [EMAIL PROTECTED]
> >
> > in Suse 9.3, I get this error
> >
> > susles93WSA:~ # kinit [EMAIL PROTECTED]
> > Password for [EMAIL PROTECTED]:dingdong.com <http://dingdong.com> <http://dingdong.com>
> > Exception: krb_error 24 Pre-authentication information was invalid (24)
> > Pre-authentication information was invalid
> > KrbException: Pre-authentication information was invalid (24)
> >         at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
> >         at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)
> >         at sun.security.krb5.KrbAsReq.getReply(DashoA12275:276)
> >         at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:271)
> >         at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)
> > Caused by: KrbException: Identifier doesn't match expected value (906)
> >         at sun.security.krb5.internal.af.a(DashoA12275:134)
> >         at sun.security.krb5.internal.at.a(DashoA12275:63)
> >         at sun.security.krb5.internal.at.<init>(DashoA12275:58)
> >         at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)
> >
> > This is kind of a strange error and the kinit program is located at
> > /usr/lib/jvm/jre/bin/kinit and from an RPM query it belongs to the
> > package
> > 'java-1_4_2-sun-1.4.2.06-4'
> >
> > when I queried 'rpm -qa | grep heimdal' there was none, meaning heimdal
> > libraries were not installed, and neither is it in the ISO images.
> >
> > Hence I wonder if it is at all possible to join a Suse 9.3 to an AD.
> >
> > Any suggestion would be very helpful..
> >
> > regards
> > --
> > Sanjay Upadhyay
> > http://saneax.blogspot.com
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/listinfo/samba
> >
>
>
> --
> Sanjay Upadhyay
> http://saneax.blogspot.com
>
>

--
Sanjay Upadhyay
http://saneax.blogspot.com
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
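
Added example, not part of the thread or of Samba: a pre-flight script for the join procedure discussed above. It lists which kinit binaries a PATH resolves and in what order (the thread's kinit resolved to /usr/lib/jvm/jre/bin/kinit), and checks that an smb.conf has security = ADS and an all-capitals realm in [global]. The function names and the jvm/jre path heuristic are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread; function names are illustrative.

# List every kinit on a PATH-style string, in lookup order. A copy under a
# jvm/ or jre/ directory is tagged "java" (a path heuristic, an assumption).
list_kinit() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        [ -f "$dir/kinit" ] && [ -x "$dir/kinit" ] || continue
        case "$dir/" in
            */jvm/*|*/jre/*) echo "java $dir/kinit" ;;
            *)               echo "native $dir/kinit" ;;
        esac
    done
    IFS=$old_ifs
}

# Print one parameter (lower-case name in $2) from the [global] section of $1.
smb_global() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && index($0, "=") && !/^[ \t]*[#;]/ {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# Succeed only if $1 selects ADS security and names an all-capitals realm.
check_ads_conf() {
    sec=$(smb_global "$1" security | tr '[:lower:]' '[:upper:]')
    realm=$(smb_global "$1" realm)
    [ "$sec" = "ADS" ] || { echo "security is '$sec', expected ADS"; return 1; }
    [ -n "$realm" ] || { echo "realm is not set"; return 1; }
    case "$realm" in
        *[[:lower:]]*) echo "realm '$realm' is not all capitals"; return 1 ;;
    esac
    echo "ok: security=ADS realm=$realm"
}

# Demo: the live PATH, then a constructed smb.conf with a lower-case realm.
list_kinit "$PATH"
demo=$(mktemp)
printf '[global]\n  security = ADS\n  realm = xx.yyy.company.com\n' > "$demo"
check_ads_conf "$demo" || true
rm -f "$demo"
```

The first line printed by list_kinit is the binary a bare `kinit` will run; `rpm -qf` on that path shows the owning package, as was done in the thread.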
