RE: [Samba] Need krb5 on Interdomain trust Win2003SP1 - Samba3.0.21?
Hi Geoff,

I've made it. Yes, it is good enough to follow the steps in Ch 12.3.2. Anyway, I have attached part of my krb5.conf for you as a reference:

-starts
[libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    MYDOMAIN.COM = {
        kdc = w2k3.mydomain.com
        admin_server = w2k3.mydomain.com
        default_domain = mydomain.com
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
---end

Then kinit and klist -e will get what you want, and now I have a successful interdomain trust between Samba 3.0.21a and Win2003SP1.

THX guys, you do shed light on my problem!!

Best Wishes
Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geoffrey Scott
Sent: Wednesday, January 04, 2006 11:10 AM
To: Gerald (Jerry) Carter
Cc: samba@lists.samba.org
Subject: [Samba] Need krb5 on Interdomain trust Win2003SP1 - Samba3.0.21?

Gerald (Jerry) Carter wrote:
> Simon Leung wrote:
> > Anyway, my question is beside Winbind, do I need to configure krb5 on Samba (Domain A) when talking to Win2003SP1 on Domain B?
>
> Beginning with 3.0.21 if you are talking to AD in anyways (domain member server, domain controller with domain trusts, etc...) you should ensure that you configure with ADS support and correctly configure /etc/krb5.conf.

Hi Jerry,

JHT hasn't got any mention of configuring /etc/krb5.conf in S by example chapter 7.3.4, but he has in chapter 12.3.2. Other docs say only an empty config file is needed, or none at all, depending on whether you are using Heimdal or MIT kerberos. How much info, if any, should be in /etc/krb5.conf? Is the chapter 12 example enough?:

[libdefaults]
    default_realm = LONDON.ABMAS.BIZ

[realms]
    LONDON.ABMAS.BIZ = {
        kdc = w2k3s.london.abmas.biz
    }

Sorry to ask a basic question, but if I do an apt-get install samba and samba-common, will it install all the files needed for ADS domain membership?

Regards
Geoff Scott

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
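As an added example (not code from any of the posts or from the Samba project), here is a Python reader for a krb5.conf of the shape Simon attached, with the checks that catch the usual misconfigurations before kinit and klist are tried; the realm and KDC names are constructed, modelled on the post:

```python
import re
from typing import Dict, List

# Constructed krb5.conf in the shape of the one in the post above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_kdc = true

[realms]
    MYDOMAIN.COM = {
        kdc = w2k3.mydomain.com
        admin_server = w2k3.mydomain.com
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf reader: [section] headers, key = value lines and the
    brace-delimited realm blocks. Values are lists (kdc may repeat)."""
    conf: Dict[str, dict] = {}
    section = block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.match(r"^\[(\w+)\]$", line)
        if not line:
            continue
        if head:
            section, block = head.group(1), None
            conf.setdefault(section, {})
        elif line == "}":
            block = None                      # end of a "REALM = { ... }" block
        else:
            kv = re.match(r"^(\S+)\s*=\s*(.*)$", line)
            if not kv or section is None:
                raise ValueError(f"cannot parse line: {line!r}")
            key, value = kv.group(1), kv.group(2).strip()
            if value == "{":                  # start of "REALM = {"
                block = key
                conf[section].setdefault(block, {})
            else:
                target = conf[section][block] if block else conf[section]
                target.setdefault(key, []).append(value)
    return conf


def check_trust_config(conf: Dict[str, dict]) -> List[str]:
    """Findings that would stop kinit/winbind from reaching the AD KDC."""
    findings: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    realms = {k: v for k, v in conf.get("realms", {}).items() if isinstance(v, dict)}
    default_realm = libdefaults.get("default_realm", [None])[0]
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["false"])[0].lower() == "true"
    if default_realm is None:
        findings.append("libdefaults has no default_realm")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] entry")
    for name, body in realms.items():
        if name != name.upper():
            findings.append(f"realm {name} is not upper-case as AD realms are")
        if "kdc" not in body and not dns_kdc:
            findings.append(f"realm {name} has no kdc and dns_lookup_kdc is off")
    for domain, target in conf.get("domain_realm", {}).items():
        if target[0] not in realms:
            findings.append(f"domain_realm maps {domain} to undefined realm {target[0]}")
    return findings
```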
[Samba] Need krb5 on Interdomain trust Win2003SP1 - Samba3.0.21?
Hi there,

I am reading the Samba3-By-Example dated 29Dec2005. I've found that there's no information telling how to make a successful deployment of an interdomain trust, but this is the missing chapter that I am really looking for.

Anyway, my question is: besides Winbind, do I need to configure krb5 on Samba (Domain A) when talking to Win2003SP1 on Domain B?

Best Wishes and Happy New Year
Simon
[Samba] Master browser? Confusion!
Hi there,

I have samba 3.0.20a running with winbind as DC (security = user) (say DomainA), and I have another Windows domain (DomainB). I can see the correct master browser in DomainA from smbclient -L \\localhost -N, and can resolve the netbios name by nslookup and ping.

Then I set up the trust as stated in the How-To from DomainA: net rpc trustdom establish DomainB, then password. I was prompted with this:

Could not connect to server DomainB-server
Trust to domain DomainB established

but I can list users/groups in DomainB by wbinfo -u or -g.

Any ideas?

THX
Simon
[Samba] WinXP SP2 winlogon.exe blue screen to death
Hi there,

I have another problem on WinXP SP2 with samba 3.0.20a. Somehow, in a random situation, once a user logged onto the workstation, they were prompted with a winlogon.exe fatal error + blue screen of death, then a self-reboot. When I checked the log from Windows, it said there's a problem with msgina.dll from WinXP SP2. However, another user can successfully log on to the same workstation without any problems. (They have the same privileges and are in the same domain group.)

Here is the log.winbind for the user who successfully logged on to the workstation:
[Samba] Attempt #2 :Interdomain Trust
Dear All,

I have posted the following HELP recently, and it seems like there was no response afterwards. Anyway, I'll try to make it short again here:

As instructed from the Samba3-HOWTO.pdf Ch 18.4.2:

[EMAIL PROTECTED] var]# net rpc trustdom establish DomainA
Password:
Could not connect to server DomainA-PDC
Trust to domain DomainA established

Then, a workstation (WinXP SP2) had successfully joined DomainB (with Domain A listed in the "Log on to" box). Users in Domain A can log in, but I found an error in the event viewer:

Event ID: 15
Source: AutoEnrollment
Type: Error
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.

Another problem is that when a Domain A user logs on to the workstation from Domain B, a blue screen of death was prompted where the error is from winlogon.exe (msgina.dll).

I hope someone can help.

With a BIG THX
Simon

_______________________________________
From: Simon Leung [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 14, 2005 2:17 PM
To: 'samba@lists.samba.org'
Subject: Yelling for help on interdomain Trust (a long one)

Hi there,

Scenario:
Domain A: Win2000Server (PDC) (DC1) + Win2003Server (DC2)
Domain B: Samba 3.0.20 (compiled with the patches from http://us1.samba.org/samba/patches/)
Where Domain A is the TRUSTED domain whereas Domain B is the TRUSTING domain.

And here is part of my smb.conf:

-Starts--
# Global parameters
[global]
## NETBIOS / Domain Server Settings
workgroup = SAMBA
netbios name = SAMBA3
server string = Samba-LDAP Server %v PDC
security = user
preferred master = yes
domain master = yes
os level = 65
allow trusted domains = yes
domain logons = Yes
local master = yes
encrypt passwords = Yes
admin users = @Domain Admins
Time server = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
## USER / LDAP Settings
ldap port = 389
ldap suffix = dc=mydomain,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap admin dn = cn=Manager,dc=mydomain,dc=com
ldap ssl = no
ldap passwd sync = yes
passdb backend = ldapsam:ldap://127.0.0.1
admin users = administrator
guest account = nobody
obey pam restrictions = No
#add user script = /usr/local/sbin/smbldap-useradd -m %u
add machine script = /usr/local/sbin/smbldap-useradd -w %u
#add group script = /usr/local/sbin/smbldap-groupadd -p %g
#add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
#set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
## WINS / DNS settings
wins support = yes
idmap uid = 1-2
idmap gid = 1-2
winbind use default domain = no
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
winbind uid = 1-2
winbind gid = 1-2
winbind trusted domains only = yes
template shell = /bin/false
name resolve order = wins hosts bcast
smb ports = 139 445
hosts allow = IP addresses under my network
## LOGGING
utmp = yes
syslog = 0
log level = 3 passdb:0 auth:2 winbind:5
panic action = /usr/share/samba/panic-action %d
max log size = 50
log file = /var/log/samba/log.%m
## MISC Files/Directories
nt acl support = yes
map acl inherit = yes
dos charset = CP950
unix charset = BIG5
case sensitive = no
directory mask = 0750
hide dot files = yes
hide unreadable = yes
oplocks = Yes
level2 oplocks = Yes
## Profile
logon script = logon.bat
logon path =
logon drive =
logon home =
## MISC Other
mangling method = hash2
deadtime = 10
#client schannel = no
#client schannel = auto
#server schannel = yes
#client signing = auto
#server signing = no
-END-

My journey to setting up the trust:
1. Create the Domain A account in OpenLDAP -- smbldap-useradd -I Name of Domain A
2. Create the trust on Domain A (DC2) -- added Name of Domain B, assigned the password and validated the trust -- No error message
3. Establish the trust on Samba -- net rpc trustdom establish DomainA -U administrator, then password

My problem:
1. I was prompted with the following error:
Could not connect to server DC1
Trust to domain DomainA established
2. joined a workstation (WinXP SP2
RE: [Samba] Re: wbinfo can't list users
Hi Jerry,

This also fixed my problem on (DomA): Samba 3.0.20pre2 trusting (DomB): Win2000Server PDC (without SR1) with Win2003 Server SP1 as an additional DC.

THX guys
Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kent Tong
Sent: Thursday, July 28, 2005 9:53 AM
To: samba@lists.samba.org
Subject: [Samba] Re: wbinfo can't list users

Gerald (Jerry) Carter jerry at samba.org writes:
> You've got Windows 2000 SP4 SR1 installed don't you? The only current fix is to either set 'client schannel = no' in smb.conf or to just disable schannel connections on the SAMR pipe in nsswitch/winbindd_cm.c.

Hi Jerry,

Thanks a lot! This fix works!
[Samba] Samba 3 Trusting Win200x Server
Hi there,

My setup:
Domain A (DomA): Win2000Server SP4 as Domain Controller (PDC)
Domain B (DomB): Samba 3.0.14a with OpenLDAP 2.1.30 as Role Domain PDC
Where Domain B trusts Domain A (i.e. DomA\user can log on to a PC from DomB).

Worked fine on pulling user/group info from DomA by wbinfo -u, wbinfo -g, and network sharing was OK. This setup has been in use for a year without any problem until a Win2k3 server was introduced into DomA as an additional DC.

Problem:
All of the users in DomA are no longer authenticated on the PCs from DomB, which report an incorrect username/password.

wbinfo -u (wbinfo -g) --
Error looking up domain users

wbinfo -t --
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret

wbinfo -m -- DomA is shown

wbinfo --sequence --
DomA : DISCONNECTED
BUILTIN : 1
DomB : 1

From the log, log.winbindd keeps generating this:
[2005/07/25 15:33:05, 5] nsswitch/winbindd_user.c:getpwnam_name2sid_recv(374)
  Could not lookup name for user SOMEONE

Action:
Checked the trust setting on DomA -- OK
Checked on DomB -- net rpc trustdom list shows DomA under Trusting domain
Removed DomA$ from OpenLDAP, deleted the trust (net rpc trustdom del DomA)
Re-established the trust as stated in the How-To; the trust is established but no luck

My QUESTION: Please help!

Simon
[Samba] printing dead
Dear All,

I am running a Samba 3.0.2a domain. For some unknown reason, the printing (3 LaserJets running) malfunctioned and no one, including the admin account, could send out a print job. While I went through the log, I found the following (FYI: I am running lprng for the printing):

Apr 7 23:00:15 samba3 smbd[12330]: [2004/04/07 23:00:15, 0] tdb/tdbutil.c:tdb_log(724)
Apr 7 23:00:15 samba3 smbd[12330]:   tdb(/usr/local/samba/var/locks/printing/my-printer.tdb): tdb_oob len 16909640 beyond eof at 40960

Then I renamed those problem .tdb files and restarted the samba daemon, and they were back to work. BUT...but they died again when I came back to the office this morning. I have double checked that I can print directly through the Redhat desktop, but no luck through samba. Also, I've checked the smb.conf and there has been no modification since last week.

So where should I look on my system to troubleshoot this?

Many THX
Simon
[Samba] Password will expire in 12 days?
Dear All,

I have just upgraded my system to 3.0.2 with LDAP as the backend. One weird thing I've found after the upgrade is that users are prompted that their passwords will expire in 12 days, and this 12 days never decreases to 11..10..! I didn't set any password expiry date for my users before the upgrade, and here is one of the account entries from my db:

PS. this account info is exactly the same as before the upgrade.

# user, Users, localhost.localdomain
dn: uid=user,ou=Users,dc=localhost,dc=localdomain
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSAMAccount
cn: labguest
sn: labguest
uid: labguest
uidNumber: 1058
gidNumber: 513
homeDirectory: /user
loginShell: /bin/false
gecos: System User
description: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-3560070872-2796102831-4012217845-3116
sambaLMPassword: 9A8027BFFBF554F3417EAF50CFAC29C3
sambaAcctFlags: [U]
sambaNTPassword: 317B01BD180336816A20CF188BEBD7E4
sambaPwdLastSet: 1073635798
sambaPwdMustChange: 1077523798
userPassword:: e1NTSEF9UTJIZXIxU3Znam5XYXgxK0NaWkhyTXVLWEZGbzZKclk=

Many Thx, and I'd appreciate any hints
Simon
RE: [Samba] \ as winbind separator not possible?
Hi Jens,

I came across this problem before; my solution is to comment out the winbind separator = ... in smb.conf and restart your winbind daemon. You will find that \ is the default separator of your user info afterwards.

Cheers
Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Altrock, Jens
Sent: Tuesday, November 04, 2003 14:31
To: [EMAIL PROTECTED]
Subject: [Samba] \ as winbind separator not possible?

Hi!

I have in the smb.conf a backslash as winbind separator; I used testparm to check my config though, and it says that I am only allowed to use one character as winbind separator. Am I doing something wrong?!

Jens
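An added example, not code from the posts or from the Samba project: a small checker for the smb.conf [global] settings these threads turn on or off while chasing a trust problem (the 'client schannel = no' workaround in the wbinfo thread, the commented schannel/signing lines in the "Attempt #2" smb.conf, the idmap ranges, and the one-character winbind separator that testparm insists on). The sample config is constructed; the weak values it carries are the ones the threads mention.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment with the threads' workaround settings applied.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = SAMBA
    security = user
    allow trusted domains = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = +
    client schannel = no
    server signing = no

[homes]
    browseable = no
"""

WEAK_VALUES = {"no", "false", "disabled", "0"}


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters with keys normalised the way Samba does
    (case-insensitive, internal whitespace collapsed); later lines win."""
    params: Dict[str, str] = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            in_global = head.group(1).strip().lower() == "global"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """'10000-20000' -> (10000, 20000); None when malformed or inverted."""
    m = re.match(r"^(\d+)\s*-\s*(\d+)$", value.strip())
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None


def check_global(params: Dict[str, str]) -> List[str]:
    """Flag the settings the threads above touch while chasing a trust."""
    findings: List[str] = []
    # Secure channel or SMB signing switched off leaves NETLOGON and SMB
    # traffic unprotected: 'client schannel = no' is a workaround, not a
    # setting to leave in place once the trust works.
    for key in ("client schannel", "server schannel", "client signing", "server signing"):
        if params.get(key, "").lower() in WEAK_VALUES:
            findings.append(f"{key} = {params[key]}: protection disabled")
    for key in ("idmap uid", "idmap gid"):
        if key in params and parse_range(params[key]) is None:
            findings.append(f"{key} = {params[key]}: expected low-high with low < high")
    sep = params.get("winbind separator")
    if sep is not None and len(sep) != 1:
        findings.append(f"winbind separator = {sep!r}: must be one character (testparm rejects more)")
    if params.get("allow trusted domains", "yes").lower() in WEAK_VALUES:
        findings.append("allow trusted domains = no: trusted-domain logons will be refused")
    return findings
```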
[Samba] RPC server is unavailable
Hi there,

I am working on the trust relationship between 2 domains with a Samba 3 PDC and a W2K PDC. When I typed in the trust password on both machines, on my Samba 3 I was prompted with the success output, but I've got the following error when verifying the trust on my W2K PDC:

Information from the primary domain controller for the domain cannot be obtained because: The RPC server is unavailable. Make sure that the PDC is operating properly and then try again

And from my Samba, I've got the following error log:

Oct 13 12:51:51 sambav3 smbd[2015]: [2003/10/13 12:51:51, 0] auth/auth_domain.c:connect_to_domain_password_server(115)
Oct 13 12:51:51 sambav3 smbd[2015]:   connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine myW2kPDC. Error was : NT_STATUS_UNSUCCESSFUL.
Oct 13 12:51:51 sambav3 smbd[2015]: [2003/10/13 12:51:51, 0] auth/auth_domain.c:domain_client_validate(167)
Oct 13 12:51:51 sambav3 smbd[2015]:   domain_client_validate: Domain password server not available.

What is that about? Any solution, or a link to the solution, is greatly appreciated.

THX
Simon
[Samba] Samba.3.0.0 PDC with LDAP as trusting Domain of Win2k PDC
Hi there,

I am running the released version of Samba V3 with OpenLDAP-2.1.22 as PDC. I have successfully used the bundled smbldap-tools to create user accounts and machine accounts, and my testing PC is able to join the Samba domain.

My problem is: I have another Win2k PDC and would like the users from it to be able to log on to the machines in the Samba domain. So I referred to Chapter 16.4.2 of the How-To doc and did the following things:

1. Go to Active Directory Domains and Trusts
2. Add my Samba Domain in the "Domains that trust this Domain"
3. Key in the trust password
4. Execute net rpc trustdom establish myW2kDomain from Samba
5. Type in the same password as I put in Item 3 above
6. I was prompted with this message from Samba: utils/net_rpc.c:rpc_trustdom_establish(1919) Success!
7. Then in the W2k PDC, I was prompted to verify the trust, so I accepted it, but here is the problem. In the W2k PDC, it said that the Trust cannot be verified at this time due to the following situation: The RPC server is unavailable.

Then I referred to the message log with the following error:

Oct 3 11:04:14 sambav3 smbd[2005]: [2003/10/03 11:04:14, 0] connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine myW2kPDC. Error was : NT_STATUS_UNSUCCESSFUL.
Oct 3 11:04:14 sambav3 smbd[2005]: [2003/10/03 11:04:14, 0] auth/auth_domain.c:connect_to_domain_password_server(115)
Oct 3 11:04:14 sambav3 smbd[2005]:   connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine MyW2kPDC. Error was : NT_STATUS_UNSUCCESSFUL.
Oct 3 11:04:14 sambav3 smbd[2005]: [2003/10/03 11:04:14, 0] domain_client_validate: Domain password server not available.

What did I miss?

THX in advance

BTW, here is part of the smb.conf with the settings:

[global]
workgroup = SAMBA
netbios name = SAMBAV3
server string = Samba Server %v
security = user
allow trusted domains = yes
log level = 10
log file = /var/log/samba/log.%m
max log size = 50
domain logons = Yes
os level = 33
local master = yes
domain master = yes
preferred master = yes
encrypt passwords = Yes
unix password sync = yes
passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
password server = *
ldap server = 127.0.0.1
ldap port = 389
ldap suffix = dc=Mysamba, dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
#ldap idmap suffix = ou=idmap
ldap filter = ((uid=%u)(objectclass=sambaSamAccount))
ldap admin dn = cn=Manager,dc=Mysamba,dc=com
ldap ssl = no
ldap passwd sync = yes
passdb backend = ldapsam,guest
admin users = administrator
hosts allow = ..allowed IP address
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
oplocks = No
level2 oplocks = No
add machine script = /usr/local/sbin/smbldap-useradd.pl -w %U

THX again
Simon