Weblog entry #2 for eric

samba + active directory
Posted by eric on Wed 16 Nov 2005 at 14:29
Tags: none.
I'm currently trying to use a Debian server to share data with Windows clients. So I use Samba 3 + winbind to join my server to the Win2k domain with Active Directory.

The server joined the domain fine (# net join ads -U administrator), but winbind can't use AD to return the users or groups in my domain.
Every time I get:
# wbinfo -u
Error looking up domain users

Does anybody around here know what I have to check or do to make it work? I am really blocked because here we have mostly Windows servers, and I don't want to confine Linux ones to web servers. Sharing files is an important need, so I need to be able to authenticate users against our AD domain.

Thanks to all...


Comments on this Entry

Posted by simonw (84.45.xx.xx) on Thu 17 Nov 2005 at 21:20
Have you done "net join...." ?

This is covered in the Samba HOWTO. It isn't easy, you just have to plough through it - no short cuts.


Posted by eric (82.255.xx.xx) on Fri 18 Nov 2005 at 15:44
Yes, I have done "net join ads -U administrator" and it works. I have also configured Kerberos (/etc/krb5.conf) and I can do a "kinit administrator@REALM" and it works.
The only problem I have (but it's essential!) is with winbind.

I have read and looked and searched in the Samba 3 HOWTO many times, but I still can't find what is wrong.
I think I will try with another distro to see if the problem is Debian-based or... I don't know, maybe Samba-based, or it's our Windows configuration, architecture, something...


Posted by simonw (84.45.xx.xx) on Fri 18 Nov 2005 at 17:44
"I think I will try with another distro to see if the problem is debian based or..."

Well it works in Sarge for our fairly vanilla ADS set up, 2 x W2K ADS servers.

The winbind stuff worked without the need to have the Kerberos stuff configured.

A quick search suggests that the shortname of the server is needed in /etc/hosts, and I suspect you'd have to check "security=ADS", and that the DNS settings for the ADS domain are correct.

Just check the settings carefully, and be aware of all sorts of daft case sensitivity with Kerberos.


Posted by eric (82.255.xx.xx) on Fri 18 Nov 2005 at 17:58
"Well it works in Sarge for our fairly vanilla ADS set up, 2 x W2K ADS servers."

Aie, first problem: I think we have a strong ADS configuration with a big forest and a lot of child domains, and maybe (I hope not) the LDAP 'schema' has been changed.

"The winbind stuff worked without the need to have the Kerberos stuff configured."

Euh? Strange... I thought Kerberos was mandatory to log in to an AD domain, isn't it?

"A quick search suggests that the shortname of the server is needed in /etc/hosts, and I suspect you'd have to check 'security=ADS', and that the DNS settings for the ADS domain are correct."

I have the entries in /etc/hosts, but I'm not sure if it's the short or long hostname.
security=ADS is OK.

"Just check the settings carefully, and be aware of all sorts of daft case sensitivity with Kerberos."

I'll check the rest of the stuff you talk about for errors, but this will be Monday now...

OK, so Monday... the story continues...

PS: excuse my language, I'm a non-native English speaker.


Posted by simonw (84.45.xx.xx) on Fri 18 Nov 2005 at 18:28
"euh ? strange... i thought kerberos was mandatory..."

I think winbind cheats and remembers your admin password in plaintext or something equally hideous. I wasn't impressed.


Posted by plovs_ (62.85.xx.xx) on Mon 21 Nov 2005 at 12:51
Configure nsswitch.conf to look like this:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

etc
Use wbinfo -t for trust status. If this is not OK, use smbclient -L localhost -U% to check that you did not accidentally become a domain controller. Also check the log files. And restart winbind as well, not just Samba!


Posted by eric (194.2.xx.xx) on Tue 22 Nov 2005 at 15:41
My nsswitch.conf is like yours.

And I get:
# wbinfo -t
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret

And I checked: I'm not a domain controller!!!

I looked at the Samba-3 By Example guide, following step by step the configuration for AD membership (chapter 10), and everything works OK until point 11, page 274.
The only difference is that when joining the domain, between the message "Using short name..." and "Joined 'SERVER'...", I got a lot of these error messages:
libads/kerberos.c: get_service_ticket (337)
get_service_ticket: kerberos_kinit_password SERVER$@REALM.DOMAIN.TLD@REALM.DOMAIN.TLD failed: Preauthentication failed

I am a little bit blocked and I don't like that!
I'm gonna look one more time at the Samba 3 HOWTO and check all my settings another time...


Posted by philcore (70.161.xx.xx) on Wed 23 Nov 2005 at 03:32
I had a bit of a problem setting this up myself. Been a while. Does getent passwd list any Windows users? Here are some relevant lines from my smb.conf:
   winbind separator = +
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   security = ADS
   realm = MY.REALM.COM

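The replies above between them name three static things to verify on the Debian box before looking at winbind itself: the nsswitch.conf lines plovs_ posted, the smb.conf settings philcore posted, and the short hostname in /etc/hosts that simonw mentioned. The script below is an added example (not code from the thread or from the Samba project) that checks copies of those three files for exactly those points. The sample files it writes are constructed; "fileserver", "EXAMPLE.COM" and the 192.0.2.x addresses are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project: static
# pre-flight checks for a Samba 3 AD member server, covering what the replies
# point at before any domain join is attempted.
#   1. /etc/nsswitch.conf routes passwd and group through winbind (plovs_)
#   2. smb.conf carries security = ADS, a realm, idmap ranges and the
#      winbind enum settings (philcore's smb.conf lines)
#   3. /etc/hosts carries the server's short name (simonw)
# Every check takes a file path, so it can be pointed at copies of the real
# files; the samples at the bottom are constructed so the script runs offline.
# Diagnostics go to stderr; samba_ad_preflight prints the number of failed
# checks on stdout so a calling script can capture it.

# check_nsswitch FILE: succeed only if passwd and group both list winbind.
check_nsswitch() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# check_smb_conf FILE: report each required setting that is missing or wrong.
# A spec of the form KEY:VALUE requires that exact value (case-insensitive,
# as smbd treats it); KEY: only requires the key to be set to something.
check_smb_conf() {
    conf="$1"; missing=0
    for spec in 'security:ads' 'realm:' 'idmap uid:' 'idmap gid:' \
                'winbind enum users:yes' 'winbind enum groups:yes'; do
        key=${spec%%:*}; want=${spec#*:}
        if [ -n "$want" ]; then
            pat="^[[:space:]]*$key[[:space:]]*=[[:space:]]*$want[[:space:]]*$"
        else
            pat="^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]"
        fi
        if ! grep -Eiq "$pat" "$conf"; then
            echo "smb.conf: '$key' is not set${want:+ to $want}" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_hosts FILE NAME: the bare short name must appear on a non-comment line.
check_hosts() {
    grep -Eq "^[^#]*[[:space:]]$2([[:space:]]|$)" "$1"
}

# samba_ad_preflight NSSWITCH SMBCONF HOSTS SHORTNAME: run all three checks
# and print how many failed (0 means the static configuration looks sane).
samba_ad_preflight() {
    failed=0
    check_nsswitch "$1" || { echo "nsswitch.conf: passwd/group do not use winbind" >&2; failed=$((failed + 1)); }
    check_smb_conf "$2" || failed=$((failed + 1))
    check_hosts "$3" "$4" || { echo "hosts: short name '$4' is missing" >&2; failed=$((failed + 1)); }
    echo "$failed"
}

# Constructed sample files (not from any real host) in a scratch directory.
SAMPLE_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# "Broken" set: no winbind in nsswitch, no realm or enum settings, FQDN only.
BAD_NSS="$SAMPLE_DIR/nsswitch.bad"; BAD_SMB="$SAMPLE_DIR/smb.bad"; BAD_HOSTS="$SAMPLE_DIR/hosts.bad"
printf 'passwd:\tcompat\ngroup:\tcompat\nshadow:\tcompat\n' > "$BAD_NSS"
printf '[global]\n   security = ADS\n   idmap uid = 10000-20000\n   idmap gid = 10000-20000\n' > "$BAD_SMB"
printf '127.0.0.1 localhost\n192.0.2.10 fileserver.example.com\n' > "$BAD_HOSTS"

# "Fixed" set: the nsswitch and smb.conf lines quoted in the replies, plus the
# short name in hosts (fileserver and EXAMPLE.COM are placeholders).
GOOD_NSS="$SAMPLE_DIR/nsswitch.good"; GOOD_SMB="$SAMPLE_DIR/smb.good"; GOOD_HOSTS="$SAMPLE_DIR/hosts.good"
printf 'passwd:\tcompat winbind\ngroup:\tcompat winbind\nshadow:\tcompat\n' > "$GOOD_NSS"
printf '[global]\n   winbind separator = +\n   idmap uid = 10000-20000\n   idmap gid = 10000-20000\n   winbind enum users = yes\n   winbind enum groups = yes\n   winbind use default domain = yes\n   security = ADS\n   realm = EXAMPLE.COM\n' > "$GOOD_SMB"
printf '127.0.0.1 localhost\n192.0.2.10 fileserver.example.com fileserver\n' > "$GOOD_HOSTS"

echo "broken sample: $(samba_ad_preflight "$BAD_NSS" "$BAD_SMB" "$BAD_HOSTS" fileserver) check(s) failed"
echo "fixed sample:  $(samba_ad_preflight "$GOOD_NSS" "$GOOD_SMB" "$GOOD_HOSTS" fileserver) check(s) failed"
```

Against real files you would call samba_ad_preflight /etc/nsswitch.conf /etc/samba/smb.conf /etc/hosts "$(hostname -s)". A clean run only says the static configuration is consistent; it says nothing about DNS, the trust secret or whether winbindd is actually running, which is why the wbinfo -t and wbinfo -p checks mentioned later in the thread still matter.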

Posted by eric (194.2.xx.xx) on Mon 28 Nov 2005 at 08:51
I have these lines too, but 'getent' or 'wbinfo -u' returns no users from my Windows AD domain.
I'm lost... and a little bit desperate...


Posted by phildebian (81.242.xx.xx) on Mon 2 Jan 2006 at 10:35
Did you finally find the solution?
I'm stuck on the same problem!

Will be happy to get an answer from a friendly boy (or girl!!)

Thank you


Posted by Anonymous (80.80.xx.xx) on Tue 14 Feb 2006 at 14:35
Looks like a DNS problem. Configure the Debian server to use AD's DNS.


Posted by Anonymous (24.213.xx.xx) on Mon 27 Feb 2006 at 04:58
Hey there,

I am running CentOS 4.2... turns out winbind was dead. I (in my own half-dead stupidity) clicked 'start winbind service' in the services menu... didn't notice it said winbindd half dead or some gibberish.

Type wbinfo -p; it should say:
[root@FATHOM samba]# wbinfo -p
Ping to winbindd succeeded on fd 4

or something similar... the first time I tried I got:
[root@FATHOM samba]# wbinfo -p
Ping to winbindd failed on fd -1
could not ping winbindd!

I had the exact same problem and everything works now... since I only found this site while googling I'll probably never hear if you get this fixed :s Hopefully this helps you!
