Authenticating off a Windows 2003 ADS DC with Samba/Winbind

Don Casey dcasey at worldramp.net
Tue Nov 16 19:17:16 UTC 2004

-----Original Message-----
From: fedora-list-bounces at redhat.com
[mailto:fedora-list-bounces at redhat.com] On Behalf Of
Rafiq_Maniar at Dell.com
Sent: Tuesday, November 16, 2004 1:01 PM
To: fedora-list at redhat.com
Subject: RE: Authenticating off a Windows 2003 ADS DC with Samba/Winbind

Ok guys, at least I know that it does work for other people.

Here's the network configuration:
- Windows 2003 Server gx270-rmaniar [192.168.0.100]
- Fedora Core 3 gx280rmaniarFC3 [192.168.0.5]

FYI: A Windows XP box correctly connects to the DC OK.

**********************

Here's what I've done:
- removed the Active Directory service from the W2K3 box and started
from scratch again.
- configured /etc/krb5.conf
- timesynced both the Linux and Windows boxes
- Used kinit Administrator@TEST.COM to login, all OK.
- Can login to smb share using smbclient -k //gx270-rmaniar/C$ so
kerberos ticket is ok.
- configured winbind/smb.conf using the Authentication applet.
- smb/winbind are started ok.

**********************
Here's the problem:
[root@gx280rmaniarFC3 samba]# net ads join -S gx270-rmaniar -U
Administrator
Administrator's password:
[2004/11/16 17:35:12, 0] libads/ldap.c:ads_join_realm(1640)
  ads_add_machine_acct (gx280rmaniarfc3): Type or value exists
ads_join_realm: Type or value exists

So it says it exists already, despite the fact that it's not shown in the
'Computers' list in AD.

Tried it again, and got:
[root@gx280rmaniarFC3 pam.d]# net ads join -S gx270-rmaniar -U
Administrator
Administrator's password:
[2004/11/16 17:51:26, 0] libads/ldap.c:ads_add_machine_acct(1297)
  ads_add_machine_acct: Host account for gx280rmaniarfc3 already exists
- modifying old account
[2004/11/16 17:51:26, 0] libads/ldap.c:ads_join_realm(1640)
  ads_add_machine_acct (gx280rmaniarfc3): Type or value exists
ads_join_realm: Type or value exists

The computer now appears in the "Computers" list on the Windows server.

[root@gx280rmaniarFC3 samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret


**********************
Here's the relevant info from smb.conf:
   workgroup = TEST.COM
   security = ads
   password server = 192.168.0.100
   realm = TEST.COM
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = no


And someone asked for authconfig --test --kickstart:
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "127.0.0.1"
 LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is enabled
 SMB workgroup = "TEST.COM"
 SMB servers = "192.168.0.100"
 SMB security = "ads"
 SMB realm = "TEST.COM"
 Winbind template shell = "/bin/bash"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
 shadow passwords are enabled
 md5 passwords are enabled
pam_krb5 is disabled
 krb5 realm = "TEST.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "192.168.0.100:88,192.168.0.100"
 krb5 kdc via dns is disabled
 krb5 admin server = ""
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "127.0.0.1"
 LDAP base DN = "dc=example,dc=com"
pam_smb_auth is disabled
 SMB workgroup = "TEST.COM"
 SMB servers = "192.168.0.100"
pam_winbind is enabled
 SMB workgroup = "TEST.COM"
 SMB servers = "192.168.0.100"
 SMB security = "ads"
 SMB realm = "TEST.COM"
pam_cracklib is enabled (retry=3)
pam_passwdqc is disabled ()


So there you have it. I've googled for the problem with no luck. Any
ideas?

Thanks,
Rafiq


Rafiq,

One problem I can see right off the bat is that the domain name you have
chosen for your DC is test.com. This has caused problems in the past
using real domain names because DNS tells the stations to look elsewhere
for info. I know it is a hassle to reload Server 2003, especially if
this is on a working machine. But I would suggest that you use a domain
name of test.local so it does not look outside your network for
resolution.


Thanx,
Don Casey
Systems Administrator
World Ramp Inc.
2221 Lee Rd.
Suite 25
Winter Park, Fl 32789
(407)740-5987
(407)740-7250 Fax
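Two things in the thread are worth checking mechanically before running "net ads join": the smb.conf fragment Rafiq posted (workgroup, security, realm) and Don's point that a real domain name such as test.com makes the client's DNS lookups for the realm leave the local network. The script below is an added example, not code from the thread; it lints a constructed copy of the posted smb.conf fragment and prints the SRV names a client resolves for the realm, so you can see where those queries go.

```sh
#!/bin/sh
# Added example (not from the thread): lint the ADS-related settings of an
# smb.conf and show which DNS SRV names a client looks up for the realm.

# Constructed sample mirroring the smb.conf fragment posted in the thread.
SAMPLE_SMB_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_SMB_CONF"' EXIT
cat >"$SAMPLE_SMB_CONF" <<'EOF'
   workgroup = TEST.COM
   security = ads
   password server = 192.168.0.100
   realm = TEST.COM
EOF

# get_opt FILE KEY -> prints the value of KEY (whitespace around '=' trimmed)
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# lint_smb_conf FILE -> prints one line per finding; return code = number of findings
lint_smb_conf() {
    f=$1; n=0
    wg=$(get_opt "$f" workgroup); realm=$(get_opt "$f" realm); sec=$(get_opt "$f" security)
    if [ "$sec" != "ads" ]; then echo "security must be 'ads' for an AD join (got '$sec')"; n=$((n+1)); fi
    case "$wg" in
        *.*) echo "workgroup '$wg' looks like a DNS name; it must be the NetBIOS (short) domain name"; n=$((n+1)) ;;
    esac
    if [ ${#wg} -gt 15 ]; then echo "workgroup '$wg' exceeds the 15-character NetBIOS limit"; n=$((n+1)); fi
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm '$realm' should be upper case (Kerberos realm names are case-sensitive)"; n=$((n+1))
    fi
    return $n
}

# srv_names REALM -> the SRV records a client queries to find the KDC and LDAP.
# If REALM is a registered public domain, these lookups resolve on the
# Internet, not on your DC, unless your own DNS is authoritative for it.
srv_names() {
    r=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '_kerberos._udp.%s\n_ldap._tcp.%s\n_ldap._tcp.dc._msdcs.%s\n' "$r" "$r" "$r"
}

findings=0
lint_smb_conf "$SAMPLE_SMB_CONF" || findings=$?
echo "findings: $findings"
srv_names "$(get_opt "$SAMPLE_SMB_CONF" realm)"
```

On the posted fragment the lint reports one finding (workgroup set to the DNS realm rather than the short NetBIOS name); resolve the printed SRV names with "host -t SRV" and confirm they point at 192.168.0.100 before joining.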