Joining a Windows 2003 domain and taking over its users

I followed this howto:
http://www.pro-linux.de/work/server/samba3-domaene.html

My configs:

/etc/krb5.conf

[libdefaults]
        default_realm = SEL.LOCAL
        clockskew = 300

[realms]
        SEL.LOCAL = {
                kdc = SSEL0003.SEL.LOCAL
        }

[domain_realm]
        .sel.local = SEL.LOCAL

[logging]
# default = SYSLOG:NOTICE:DAEMON
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                debug = false
        }

/etc/nsswitch.conf

group: files winbind

hosts: files dns
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files

/etc/samba/smb.conf

[global]
        workgroup = SEL
        netbios name = Fileserver
        realm = SEL.LOCAL
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        Winbind enum groups = yes
        Winbind enum users = yes
        winbind separator = /
        security = ADS
        encrypt passwords = yes
        client use spnego = yes

[stage]
   path = /daten/stage
   read only = no
   browseable = yes
   ; "public" is a synonym for "guest ok"; the original had "public = yes"
   ; directly above "guest ok = no", and the later line wins, so the share
   ; was never guest-accessible. Keep a single, unambiguous setting.
   ; public = yes
   guest ok = no
   ; "writable = yes" is the inverted synonym of "read only = no" above;
   ; harmless, but redundant.
   writable = yes

I am issued a ticket:

linuxtest:~ # kinit -V Administrator
Password for Administrator@SEL.LOCAL:
Authenticated to Kerberos v5
linuxtest:~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SEL.LOCAL

Valid starting     Expires            Service principal
07/06/06 09:38:23  07/06/06 19:38:50  krbtgt/SEL.LOCAL@SEL.LOCAL
        renew until 07/07/06 09:38:23

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Then I try to join the server to the domain:

net ads join -d 3 -S sel -U Administrator
[2006/07/06 10:14:29, 3] param/loadparm.c:lp_load(4878)
  lp_load: refreshing parameters
[2006/07/06 10:14:29, 3] param/loadparm.c:init_globals(1411)
  Initialising global parameters
[2006/07/06 10:14:29, 3] param/params.c:pm_process(574)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2006/07/06 10:14:29, 3] param/loadparm.c:do_section(3699)
  Processing section "[global]"
[2006/07/06 10:14:29, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.34.85 bcast=192.168.34.255 nmask=255.255.255.0
Administrator's password:
[2006/07/06 10:15:03, 3] libsmb/namequery.c:resolve_lmhosts(855)
  resolve_lmhosts: Attempting lmhosts lookup for name SEL<0x1c>
[2006/07/06 10:15:03, 3] libsmb/namequery.c:resolve_wins(752)
  resolve_wins: Attempting wins lookup for name SEL<0x1c>
[2006/07/06 10:15:03, 3] libsmb/namequery.c:resolve_wins(755)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2006/07/06 10:15:03, 3] libsmb/namequery.c:name_resolve_bcast(694)
  name_resolve_bcast: Attempting broadcast lookup for name SEL<0x1c>
[2006/07/06 10:15:03, 2] libsmb/namequery.c:name_query(492)
  Got a positive name query response from 192.168.34.18 ( 192.168.34.18 )
[2006/07/06 10:15:03, 2] libsmb/namequery.c:name_query(492)
  Got a positive name query response from 192.168.34.13 ( 192.168.34.13 )
[2006/07/06 10:15:04, 3] libads/ldap.c:ads_connect(288)
  Connected to LDAP server 192.168.34.18
[2006/07/06 10:15:04, 3] libads/ldap.c:ads_server_info(2542)
  got ldap server name ssel0003@SEL.LOCAL, using bind path: dc=SEL,dc=LOCAL
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/07/06 10:15:04, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name =ssel0003$@SEL.LOCAL
[2006/07/06 10:15:04, 3] libsmb/clikrb5.c:ads_krb5_mk_req(480)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2006/07/06 10:15:34, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(416)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 06 Jul 2006 20:15:16 CEST
[2006/07/06 10:15:55, 3] libads/ldap.c:ads_workgroup_name(2690)
  Found alternate name 'SEL' for realm 'SEL.LOCAL'
Using short domain name -- SEL
[2006/07/06 10:16:25, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(593)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type
[2006/07/06 10:16:55, 3] libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(593)
  verify_service_password: get_service_ticket failed: KDC has no support for encryption type

And the event log spits out this:

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 27
Time: 10:16:48
User: N/A
Computer: SSEL0003
Description:
While processing a TGS request for the target server FILESERVER$, the
account FILESERVER$@SEL.LOCAL did not have a suitable key for generating
a Kerberos ticket (the missing key has an ID of 8). The requested etypes
were 17. The accounts available etypes were 23 -133 -128 3 1.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

What am I doing wrong?

Regards, Guggi
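The two error messages in the post describe one condition from both ends: Samba's `KDC has no support for encryption type` and the KDC's Event ID 27 both say that the client asked for a service ticket for FILESERVER$ with etype 17 (AES128-CTS-HMAC-SHA1-96), while the KDC only holds keys of etypes 23 (RC4-HMAC), 3 and 1 (DES) plus two Microsoft-private negative types for that account. Windows Server 2003 does not implement the AES Kerberos etypes, so no ticket can be issued and the Kerberos join fails. The usual remedy on the Samba side is to restrict the client to etypes the KDC has, via `default_tkt_enctypes`, `default_tgs_enctypes` and `permitted_enctypes` in the `[libdefaults]` section of /etc/krb5.conf; `klist -e` on the Linux box shows which etypes your tickets actually carry. The caveat a practitioner would want: RC4-HMAC and single DES are weak by today's standards, and this restriction is a compatibility measure for a 2003-era KDC, not a setting to carry forward to a newer domain.

The following script is an added example, not code from the original post or from Samba; it parses the Event ID 27 description quoted above (embedded here as a constructed sample), names the etypes using the IANA registry numbers and the spellings MIT krb5 accepts in krb5.conf, reports whether any etype is common to both sides, and generates the three krb5.conf lines. Negative (Microsoft-private) etypes are reported generically rather than named.

```python
"""Diagnose the Kerberos enctype mismatch behind Samba's
"KDC has no support for encryption type" and Windows KDC Event ID 27.

Added example, not from the original post or from Samba. Etype numbers
are the IANA Kerberos encryption type registry values; the names are the
MIT krb5 spellings for krb5.conf. Microsoft's negative private etypes are
reported generically.
"""
import re

# IANA Kerberos etype number -> MIT krb5 enctype name (krb5.conf spelling).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}

# Constructed sample input: the Event ID 27 description from the post,
# line-wrapped the way it appears in the mail.
EVENT_27_SAMPLE = """While processing a TGS request for the target server FILESERVER$, the
account FILESERVER$@SEL.LOCAL did not have a suitable key for generating
a Kerberos ticket (the missing key has an ID of 8). The requested etypes
were 17. The accounts available etypes were 23 -133 -128 3 1."""

_EVENT_27_RE = re.compile(
    r"target server (?P<target>\S+?), .*?"
    r"The requested etypes were (?P<req>[-\d ]+?)\. "
    r"The accounts available etypes were (?P<avail>[-\d ]+?)\.",
    re.DOTALL,
)


def parse_event_27(description):
    """Return (target, requested_etypes, available_etypes) from an Event ID 27 text."""
    flat = " ".join(description.split())  # undo line wrapping from the mail
    m = _EVENT_27_RE.search(flat)
    if m is None:
        raise ValueError("not an Event ID 27 description")
    requested = [int(x) for x in m.group("req").split()]
    available = [int(x) for x in m.group("avail").split()]
    return m.group("target"), requested, available


def etype_name(etype):
    """Human-readable name; negative numbers are Microsoft-private types."""
    if etype < 0:
        return f"ms-private({etype})"
    return ETYPE_NAMES.get(etype, f"unknown({etype})")


def diagnose(requested, available):
    """Intersect what the client asked for with the keys the KDC holds
    for the account; an empty intersection is exactly the failure seen."""
    common = [e for e in requested if e in available]
    return {
        "requested": [etype_name(e) for e in requested],
        "available": [etype_name(e) for e in available],
        "common": [etype_name(e) for e in common],
        "mismatch": not common,
    }


def krb5_enctype_lines(available):
    """[libdefaults] lines restricting the client to etypes the KDC has,
    in the KDC's preference order, skipping types MIT krb5 cannot name."""
    names = [ETYPE_NAMES[e] for e in available if e in ETYPE_NAMES]
    if not names:
        raise ValueError("no standard enctype in common with this KDC")
    joined = " ".join(names)
    return [
        f"default_tkt_enctypes = {joined}",
        f"default_tgs_enctypes = {joined}",
        f"permitted_enctypes = {joined}",
    ]


if __name__ == "__main__":
    target, req, avail = parse_event_27(EVENT_27_SAMPLE)
    report = diagnose(req, avail)
    print(f"target {target}: requested {report['requested']}, "
          f"available {report['available']}, common {report['common']}")
    if report["mismatch"]:
        print("no common enctype; add to [libdefaults] in /etc/krb5.conf:")
        for line in krb5_enctype_lines(avail):
            print("    " + line)
```

Run it against a pasted Event ID 27 description and it prints the three lines to add under `[libdefaults]`; after editing krb5.conf, `kinit` again and confirm with `klist -e` that the ticket-granting ticket is RC4-HMAC or DES before retrying `net ads join`.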

Michael von Guggenberg wrote:

Then I try to join the server to the domain:

net ads join -d 3 -S sel -U Administrator

With net rpc join it worked! Samba is dancing.