senzacionale Guru
Joined: 29 Jun 2004 Posts: 532 Location: Slovenia
Posted: Fri Jan 07, 2005 12:20 pm Post subject:
kinit Administrator@EXAMPLE.COM
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials
and I use the maalth howto.
What did I do wrong? _________________ Online food ordering and home food delivery on the DostavaHrane.si portal |

Martz n00b
Joined: 04 Mar 2004 Posts: 72
Posted: Sat Jan 08, 2005 4:45 pm Post subject:
senzacionale wrote: | kinit Administrator@EXAMPLE.COM
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials
and I use the maalth howto.
What did I do wrong? |
It looks like the same error as on page 3:
lord_ph wrote: | i found out the answer to my own question... and to anybody else who is getting the error i had:
Quote: |
kinit(v5): KDC reply did not match expectations while getting initial credentials
|
The solution is really simple... so simple that you'll hit yourself on the head. When doing your kinit, make sure you do the realm in UPPER CASE.
Code: |
kinit lord_ph@EXAMPLE.COM
|
i hope this helps more people than me. |

dannycpw n00b
Joined: 21 Jan 2005 Posts: 3
Posted: Fri Jan 21, 2005 7:20 am Post subject:
According to http://mailman.mit.edu/pipermail/kerberos/2002-May/000835.html
Quote: | You need to change the Administrator password at least once after DC
promotion.
Any account that is present before an "upgrade" requires that the
password be changed so that the DES keys are generated.
The "administrator" account is created prior to DC promotion and because
of this it is just like an "upgrade" even though the domain is new. |
Others, I get error as shown when I do wbinfo -u.
Quote: | # wbinfo -u
Error looking up domain users |
And only built-in groups can be shown when I do wbinfo -g.
Quote: | # wbinfo -g
BUILTIN+System Operators
... |
Any idea which part may be going wrong (e.g. pam, smb.conf)?
yours,
Danny |

solomonHk Apprentice
Joined: 28 Mar 2004 Posts: 226 Location: int main(void) { };
Posted: Mon Jan 24, 2005 3:57 pm Post subject:
When using net ads join,... I get ADS support not compiled in. I can't resolve to the ADDC, and I am able to authenticate. Any ideas why net ads join fails? |

solomonHk Apprentice
Joined: 28 Mar 2004 Posts: 226 Location: int main(void) { };
Posted: Tue Jan 25, 2005 2:38 pm Post subject:
On my problem:
Found out gentoo would not emerge samba correctly. It would not, even with modified ebuild, compile in kerberos for ads support.
Building from binaries atm.
[EDIT]
Everything is operational, with computer added to AD. Now, when I try to smbmount, I get:
Code: | 23779: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
SMB connection failed
|
Any Suggestions? |

solomonHk Apprentice
Joined: 28 Mar 2004 Posts: 226 Location: int main(void) { };
Posted: Tue Jan 25, 2005 7:55 pm Post subject:
Some more helpful things I found along the way:
If you want to map a win machine to a mount on your nix: to see if there is an available share out there, use smbclient.
So Code: | smbclient //NETBIOS_NAME/Share |
Just hitting enter will give you anonymous access.
Code: | smbclient //NETBIOS_NAME/Share -U username%password |
where username and password are from the Windows network, gives you whatever access that username has.
I found it easier to create a credentials file called .smbpw that looks like this
Code: |
username = johndoe
password = allstars
|
Then all you need to do to smbclient is:
Code: | smbclient //NETBIOS_NAME/SHARE -A ~/.smbpw |
As you can guess, the -A makes smbclient access the file.
To actually mount the share, make sure smbfs is enabled in your kernel.
Usually under Filesystems > Network Filesystems.
If you created the .smbpw file, to mount the drive all you need to do is create a directory to mount it to:
Then use smbmount
Code: | smbmount //NETBIOS_NAME/SHARE /Share -o "credentials=/.smbpw,uid=username,gid=username,fmask=644,dmask=755" |
And if you want to automatically mount on boot, edit your /etc/fstab to include this:
Code: |
//NETBIOS_NAME/SHARE /Share smbfs credentials=/.smbpw,uid=username,gid=username,fmask=664,dmask=775 0 0 |
Just make sure that all of that is on one line in fstab!
Hope this adds some additional support. |
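
An added example, not part of the post above and not Samba's own code: the credentials file and the fstab line in that post both hold or point at a cleartext domain password, so this audit reads fstab text, finds smbfs/cifs entries, and reports an inline `password=` option or a `credentials=` file that group or other users can access. The function names and the demo paths are assumptions made for the example.

```python
import os
import stat

SMB_FSTYPES = {"smbfs", "cifs"}


def parse_smb_mounts(fstab_text):
    """Return (device, mountpoint, options) for every smbfs/cifs line in fstab text."""
    mounts = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        if fields[2] not in SMB_FSTYPES:
            continue
        options = {}
        for item in fields[3].split(","):
            key, _, value = item.partition("=")
            options[key] = value
        mounts.append((fields[0], fields[1], options))
    return mounts


def audit_credentials_file(path):
    """Report a credentials file that anyone but its owner can access."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:04o} exposes the password to group/other; chmod 600"]
    return []


def audit_fstab(fstab_text):
    """Return findings for SMB mounts whose password is exposed to other local users."""
    findings = []
    for device, _mountpoint, options in parse_smb_mounts(fstab_text):
        if "password" in options:
            findings.append(f"{device}: password= is inline in fstab; use credentials=")
        cred_path = options.get("credentials")
        if cred_path:
            findings.extend(audit_credentials_file(cred_path))
    return findings


if __name__ == "__main__":
    import tempfile

    # Constructed demo: a throwaway credentials file in the format shown in the post.
    with tempfile.TemporaryDirectory() as tmp:
        cred = os.path.join(tmp, ".smbpw")
        with open(cred, "w") as fh:
            fh.write("username = johndoe\npassword = constructed-example\n")
        os.chmod(cred, 0o644)
        fstab = f"//NETBIOS_NAME/SHARE /Share smbfs credentials={cred},uid=username 0 0\n"
        print(audit_fstab(fstab))   # one finding: mode 0644
        os.chmod(cred, 0o600)
        print(audit_fstab(fstab))   # no findings
```

On a real host, pass the contents of /etc/fstab to `audit_fstab`.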

sirlark Guru
Joined: 25 Oct 2004 Posts: 306 Location: Limerick, Ireland
Posted: Mon Jan 31, 2005 10:56 am Post subject: I can't see shares...
Hi there,
Thanks for the great HOWTO, only I can't access my shares...
I can see my Samba Server in the list, but when I try to access it, I am asked for a username and password. I've tried my AD username/password combo, my linux username/password combo, my samba username/password combo, and even the windows administrator and linux root logins. No matter which one I try, I get an error message saying I don't have permission to access the share in question.
"\\SYBILL is not accessible. You may not have permission to access this network resource."
What have I done wrong??
Thanks
James _________________ Adopt an unanswered post today |

solomonHk Apprentice
Joined: 28 Mar 2004 Posts: 226 Location: int main(void) { };
Posted: Mon Jan 31, 2005 8:15 pm Post subject:
@sirlark
What did you name your shares in the smb.conf?
For example my share is setup as
Code: |
[data]
comment=blah
path=/test
|
In order to access the share, you should have \\NETBIOSNAME\SHARENAME. So in my case, it is \\o2_mk_72\data.
I too get the UID/PID request if I try to connect to just the samba server without the share included. So try that, and see if it works. If it is still unreachable, if you could, post your share section of your smb.conf.
Thanks |

sirlark Guru
Joined: 25 Oct 2004 Posts: 306 Location: Limerick, Ireland
Posted: Tue Feb 01, 2005 8:05 am Post subject:
Howdy,
Sorry, should have thought to do this before...
Here is an excerpt of my smb.conf
Quote: |
[global]
netbios name = TEST
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
winbind gid = 10000-20000
workgroup = EXAMPLE
os level = 20
winbind enum groups = yes
socket address = 10.0.2.4
password server = *
preferred master = no
winbind separator = +
max log size = 50
log file = /var/log/samba/log.%m
encrypt passwords = yes
dns proxy = no
realm = EXAMPLE.LOCAL
security = ADS
wins server = 10.0.2.2
wins proxy = no
interfaces = 10.0.2.4/24
bind interfaces only = Yes
[myshare]
path = /mnt/baracuda200/mysahre
valid users = root
|
I have replaced my actual config with EXAMPLE/TEST, but otherwise this is the whole thing. The problem is not that it asks to authenticate when I try to look at the share, but that it won't authenticate ANYTHING. I have tried every conceivable username/password combo that might be involved and I get diddly. I have also tried to access //TEST/MYSHARE directly... but the same thing happens... I've tried from a win2k box, and a win XP pro box, and a Win2003 Server box, if that makes a difference. _________________ Adopt an unanswered post today |

zurd Apprentice
Joined: 17 Dec 2003 Posts: 228 Location: Canada, Montreal
Posted: Tue Feb 01, 2005 2:45 pm Post subject: 1
Code: |
[myshare]
path = /mnt/baracuda200/mysahre
valid users = root
|
myshare or mysahre? |

solomonHk Apprentice
Joined: 28 Mar 2004 Posts: 226 Location: int main(void) { };
Posted: Tue Feb 01, 2005 3:37 pm Post subject:
Code: | [myshare]
path = /mnt/baracuda200/mysahre
valid users = root |
If you want, you can try to see if it will at least connect with a basic configuration: This will mean setting it to read only = no and making the folder public.
Code: | [myshare]
path=/mnt/baracuda200/myshare
read only = no
browseable = yes
create mode = 0770
public = yes
writable = yes
|
Should work. As zurd stated, if that is indeed your share, is the path correct? That may also cause issues if it is not mysahre. When you try to access a non-existing folder for a share over a network, the share tries to access the closest related folder, that being /mnt/baracuda200. Since that folder is not set up in the smb.conf as a shared resource, it will deny access much the same way it will deny access to the entire machine.
If you were wanting access to the entire filesystem, you could share path = /, but that poses serious security issues.
Let me know how things go via thread or PM. |
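
An added example, not part of the post above and not Samba's own code: the test configuration in that post makes the share guest-accessible and writable, and the post notes that sharing `path = /` is a security problem, so this audit parses smb.conf text and flags those cases plus writable shares with no `valid users` line. The sample config is constructed from share definitions quoted in this thread; the `[everything]` share and the finding labels are hypothetical.

```python
import re

TRUE_VALUES = {"yes", "true", "1"}
INVERTED_READ_ONLY = {"writable", "writeable", "writeok"}  # inverted synonyms of "read only"

# Constructed sample built from shares quoted in this thread; [everything] is hypothetical.
SAMPLE_CONF = """
[global]
   security = ADS
[myshare]
   path = /mnt/baracuda200/myshare
   read only = no
   public = yes
   writable = yes
[everything]
   path = /
   valid users = root
[web]
   path = /var/www/localhost/htdocs/
   writeable = yes
   public = no
   valid users = @"Domain Admins",@"Global IS"
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}; names are compared ignoring case and whitespace."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        key, value = re.sub(r"\s+", "", name).lower(), value.strip()
        if key == "public":                      # synonym of "guest ok"
            key = "guestok"
        elif key in INVERTED_READ_ONLY:          # fold into "read only"
            key = "readonly"
            value = "no" if value.lower() in TRUE_VALUES else "yes"
        current[key] = value                     # a later line overrides an earlier one
    return sections


def audit_shares(text):
    """Return {share: [finding labels]} for every non-global section."""
    sections = parse_smb_conf(text)
    defaults = sections.get("global", {})
    report = {}
    for name, params in sections.items():
        if name == "global":
            continue
        merged = {**defaults, **params}
        guest = merged.get("guestok", "no").lower() in TRUE_VALUES
        writable = merged.get("readonly", "yes").lower() not in TRUE_VALUES
        issues = []
        if guest and writable:
            issues.append("guest-writable")
        elif writable and "validusers" not in merged:
            issues.append("writable-without-valid-users")
        path = merged.get("path", "")
        if path and path.strip("/") == "":
            issues.append("path-is-filesystem-root")
        report[name] = issues
    return report


if __name__ == "__main__":
    print(audit_shares(SAMPLE_CONF))
```

A mistyped parameter name such as `ready only` is not recognised, so the share keeps the read-only default; Samba's `testparm` reports unknown parameter names when run against the real file.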

likid0 n00b
Joined: 01 Sep 2004 Posts: 16
Posted: Tue Feb 01, 2005 4:10 pm Post subject: Duh
I get this double checking of the domain name:
[1702]<<GeN@BoX>>~]$ S net ads join -U administrador
[2005/02/01 17:07:32, 0] libads/kerberos.c:get_service_ticket(335)
get_service_ticket: kerberos_kinit_password GENTOOBOX$@DEIMOS-SPACE.COM@DEIMOS-SPACE.COM failed: Preauthentication failed
my config files are just the same.
[libdefaults]
default_realm = DEIMOS.TV
[realms]
DEIMOS.TV = {
kdc = newphobos.deimos.tv
}
Any idea why I get that error? The kinit test works fine.
thnx!! _________________ ------------------------------------------------
Windows?, no ThnX. www.powerappz.com |

zurd Apprentice
Joined: 17 Dec 2003 Posts: 228 Location: Canada, Montreal
Posted: Tue Feb 01, 2005 8:21 pm Post subject:
@ likid0
Code: |
[1702]<<GeN@BoX>>~]$ S net ads join -U administrador
|
Instead, try this and watch for uppercase and typos !
Code: |
net ads join -U Administrator
|
If it still ain't working and you have another user which has Administrator status and privileges, try:
Code: |
net ads join -U your_user
|

likid0 n00b
Joined: 01 Sep 2004 Posts: 16
Posted: Wed Feb 02, 2005 8:08 am Post subject:
Yep, I use administrador because the server is in Spanish, but I also tried with Administrador, and with users with privileges, but it's the same answer:
ibads/kerberos.c:get_service_ticket(335)
get_service_ticket: kerberos_kinit_password GENTOOBOX$@DEIMOS-SPACE.COM@DEIMOS-SPACE.COM failed: Client not found in Kerberos database
Does it have to put two domain names at the end?
GENTOOBOX$@DEIMOS-SPACE.COM@DEIMOS-SPACE.COM looks strange...
duh
Thnx for da help!! _________________ ------------------------------------------------
Windows?, no ThnX. www.powerappz.com |

solomonHk Apprentice
Joined: 28 Mar 2004 Posts: 226 Location: int main(void) { };
Posted: Wed Feb 02, 2005 1:56 pm Post subject:
@ likid0
Could you post your /etc/samba/smb.conf and your /etc/krb5.conf?
Looks like there might be an error in one of those files. If not it may be in your domainname setup locally. |

likid0 n00b
Joined: 01 Sep 2004 Posts: 16
Posted: Wed Feb 02, 2005 5:35 pm Post subject:
Yeah, I got it w0rking OK now, but when I try to access a share on my Linux box from a Windows domain computer I get the password prompt, I don't get transparent access. I can do: wbinfo -u and S wbinfo -g, they work fine. My config files:
Code: |
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $
passwd: compat winbind
shadow: compat
group: compat winbind
more /etc/pam.d/samba
#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth required pam_smbpass.so nodelay
auth sufficient /lib/security/pam_winbind.so try_first_pass
account required /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
|
any ideas why i get asked for the password??
thnx!!!! _________________ ------------------------------------------------
Windows?, no ThnX. www.powerappz.com |

solomonHk Apprentice
Joined: 28 Mar 2004 Posts: 226 Location: int main(void) { };
Posted: Wed Feb 02, 2005 8:51 pm Post subject:
@likid0
This may sound redundant, but are you trying to access just the machine, or the actual share.
In other words,
is it \\LINUX_BOX or is it \\LINUX_BOX\NAME_OF_SHARE_IN_SMB.CONF? |

likid0 n00b
Joined: 01 Sep 2004 Posts: 16
Posted: Thu Feb 03, 2005 8:12 am Post subject:
I am trying both, but the result is the same
winbind is running ok;
Code: |
ps aux | grep win
root 6724 1.0 0.5 8104 3272 ? Ss 08:11 0:00 winbindd
root 6725 0.0 0.3 7848 2184 ? S 08:11 0:00 winbindd
|
mf mf i can see my linux box in the AD computers OU, but the authentication is not working duh.
What I see isn't w0rking is:
getent passwd
I only get the output of the local unix users, no AD users get listed here.
And I also don't get a ticket:
Code: |
$ S kinit Administrador
Password for Administrador@DEIMOS-SPACE.COM:
[0950]<<GeN@BoX>>~]$ S klist tickets
klist: No credentials cache found (ticket cache FILE:tickets)
|
thnx once more. _________________ ------------------------------------------------
Windows?, no ThnX. www.powerappz.com |

lhurgoyf n00b
Joined: 11 Jun 2003 Posts: 34
Posted: Fri Feb 04, 2005 8:56 am Post subject:
I have set up the Samba server properly by using this document and it's working as I expected it would. It's in the domain, shares are visible and usable. But now I want to go one step further and allow Windows security. According to the Samba site you should enable ACLs on the Linux filesystem to allow Windows security, but I'm wondering if there maybe is another way to accomplish this, maybe by enabling LDAP or so.
Any input would be nice so I can set this up and maybe give an update on the document on the first page. _________________ Nederlands linux forum? Flash @ http://www.nedlinux.nl |

likid0 n00b
Joined: 01 Sep 2004 Posts: 16
Posted: Fri Feb 04, 2005 12:07 pm Post subject:
Just to keep you updated:
getent passwd now w0rks ok, I can see the mapping of the users and groups from the AD domain to the Linux box, but I still get asked for a password. Argg! _________________ ------------------------------------------------
Windows?, no ThnX. www.powerappz.com |

smouge n00b
Joined: 22 Jan 2003 Posts: 66 Location: Oosterhout, the Netherlands
Posted: Tue Feb 08, 2005 1:09 pm Post subject:
Thanks a lot for the howto! Got it working, after some initial errors:
net ads join -U Administrator
Feb 8 11:50:30 lnx-netmon2 net: get_service_ticket: kerberos_kinit_password LNX-NETMON2$@DWNET.HQ.APPLE.NL@DWNET.HQ.APPLE.NL failed: Preauthentication failed
This error I resolved by setting the ntp server same as the one that the AD server is using, and I did a reboot. After this I could join the AD.
# getent passwd doesn't show the AD users
and logging in from other windows machine kept on asking for username/password
This one is solved by updating the /etc/nsswitch as stated in the howto and restarting samba/winbindd:
Quote: |
You need to edit the file /etc/nsswitch.conf You need to change two lines to look like this (other lines removed to keep this post short as possible):
Code:
passwd: compat winbind
shadow: compat
group: compat winbind
|
_________________ Can't think about anything funny to place here |

exklusve Apprentice
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Thu Feb 10, 2005 11:00 pm Post subject:
First off thanks for the great how to!
I've got everything working great right off the bat.
But I've run into one problem.
I can't control what group/user can access the share I have created. I don't want to make the share public and writeable to everyone.
Here's my smb.conf
Code: | [global]
netbios name = Intranet
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
winbind gid = 10000-20000
workgroup = MYDOMAIN
os level = 20
winbind enum groups = yes
socket address = 192.168.1.23
password server = 192.168.1.9
preferred master = no
winbind separator = +
max log size = 500
log file = /var/log/samba3/log.%m
encrypt passwords = yes
dns proxy = no
realm = MYDOMAIN.COM
security = ADS
#wins server = 1.2.3.4 <- Change to IP address of your installed WINS server
wins proxy = no
# Shares section
[web]
comment = Web
writeable = yes
path = /var/www/localhost/htdocs/
force user = me
valid users = @MYDOMAIN+"tech"
public = no
|
I can run and
I can browse to the samba server and see the 'web' share, but when I try to access that share I get an Access Denied error. I've even tried a chmod 777 on the dir.
Under the valid users i've tried @tech (tech is the group i want to use) @MYDOMAIN+tech and @MYDOMAIN+"tech" no luck on any of those.
Any help is greatly appreciated!
Thanks!! _________________ eXklusve
You do know that no one gives a shit about your system spec's right? |

sirlark Guru
Joined: 25 Oct 2004 Posts: 306 Location: Limerick, Ireland
Posted: Fri Feb 11, 2005 1:55 pm Post subject:
Hi there
I'm still having issues with samba and AD. I can join to the domain without problems.
--edit--
hmm, actually since rebooting a while back, it appears that I can't...
Quote: |
root@sybill ~ # net ads join EPWORTH
[2005/03/03 16:05:36, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for sybill already exists - modifying old account
Using short domain name -- EPWORTH
[2005/03/03 16:05:39, 0] libads/kerberos.c:get_service_ticket(335)
get_service_ticket: kerberos_kinit_password SYBILL$@EPWORTH.LOCAL@EPWORTH.LOCAL failed: Preauthentication failed
Segmentation fault
|
Firstly: I'm trying to share some directories to selected users, using 'valid users = ...' in smb.conf. This will not work at all unless I include 'smbusermap = ...'. I thought joining to the domain was meant to obviate the use of usermaps.... Including the usermap entry allows the win2k3 administrator account to see the share, but they are requested for a password, which must be the samba password of the root account (the directory being shared is owned by root, and can only be read by root) Trying to share a user's home directory so they can see it from a windows machine doesn't work, although everything is set up exactly as I have for the root share:
- the user has a samba account/password
- the user has a usermap entry from their windows username to their linux username
- the valid users entry on the actual share has their linux username
The user can browse to the share, but when the password is requested nothing works
- tried samba password for the user
- tried windows password for the user
- tried linux password for the user
Something to note is that the user is unable to change their own samba password. The root account has to do it for them. So there seems to be something only root can do that is allowing access to the administrator/root share.
Quote: |
jmcg@sybill ~ $ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Error connecting to 127.0.0.1 (Connection refused)
unable to connect to SMB server on machine 127.0.0.1. Error was : SUCCESS - 0.
Failed to change password for jmcg
|
--edit--
Still haven't figured out why users can't change their own smb passwords, but suddenly their shared directories started working, for no apparent reason. Apart from having restarted samba several times without config changes, and one reboot... which seems to have 'dejoined' me from the domain.... really weird
--------
Secondly: I am trying to mount an administrative ($) share on another computer (XP Pro). I can mount administrative shares on other computers on the network, but not any XP machines. I can use smbclient to see available shares on each of the XP machines in question, so the username and password are being validated correctly when using smbclient, but mounting yields
Quote: |
root@sybill ~ # mount -t cifs -o user=administrator //bursar/c$ /mnt/temp/
Password:
mount error 13 = Permission denied
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
|
- I have tried mounting normal shares with the same problem, so it's not the fact that the share is administrative.
- I have tried with the firewall turned on and turned off, no visible difference
- I have read the man page in question (and numerous others) and can't find a description of the error
Can anyone suggest something to try here.. is there some windows registry setting I should be (un)setting?
--edit--
AHA!!!!! finally got it!
So having realised that I no longer appear able to join the domain, I figured trying the following
Quote: |
root@sybill ~ # mount -t cifs -o user=administrator,domain=EPWORTH //bursar/c$ /mnt/temp/
Password:
|
and whaddayaknow ... JACKPOT!
Hope this helps everyone else out there
--------
smb.conf
Quote: |
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2005/02/02 10:29:12
# Global parameters
[global]
workgroup = EPWORTH
realm = EPWORTH.LOCAL
interfaces = 10.0.2.4/24
bind interfaces only = Yes
security = ADS
username map = /etc/samba/smbusers
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
preferred master = No
dns proxy = No
wins server = 10.0.2.2
ldap ssl = no
socket address = 10.0.2.4
idmap uid = 10000-20000
idmap gid = 10000-20000
# winbind separator = +
[backup]
path = /mnt/baracuda200/backup
valid users = root administrator
browseable = yes
read only = no
[jmcg]
path = /home/jmcg
valid users = jmcg jmcguiness
browseable = yes
read only = no
[public]
path = /mnt/baracuda200/public
browseable = yes
read only = no
|
smbusers
Quote: |
# Unix_name = SMB_name1 SMB_name2 ...
# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/smbusers,v 1.4 2004/07/18 03:55:05 dragonheart Exp $
root = administrator
jmcg = jmcguiness
|
_________________ Adopt an unanswered post today
Last edited by sirlark on Thu Mar 03, 2005 2:09 pm; edited 2 times in total |

exklusve Apprentice
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Tue Feb 15, 2005 7:11 pm Post subject:
bump? _________________ eXklusve
You do know that no one gives a shit about your system spec's right? |

exklusve Apprentice
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Tue Feb 15, 2005 7:45 pm Post subject:
Ok I think I found the solution to my problem with specifying permissions from Active Directory Groups..
Here's what I put into my smb.conf
Code: | valid users = @"Domain Admins",@"Global IS" |
This allowed all domain admins and the global is group to access the share.
Hope this helps anyone else having problems. _________________ eXklusve
You do know that no one gives a shit about your system spec's right? |