Dear All,
I have successfully managed to get my Kerberos configured and working without error: when I run
kinit Administrator and enter the password, it works fine.
My krb5.conf:
--------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = BALADIA.LOCAL
 dns_lookup_kdc = false
 dns_lookup_realm = false

[realms]
 BALADIA.LOCAL = {
  default_domain = baladia.local
  kdc = 172.16.2.227:88
  admin_server = 172.16.2.227:749
  kdc = KMUN
 }

[domain_realm]
 baladia.local = BALADIA.LOCAL
--------------------------------
klist shows:
------------------------
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@BALADIA.LOCAL

Valid starting     Expires            Service principal
03/26/09 11:33:04  03/26/09 21:33:18  krbtgt/BALADIA.LOCAL@BALADIA.LOCAL
        renew until 03/27/09 11:33:04

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
------------------------
Now I have configured /etc/samba/smb.conf, but when I try to join the domain:

net ads join -U Administrator
Administrator's password:
[2009/03/26 21:58:05, 0] utils/net_ads.c:ads_startup_int(286)
  ads_connect: No logon servers
Failed to join domain: No logon servers
After googling and trying various options in /etc/samba/smb.conf, here is the latest smb.conf file:
---------------------
[global]
#--authconfig--start-line--
# Generated by authconfig on 2009/03/26 12:50:28
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = BALADIA.LOCAL
; password server = kmun.baladia.local
password server = 172.16.2.227
realm = KMUN.BALADIA.LOCAL
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind separator = +
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
encrypt passwords = yes
log level = 3
#--authconfig--end-line--
encrypt passwords = yes
dns proxy = no
server string = Samba Server Version %v
os level = 20
client use spnego = no
server signing = auto
--------------------------------------
Where could I be going wrong? I would be thankful and would really appreciate your advice on any setting in my smb.conf file.
Is there anything else to check?
When I run testparm it gives no errors.
Thanks and regards,
Fabian
In reply to fabian dacunha fabian@baladia.gov.kw, 2009/3/26 (message above):
Can you get to the ADS netlogon share? It is //domainname/netlogon which may be //baladia.local/netlogon/ on your network.
//172.16.2.227/netlogon ?
Further, even connecting WinVista to a domain will sometimes require raw editing of the host's properties in LDAP. Sysinternals' adexplorer.exe or jexplorer (don't use Java 1.6) are good at this. Specifically, you will want to make sure dnsHostName and servicePrincipalName (SPN) are correct. If not, these tools, with domain admin privilege, will let you edit these LDAP entries directly. Use a known good ADS-connected node as an example.
There is a list of apps based on python-ldap at http://python-ldap.sourceforge.net/apps.shtml Some of those would provide adexplorer.exe-type functionality, but I haven't tried them for editing. Hmmm, now I wonder if they work at all with Samba, because the Python hooks were removed in Samba 3.2.0 due to lack of maintenance?
I would like a script that could be run on a Windows ADS server, an ADS domain-connected Windows client, and Linux. The script would generate and verify everything needed to successfully connect: SASL required? Unsecured or secured auth? Kerberos and LDAP identifying info. ldapenum.pl was an attempt at this.
You will want to read the announcement for Samba 3.2, though I am not sure whether 3.2 is in the CentOS release repo or not. I ended up using fc9/fc10 for ADS joins. EnterpriseSamba.com may still be your best bet for CentOS. http://lists.samba.org/archive/samba-announce/2008/000145.html
On Thu, 2009-03-26 at 22:22 +0300, fabian dacunha wrote:
# Generated by authconfig on 2009/03/26 12:50:28
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = BALADIA.LOCAL
; password server = kmun.baladia.local
password server = 172.16.2.227
realm = KMUN.BALADIA.LOCAL
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind separator = +
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
encrypt passwords = yes
log level = 3
#--authconfig--end-line--
encrypt passwords = yes
dns proxy = no
server string = Samba Server Version %v
os level = 20
client use spnego = no
server signing = auto

Where could I be going wrong? I would be thankful and would really appreciate your advice on any setting in my smb.conf file.
1. It's usually better to set "password server" to "*".
2. Your realm is wrong; it should be just the domain, baladia.local.
3. Add "netbios name = [your server's hostname]"
4. Add "wins server = [your wins server(s)]"
5. "client use spnego" should likely be "yes"
6. Add "client ntlmv2 auth = yes".
7. Add "smb ports = 445"
8. Add "local master = no"
9. Add "domain master = no"
10. Add "preferred master = no"
I don't know if that's going to solve your problems. "no logon servers" indicates either a deeper problem (e.g. network issue), or simply that you've specified the wrong server to use for checking passwords against.
BTW, I still don't know why you have two "kdc" entries in your krb5.conf file. You only need one.
Regards,
Ranbir
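As an added example (not part of this thread, nor Samba's own tooling), the following POSIX shell script checks the configuration points raised in the replies before running `net ads join`: the smb.conf "realm" must match the krb5.conf "default_realm" (compared case-insensitively), "security" must be "ads", "password server" should be "*", "client use spnego" should not be "no", and the [realms] block should carry a single "kdc". The two sample configuration pairs are constructed here: the "posted" pair is trimmed from the configs in the thread, the "fixed" pair applies points 1, 2 and 5 of the list above plus the single-kdc remark. The helper names (cfg_values, cfg_get, cfg_count, check_join_config, join_config_ok) are mine, not Samba's.

```shell
#!/bin/sh
# Added pre-join sanity check for a Samba "security = ads" host (example code,
# not part of the thread). Compares smb.conf and krb5.conf against the points
# raised in the replies. Sample files below are constructed for the example.

# cfg_values FILE SECTION KEY: print every uncommented "KEY = value" found
# under "[SECTION]" in FILE, one value per line (section and key are matched
# case-insensitively; lines beginning with # or ; are ignored).
cfg_values() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s)
            cur = tolower(substr(s, 1, index(s, "]") - 1)); next
        }
        cur == tolower(sec) && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) print v
        }' "$1"
}
cfg_get()   { cfg_values "$@" | tail -n 1; }          # last value wins, as in smb.conf
cfg_count() { cfg_values "$@" | wc -l | tr -d ' '; }  # how many times KEY is set
upper()     { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# check_join_config SMB_CONF KRB5_CONF: print one line per problem found.
# Always returns 0 so callers can count the lines; see join_config_ok.
check_join_config() {
    smb=$1; krb=$2
    realm=$(cfg_get "$smb" global realm)
    default_realm=$(cfg_get "$krb" libdefaults default_realm)
    if [ "$(upper "$realm")" != "$(upper "$default_realm")" ]; then
        echo "realm mismatch: smb.conf realm='$realm' but krb5.conf default_realm='$default_realm'"
    fi
    if [ "$(cfg_get "$smb" global security)" != "ads" ]; then
        echo "security must be 'ads' for an AD join"
    fi
    pwsrv=$(cfg_get "$smb" global "password server")
    if [ -n "$pwsrv" ] && [ "$pwsrv" != "*" ]; then
        echo "password server is pinned to '$pwsrv'; '*' lets Samba locate a DC itself"
    fi
    if [ "$(cfg_get "$smb" global "client use spnego")" = "no" ]; then
        echo "client use spnego = no; the Kerberos join needs it set to yes"
    fi
    nkdc=$(cfg_count "$krb" realms kdc)
    if [ "$nkdc" -gt 1 ]; then
        echo "krb5.conf [realms] lists $nkdc kdc entries; one is enough"
    fi
    return 0
}

# join_config_ok SMB_CONF KRB5_CONF: succeed only when no problem was found.
join_config_ok() { [ -z "$(check_join_config "$1" "$2")" ]; }

# --- constructed sample configs (trimmed from the thread) -------------------
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
cat >"$TMPD/smb.conf.posted" <<'EOF'
[global]
workgroup = BALADIA.LOCAL
; password server = kmun.baladia.local
password server = 172.16.2.227
realm = KMUN.BALADIA.LOCAL
security = ads
client use spnego = no
EOF
cat >"$TMPD/krb5.conf.posted" <<'EOF'
[logging]
 kdc = FILE:/var/log/krb5kdc.log
[libdefaults]
 default_realm = BALADIA.LOCAL
[realms]
 BALADIA.LOCAL = {
  kdc = 172.16.2.227:88
  admin_server = 172.16.2.227:749
  kdc = KMUN
 }
EOF
# "fixed" pair: realm = domain, password server = *, spnego on, one kdc
sed -e 's/^realm = .*/realm = BALADIA.LOCAL/' -e 's/^password server = .*/password server = */' \
    -e 's/^client use spnego = .*/client use spnego = yes/' \
    "$TMPD/smb.conf.posted" >"$TMPD/smb.conf.fixed"
grep -v '^  kdc = KMUN$' "$TMPD/krb5.conf.posted" >"$TMPD/krb5.conf.fixed"

for variant in posted fixed; do
    echo "== $variant configuration =="
    check_join_config "$TMPD/smb.conf.$variant" "$TMPD/krb5.conf.$variant"
done
```

Run it as-is to see the four findings against the posted pair and none against the fixed pair; to check a real host, call check_join_config /etc/samba/smb.conf /etc/krb5.conf instead. It only inspects files, so a clean result does not prove the DC is reachable: "No logon servers" can still come from DNS or network problems, as Ranbir notes.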