This is a discussion on RE: [Samba] Re: Authentication against AD? within the Samba forums, part of the Networking and Network Related category.
Hi,
I get exactly the same. 'kinit -U[username]%[password]' works 100%; 'klist' shows my kerberos ticket(s); I set up my krb5.conf as per the examples in Samba 3 by Example-HOWTO; I joined the domain 100% with 'net ads join -U [username]%[password]', but:

wbinfo -u just gives me "Error looking up domain users."
wbinfo -g gives me a listing of all the ADS groups <-- working 100%?
'getent passwd' gives me a listing of all local users, but no domain / ADS users
'getent group' gives me the local groups, but no ADS groups (just hangs a while after local groups and then probably times out)

I only have a small office file & print server (about 12 users), so I got around this by using local accounts and manually mapping them to the corresponding domain users (/etc/samba/smbusers - local username = [DOMAIN]/[domain username]) and using 'username map = /etc/samba/smbusers' in smb.conf.

Here is my config:

[global]
realm = COMPANY.COM
security = ADS
password server = kdc.company.com
idmap uid = 10000-1000000
idmap gid = 10000-1000000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind separator = /
unix password sync = yes
workgroup = COMPANY-COM
interfaces = eth0 lo
bind interfaces only = yes
netbios name = SERVER
name resolve order = wins hosts bcast
dns proxy = no
domain logons = no
preferred master = no
domain master = no
local master = yes
os level = 33
max log size = 1024
log level = 2
log file = /var/log/samba/samba-new.log
syslog = 1
guest account = smbguest
username level = 50
username map = /etc/samba/smbusers
encrypt passwords = yes
password level = 20
client use spnego = yes
wins server = x.x.x.x
preserve case = yes
short preserve case = yes
case sensitive = no
hide dot files = yes
hide unreadable = yes
hide special files = yes
map to guest = never

I also repeatedly get the following in /var/log/samba/log-wb.COMPANY-COM:

[2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
  cli_rpc_open failed on pipe \lsarpc to machine [ADS_DC_NAME]. Error was Write error: Connection reset by peer
[2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
  cli_rpc_open failed on pipe \NETLOGON to machine [ADS_DC_NAME]. Error was Write error: Connection reset by peer

Service smb status gives:
smbd (pid 21371 21233) is running...
nmbd (pid 14018) is running...

Service winbind status gives:
winbindd (pid 8991 8370 8367 8366) is running...

I'm running Samba 3.0.20 on Linux Fedora Core 4.

Although we can work, any help to get the proper domain authentication working would be greatly appreciated.

TIA
Ernest

> Dimitri Yioulos wrote:
>
> >On Thursday 15 September 2005 3:32 pm, you wrote:
> >
> >></snip>
> >>
> >>Ok I think I have found my problem. I need to find a way to map
> >>Samba to an active directory common name:
> >>
> >>%> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"
> >>(example, I know the syntax is incorrect)
> >>
> >>As far as I can tell it is hard coded in the net ads join routine to
> >>tack on the ou=users vs. cn=users, anyone shed some light on this?
> >
> >Uh, I must be missing something here. This is a pretty
> >straightforward set-up, right? You want to join this Samba box to a
> >Win2k3 server for file- or print-serving purposes? I've always felt that you get a
> >basic set-up working first, then start to get fancy.
> >
> >AFAIK:
> >
> >1. kinit Administrator@MYDOMAIN.COM
> >(You'll be prompted for a password. My systems simply return me to a
> >prompt if I'm successful.)
> >2. net ads join -U Administrator@MYDOMAIN.COM
> >(Again, you'll be prompted for a password.
> >Info about the machine joining the AD is returned)
> >
> >Beyond this, someone else will have to help out.
> >
> >Best,
> >
> >Dimitri
>
> Yeah this works, I can get my krb creds:
>
> jason@odin-newb:~> kinit Admin@DOMAIN.COM
> Password for Admin@DOMAIN.COM:
> jason@odin-newb:~> klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: Admin@DOMAIN.COM
>
> Valid starting     Expires            Service principal
> 09/15/05 14:12:30  09/16/05 00:11:16  krbtgt/DOMAIN.COM@DOMAIN.COM
>         renew until 09/16/05 14:12:30
>
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> And this works as well:
>
> Admin@DOMAIN.COM's password:
> [2005/09/15 14:13:25, 0] libads/ldap.c:ads_add_machine_acct(1405)
>   ads_add_machine_acct: Host account for odin-newb already exists - modifying old account
> Using short domain name -- DOMAIN.COM
> Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
>
> But when testing, using wbinfo -u or getent I am getting only the
> local passwd accounts.
>
> jason@odin-newb:~> wbinfo -u
> Error looking up domain users
>
> And here is where my accounts need to be authenticated from
>
> LDAP://server.domain.com/CN=Users,DC=server,DC=domain,DC=com
>
> Note the CN=Users, vs. OU=Users, I will go read the RFC to see if I
> can get more info on this.

So, you're not authenticating against ADS? If you are, are you sure the winbind daemon is running?

Dimitri

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
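Both posters see the same split symptom: wbinfo -g and the join work, yet wbinfo -u fails and getent never shows domain accounts. The script below is an added diagnostic (editorial example, not from the thread or the Samba project) that separates the two layers involved: whether /etc/nsswitch.conf actually routes passwd/group lookups to winbind, and whether winbindd itself answers and can reach the DC. It assumes the Samba 3 tool names used in the thread (wbinfo, getent) and the thread's idmap range starting at uid 10000.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks for the symptoms above:
# 1. is NSS wired to winbind for passwd/group? If not, getent only ever
#    lists local accounts even when wbinfo works.
# 2. does winbindd answer, and can it talk to the DC (wbinfo -p / -t)?
# Assumes Samba 3 tool names (wbinfo, getent) and the thread's
# "idmap uid = 10000-1000000" range; the awk filter below uses that value.

# nss_has_winbind FILE DB: succeed if the "DB:" line (passwd or group)
# in FILE lists winbind; comments are stripped first so a commented-out
# line does not count.
nss_has_winbind() {
    nss_file="$1"
    db="$2"
    sed 's/#.*//' "$nss_file" | grep -E "^[[:space:]]*${db}:" | grep -qw winbind
}

# nss_report FILE: one-line verdict per database.
nss_report() {
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then
            echo "$db: winbind present in $1"
        else
            echo "$db: winbind MISSING in $1 (getent will show local accounts only)"
        fi
    done
}

# winbind_checks: live checks, run only when the tools are installed.
winbind_checks() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 2; }
    wbinfo -p >/dev/null || echo "winbindd not answering (wbinfo -p failed)"
    wbinfo -t >/dev/null || echo "machine trust secret check failed (wbinfo -t)"
    if ! wbinfo -u >/dev/null; then
        echo "wbinfo -u failed: check the winbind log for RPC pipe errors to the DC"
    fi
    # domain accounts mapped by idmap land at uid >= 10000 in this setup
    getent passwd | awk -F: '$3 >= 10000 {n++} END {print n+0 " idmapped domain accounts via NSS"}'
}

# Run the live checks only when invoked as: sh winbind-check.sh --run
if [ "${1:-}" = "--run" ]; then
    nss_report /etc/nsswitch.conf
    winbind_checks
fi
```

If nss_report says winbind is missing while wbinfo -u works, the fix is in nsswitch.conf rather than smb.conf; if wbinfo -u itself fails, the RPC "Connection reset by peer" lines in the winbind log are the place to look.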