On 23 Oct 2006, at 17:08, Dominic Marks wrote:
> Ashley,
> No time today to look at your problem, but keep working on it
> as it is usually something silly. We have lots of AD joined
> FreeBSD boxes.
Hi Dom
Do they pull accounts from the AD server when you use pw usershow?
Or do you need to set users up on the box to access a share they've
never used before?
> A few things I didn't notice from a brief scan of your info:
> You've done a kinit? I assume you must have. What does klist
> return?
Yep, as root connecting as the Administrator user:
[EMAIL PROTECTED] ~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: [EMAIL PROTECTED]
Issued Expires Principal
Oct 23 11:11:30 Oct 23 17:49:41 krbtgt/[EMAIL PROTECTED]
Oct 23 11:12:44 Oct 23 17:49:41 ldap/jigsaw-[EMAIL PROTECTED]
> Is the system in good time sync? Again, this is probably
> implied from your other results but it is good to check.
Yep, I checked that. They're about two minutes apart, and presumably
I wouldn't even get tickets if they were way out.
> What does your /etc/krb5.conf look like?
This is my krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = JIGSAWHQ.COM
ticket_lifetime = 24000
# dns_lookup_realm = false
# dns_lookup_kdc = false
# AD domain, DC FQDNs
[realms]
JIGSAWHQ.COM = {
kdc = tcp/jigsaw-sbs02.jigsawhq.com:88
# kdc = tcp/ad2.jigsawhq.com:88
admin_server = jigsaw-sbs02.jigsawhq.com:749
default_domain = jigsawhq.com
}
#Translating all possibles to JIGSAWHQ.COM
[domain_realm]
.jigsawhq.com = JIGSAWHQ.COM
jigsawhq.com = JIGSAWHQ.COM
.JIGSAWHQ.COM = JIGSAWHQ.COM
#This is used if you have alternative KDCs in your realm (not windows)
#that you are mapping trust accounts to in the windows domain
#see http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
#[kdc]
# profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
I'm using the Heimdal Kerberos that comes with FreeBSD 6.1
Thanks for looking at it. Any ideas what's up?
Cheers
Ashley
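
An added example, not part of the original message and not Samba or Heimdal code: a Python check for a krb5.conf like the one quoted above. It flags lines that are neither a section, a comment nor key = value (such as a comment URL wrapped onto its own line) and KDC hosts with no [domain_realm] mapping to their realm. The function names and the simplified [domain_realm] lookup are assumptions of this example.

```python
# Constructed sample based on the krb5.conf quoted above, with a wrapped comment line.
SAMPLE = """[libdefaults]
default_realm = JIGSAWHQ.COM
[realms]
JIGSAWHQ.COM = {
kdc = tcp/jigsaw-sbs02.jigsawhq.com:88
}
[domain_realm]
.jigsawhq.com = JIGSAWHQ.COM
#see http://www.microsoft.com/windows2000/techinfo/planning/security/
kerbsteps.asp
"""

def parse(text):
    """Parse sections, key = value lines and { } blocks; collect malformed lines."""
    conf, problems, stack = {"libdefaults": {}, "realms": {}, "domain_realm": {}}, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        key, sep, val = (p.strip() for p in line.partition("="))
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif not sep or not stack:
            problems.append(f"line {n}: not a section or key = value: {line!r}")
        elif val == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(val)
    return conf, problems

def realm_for_host(host, dmap):
    """Simplified [domain_realm] lookup: exact host, then each '.parent' suffix."""
    candidates = [host] + [host[i:] for i, c in enumerate(host) if c == "."]
    return next((dmap[c][0] for c in candidates if c in dmap), None)

def audit(text):
    conf, problems = parse(text)
    default = conf["libdefaults"].get("default_realm", [None])[0]
    if default not in conf["realms"]:
        problems.append(f"default_realm {default} has no [realms] entry")
    dmap = {k.lower(): v for k, v in conf["domain_realm"].items()}
    for realm, body in conf["realms"].items():
        for kdc in (body.get("kdc", []) if isinstance(body, dict) else []):
            # Drop the tcp/ prefix and :port suffix used in the quoted file.
            host = kdc.split("/", 1)[-1].split(":", 1)[0].lower()
            if realm_for_host(host, dmap) != realm:
                problems.append(f"KDC {host} has no [domain_realm] mapping to {realm}")
    return problems
```

Running audit() on the text of /etc/krb5.conf returns a list of findings; an empty list means none of these checks fired.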