I'm trying to learn how to integrate Linux workstations and servers into a Windows 2000 Active Directory network. I've read and followed the Samba HOWTO, especially the parts about Winbind, and I got my Linux workstation authenticating using pam_krb5 and pam_winbind.
klist would show I got a TGT after logging in. Domain users could log in and pam_mkhomedir would properly set up a new home directory for them. wbinfo -u/-g even worked... at least at first.

I want to use Kerberos authentication with other services (like in Apache and for e-mail), so I began tinkering to try to get Active Directory authentication working just using Kerberos instead of relying on PAM + Winbind. I tried setting up my /etc/krb5.keytab file, and now I'm afraid my system is a mess. I told Samba to use the system keytab, and now Samba/Winbind related commands fail (net ads commands, wbinfo commands, even pam_winbind).

Any suggestions would be appreciated. I just want the tightest integration between Linux & Active Directory that extends to Linux services like ssh, apache, postfix/sasl, etc.

I've also been documenting my efforts: http://michael.susens-schurter.com/interop/ and on my blog: http://michael.susens-schurter.com/blog/

Thanks in advance,
Michael Schurter

Relevant system info: Debian Etch, 2.6.17 kernel, Samba 3.0.23c-4, MIT Kerberos 1.4.4-4

### relevant smb.conf lines ###
workgroup = TREMONT
realm = TREMONT.LOCAL
security = ADS
auth methods = winbind
obey pam restrictions = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind offline logon = true
winbind refresh tickets = Yes
use kerberos keytab = true

### relevant krb5.conf lines ###
[libdefaults]
default_realm = TREMONT.LOCAL
clock_skew = 300
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_lookup_kdc = false
dns_lookup_realm = false
default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
permitted_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc

[realms]
TREMONT.LOCAL = {
    kdc = thsdc1
    kdc = thsdc2
    admin_server = thsdc1
}

[domain_realm]
.tremont.local = TREMONT.LOCAL
.tremont.com = TREMONT.LOCAL

### sample valid user kerberos ticket (klist) ###
Valid starting      Expires             Service principal
11/22/06 12:55:07   11/22/06 22:55:12   krbtgt/[EMAIL PROTECTED]

### /etc/krb5.keytab (sudo ktutil; rkt /etc/krb5.keytab; list) ###
slot KVNO Principal
   1    1 host/[EMAIL PROTECTED]
   2    0 host/[EMAIL PROTECTED]
   3    0 host/[EMAIL PROTECTED]
   4    0 host/[EMAIL PROTECTED]
   5    0 host/[EMAIL PROTECTED]
   6    0 host/[EMAIL PROTECTED]
   7    0 host/[EMAIL PROTECTED]
   8    0 [EMAIL PROTECTED]
   9    0 [EMAIL PROTECTED]
  10    0 [EMAIL PROTECTED]

### Note: slot 1 was generated by "ktpass" on the Windows 2000 Server

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
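The post's keytab listing mixes one ktpass-generated entry (slot 1, KVNO 1) with entries written by Samba's own tools (KVNO 0), which is exactly the kind of state worth inspecting before touching anything else. The following is an added example, not code from the original post, from Samba or from MIT Kerberos: an offline parser for the MIT keytab file format (version 0x0502) that reports what "ktutil list" shows plus each key's enctype, and then flags the two conditions that commonly make a keytab unusable, namely the same principal stored under different kvnos and keys whose enctype is outside the permitted_enctypes list from the post's krb5.conf. The hostname ws1.tremont.local, the machine account WS1$, and the key bytes are constructed sample data, not values from the post.

```python
"""Offline MIT keytab (0x0502) parser with the checks a practitioner wants
when Samba ('use kerberos keytab = true') or kinit stops working after a
keytab was edited. Added example; ws1.tremont.local / WS1$ and all key
bytes below are constructed sample data."""
import struct

# Enctype numbers from RFC 3961 and RFC 4757.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# Mirrors "permitted_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc" from the post.
PERMITTED = {23, 3, 1}


def _counted(buf, off):
    """Read a uint16 length-prefixed byte string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return a list of entry dicts from raw keytab bytes (version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot of -size bytes
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _counted(data, p)
        comps = []
        for _ in range(ncomp):  # in 0x0502 the realm is not counted as a component
            c, p = _counted(data, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4
        key, p = data[p:p + klen], p + klen
        kvno = vno8
        if end - p >= 4:        # optional 32-bit kvno; overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype)})
        off = end
    return entries


def check_keytab(entries, permitted=PERMITTED):
    """Return human-readable problems: conflicting kvnos or non-permitted enctypes."""
    problems, kvnos = [], {}
    for e in entries:
        kvnos.setdefault(e["principal"], set()).add(e["kvno"])
        if e["enctype"] not in permitted:
            problems.append("%s: enctype %s is not in permitted_enctypes"
                            % (e["principal"], e["enctype_name"]))
    for princ, seen in sorted(kvnos.items()):
        if len(seen) > 1:
            problems.append("%s: conflicting kvnos %s" % (princ, sorted(seen)))
    return problems


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as 0x0502 keytab bytes.
    Used here only to construct offline sample input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: a ktpass-style entry at kvno 1 next to entries written
# later at kvno 2, plus an AES key that the post's krb5.conf does not permit.
SAMPLE_KEYTAB = build_keytab([
    ("host/ws1.tremont.local@TREMONT.LOCAL", 1, 23, bytes(range(16))),
    ("host/ws1.tremont.local@TREMONT.LOCAL", 2, 23, bytes(range(16, 32))),
    ("WS1$@TREMONT.LOCAL", 2, 23, bytes(range(16, 32))),
    ("WS1$@TREMONT.LOCAL", 2, 18, bytes(range(32))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("kvno %d  %-24s %s" % (e["kvno"], e["enctype_name"], e["principal"]))
    for line in check_keytab(parse_keytab(SAMPLE_KEYTAB)):
        print("PROBLEM:", line)
```

To run it against a real file, pass the bytes of /etc/krb5.keytab to parse_keytab (the file is root-readable only). A keytab cannot tell you which kvno the domain controller currently holds for the account, so the offline check has to be completed online with "kinit -k -t /etc/krb5.keytab <principal>": if that fails with a kvno or preauth error for an entry the parser shows as present, the key in the file no longer matches the one on the DC and the entry must be regenerated rather than merged with the old one.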
