LinuxQuestions.org

Thread: authenticating Centos 5.2 client through AD (https://www.linuxquestions.org/questions/linux-software-2/authenticating-centos-5-2-client-through-ad-690734/)

stioanid 12-15-2008 12:09 PM

authenticating Centos 5.2 client through AD
 
I have used winbind with Kerberos and Samba to connect to an AD server.
Although I seem to be able to get a ticket (kinit works), when I run

net ads join -U stavros.ioannidis@DIONIC.COM.GR

I get the following error:
Ignoring unknown parameter "winbind seperator"
Enter stavros.ioannidis@DIONIC.COM.GR's password:
[2008/12/15 19:48:16, 0] passdb/secrets.c:secrets_init(71)
Failed to open /var/lib/samba/secrets.tdb
Failed to join domain: Unable to open secrets database
Any ideas why this is happening?

I am displaying my configuration files:

/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 36000
default_realm = DIONIC.COM.GR
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DIONIC.COM.GR = {
kdc = DC1.DIONIC.COM.GR
kdc = DC2.DIONIC.COM.GR
admin_server = DC1.DIONIC.COM.GR
default_domain = DIONIC.COM.GR
}
[domain_realm]

.dionic.com.gr = DIONIC.COM.GR
dionic.com.gr = DIONIC.COM.GR



/etc/samba/smb.conf

[global]
security = ads
netbiosname = STARGATE
realm = DIONIC.COM.GR.nl
password server = DC1.DIONIC.COM.GR
workgroup = DIONIC.COM.GR
idmap uid = 500-100000
idmap gid = 500-100000
winbind seperator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
idmap uid = 10000-20000
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

/etc/ldap.conf
host 127.0.0.1
base dc=dionic,dc=com,dc=gr
uri ldaps://dc1.dionic.com.gr/
ldap_version 3
binddn cn=stavros_ioannidis,dc=dionic,dc=com,dc=gr
bindpw
rootbinddn cn=stavros.ioannidis,dc=dionic,dc=com,dc=gr
scope sub
pam_password md5
nss_base_passwd dc=dionic,dc=com,dc=gr?sub
nss_base_shadow dc=dionic,dc=com,dc=gr?sub
nss_base_group dc=dionic,dc=com,dc=gr
&(objectCategory=group) (gidnumber=*)
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
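Two of the errors in the post above are visible in the configuration itself: Samba says it is ignoring the parameter "winbind seperator" (the real parameter is spelled "winbind separator"), and the smb.conf realm "DIONIC.COM.GR.nl" does not match the krb5.conf default_realm "DIONIC.COM.GR". The script below is an added example, not code from the thread or from the Samba project: it parses an smb.conf/krb5.conf pair the way Samba matches parameter names (case and whitespace ignored) and reports unknown parameters, keys set more than once, a realm that is not upper-case or disagrees with krb5.conf, and a workgroup that looks like a DNS name rather than the short NetBIOS domain name. The known-parameter list and the two sample configs are constructed here (the samples mirror the posted ones) so the script runs offline.

```python
"""Consistency checks for an smb.conf / krb5.conf pair before 'net ads join'.

Added example. KNOWN_GLOBAL_PARAMS is a deliberately small, hand-written subset
of the [global] parameters Samba 3.x accepts on an ADS member; extend it for
your own smb.conf. The sample configs at the bottom are constructed.
"""
import re

KNOWN_GLOBAL_PARAMS = {
    "security", "netbios name", "realm", "password server", "workgroup",
    "idmap uid", "idmap gid", "winbind separator", "winbind enum users",
    "winbind enum groups", "winbind use default domain", "template homedir",
    "template shell", "client use spnego", "domain master", "private dir",
}
# Samba matches parameter names ignoring case and whitespace
# ("netbiosname" == "netbios name"), so normalise the same way.
KNOWN_NORMALISED = {p.replace(" ", "").lower() for p in KNOWN_GLOBAL_PARAMS}


def parse_ini_like(text):
    """Parse smb.conf / krb5.conf style text into {section: [(key, value), ...]}.
    Duplicate keys are kept in order so they can be reported."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line or line == "}":          # "}" closes a krb5.conf realm block
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key.lower(), value))
    return sections


def last_value(pairs, key):
    """Last value set for key: when a key is repeated, Samba uses the later one."""
    want = key.replace(" ", "")
    return next((v for k, v in reversed(pairs) if k.replace(" ", "") == want), None)


def check_smb_conf(smb_text, krb5_text):
    """Return a list of findings (empty list means nothing suspicious)."""
    glob = parse_ini_like(smb_text).get("global", [])
    libdefaults = parse_ini_like(krb5_text).get("libdefaults", [])
    findings, seen = [], {}
    for key, value in glob:
        norm = key.replace(" ", "")
        if norm not in KNOWN_NORMALISED:
            findings.append(f'unknown parameter "{key}": Samba ignores it (typo?)')
        seen.setdefault(norm, []).append(value)
    for norm, values in seen.items():
        if len(values) > 1:
            findings.append(f'"{norm}" set {len(values)} times {values}: the last one wins')
    realm = last_value(glob, "realm") or ""
    default_realm = last_value(libdefaults, "default_realm") or ""
    if realm != realm.upper():
        findings.append(f'realm "{realm}" is not upper-case')
    if default_realm and realm != default_realm:
        findings.append(f'realm "{realm}" does not match krb5.conf default_realm "{default_realm}"')
    workgroup = last_value(glob, "workgroup") or ""
    if "." in workgroup:
        findings.append(f'workgroup "{workgroup}" looks like a DNS name; use the short NetBIOS domain name')
    return findings


# Constructed samples mirroring the configs posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
security = ads
netbiosname = STARGATE
realm = DIONIC.COM.GR.nl
password server = DC1.DIONIC.COM.GR
workgroup = DIONIC.COM.GR
idmap uid = 500-100000
idmap gid = 500-100000
winbind seperator = +
winbind use default domain = yes
idmap uid = 10000-20000
template shell = /bin/bash
"""
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = DIONIC.COM.GR
[realms]
DIONIC.COM.GR = {
  kdc = DC1.DIONIC.COM.GR
}
"""

if __name__ == "__main__":
    for finding in check_smb_conf(SAMPLE_SMB_CONF, SAMPLE_KRB5_CONF):
        print(" -", finding)
```

`testparm` reports the unknown-parameter case the same way ("Ignoring unknown parameter"), but it does not cross-check krb5.conf; running a check like this before `net ads join` saves a round of "Logon failure" and "Invalid configuration" errors whose cause is a mistyped realm or parameter name.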

ncsuapex 12-16-2008 09:03 PM

Try
net ads join -U DIONIC+stavros.ioannidis

Are samba (smb) and winbind running?

stioanid 12-17-2008 02:14 AM

Quote:

Originally Posted by ncsuapex (Post 3378029)
Try
net ads join -U DIONIC+stavros.ioannidis

Are samba (smb) and winbind running?


It still gives me the same errors.

net ads join -U DIONIC+stavros.ioannidis
Enter DIONIC+stavros.ioannidis's password:
[2008/12/17 10:06:50, 0] passdb/secrets.c:secrets_init(71)
Failed to open /var/lib/samba/secrets.tdb
Failed to join domain: Unable to open secrets database

By the way, is slapd supposed to run? I can't get it to start:
etc/init.d/slapd start
No configuration directory was found for slapd at /etc/ldap/slapd.d/.
If you have moved the slapd configuration directory please modify
/etc/default/slapd to reflect this. If you chose to not
configure slapd during installation then you need to do so
prior to attempting to start slapd.
Could it be because AD isn't configured to accept anonymous bind operations?

Samba and winbind are running.

ncsuapex 12-17-2008 10:00 AM

Sorry, I was really tired when I read your post. Not sure why you don't have a secrets file. But stop samba/winbind, restart samba, try to join the domain, then start winbind.

You should have a secrets.tdb; try a search for it.

find /var -name secrets.tdb

I'm running CentOS 5.1 and my secrets.tdb is here:

find /var -name secrets.tdb
/var/lib/samba/private/secrets.tdb



I don't have slapd running on my Linux box, as we are using LDAP on the AD server.

stioanid 12-18-2008 02:37 AM

authenticating Centos 5.2 through AD
 
Quote:

Originally Posted by ncsuapex (Post 3378714)
Sorry, I was really tired when I read your post. Not sure why you don't have a secrets file. But stop samba/winbind, restart samba, try to join the domain, then start winbind.

You should have a secrets.tdb; try a search for it.

find /var -name secrets.tdb

I'm running CentOS 5.1 and my secrets.tdb is here:

find /var -name secrets.tdb
/var/lib/samba/private/secrets.tdb



I don't have slapd running on my Linux box, as we are using LDAP on the AD server.


OK, I did what you did. First I stopped using slapd, and I am using LDAP on the AD side.
I started only samba, and it did find the secrets.tdb but didn't join because winbind wasn't on.

$ sudo net ads join -U DIONIC+stavros.ioannidis
Enter DIONIC+stavros.ioannidis's password:
Failed to join domain: failed to lookup DC info for domain 'DIONIC.COM.GR' over rpc: Logon failure

I started winbind and ran the same command:

stavros@stavros-laptop:~$ sudo net ads join -U DIONIC+stavros.ioannidis
Enter DIONIC+stavros.ioannidis's password:
Failed to join domain: failed to lookup DC info for domain 'DIONIC.COM.GR' over rpc: Logon failure

But when I run

stavros@stavros-laptop:~$ sudo net ads join stavros.ioannidis@DIONIC.COM.GR
Enter stavros.ioannidis@DIONIC.COM.GR's password:
Failed to join domain: Invalid configuration and configuration modification was not requested

When I run
wbinfo -p
Ping to winbindd failed
could not ping winbindd!
That was because winbind isn't running. If I try to start it, it won't start, and if I tail -f /var/log/samba/log.winbindd I get the following message:

[2008/12/18 16:19:50, 0] winbindd/winbindd.c:main(1126)
winbindd version 3.2.3 started.
Copyright Andrew Tridgell and the Samba Team 1992-2008
[2008/12/18 16:19:50, 0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2353)
initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2008/12/18 16:19:50, 0] winbindd/winbindd_util.c:init_domain_list(719)
Could not fetch our SID - did we join?
[2008/12/18 16:19:50, 0] winbindd/winbindd.c:main(1268)
unable to initialize domain list

I did stop apparmor from running because I thought it might be interfering with winbind, but winbind still won't start.
Also, when I run
sudo net rpc getsid
it gives me the message "Unable to find a suitable server". I did check portmap and it is running.
I also tried to change my range in smb.conf from 500-10000 to 10000-20000, but still nothing changed.
My main goal is to have all my accounts maintained centrally through AD, so I don't have to keep different authentication methods for Linux and Windows.
By the way, when I try to log in to my laptop through AD I can't. Of course I have changed my /etc/nsswitch.conf:

passwd: compat winbind files
group: compat winbind files
shadow: compat files
hosts: files dns wins mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files


Also, thank you very much for your support so far.

ncsuapex 12-18-2008 09:12 AM

You're getting past my experience with samba/winbind/AD, but I do know that you can join a domain without winbind running: you can't look up any users, but it should still join the domain, and then you can start winbind to look up users/groups/etc. Does the account you are using have the admin rights to join the domain?


my nsswitch.conf looks like this:

passwd: files winbind
shadow: files winbind
group: files winbind


hosts: files dns wins



Not sure what the compat option is used for.

fngreno 02-19-2009 01:27 AM

Try installing Likewise. It just works.

Try using the open version for AD; read the quickstart, then it works. You can download, install and join the AD domain in 15 minutes.

No, they are not paying me; I'm just happy not to be messing around with winbindd and all its idiosyncrasies anymore.

stioanid 02-20-2009 02:22 AM

authenticating Centos 5.2 through AD
 
Quote:

Originally Posted by fngreno (Post 3449203)
Try installing Likewise. It just works.

Thanks for the suggestion, but I did try Likewise on one of my servers running Centos and it didn't work the way I expected.
Nonetheless, I have managed to figure out a how-to for joining an ADS domain using winbind, Kerberos and Samba.

