Authenticating off a Windows 2003 ADS DC with Samba/Winbind[Scanned]
David McCormack
djm at profitmaster.co.uk
Tue Nov 16 20:14:45 UTC 2004
I'm not a fan of posting 'me too' messages, but in this case I'm having _exactly_ the same errors.
Hopefully this post will add to the information on this problem. Looking in /var/log/samba/winbind.log I also get the error:
[2004/11/16 19:55:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(323)
krb5_cc_get_principal failed (No credentials cache found)
[2004/11/16 19:55:23, 0] libads/kerberos.c:ads_kinit_password(136)
kerberos_kinit_password host/DAVEMAC-FC3 at PROFITMASTER.LOCAL failed: Client not found in Kerberos database
[2004/11/16 19:55:23, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
ads_connect for domain PROFITMASTER failed: Client not found in Kerberos database
In nmbd.log is:
[2004/11/16 20:03:48, 0] nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(353)
find_domain_master_name_query_fail:
Unable to find the Domain Master Browser name PROFTIMASTER<1b> for the workgroup PROFTIMASTER.
Unable to sync browse lists in this workgroup.
I was able to get past the wbinfo -t problem by using 'net join -S <AD server> -U administrator%<password>'. It now reports 'checking the trust secret via RPC calls succeeded'.
The server that I'm connecting to is a Windows SBS 2003 machine that I've disabled the SMB signing on.
I've also tried reloading the workstation with FC3 and got the same errors (libads/ldap.c:ads_join_realm(1640) ads_add_machine_acct (<machinename>): Type or value exists), so I'm guessing that something is up with AD.
In my case I'm using a dual boot machine that also has Windows XP Professional installed - I've not had a chance to test a standalone FC3 machine.
David McCormack
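The winbind.log and nmbd.log lines quoted above follow the usual Samba 3 layout: a header line "[date time, level] file.c:function(line)" followed by one or more indented message lines. The following parser is an example added alongside the thread (it is not Samba code, and the explanations attached to each message are my own wording of the underlying Kerberos and LDAP result codes); it groups the lines into entries, pulls out the principal that kinit failed for, and annotates the messages seen in this thread. The sample text is the thread's own log output with the archive's " at " written back as "@".

```python
"""Parse Samba 3-era winbind/nmbd log entries and annotate the failure messages
seen in this thread.  Added example, not part of Samba."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the winbind.log lines from the thread, with '@' restored.
SAMPLE_WINBIND_LOG = """\
[2004/11/16 19:55:23, 1] libsmb/clikrb5.c:ads_krb5_mk_req(323)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/11/16 19:55:23, 0] libads/kerberos.c:ads_kinit_password(136)
  kerberos_kinit_password host/DAVEMAC-FC3@PROFITMASTER.LOCAL failed: Client not found in Kerberos database
[2004/11/16 19:55:23, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain PROFITMASTER failed: Client not found in Kerberos database
"""

# Constructed sample: the nmbd.log entry from the thread (one header, three message lines).
SAMPLE_NMBD_LOG = """\
[2004/11/16 20:03:48, 0] nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(353)
  find_domain_master_name_query_fail:
  Unable to find the Domain Master Browser name PROFTIMASTER<1b> for the workgroup PROFTIMASTER.
  Unable to sync browse lists in this workgroup.
"""

# Header line: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)$"
)
# Kerberos principal as printed by ads_kinit_password: service/host@REALM
PRINCIPAL_RE = re.compile(r"\b([\w.-]+/[\w.-]+@[\w.-]+)\b")

# Message fragments from the thread -> what the underlying error code means (my wording).
KNOWN_MESSAGES = {
    "No credentials cache found":
        "winbind has no Kerberos ticket cache yet; logged at level 1 before it obtains one",
    "Client not found in Kerberos database":
        "KDC error C_PRINCIPAL_UNKNOWN: AD has no account whose name/SPN matches the client principal",
    "Type or value exists":
        "LDAP result 20 (attributeOrValueExists): a value being added to the machine object is already present",
    "Unable to find the Domain Master Browser":
        "NetBIOS browse-list sync failed; a name-resolution/WINS matter, independent of Kerberos",
    "NT_STATUS_INTERNAL_ERROR":
        "the machine trust secret could not be verified over RPC (wbinfo -t)",
}


@dataclass
class Entry:
    timestamp: str
    level: int
    source: str          # "file.c:function(line)"
    message: str = ""    # continuation lines joined with a single space


def parse_samba_log(text: str) -> List[Entry]:
    """Group each header line with its indented continuation lines into one Entry."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if current is not None:
                entries.append(current)
            current = Entry(m["ts"], int(m["level"]),
                            f"{m['file']}:{m['func']}({m['line']})")
        elif current is not None:
            current.message = (current.message + " " + line).strip()
    if current is not None:
        entries.append(current)
    return entries


def annotate(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Pair every entry whose message contains a known fragment with its explanation."""
    found = []
    for e in entries:
        for fragment, meaning in KNOWN_MESSAGES.items():
            if fragment in e.message:
                found.append((e, meaning))
                break
    return found


def failed_principals(entries: List[Entry]) -> List[str]:
    """Principals that a kinit attempt reported as failed, in log order, without duplicates."""
    seen: List[str] = []
    for e in entries:
        if "kinit" in e.source or "kinit" in e.message:
            for p in PRINCIPAL_RE.findall(e.message):
                if p not in seen:
                    seen.append(p)
    return seen


if __name__ == "__main__":
    for name, text in (("winbind.log", SAMPLE_WINBIND_LOG), ("nmbd.log", SAMPLE_NMBD_LOG)):
        entries = parse_samba_log(text)
        print(f"{name}: {len(entries)} entries, kinit failed for {failed_principals(entries)}")
        for e, meaning in annotate(entries):
            print(f"  [{e.level}] {e.source}: {meaning}")
```

Run it against a real /var/log/samba/winbind.log by replacing the sample text; the principal list makes it obvious which host/NAME@REALM the KDC rejected, which is the first thing to compare against the machine account AD actually holds.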
________________________________
From: fedora-list-bounces at redhat.com on behalf of Rafiq_Maniar at Dell.com
Sent: Tue 16/11/2004 18:00
To: fedora-list at redhat.com
Subject: RE: Authenticating off a Windows 2003 ADS DC with Samba/Winbind[Scanned]
Ok guys, at least I know that it does work for other people.
Here's the network configuration:
- Windows 2003 Server gx270-rmaniar [192.168.0.100]
- Fedora Core 3 gx280rmaniarFC3 [192.168.0.5]
FYI: A Windows XP box correctly connects to the DC OK.
**********************
Here's what I've done:
- removed the Active Directory service from the W2K3 box and started from scratch again.
- configured /etc/krb5.conf
- timesynced both the Linux and Windows boxes
- Used kinit Administrator at TEST.COM to login, all OK.
- Can login to smb share using smbclient -k //gx270-rmaniar/C$ so kerberos ticket is ok.
- configured winbind/smb.conf using the Authentication applet.
- smb/winbind are started ok.
**********************
Here's the problem:
[root at gx280rmaniarFC3 samba]# net ads join -S gx270-rmaniar -U Administrator
Administrator's password:
[2004/11/16 17:35:12, 0] libads/ldap.c:ads_join_realm(1640)
ads_add_machine_acct (gx280rmaniarfc3): Type or value exists
ads_join_realm: Type or value exists
So it says it exists already, despite the fact that it's not shown in the 'Computers' list in AD.
Tried it again, and got:
[root at gx280rmaniarFC3 pam.d]# net ads join -S gx270-rmaniar -U Administrator
Administrator's password:
[2004/11/16 17:51:26, 0] libads/ldap.c:ads_add_machine_acct(1297)
ads_add_machine_acct: Host account for gx280rmaniarfc3 already exists - modifying old account
[2004/11/16 17:51:26, 0] libads/ldap.c:ads_join_realm(1640)
ads_add_machine_acct (gx280rmaniarfc3): Type or value exists
ads_join_realm: Type or value exists
The computer now appears in the "Computers" list on the Windows server.
[root at gx280rmaniarFC3 samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret
**********************
Here's the relevant info from smb.conf:
workgroup = TEST.COM
security = ads
password server = 192.168.0.100
realm = TEST.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = no
And someone asked for authconfig --test --kickstart:
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is disabled
LDAP+TLS is disabled
LDAP server = "127.0.0.1"
LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is enabled
SMB workgroup = "TEST.COM"
SMB servers = "192.168.0.100"
SMB security = "ads"
SMB realm = "TEST.COM"
Winbind template shell = "/bin/bash"
SMB idmap uid = "16777216-33554431"
SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
shadow passwords are enabled
md5 passwords are enabled
pam_krb5 is disabled
krb5 realm = "TEST.COM"
krb5 realm via dns is disabled
krb5 kdc = "192.168.0.100:88,192.168.0.100"
krb5 kdc via dns is disabled
krb5 admin server = ""
pam_ldap is disabled
LDAP+TLS is disabled
LDAP server = "127.0.0.1"
LDAP base DN = "dc=example,dc=com"
pam_smb_auth is disabled
SMB workgroup = "TEST.COM"
SMB servers = "192.168.0.100"
pam_winbind is enabled
SMB workgroup = "TEST.COM"
SMB servers = "192.168.0.100"
SMB security = "ads"
SMB realm = "TEST.COM"
pam_cracklib is enabled (retry=3)
pam_passwdqc is disabled ()
So there you have it. I've googled for the problem with no luck. Any ideas?
Thanks,
Rafiq
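For the smb.conf fragment quoted in the message above, here is a small checker, added as an example alongside the thread (it is not Samba's testparm, and the thresholds and wording of the findings are my own). It parses the "key = value" lines and flags the general conditions an ADS setup has to meet: security = ads, an upper-case realm, a workgroup that is a NetBIOS domain name (short, normally without dots) rather than the DNS/realm name, and sane idmap ranges. The sample input is the fragment from the thread; whether any finding is the cause of the join error is not something the thread settles.

```python
"""Sanity checks for the smb.conf parameters of a 'security = ads' member server.
Added example, not Samba's testparm."""
import re
from typing import Dict, List

# Constructed sample: the smb.conf fragment posted in the thread.
SAMPLE_SMB_CONF = """\
workgroup = TEST.COM
security = ads
password server = 192.168.0.100
realm = TEST.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = no
"""


def parse_smb_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blanks, ';'/'#' comments and [section] headers are skipped.
    Keys are lower-cased so lookups do not depend on the author's capitalisation."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip()
    return params


def check_ads_params(params: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []

    # Kerberos/AD membership requires security = ads.
    if params.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' for a Kerberos/AD join")

    # Kerberos realms are case-sensitive and conventionally upper-case; it must also
    # match default_realm in krb5.conf.
    realm = params.get("realm", "")
    if not realm:
        findings.append("realm is not set")
    elif realm != realm.upper():
        findings.append(f"realm '{realm}' is not upper-case; Kerberos realms are case-sensitive")

    # 'workgroup' is the NetBIOS domain name: at most 15 characters, normally no dots.
    wg = params.get("workgroup", "")
    if "." in wg or len(wg) > 15:
        findings.append(
            f"workgroup '{wg}' looks like a DNS/realm name; workgroup is the NetBIOS "
            "domain name (at most 15 characters, normally without dots)")

    # idmap ranges must be LOW-HIGH with LOW < HIGH and clear of local accounts.
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)-(\d+)", params.get(key, ""))
        if not m:
            findings.append(f"{key} missing or not of the form LOW-HIGH")
            continue
        low, high = int(m.group(1)), int(m.group(2))
        if low >= high:
            findings.append(f"{key}: LOW must be below HIGH")
        elif low < 10000:
            findings.append(f"{key}: range starts inside the usual local-account uid/gid space")
    return findings


if __name__ == "__main__":
    for finding in check_ads_params(parse_smb_conf(SAMPLE_SMB_CONF)) or ["no findings"]:
        print("-", finding)
```

The same checks apply to the authconfig --test output further up, since it simply echoes these parameters (SMB workgroup, SMB realm, SMB security) back.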