-
Trying to use Kerberos to authenticate Samba and logins through ADS
I am seeing this in the winbindd.log
[2004/12/17 10:45:39, 1] nsswitch/winbindd.c:main(854)
winbindd version 3.0.7-1.3E.1 started.
Copyright The Samba Team 2000-2004
[2004/12/17 10:45:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
krb5_cc_get_principal failed (No credentials cache found)
[2004/12/17 10:45:40, 0] libads/kerberos.c:ads_kinit_password(136)
kerberos_kinit_password host/SXEC2@QG.COM failed: Client not found in Kerberos database
[2004/12/17 10:45:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
ads_connect for domain QG failed: Client not found in Kerberos database
nmbd.log
[2004/12/17 10:45:36, 0] nmbd/nmbd.c:main(665)
Netbios nameserver version 3.0.7-1.3E.1 started.
Copyright Andrew Tridgell and the Samba Team 1994-2004
smbd.log
[2004/12/17 10:45:35, 0] smbd/server.c:main(760)
smbd version 3.0.7-1.3E.1 started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
I have attempted this numerous times with different levels of admin privs on the ADS side and get the same results. Kerberos appears to be working fine; I can even log into the Linux server using my ADS username and password.
wbinfo -t shows success, as do wbinfo -g and -u. wbinfo -m shows all domains but the one I am a member of. wbinfo --sequence shows the following.
[root@sxec2 root]# wbinfo --sequence
Could not show sequence numbers
[root@sxec2 root]# wbinfo --sequence
SXEC2 : 1
BUILTIN : 1
QMED : DISCONNECTED
CORPORATE : 1031468
QG_INKJET : 95434
QUADTECH : 9281
HIGHTECH : 164699
IMAGING : 60025
QUADMED : DISCONNECTED
CUSTOMERS : DISCONNECTED
QG : DISCONNECTED
Here's what I've done so far:
I modified /etc/krb5.conf file to look like the example below.
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = QG.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
QG.COM = {
kdc = 161.49.22.90:88
default_domain = QG.COM
}
[domain_realm]
.qg.com = QG.COM
qg.com = QG.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Open the file /etc/samba/smb.conf and change the following variables in the ‘global’ section with the values given below.
[global]
workgroup = QG
ads server = x.x.x.x
realm = QG.COM
netbios name = SXEC2
security = ADS
Note: change x.x.x.x to the IP address of the ADS server.
Now save the file and exit to the terminal.
Command to authenticate your machine against the ADS:
kinit administrator@QG.COM
After getting authenticated, I added the machine to ADS. To do so, run the following command.
net ads join -S QG.COM
Now I used smbclient with the -k option to connect to the share from ADS.
Any help is highly appreciated. Thanks in advance.
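A consistency check for the two files edited in the steps above, as an added example that is not part of the original post: it confirms that smb.conf uses security = ADS with the same realm as the krb5.conf default_realm, and that a kdc is listed when dns_lookup_kdc is switched off. The sample file contents, the function names and the choice of checks are assumptions of this example.

```python
import re

# Constructed sample files, modelled on the two configs in the post above.
KRB5 = """[libdefaults]
default_realm = QG.COM
dns_lookup_kdc = false
[realms]
QG.COM = {
 kdc = 161.49.22.90:88
}
"""
SMB = "[global]\nworkgroup = QG\nrealm = QG.COM\nsecurity = ADS\n"

def parse(text):
    """Parse krb5.conf or smb.conf text into {section: {key: [values]}}.
    A key inside a krb5 'NAME = {' block is stored as 'NAME/key'."""
    out, section, block = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        head = re.fullmatch(r"\[(.+)\]", line)
        if head:
            section, block = head.group(1).lower(), None
        elif line == "}":
            block = None
        elif "=" in line and section:
            key, val = (p.strip() for p in line.split("=", 1))
            if val == "{":
                block = key
            else:
                name = f"{block}/{key}" if block else key.lower()
                out.setdefault(section, {}).setdefault(name, []).append(val)
    return out

def check(krb5_text, smb_text):
    """Return a list of findings where the two files disagree."""
    libdef = parse(krb5_text).get("libdefaults", {})
    realms = parse(krb5_text).get("realms", {})
    smb = parse(smb_text).get("global", {})
    first = lambda d, key: (d.get(key) or [""])[0]
    realm, found = first(libdef, "default_realm"), []
    if first(smb, "security").lower() != "ads":
        found.append("smb.conf: security is not ADS")
    if first(smb, "realm") != realm:
        found.append("smb.conf realm differs from krb5.conf default_realm")
    # With DNS lookup switched off, the KDC can only come from [realms].
    dns_off = first(libdef, "dns_lookup_kdc").lower() in ("false", "no", "off", "0")
    if dns_off and not realms.get(f"{realm}/kdc"):
        found.append(f"no kdc listed for realm {realm} and dns_lookup_kdc is off")
    return found
```

An empty list means the two files agree on these points; it says nothing about whether the machine account exists in the directory.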
-
Have you done anything like:
idmap gid = 10000-20000
idmap uid = 10000-20000
in smb.conf to map your users and groups?
-
You might want to read through this article on the JL Library:
http://www.justlinux.com/forum/showt...hreadid=118288
I noticed a small difference in the krb5.conf files.
Here's an article I wrote on using winbind:
http://www.justlinux.com/forum/showt...hreadid=118512
These may or may not be of any value to you.
If God hadn't meant for us to use GUI tools, there wouldn't have been a Xerox PARC.