RE: Authenticating off a Windows 2003 ADS DC with Samba/Winbind

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx
[mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of
Rafiq_Maniar@xxxxxxxx
Sent: Tuesday, November 16, 2004 1:01 PM
To: fedora-list@xxxxxxxxxx
Subject: RE: Authenticating off a Windows 2003 ADS DC with Samba/Winbind



Ok guys, at least I know that it does work for other people.

Here's the network configuration:
- Windows 2003 Server gx270-rmaniar [192.168.0.100]
- Fedora Core 3 gx280rmaniarFC3 [192.168.0.5]

FYI: A Windows XP box correctly connects to the DC OK.

**********************

Here's what I've done:
- removed the Active Directory service from the W2K3 box and started
from scratch again.
- configured /etc/krb5.conf
- timesynced both the Linux and Windows boxes
- Used kinit Administrator@xxxxxxxx to login, all OK. 
- Can login to smb share using smbclient -k //gx270-rmaniar/C$ so
kerberos ticket is ok.
- configured winbind/smb.conf using the Authentication applet.
- smb/winbind are started ok.

**********************
Here's the problem:
[root@gx280rmaniarFC3 samba]# net ads join -S gx270-rmaniar -U
Administrator
Administrator's password:
[2004/11/16 17:35:12, 0] libads/ldap.c:ads_join_realm(1640)
  ads_add_machine_acct (gx280rmaniarfc3): Type or value exists
ads_join_realm: Type or value exists

So it says it exists already, despite the fact that its not shown in the
'Computers' list in AD.

Tried it again, and got:
[root@gx280rmaniarFC3 pam.d]# net ads join -S gx270-rmaniar -U
Administrator
Administrator's password:
[2004/11/16 17:51:26, 0] libads/ldap.c:ads_add_machine_acct(1297)
  ads_add_machine_acct: Host account for gx280rmaniarfc3 already exists
- modifying old account
[2004/11/16 17:51:26, 0] libads/ldap.c:ads_join_realm(1640)
  ads_add_machine_acct (gx280rmaniarfc3): Type or value exists
ads_join_realm: Type or value exists

The computer now appears in the "Computers" list on the Windows server.


[root@gx280rmaniarFC3 samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret


**********************
Here's the relevant info from smb.conf:
   workgroup = TEST.COM
   security = ads
   password server = 192.168.0.100
   realm = TEST.COM
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = no


And someone asked for authconfig --test --kickstart:
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "127.0.0.1"
 LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is enabled
 SMB workgroup = "TEST.COM"
 SMB servers = "192.168.0.100"
 SMB security = "ads"
 SMB realm = "TEST.COM"
 Winbind template shell = "/bin/bash"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
 shadow passwords are enabled
 md5 passwords are enabled
pam_krb5 is disabled
 krb5 realm = "TEST.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "192.168.0.100:88,192.168.0.100"
 krb5 kdc via dns is disabled
 krb5 admin server = ""
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "127.0.0.1"
 LDAP base DN = "dc=example,dc=com"
pam_smb_auth is disabled
 SMB workgroup = "TEST.COM"
 SMB servers = "192.168.0.100"
pam_winbind is enabled
 SMB workgroup = "TEST.COM"
 SMB servers = "192.168.0.100"
 SMB security = "ads"
 SMB realm = "TEST.COM"
pam_cracklib is enabled (retry=3)
pam_passwdqc is disabled ()


So there you have it. I've googled for the problem with no luck. Any
ideas?

Thanks,
Rafiq

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list

Rafiq,

One problem I can see right off the bat is that the domain name you have
chosen for your DC is test.com. This has caused problems in the past
using real domain names because DNS tells the stations to look elsewhere
for info. I know it is a hassle to reload Server 2003, especially if
this is on a working machine. But I would suggest that you use a domain
name of test.local so it does not look outside your network for
resolution.


Thanx,
Don Casey
Systems Administrator
World Ramp Inc.
2221 Lee Rd.
Suite 25
Winter Park, Fl 32789
(407)740-5987
(407)740-7250 Fax




[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux