authenticating Centos 5.2 client through AD
I have used winbind with kerberos and samba to connect to an AD server. Although I seem to be able to get a ticket (kinit works), when I run net ads join -U stavros.ioannidis@DIONIC.COM.GR I get the following error:

net ads join -U stavros.ioannidis@DIONIC.COM.GR
Ignoring unknown parameter "winbind seperator"
Enter stavros.ioannidis@DIONIC.COM.GR's password:
[2008/12/15 19:48:16, 0] passdb/secrets.c:secrets_init(71)
  Failed to open /var/lib/samba/secrets.tdb
Failed to join domain: Unable to open secrets database

Any ideas why this is happening? I am displaying my configuration files.

/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 36000
 default_realm = DIONIC.COM.GR
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
 DIONIC.COM.GR = {
  kdc = DC1.DIONIC.COM.GR
  kdc = DC2.DIONIC.COM.GR
  admin_server = DC1.DIONIC.COM.GR
  default_domain = DIONIC.COM.GR
 }

[domain_realm]
 .dionic.com.gr = DIONIC.COM.GR
 dionic.com.gr = DIONIC.COM.GR

/etc/samba/smb.conf

[global]
 security = ads
 netbiosname = STARGATE
 realm = DIONIC.COM.GR.nl
 password server = DC1.DIONIC.COM.GR
 workgroup = DIONIC.COM.GR
 idmap uid = 500-100000
 idmap gid = 500-100000
 winbind seperator = +
 winbind enum users = no
 winbind enum groups = no
 winbind use default domain = yes
 idmap uid = 10000-20000
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 domain master = no

/etc/ldap.conf

host 127.0.0.1
base dc=dionic,dc=com,dc=gr
uri ldaps://dc1.dionic.com.gr/
ldap_version 3
binddn cn=stavros_ioannidis,dc=dionic,dc=com,dc=gr
bindpw
rootbinddn cn=stavros.ioannidis,dc=dionic,dc=com,dc=gr
scope sub
pam_password md5
nss_base_passwd dc=dionic,dc=com,dc=gr?sub
nss_base_shadow dc=dionic,dc=com,dc=gr?sub
nss_base_group dc=dionic,dc=com,dc=gr &(objectCategory=group) (gidnumber=*)
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member |
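An added example, not from any poster in the thread: a small shell lint that checks constructed copies of the smb.conf and krb5.conf above for three mistakes a reviewer can see in them (the misspelled "winbind seperator" that smbd reports as an unknown parameter, a smb.conf realm that does not match the Kerberos default_realm, and a parameter set twice). The sample configs are constructed and only model the pasted ones.

```shell
#!/bin/sh
# Lint smb.conf against krb5.conf for the mistakes visible in the thread's
# paste: a misspelled parameter, a realm that disagrees with krb5.conf and a
# parameter set twice. The two configs below are constructed samples modelled
# on the thread's files, not copied verbatim.
SMB_CONF=$(mktemp)
KRB5_CONF=$(mktemp)
trap 'rm -f "$SMB_CONF" "$KRB5_CONF"' EXIT
cat >"$SMB_CONF" <<'EOF'
[global]
security = ads
realm = DIONIC.COM.GR.nl
workgroup = DIONIC.COM.GR
idmap uid = 500-100000
idmap gid = 500-100000
winbind seperator = +
idmap uid = 10000-20000
EOF
cat >"$KRB5_CONF" <<'EOF'
[libdefaults]
default_realm = DIONIC.COM.GR
EOF

# First value of KEY in an INI-style FILE: conf_get FILE KEY
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

# Print one finding per line; always returns 0: check_smb_conf SMB_CONF KRB5_CONF
check_smb_conf() {
  # 1. The typo smbd reported as "Ignoring unknown parameter": it is dropped.
  if grep -Eqi '^[[:space:]]*winbind seperator[[:space:]]*=' "$1"; then
    echo "typo: 'winbind seperator' is ignored; the parameter is 'winbind separator'"
  fi
  # 2. net ads join takes the realm from smb.conf; it must equal the Kerberos realm.
  smb_realm=$(conf_get "$1" realm)
  krb_realm=$(conf_get "$2" default_realm)
  if [ "$smb_realm" != "$krb_realm" ]; then
    echo "realm mismatch: smb.conf '$smb_realm' vs krb5.conf '$krb_realm'"
  fi
  # 3. Parameters set more than once: the last value silently wins.
  sed -n 's/^[[:space:]]*\([a-z][a-z ]*[a-z]\)[[:space:]]*=.*/\1/p' "$1" \
    | sort | uniq -d | while IFS= read -r dup; do
      echo "duplicate parameter: '$dup' (last occurrence wins)"
    done
  return 0
}

check_smb_conf "$SMB_CONF" "$KRB5_CONF"
```

Samba's own testparm -s reports the unknown-parameter warning from the live config; the realm and duplicate checks are the extra ones this script adds.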
Try

net ads join -U DIONIC+stavros.ioannidis

Are samba (smb) and winbind running? |
It still gives me the same errors.

net ads join -U DIONIC+stavros.ioannidis
Enter DIONIC+stavros.ioannidis's password:
[2008/12/17 10:06:50, 0] passdb/secrets.c:secrets_init(71)
  Failed to open /var/lib/samba/secrets.tdb
Failed to join domain: Unable to open secrets database

By the way, is slapd supposed to run? Because I can't get it to start.

/etc/init.d/slapd start
No configuration directory was found for slapd at /etc/ldap/slapd.d/.
If you have moved the slapd configuration directory please modify /etc/default/slapd to reflect this.
If you chose to not configure slapd during installation then you need to do so prior to attempting to start slapd.

Could it be because AD isn't configured to accept anonymous Bind operations? Samba and winbind are running. |
Sorry, I was really tired when I read your post. Not sure why you don't have a secrets file. But stop samba/winbind. Restart samba, try to join the domain, then start winbind.
You should have a secrets.tdb; try a search for it:

find /var -name secrets.tdb

I'm running CentOS 5.1 and my secrets.tdb is here:

find /var -name secrets.tdb
/var/lib/samba/private/secrets.tdb

I don't have slapd running on my linux box as we are using ldap on the AD server. |
Ok, I did what you used. First I stopped using slapd and I am using ldap on the AD side. Started only samba and it did find the secrets tdb but didn't join because winbind wasn't on.

$ sudo net ads join -U DIONIC+stavros.ioannidis
Enter DIONIC+stavros.ioannidis's password:
Failed to join domain: failed to lookup DC info for domain 'DIONIC.COM.GR' over rpc: Logon failure

Started winbind and I ran the same command:

stavros@stavros-laptop:~$ sudo net ads join -U DIONIC+stavros.ioannidis
Enter DIONIC+stavros.ioannidis's password:
Failed to join domain: failed to lookup DC info for domain 'DIONIC.COM.GR' over rpc: Logon failure

But when I run

stavros@stavros-laptop:~$ sudo net adds join stavros.ioannidis@DIONIC.COM.GR
Enter stavros.ioannidis@DIONIC.COM.GR's password:
Failed to join domain: Invalid configuration and configuration modification was not requested

When I run wbinfo -p:

Ping to winbindd failed
could not ping winbindd!

That was because winbind isn't running. If I try to start it, it won't start, and if I tail -f /var/log/samba/log.winbindd I get the following message:

[2008/12/18 16:19:50, 0] winbindd/winbindd.c:main(1126)
  winbindd version 3.2.3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2008/12/18 16:19:50, 0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2353)
  initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2008/12/18 16:19:50, 0] winbindd/winbindd_util.c:init_domain_list(719)
  Could not fetch our SID - did we join?
[2008/12/18 16:19:50, 0] winbindd/winbindd.c:main(1268)
  unable to initialize domain list

I did stop apparmor from running because I thought it might be interfering with winbind, but winbind still won't start. As well, when I run sudo net rpc getsid it gives me the message "Unable to find a suitable server". I did check portmap and it is running. As well, I tried to change my range in smb.conf from 500-10000 to 10000-20000 but still nothing changed.
My main effort is basically to have all my accounts maintained centrally through AD so I don't have to retain different authentication methods for linux and windows. By the way, when I try to login to my laptop through AD I can't. Of course I have changed my /etc/nsswitch.conf:

passwd: compat winbind files
group: copmpat winbind files
shadow: compat files
hosts: files dns wins mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files

As well, thank you very much for your support so far. |
You're getting past my experience with samba/winbind/AD, but I do know that you can join a domain without winbind running; you can't look up any users, but it should still join the domain, then you can start winbind to look up users/groups/etc. Does the account you are using have the admin rights to join the domain?
My nsswitch.conf looks like this:

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins

Not sure what the compat option is used for. |
Try installing Likewise - it just works.
Try using the open version for AD; read the quickstart, then it works. You can download, install and join the AD domain in 15 min. No, they are not paying me; I'm just happy not to be messing around with winbindd and all its idiosyncrasies anymore. |
Nonetheless, I have managed to figure out a how-to for joining an ADS domain using winbind, kerberos and samba. |