sorry for big posting
direct me please on my errors


samba 3.0.25b
kerberos heimdal 0.8.1-p2


# kinit adminuser
[EMAIL PROTECTED]'s Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: [EMAIL PROTECTED]

  Issued           Expires          Principal
Jul 31 11:22:18  Jul 31 21:22:18  krbtgt/[EMAIL PROTECTED]


# net -d 3 ads join ads -U adminuser
[2007/07/31 11:07:47, 3] param/loadparm.c:lp_load(5024)
  lp_load: refreshing parameters
[2007/07/31 11:07:47, 3] param/loadparm.c:init_globals(1424)
  Initialising global parameters
[2007/07/31 11:07:47, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/usr/local/etc/samba/smb.conf"
[2007/07/31 11:07:47, 3] param/loadparm.c:do_section(3763)
  Processing section "[global]"
[2007/07/31 11:07:47, 2] lib/interface.c:add_interface(81)
  added interface ip=10.7.5.2 bcast=10.7.5.255 nmask=255.255.255.0
[2007/07/31 11:07:47, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/07/31 11:07:47, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.7.5.20
[2007/07/31 11:07:47, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/07/31 11:07:47, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
adminuser's password:
[2007/07/31 11:07:50, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.7.5.20, 10.7.5.20 10.7.5.25"
[2007/07/31 11:07:50, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.7.5.20
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/07/31 11:07:50, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = [EMAIL PROTECTED]
[2007/07/31 11:07:50, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[2007/07/31 11:07:52, 0] libads/kerberos.c:ads_kinit_password(228)
kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication failed
[2007/07/31 11:07:52, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Preauthentication failed
Failed to join domain: Logon failure
[2007/07/31 11:07:52, 2] utils/net.c:main(1032)
  return code = -1


===================================
with samba-3.0.24 everything is OK.
===================================

with other kerberos - MIT, native Solaris packages - the same situation


compiling:
# Build-time options passed to Samba's configure script.
# --with-ads, --with-krb5 and --with-ldap compile in the Active Directory
# code path that `net ads join` exercises in the log above.
# --enable-pie asks for position-independent executables, a hardening option.
# --with-shared-modules builds the idmap_rid and idmap_ad backends as modules.
CONFIGURE_ARGS=--enable-pie                    \
        --localstatedir=/var                    \
        --with-privatedir=/var/samba            \
        --with-lockdir=/var/samba               \
        --with-piddir=/var/run                  \
        --with-configdir=${PREFIX}/etc/samba    \
        --with-logfilebase=/var/log/samba       \
        --with-readline --with-libiconv         \
        --with-ldap --with-ads --with-krb5      \
        --with-pam --with-pam_smbpass           \
        --with-quotas --without-utmp            \
        --with-libmsrpc --with-libsmbclient     \
        --with-libsmbsharemodes                 \
        --with-acl-support --with-aio-support   \
        --with-sendfile-support --with-winbind  \
        --without-python                        \
        --with-shared-modules=idmap_rid,idmap_ad


smb.conf:
# smb.conf fragment as pasted. No section header is shown here, although the
# net log above reports processing section "[global]".

# Use the system Kerberos keytab.
# NOTE(review): the keytab location presumably comes from default_keytab_name
# in krb5.conf; confirm that setting names a real keytab file.
use kerberos keytab = True

# unix shell

template homedir = /export/home/%U
template shell = /bin/sh

winbind nested groups = yes

# Domain-member mode: authentication is delegated to Active Directory.
security = ads
# Domain controller given by IP address; it matches the first entry of the
# "preferred server list" in the net log above.
password server = 10.7.5.20
realm = USR.NW.MTS.RU
workgroup = USR

client use spnego = yes
server string =
os level = 10

domain master = no
preferred master = no
domain logons = no

# LANMAN and NTLMv1 responses are refused; as a client only NTLMv2 is sent.
ntlm auth = no
lanman auth = no
client NTLMv2 auth = yes

wins support = no
wins proxy = no

winbind enum groups = yes
winbind enum users = yes
winbind cache time = 3600
winbind use default domain = Yes
# Duplicate of the `winbind nested groups` line earlier in this fragment;
# keep only one so the effective value is unambiguous.
winbind nested groups = yes

allow trusted domains =  No
idmap uid = 2000-100000000
idmap gid = 2000-100000000

# NOTE(review): legacy single-backend idmap syntax. Samba 3.0.25 introduced
# per-domain `idmap domains` / `idmap config` settings; check the idmap_rid
# manual page shipped with this release.
idmap backend = rid:"USR=2000-100000000"
nt acl support = yes

socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY
use sendfile = Yes
# NOTE(review): permits client access to accounts whose password is empty.
# Set to `no` unless something is known to depend on it.
null passwords = Yes
deadtime = 60




kerberos heimdal 0.8.1-p2

krb5.conf
# Client-side krb5.conf as pasted (the post names Heimdal 0.8.1-p2).
[libdefaults]
# NOTE(review): this names a file called krb5.conf as the default keytab. It
# looks like a typo for a keytab path; confirm, because smb.conf above sets
# `use kerberos keytab = True`.
        default_keytab_name = FILE:/usr/local/etc/krb5/krb5.conf
        default_realm = USR.NW.MTS.RU
# DNS lookups for realm and KDC are disabled, so the [realms] and
# [domain_realm] entries below are the only source of that mapping.
        dns_lookup_realm = false
        dns_lookup_kdc = false
# NOTE(review): only single-DES enctypes are permitted. DES is
# cryptographically weak; prefer the strongest enctype the domain controller
# offers.
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc
# NOTE(review): with this off, initial credentials are accepted even when
# they cannot be verified against a local host key, so a forged KDC reply
# would not be caught by that check. Confirm this is intended.
        verify_ap_req_nofail = false

[realms]
        USR.NW.MTS.RU = {
                kdc = dcpsk1.usr.nw.mts.ru:88
                admin_server = dcpsk1.usr.nw.mts.ru:749
                kpasswd_server = dcpsk1.usr.nw.mts.ru:464
                kpasswd_protocol = SET_CHANGE
                default_domain = pskov.mts.ru
        }

# Host and domain names mapped to the realm; a leading dot covers subdomains.
[domain_realm]
        usr.nw.mts.ru = USR.NW.MTS.RU
        .usr.nw.mts.ru = USR.NW.MTS.RU
        pskov.mts.ru = USR.NW.MTS.RU
        .pskov.mts.ru = USR.NW.MTS.RU

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
# NOTE(review): this sub-block is opened but never closed before
# [appdefaults]. Either the paste was truncated or the file is malformed;
# a parser may reject the file or misread what follows.
        kdc_rotate = {


[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }





