Re: [Samba] Adding FreeBSD Samba Server to windows 2003 ADS

2006-11-01 Thread Edward Irvine at home

Hi,

It has been a while since I have looked at any of this. However, I do know you 
don't want to run a kdc on your FreeBSD server. Windows is the KDC.

You do need to tell FreeBSD what realm you are in, and what the Windows ADS 
servers are:

You might wish to try the following in your /etc/krb5.conf file:

# /etc/krb5.conf

[libdefaults]
   default_realm = EXAMPLE.COM
   forwardable = true
   default_tgs_enctypes = rc4-hmac des-cbc-crc
   default_tkt_enctypes = rc4-hmac des-cbc-crc

[appdefaults]
   default_realm = EXAMPLE.COM
   pam = {
      forwardable = true
      krb4_convert = false
      debug = false
   }

[realms]
   EXAMPLE.COM = {
      kdc = ads1.example.com:88
      kdc = ads2.example.com:88
      admin_server = ads1.example.com:749
      kpasswd_server = ads1.example.com:464
      kpasswd_protocol = SET_CHANGE
      default_domain = example.com
   }

[domain_realm]
   example.com = EXAMPLE.COM
   .example.com = EXAMPLE.COM

[logging]
   default = FILE:/var/log/krb5lib.log

Also, you might want to try this link:

http://www.kurai.org/~gdunn/samba3-ad/fbsd_samba.html

Eddie
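
The settings in the krb5.conf above can be checked mechanically. The following is an added example, not part of the original message: it parses a krb5.conf and reports a default realm with no KDC entries, domain mappings to undefined realms, and enctypes that have since been deprecated for Kerberos. The function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: the file from the message above, trimmed to what is audited.
SAMPLE = """\
[libdefaults]
   default_realm = EXAMPLE.COM
   default_tgs_enctypes = rc4-hmac des-cbc-crc
   default_tkt_enctypes = rc4-hmac des-cbc-crc

[realms]
   EXAMPLE.COM = {
      kdc = ads1.example.com:88
      kdc = ads2.example.com:88
   }

[domain_realm]
   example.com = EXAMPLE.COM
   .example.com = EXAMPLE.COM
"""

# Deprecated for Kerberos by RFC 6649 (DES) and RFC 8429 (RC4, 3DES).
DEPRECATED = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
              "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a 'name = {' block nests one level."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def audit(text):
    """List findings: missing realm or KDCs, deprecated enctypes, bad mappings."""
    conf, findings = parse_krb5_conf(text), []
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    realm = (lib.get("default_realm") or [None])[0]
    if realm is None:
        findings.append("no default_realm in [libdefaults]")
    elif not realms.get(realm, {}).get("kdc"):
        findings.append(f"realm {realm} has no kdc entries")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        values = " ".join(lib.get(key, [])).replace(",", " ").split()
        findings += [f"{key}: {e} is deprecated" for e in values if e.lower() in DEPRECATED]
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped[0] not in realms:
            findings.append(f"{domain} maps to undefined realm {mapped[0]}")
    return findings
```

On the sample, `audit(SAMPLE)` returns four findings, one for each of `rc4-hmac` and `des-cbc-crc` under both enctype keys.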


Alberto Moreno wrote:

2006/10/27, Guillermo Gutierrez [EMAIL PROTECTED]:



Thank you for your response.
I have not been successful in trying to do this. I have found a how-to
doing this with winbind and ldap but could not get them to work.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alberto Moreno
Sent: Thursday, October 26, 2006 11:51 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Adding FreeBSD Samba Server to windows 2003 ADS

2006/3/29, Guillermo Gutierrez [EMAIL PROTECTED]:

 Hi, I am trying to add a FreeBSD 6.0 Samba Server to a windows 2003 ADS
 domain and utilize winbind/kerberos for authenticating domain users on it.
 I have already done this with a Gentoo Samba server (which after I
 realized how, turned out to be very easy) but it is a lot tougher to do with
 FreeBSD.

 Has anyone on the list had any experience with it? The samba in the
 FreeBSD ports is version 3.0.14a but I downloaded the source for
 3.0.21c so that I can use the latest version.

 thanks,

 Guillermo Gutierrez
 Development Systems Engineer
 Market Scan Information Systems Inc.
 (818) 575-2000 x2427
 [EMAIL PROTECTED]

 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba


Hi Guillermo, I'm working on this, but I see that this post is from March;
I just want to know if you succeeded with this? Do you have some tips about this
situation? Is your system stable? Can you show me your settings?

I already installed samba on FreeBSD 6-1 from ports with ADS support;
tomorrow I will try to add that machine to the win2k3 AD domain, but my doubt
is with the kerberos version that FreeBSD has by default: can we use that
one?

We can enable krb5 from rc.conf, but do we need all the options there?

#
# kerberos. Do not run the admin daemons on slave servers
#

kerberos5_server_enable=NO # Run a kerberos 5 master server (or NO).
kerberos5_server=/usr/libexec/kdc # path to kerberos 5 KDC
kerberos5_server_flags= # Additional flags to the kerberos 5 server
kadmind5_server_enable=NO # Run kadmind (or NO)
kadmind5_server=/usr/libexec/kadmind # path to kerberos 5 admin daemon
kpasswdd_server_enable=NO # Run kpasswdd (or NO)
kpasswdd_server=/usr/libexec/kpasswdd # path to kerberos 5 passwd daemon


Which options do I need for this job?

I'm really starting to work with samba, but the kerberos stuff is somewhat
confusing, thanks for your time!!!



--
LIving the dream...



I read some docs about the same situation with winbind+ldap but when I
try, no success, but let me try with Kerberos and see what happens; I will
report here on the list, see you man.

LIving the dream...




[Samba] sigbus fault ?

2006-05-28 Thread Edward Irvine at home

Hi Folks,

I'm trying to run samba on Solaris 9. It works OK when I don't compile in 
kerberos and ldap, but with those two compiled in, smbd seems to freeze 
(nmbd and winbindd are OK). After a bit of investigation I notice something 
strange in truss:


...

/[EMAIL PROTECTED]: - libldap-2.3:ldap_free_urldesc(0x30dfe8, 0x32e048, 0x32dfb8, 0x3
/[EMAIL PROTECTED]:   - liblber-2.3:ber_memfree_x(0x32dfd7, 0x0, 0x0, 0x0)
/[EMAIL PROTECTED]:   - libc:free(0x32dfd7, 0x0, 0x0, 0x0)
/[EMAIL PROTECTED]: - libc:_free_unlocked(0x32dfd7, 0x0, 0x0, 0xfee3c000)
/1: Incurred fault #5, FLTACCESS  %pc = 0xFEDC7D80
/1:   siginfo: SIGBUS BUS_ADRALN addr=0x0032DFCF
 ^^^   
/1: Received signal #10, SIGBUS [caught]

/1:   siginfo: SIGBUS BUS_ADRALN addr=0x0032DFCF
/[EMAIL PROTECTED]:   - libc:sigaddset(0xffbfd594, 0xa, 0x0, 0x0)
/[EMAIL PROTECTED]: - libc:sigvalid(0xa, 0x0, 0x0, 0x0)
/[EMAIL PROTECTED]: - libc:sigvalid() = 1
/[EMAIL PROTECTED]:   - libc:sigaddset() = 0
/1: sigprocmask(SIG_SETMASK, 0xFFBFD594, 0x) = 0
/[EMAIL PROTECTED]:   - libc:___errno(0x0, 0x0, 0x0, 0x0)
/[EMAIL PROTECTED]:   - libc:___errno() = 0xfee43664
/[EMAIL PROTECTED]:   - libc:time(0x0, 0x0, 0x0, 0x0)


...


And the same sort of thing in gdb:

(gdb) run
Starting program: /opt/Samba/samba-3.0.22-with-ADS/sbin/smbd

Program received signal SIGSEGV, Segmentation fault.
0xfedc7d80 in _free_unlocked () from /usr/lib/libc.so.1
(gdb) bt
#0  0xfedc7d80 in _free_unlocked () from /usr/lib/libc.so.1
#1  0xfedc7d38 in free () from /usr/lib/libc.so.1
#2  0xff32d848 in ldap_free_urldesc (ludp=0x30dfc0) at url.c:1481
#3  0xfebe6ed0 in __s_api_addRefInfo () from /usr/lib/libsldap.so.1
#4  0xfebea200 in proc_search_references () from /usr/lib/libsldap.so.1
#5  0xfebeac94 in search_state_machine () from /usr/lib/libsldap.so.1
#6  0xfebeb4bc in __ns_ldap_list () from /usr/lib/libsldap.so.1
#7  0xfec2ad10 in _nss_ldap_nocb_lookup () from /usr/lib/nss_ldap.so.1
#8  0xfec24868 in getbymember () from /usr/lib/nss_ldap.so.1
#9  0xfedce8f0 in nss_search () from /usr/lib/libc.so.1
#10 0xfee18d30 in _getgroupsbymember () from /usr/lib/libc.so.1
#11 0xfedc3264 in initgroups () from /usr/lib/libc.so.1
#12 0x001ab280 in getgrouplist_internals ()
#13 0x001ab528 in sys_getgrouplist ()
#14 0x001ab580 in getgroups_user ()
#15 0x001ab6cc in pdb_default_enum_group_memberships ()
#16 0x0018f22c in context_enum_group_memberships ()
#17 0x0019136c in pdb_enum_group_memberships ()
#18 0x00202d90 in get_user_groups ()
#19 0x0020317c in add_user_groups ()
#20 0x002034b8 in make_server_info_sam ()
#21 0x0020387c in make_new_server_info_guest ()
#22 0x00203a30 in init_guest_info ()
#23 0x0024e0b0 in main ()


Here is my smb.conf:

[global]
  server string = IT151978  Solaris
  guest account = eirvine
  log level = 3
  preferred master = No
  local master = No
  domain master = No

[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  browseable = No

Here is what smbd is linked against:

ldd sbin/smbd
  libthread.so.1 => /usr/lib/libthread.so.1
  libldap-2.3.so.0 => /opt/OpenLDAP/openldap/lib/libldap-2.3.so.0
  liblber-2.3.so.0 => /opt/OpenLDAP/openldap/lib/liblber-2.3.so.0
  libgssapi_krb5.so.2 => /opt/Kerberos/krb5-1.4.3/lib/libgssapi_krb5.so.2
  libkrb5.so.3 => /opt/Kerberos/krb5-1.4.3/lib/libkrb5.so.3
  libk5crypto.so.3 => /opt/Kerberos/krb5-1.4.3/lib/libk5crypto.so.3
  libkrb5support.so.0 => /opt/Kerberos/krb5-1.4.3/lib/libkrb5support.so.0
  libcom_err.so.3 => /opt/Kerberos/krb5-1.4.3/lib/libcom_err.so.3
  libresolv.so.2 => /usr/lib/libresolv.so.2
  libsocket.so.1 => /usr/lib/libsocket.so.1
  libnsl.so.1 => /usr/lib/libnsl.so.1
  libpam.so.1 => /usr/lib/libpam.so.1
  libsendfile.so.1 => /usr/lib/libsendfile.so.1
  libdl.so.1 => /usr/lib/libdl.so.1
  libiconv.so.2 => /usr/local/lib/libiconv.so.2
  libc.so.1 => /usr/lib/libc.so.1
  libgen.so.1 => /usr/lib/libgen.so.1
  libgcc_s.so.1 => /opt/sfw/gcc-3/lib/libgcc_s.so.1
  libmp.so.2 => /usr/lib/libmp.so.2
  libcmd.so.1 => /usr/lib/libcmd.so.1
  /usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1

Any ideas of what to do next would be very much appreciated! Thanks

Eddie

[Samba] sigbus fault?

2006-05-27 Thread Edward Irvine at home

Hi Folks,

I'm trying to run samba on Solaris 9. It works OK when I don't compile in 
kerberos and ldap, but with those two compiled in, smbd seems to freeze 
(nmbd and winbindd are OK). After a bit of investigation I notice something 
strange in truss:


...

/[EMAIL PROTECTED]: - libldap-2.3:ldap_free_urldesc(0x30dfe8, 0x32e048, 0x32dfb8, 0x3
/[EMAIL PROTECTED]:   - liblber-2.3:ber_memfree_x(0x32dfd7, 0x0, 0x0, 0x0)
/[EMAIL PROTECTED]:   - libc:free(0x32dfd7, 0x0, 0x0, 0x0)
/[EMAIL PROTECTED]: - libc:_free_unlocked(0x32dfd7, 0x0, 0x0, 0xfee3c000)
/1: Incurred fault #5, FLTACCESS  %pc = 0xFEDC7D80
/1:   siginfo: SIGBUS BUS_ADRALN addr=0x0032DFCF
 ^^^
/1: Received signal #10, SIGBUS [caught]
/1:   siginfo: SIGBUS BUS_ADRALN addr=0x0032DFCF
/[EMAIL PROTECTED]:   - libc:sigaddset(0xffbfd594, 0xa, 0x0, 0x0)
/[EMAIL PROTECTED]: - libc:sigvalid(0xa, 0x0, 0x0, 0x0)
/[EMAIL PROTECTED]: - libc:sigvalid() = 1
/[EMAIL PROTECTED]:   - libc:sigaddset() = 0
/1: sigprocmask(SIG_SETMASK, 0xFFBFD594, 0x) = 0
/[EMAIL PROTECTED]:   - libc:___errno(0x0, 0x0, 0x0, 0x0)
/[EMAIL PROTECTED]:   - libc:___errno() = 0xfee43664
/[EMAIL PROTECTED]:   - libc:time(0x0, 0x0, 0x0, 0x0)


...


And the same sort of thing in gdb:

(gdb) run
Starting program: /opt/Samba/samba-3.0.22-with-ADS/sbin/smbd

Program received signal SIGSEGV, Segmentation fault.
0xfedc7d80 in _free_unlocked () from /usr/lib/libc.so.1
(gdb) bt
#0  0xfedc7d80 in _free_unlocked () from /usr/lib/libc.so.1
#1  0xfedc7d38 in free () from /usr/lib/libc.so.1
#2  0xff32d848 in ldap_free_urldesc (ludp=0x30dfc0) at url.c:1481
#3  0xfebe6ed0 in __s_api_addRefInfo () from /usr/lib/libsldap.so.1
#4  0xfebea200 in proc_search_references () from /usr/lib/libsldap.so.1
#5  0xfebeac94 in search_state_machine () from /usr/lib/libsldap.so.1
#6  0xfebeb4bc in __ns_ldap_list () from /usr/lib/libsldap.so.1
#7  0xfec2ad10 in _nss_ldap_nocb_lookup () from /usr/lib/nss_ldap.so.1
#8  0xfec24868 in getbymember () from /usr/lib/nss_ldap.so.1
#9  0xfedce8f0 in nss_search () from /usr/lib/libc.so.1
#10 0xfee18d30 in _getgroupsbymember () from /usr/lib/libc.so.1
#11 0xfedc3264 in initgroups () from /usr/lib/libc.so.1
#12 0x001ab280 in getgrouplist_internals ()
#13 0x001ab528 in sys_getgrouplist ()
#14 0x001ab580 in getgroups_user ()
#15 0x001ab6cc in pdb_default_enum_group_memberships ()
#16 0x0018f22c in context_enum_group_memberships ()
#17 0x0019136c in pdb_enum_group_memberships ()
#18 0x00202d90 in get_user_groups ()
#19 0x0020317c in add_user_groups ()
#20 0x002034b8 in make_server_info_sam ()
#21 0x0020387c in make_new_server_info_guest ()
#22 0x00203a30 in init_guest_info ()
#23 0x0024e0b0 in main ()


Here is my smb.conf (I've removed the ads and kerberos stuff, but it was broken 
in the same way when it was included):

[global]
 server string = IT151978  Solaris
 guest account = eirvine
 log level = 3
 preferred master = No
 local master = No
 domain master = No

[homes]
 comment = Home Directories
 valid users = %S
 read only = No
 browseable = No

Here is what smbd is linked against:

ldd sbin/smbd
  libthread.so.1 => /usr/lib/libthread.so.1
  libldap-2.3.so.0 => /opt/OpenLDAP/openldap/lib/libldap-2.3.so.0
  liblber-2.3.so.0 => /opt/OpenLDAP/openldap/lib/liblber-2.3.so.0
  libgssapi_krb5.so.2 => /opt/Kerberos/krb5-1.4.3/lib/libgssapi_krb5.so.2
  libkrb5.so.3 => /opt/Kerberos/krb5-1.4.3/lib/libkrb5.so.3
  libk5crypto.so.3 => /opt/Kerberos/krb5-1.4.3/lib/libk5crypto.so.3
  libkrb5support.so.0 => /opt/Kerberos/krb5-1.4.3/lib/libkrb5support.so.0
  libcom_err.so.3 => /opt/Kerberos/krb5-1.4.3/lib/libcom_err.so.3
  libresolv.so.2 => /usr/lib/libresolv.so.2
  libsocket.so.1 => /usr/lib/libsocket.so.1
  libnsl.so.1 => /usr/lib/libnsl.so.1
  libpam.so.1 => /usr/lib/libpam.so.1
  libsendfile.so.1 => /usr/lib/libsendfile.so.1
  libdl.so.1 => /usr/lib/libdl.so.1
  libiconv.so.2 => /usr/local/lib/libiconv.so.2
  libc.so.1 => /usr/lib/libc.so.1
  libgen.so.1 => /usr/lib/libgen.so.1
  libgcc_s.so.1 => /opt/sfw/gcc-3/lib/libgcc_s.so.1
  libmp.so.2 => /usr/lib/libmp.so.2
  libcmd.so.1 => /usr/lib/libcmd.so.1
  /usr/platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1

Any ideas of what to do next would be very much appreciated! Thanks

Eddie 


Re: [Samba] samba3.0.4 with FreeBSD

2004-05-18 Thread Edward Irvine at home

Hi,
I've had this working before and I thought I'd go and check out what is 
wrong.

It seems the samba configure script is borken. Even when you tell it to 
link against kerberos in another directory (for me it was 
/opt/MIT-Kerberos) it ignores you and just looks in the default place.

You can tell which libraries samba is linked to with the ldd command. 
ie: ldd /usr/local/sbin/smbd

running the ldconfig command to put /opt/MIT-Kerberos/lib ahead of 
/usr/lib didn't help.

I've got it to work - finally - by installing MIT Kerberos over the top 
of Heimdal Kerberos. But it sure wasn't pretty, and is definitely not a 
long term solution.

Eddie
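
The ldd check described above, as an added example that is not part of the original message: it parses ldd output and reports whether the Kerberos libraries a binary resolves come from a single implementation and a single directory. The sample output, its paths and load addresses are constructed; the MIT-only and Heimdal-only library names are the ones each distribution ships.

```python
import re
from collections import defaultdict

# Library basenames that exist in only one implementation, plus shared names.
MIT_ONLY = ("libk5crypto", "libkrb5support")
HEIMDAL_ONLY = ("libasn1", "libroken", "libhcrypto", "libheimntlm")
SHARED = ("libkrb5", "libgssapi", "libcom_err")

# Constructed sample: smbd resolving the base-system Heimdal libkrb5 while
# GSSAPI comes from an MIT install under /opt/MIT-Kerberos.
SAMPLE_LDD = """\
/usr/local/sbin/smbd:
    libgssapi_krb5.so.2 => /opt/MIT-Kerberos/lib/libgssapi_krb5.so.2 (0x2818a000)
    libk5crypto.so.3 => /opt/MIT-Kerberos/lib/libk5crypto.so.3 (0x281a0000)
    libkrb5.so.7 => /usr/lib/libkrb5.so.7 (0x281c4000)
    libasn1.so.7 => /usr/lib/libasn1.so.7 (0x28200000)
    libroken.so.7 => /usr/lib/libroken.so.7 (0x28230000)
    libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x28240000)
    libc.so.5 => /lib/libc.so.5 (0x28250000)
"""

LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(.+?)(?:\s+\(0x[0-9a-fA-F]+\))?\s*$")


def parse_ldd(text):
    """Return [(soname, resolved_path)]; the path is 'not found' when unresolved."""
    return [m.groups() for m in map(LDD_LINE.match, text.splitlines()) if m]


def kerberos_report(text):
    """Group Kerberos-related libraries by directory and name the implementations."""
    dirs, impls = defaultdict(list), set()
    for soname, path in parse_ldd(text):
        base = soname.split(".so")[0]
        if base.startswith(MIT_ONLY):          # checked before SHARED: libkrb5support
            impls.add("MIT")
        elif base.startswith(HEIMDAL_ONLY):
            impls.add("Heimdal")
        elif not base.startswith(SHARED):
            continue                           # not a Kerberos library
        dirs[path.rsplit("/", 1)[0]].append(soname)
    return {"implementations": sorted(impls), "dirs": dict(dirs),
            "mixed": len(impls) > 1 or len(dirs) > 1}


if __name__ == "__main__":
    report = kerberos_report(SAMPLE_LDD)
    print(report["implementations"], "mixed:", report["mixed"])
    for directory, libs in report["dirs"].items():
        print(directory, libs)
```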

I'm having the exact same problem, Skif.  It has to do with a conflict 
between Heimdal Kerberos (installed by default for ssh etcetera) and MIT 
Kerberos.  If you don't install krb5, then samba-devel port will install 
with ads, but it will error out when joining ads.  If you don't need to 
use ads then get rid of krb5 and remake samba-devel, and it should work.

TMS III

Skif wrote:
 samba,
 I compile kerberos5
[EMAIL PROTECTED] :  cd /usr/ports/security/krb5/
[EMAIL PROTECTED] :  make  make install  make clean  rehash
--
This port of MIT Kerberos 5 includes remote login
daemons (telnetd and klogind).  These daemons default
to using the system login program (/usr/bin/login).
Please see the file
/usr/local/share/doc/krb5/README.FreeBSD
for more information.
--
===   Compressing manual pages for krb5-1.3.3
/sbin/ldconfig -m /usr/local/lib
===   Registering installation for krb5-1.3.3
...
 This port has installed the following files which may act as network
 servers and may therefore pose a remote security risk to the system.
/usr/local/bin/ftp (USES POSSIBLY INSECURE FUNCTIONS: mktemp)
/usr/local/bin/rcp
/usr/local/bin/rlogin
/usr/local/bin/rsh
/usr/local/lib/libgssrpc.so.3
/usr/local/lib/libkrb5.so.3 (USES POSSIBLY INSECURE FUNCTIONS: mktemp)
/usr/local/sbin/ftpd
/usr/local/sbin/gss-server
/usr/local/sbin/kadmind
/usr/local/sbin/klogind
/usr/local/sbin/kpropd
/usr/local/sbin/krb5kdc
/usr/local/sbin/kshd
/usr/local/sbin/sim_server
/usr/local/sbin/sserver
/usr/local/sbin/telnetd
/usr/local/sbin/uuserver
/usr/local/sbin/v5passwdd
 If there are vulnerabilities in these programs there may be a security
 risk to the system. FreeBSD makes no guarantee about the security of
 ports included in the Ports Collection. Please type 'make deinstall'
 to deinstall the port if this is a concern.

 For more information, and contact details about the security
 status of this software, see the following webpage:
http://web.mit.edu/kerberos/www/
[EMAIL PROTECTED] :
 My next step
 
[EMAIL PROTECTED] :cd /usr/ports/net/samba3.0.4/
[EMAIL PROTECTED] :make  make install
===  ---
===  Run 'make config' to (re)configure the port
===  ---
===  Extracting for samba-3.0.4,1
 

Checksum OK for samba-3.0.4.tar.gz.

===  Patching for samba-3.0.4,1
===  Applying FreeBSD patches for samba-3.0.4,1
===   samba-3.0.4,1 depends on shared library: popt.0 - found
===   samba-3.0.4,1 depends on shared library: ldap.2 - found

...

checking for AP_OPTS_USE_SUBKEY... yes
checking for the krb5_princ_component macro... no
checking for key in krb5_keytab_entry... yes
checking for keyblock in krb5_keytab_entry... no
configure: error: libkrb5 is needed for Active Directory support
===  Script configure failed unexpectedly.
 Please report the problem to [EMAIL PROTECTED] [maintainer] and attach the
 /usr/ports/net/samba3.0.4/work/samba-3.0.4/source/config.log including
 the output of the failure of your make command. Also, it might be a
 good idea to provide an overview of all packages installed on your
 system (e.g. an `ls /var/db/pkg`).
*** Error code 1

Stop in /usr/ports/net/samba3.0.4.
[EMAIL PROTECTED] :
[EMAIL PROTECTED] :ls /var/db/pkg | grep krb
krb5-1.3.3
[EMAIL PROTECTED] :
[EMAIL PROTECTED] :uname -a
FreeBSD romanof2.owe 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Mon Feb 23 20:45:55 GMT 2004

Makefile:
CONFIGURE_ARGS+=--exec-prefix=${PREFIX} \
   --localstatedir=${VARDIR} \
   --with-configdir=${SAMBA_CONFDIR} \
   --with-libdir=${SAMBA_LIBDIR}/samba \
   --with-swatdir=${SAMBA_SWATDIR} \
   --with-piddir=${SAMBA_RUNDIR} \
   --with-lockdir=${SAMBA_LOCKDIR} \
   --with-privatedir=${SAMBA_PRIVATE} \
   --with-logfilebase=${SAMBA_LOGDIR} \
   --with-manpages-langs=en

CONFIGURE_ARGS+=--with-libiconv=${LOCALBASE}
CONFIGURE_ARGS+=--with-pam --with-readline --with-sendfile-support \
   --with-winbind --without-libsmbclient --without-python


Re: [Samba] MIT Kerberos with Solaris

2003-12-03 Thread Edward Irvine

Hi Andy,

I compiled and installed MIT Kerberos into a different location (say 
/opt/MIT-Kerberos).

I then pointed the samba configure program to that Kerberos, and 
everything went smoothly.

I think I also had to symlink the krb5.keytab and krb5.conf files so 
that both versions of Kerberos were looking at the same keytab and conf.

Eddie

ww m-pubsyssamba wrote:

As Samba 3.x does not work with the Kerberos included with Solaris (it has no headers) I have to remove it and replace it with MIT kerberos. Does anyone know if Solaris kerberised services will still work normally (without modification) such as kerberised NFS? I briefly tested this and couldn't get it to work, but if someone has a definitive answer it might save me a lot of trouble,

	thanks in advance, Andy.
