I followed this howto: http://www.pro-linux.de/work/server/samba3-domaene.html
My configs:
/etc/krb5.conf
[libdefaults]
    default_realm = SEL.LOCAL
    clockskew = 300

[realms]
    SEL.LOCAL = {
        kdc = SSEL0003.SEL.LOCAL
    }

[domain_realm]
    .sel.local = SEL.LOCAL

[logging]
#   default = SYSLOG:NOTICE:DAEMON
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/kdc.log
    kadmind = FILE:/var/log/kadmind.log

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
    }
/etc/nsswitch.conf
group:      files winbind
hosts:      files dns
networks:   files dns
services:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
netgroup:   files nis
publickey:  files
bootparams: files
automount:  files nis
aliases:    files
/etc/samba/smb.conf
[global]
    workgroup = SEL
    netbios name = Fileserver
    realm = SEL.LOCAL
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    Winbind enum groups = yes
    Winbind enum users = yes
    winbind separator = /
    security = ADS
    encrypt passwords = yes
    client use spnego = yes

[stage]
    path = /daten/stage
    read only = no
    browseable = yes
    public = yes
    guest ok = no
    writable = yes
I am issued a ticket:
linuxtest:~ # kinit -V Administrator
Password for Administrator@SEL.LOCAL:
Authenticated to Kerberos v5
linuxtest:~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SEL.LOCAL

Valid starting     Expires            Service principal
07/06/06 09:38:23  07/06/06 19:38:50  krbtgt/SEL.LOCAL@SEL.LOCAL
        renew until 07/07/06 09:38:23

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Then I try to join the server to the domain:
net ads join -d 3 -S sel -U Administrator
[2006/07/06 10:14:29, 3] param/loadparm.c:lp_load(4878)
  lp_load: refreshing parameters
[2006/07/06 10:14:29, 3] param/loadparm.c:init_globals(1411)
  Initialising global parameters
[2006/07/06 10:14:29, 3] param/params.c:pm_process(574)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2006/07/06 10:14:29, 3] param/loadparm.c:do_section(3699)
  Processing section "[global]"
[2006/07/06 10:14:29, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.34.85 bcast=192.168.34.255 nmask=255.255.255.0
Administrator's password:
[2006/07/06 10:15:03, 3] libsmb/namequery.c:resolve_lmhosts(855)
  resolve_lmhosts: Attempting lmhosts lookup for name SEL<0x1c>
[2006/07/06 10:15:03, 3] libsmb/namequery.c:resolve_wins(752)
  resolve_wins: Attempting wins lookup for name SEL<0x1c>
[2006/07/06 10:15:03, 3] libsmb/namequery.c:resolve_wins(755)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2006/07/06 10:15:03, 3] libsmb/namequery.c:name_resolve_bcast(694)
  name_resolve_bcast: Attempting broadcast lookup for name SEL<0x1c>
[2006/07/06 10:15:03, 2] libsmb/namequery.c:name_query(492)
  Got a positive name query response from 192.168.34.18 ( 192.168.34.18 )
[2006/07/06 10:15:03, 2] libsmb/namequery.c:name_query(492)
  Got a positive name query response from 192.168.34.13 ( 192.168.34.13 )
[2006/07/06 10:15:04, 3] libads/ldap.c:ads_connect(288)
  Connected to LDAP server 192.168.34.18
[2006/07/06 10:15:04, 3] libads/ldap.c:ads_server_info(2542)
  got ldap server name ssel0003@SEL.LOCAL, using bind path: dc=SEL,dc=LOCAL
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name =ssel0003$@SEL.LOCAL
[2006/07/06 10:15:04, 3] libsmb/clikrb5.c:ads_krb5_mk_req(480)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2006/07/06 10:15:34, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(416)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 06 Jul 2006 20:15:16 CEST
[2006/07/06 10:15:55, 3] libads/ldap.c:ads_workgroup_name(2690)
  Found alternate name 'SEL' for realm 'SEL.LOCAL'
Using short domain name -- SEL
[2006/07/06 10:16:25, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(593)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2006/07/06 10:16:55, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(593)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type
And the event log spits out this:
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 27
Date: 06.07.2006
Time: 10:16:48
User: N/A
Computer: SSEL0003
Description:
While processing a TGS request for the target server FILESERVER$, the account FILESERVER$@SEL.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 17. The accounts available etypes were 23 -133 -128 3 1.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
What am I doing wrong?
Regards, Guggi
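As an added diagnostic that is not part of this thread, the following Python parses the KDC Event ID 27 text quoted above, names the enctype IDs, and shows that the requested etype 17 (AES128) shares no enctype with the ones the computer account actually holds, which is what the Samba side reports as "KDC has no support for encryption type"; it then renders the MIT krb5.conf [libdefaults] lines that would pin the client to the enctypes the KDC offers, a common remedy for this mismatch. The etype names follow RFC 3961/3962/4757 and MIT Kerberos; the negative IDs are assumed to be Microsoft-internal values with no public name.

```python
import re
# Kerberos enctype IDs (RFC 3961/3962; RC4-HMAC from RFC 4757) mapped to a
# display name and the MIT krb5.conf spelling of the same enctype.
ETYPES = {
    1: ("DES-CBC-CRC", "des-cbc-crc"),
    3: ("DES-CBC-MD5", "des-cbc-md5"),
    17: ("AES128-CTS-HMAC-SHA1-96", "aes128-cts-hmac-sha1-96"),
    18: ("AES256-CTS-HMAC-SHA1-96", "aes256-cts-hmac-sha1-96"),
    23: ("RC4-HMAC", "arcfour-hmac-md5"),
}

# Description text copied from the KDC Event ID 27 in the post above.
EVENT = ("While processing a TGS request for the target server FILESERVER$, "
         "the account FILESERVER$@SEL.LOCAL did not have a suitable key for "
         "generating a Kerberos ticket (the missing key has an ID of 8). "
         "The requested etypes were 17. The accounts available etypes were "
         "23 -133 -128 3 1.")
_REQ = re.compile(r"requested etypes were ([-\d ]+?)\.")
_AVAIL = re.compile(r"available etypes were ([-\d ]+?)\.")

def parse_event27(description):
    """Return (requested, available) etype ID lists from an Event 27 description."""
    req, avail = _REQ.search(description), _AVAIL.search(description)
    if not req or not avail:
        raise ValueError("not a KDC Event ID 27 description")
    ids = lambda s: [int(x) for x in s.split()]
    return ids(req.group(1)), ids(avail.group(1))

def name(etype):
    """Human-readable name; negative IDs are assumed Microsoft-internal (no IANA name)."""
    if etype in ETYPES:
        return ETYPES[etype][0]
    return "Microsoft-internal etype" if etype < 0 else "unknown etype"

def diagnose(description):
    """Report requested/available etypes, their overlap, and usable krb5.conf names."""
    requested, available = parse_event27(description)
    return {
        "requested": [(e, name(e)) for e in requested],
        "available": [(e, name(e)) for e in available],
        "overlap": [e for e in requested if e in available],
        "krb5_enctypes": [ETYPES[e][1] for e in available if e in ETYPES],
    }

def krb5_libdefaults(enctypes):
    """Render [libdefaults] lines pinning the client to enctypes the KDC offers."""
    keys = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
    return "\n".join(f"    {k} = {' '.join(enctypes)}" for k in keys)

if __name__ == "__main__":
    d = diagnose(EVENT)
    print("no common enctype:" if not d["overlap"] else "overlap:", d)
    print("[libdefaults]\n" + krb5_libdefaults(d["krb5_enctypes"]))
```

An empty overlap means the client asked only for an enctype the account has no key for; restricting the client to the available set (or letting the join provision a key the KDC supports) removes the mismatch.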
Michael von Guggenberg wrote:
> net ads join -d 3 -S sel -U Administrator
With net rpc join it worked! Samba is dancing.