I followed this howto:
http://www.pro-linux.de/work/server/samba3-domaene.html
My configs:
/etc/krb5.conf
[libdefaults]
default_realm = SEL.LOCAL
clockskew = 300
[realms]
SEL.LOCAL = {
kdc = SSEL0003.SEL.LOCAL
}
[domain_realm]
.sel.local = SEL.LOCAL
[logging]
# default = SYSLOG:NOTICE:DAEMON
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
/etc/nsswitch.conf
group: files winbind
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files
/etc/samba/smb.conf
[global]
workgroup = SEL
netbios name = Fileserver
realm = SEL.LOCAL
winbind uid = 10000-20000
winbind gid = 10000-20000
Winbind enum groups = yes
Winbind enum users = yes
winbind separator = /
security = ADS
encrypt passwords = yes
client use spnego = yes
[stage]
path = /daten/stage
read only = no
browseable = yes
public = yes
guest ok = no
writable = yes
I am issued a ticket:
linuxtest:~ # kinit -V Administrator
Password for Administrator@SEL.LOCAL:
Authenticated to Kerberos v5
linuxtest:~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SEL.LOCAL
Valid starting Expires Service principal
07/06/06 09:38:23 07/06/06 19:38:50 krbtgt/SEL.LOCAL@SEL.LOCAL
renew until 07/07/06 09:38:23
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Then I try to join the server to the domain:
net ads join -d 3 -S sel -U Administrator
[2006/07/06 10:14:29, 3] param/loadparm.c:lp_load(4878)
lp_load: refreshing parameters
[2006/07/06 10:14:29, 3] param/loadparm.c:init_globals(1411)
Initialising global parameters
[2006/07/06 10:14:29, 3] param/params.c:pm_process(574)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2006/07/06 10:14:29, 3] param/loadparm.c:do_section(3699)
Processing section "[global]"
[2006/07/06 10:14:29, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.34.85 bcast=192.168.34.255 nmask=255.255.255.0
Administrator's password:
[2006/07/06 10:15:03, 3] libsmb/namequery.c:resolve_lmhosts(855)
resolve_lmhosts: Attempting lmhosts lookup for name SEL<0x1c>
[2006/07/06 10:15:03, 3] libsmb/namequery.c:resolve_wins(752)
resolve_wins: Attempting wins lookup for name SEL<0x1c>
[2006/07/06 10:15:03, 3] libsmb/namequery.c:resolve_wins(755)
resolve_wins: WINS server resolution selected and no WINS servers listed.
[2006/07/06 10:15:03, 3] libsmb/namequery.c:name_resolve_bcast(694)
name_resolve_bcast: Attempting broadcast lookup for name SEL<0x1c>
[2006/07/06 10:15:03, 2] libsmb/namequery.c:name_query(492)
Got a positive name query response from 192.168.34.18 ( 192.168.34.18 )
[2006/07/06 10:15:03, 2] libsmb/namequery.c:name_query(492)
Got a positive name query response from 192.168.34.13 ( 192.168.34.13 )
[2006/07/06 10:15:04, 3] libads/ldap.c:ads_connect(288)
Connected to LDAP server 192.168.34.18
[2006/07/06 10:15:04, 3] libads/ldap.c:ads_server_info(2542)
got ldap server name ssel0003@SEL.LOCAL, using bind path: dc=SEL,dc=LOCAL
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
ads_sasl_spnego_bind: got server principal name =ssel0003$@SEL.LOCAL
[2006/07/06 10:15:04, 3] libsmb/clikrb5.c:ads_krb5_mk_req(480)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2006/07/06 10:15:34, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(416)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 06 Jul 2006 20:15:16 CEST
[2006/07/06 10:15:55, 3] libads/ldap.c:ads_workgroup_name(2690)
Found alternate name 'SEL' for realm 'SEL.LOCAL'
Using short domain name -- SEL
[2006/07/06 10:16:25, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(593)
verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2006/07/06 10:16:55, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(593)
verify_service_password: get_service_ticket failed: KDC has no support for encryption type
And the event log spits out this:
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 27
Time: 10:16:48
User: N/A
Computer: SSEL0003
Description:
While processing a TGS request for the target server FILESERVER$, the
account FILESERVER$@SEL.LOCAL did not have a suitable key for generating
a Kerberos ticket (the missing key has an ID of 8). The requested etypes
were 17. The accounts available etypes were 23 -133 -128 3 1.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
What am I doing wrong?
Regards, Guggi
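The KDC event quoted in the post already contains the whole diagnosis: the client asked for etype 17 (AES128-CTS-HMAC-SHA1-96) and the FILESERVER$ account only holds keys for etypes 23, -133, -128, 3 and 1 (RC4 and DES variants), so there is no key the KDC could use and Samba sees "KDC has no support for encryption type". The following script is an added example, not code from the post, from Samba or from Microsoft: it parses the text of a KDC Event ID 27, computes the overlap between requested and available etypes, and flags the case where the only overlap is a deprecated cipher. The etype numbers are from the IANA Kerberos registry; the names given for the negative Microsoft values follow Heimdal's enctype table and are an assumption. The sample event text is constructed from the numbers in the post.

```python
"""Diagnose a Kerberos enctype mismatch from a Windows KDC Event ID 27 text.

Added example; not from the original post, from Samba or from Microsoft.
"""
import re

# Encryption type numbers from the IANA Kerberos registry (RFC 3961, 3962, 4757).
# The negative values are Microsoft private RC4 variants; their names here
# follow Heimdal's enctype table and are an assumption, not taken from the post.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    -128: "rc4-md4 (Microsoft legacy)",
    -133: "rc4-hmac-old (Microsoft legacy)",
    -135: "rc4-hmac-old-exp (Microsoft legacy)",
}

# DES is deprecated by RFC 6649; RC4 and 3DES by RFC 8429.
WEAK_ETYPES = {1, 2, 3, 16, 23, 24, -128, -133, -135}

# Event 27 wording: "The requested etypes were 17. The accounts available etypes were 23 -133 ..."
_REQUESTED = re.compile(r"requested etypes\s+were\s+([-\d\s]+?)\s*\.", re.I)
_AVAILABLE = re.compile(r"available etypes\s+were\s+([-\d\s]+?)\s*\.", re.I)


def etype_name(etype):
    """Human-readable name for an etype number, falling back to the number."""
    return ETYPE_NAMES.get(etype, "etype %d" % etype)


def parse_kdc_event_27(description):
    """Extract (requested, available) etype lists from a KDC Event ID 27 text."""
    req = _REQUESTED.search(description)
    avail = _AVAILABLE.search(description)
    if req is None or avail is None:
        raise ValueError("text does not contain both etype lists of a KDC Event 27")
    to_ints = lambda s: [int(tok) for tok in s.split()]
    return to_ints(req.group(1)), to_ints(avail.group(1))


def diagnose(requested, available):
    """Report whether any requested etype is backed by a key on the account.

    The KDC needs at least one etype that is both offered by the client and
    present as a key on the target account; with no overlap the TGS request
    fails, which Samba logs as 'KDC has no support for encryption type'.
    """
    usable = [e for e in requested if e in available]
    weak_only = bool(usable) and all(e in WEAK_ETYPES for e in usable)
    if not usable:
        verdict = "no common etype: client offered %s; account has keys only for %s" % (
            ", ".join(map(etype_name, requested)),
            ", ".join(map(etype_name, available)))
    elif weak_only:
        verdict = "ticket possible only with a deprecated etype (%s); give the account AES keys" % (
            ", ".join(map(etype_name, usable)))
    else:
        verdict = "ok: common etypes %s" % ", ".join(map(etype_name, usable))
    return {"can_issue": bool(usable), "usable": usable,
            "weak_only": weak_only, "verdict": verdict}


# Constructed sample reproducing the numbers from the event quoted in the post.
SAMPLE_EVENT_27 = (
    "While processing a TGS request for the target server FILESERVER$, the "
    "account FILESERVER$@SEL.LOCAL did not have a suitable key for generating "
    "a Kerberos ticket (the missing key has an ID of 8). The requested etypes "
    "were 17. The accounts available etypes were 23 -133 -128 3 1."
)

if __name__ == "__main__":
    req, avail = parse_kdc_event_27(SAMPLE_EVENT_27)
    print(diagnose(req, avail)["verdict"])
```

Run against the quoted event, the script reports that the requested AES128 etype has no matching key on the machine account. The `weak_only` flag is the defender's side of the same problem: an account whose only keys are RC4 or DES will let a join or a service ticket succeed, but at a cipher strength that RFC 6649 and RFC 8429 deprecate, so the durable fix is to get AES keys onto the account rather than to drop the client down to the legacy etypes.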