Hi all!
I'm new to this forum... and a newbie in samba + ads configuration.
I have this problem:
I'm trying to config my server (Freebsd 6.2 - Samba 3.0.25a - heimdal - openldap) to act as a native AD client.
For this purpose i' ve used this howto: @things seems to go allright until i' ve typed:
-
and it reutrned (after prompting for password):
-
I don' t know where i'm wrong, becuse if i type
i see all my users in the DC!!
Plz help me... Thanks
theese are my config files:
I'm new to this forum... and a newbie in samba + ads configuration.
I have this problem:
I'm trying to config my server (Freebsd 6.2 - Samba 3.0.25a - heimdal - openldap) to act as a native AD client.
For this purpose i' ve used this howto: @things seems to go allright until i' ve typed:
-
Code:
net ads join-
Code:
libsmb/cliconnect.c:cli_session_setup_spnego(853)
Kinit failed: Client not found in Kerberos database
Failed to join domain: Improperly formed account nameI don' t know where i'm wrong, becuse if i type
Code:
wbinfo -uPlz help me... Thanks
theese are my config files:
Code:
-------------------------smb.conf------------------------
[global]
workgroup = YYYY
realm = YYYY.XXXX.IT
encrypt passwords = yes
server string = Samba Server
security = ADS
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192
password server = SERVER2003
#winbind_separator = \
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
allow trusted domains= No
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
disable spoolss = Yes
disable netbios = Yes
show add printer wizard = No
preferred master = No
domain master = No
dns proxy = No
read only = No
wins server = SERVER2003.YYYY.XXXX.IT
ldap ssl = No
ldap admin dn = "cn=Administrator,cn=Users,DC=YYYY,DC=XXXX,DC=IT"
idmap backend = idmap_rid:YYYY=10000-30000
idmap uid = 10000-30000
idmap gid = 10000-30000
template shell = /usr/local/bin/bash
winbind use default domain = Yes
client signing = mandatory
server signing = mandatory
smb ports = 445
restrict anonymous = 2
client schannel = yes
server schannel = yes
client ntlmv2 auth = yes
logon path =
-----------------------krb5.conf---------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YYYY.XXXX.IT
[realms]
CEDI.DALFINI.IT = {
kdc = SERVER2003.YYYY.XXXX.IT
default_domain = YYYY.XXXX.IT
admin_server = SERVER2003.YYYY.XXXX.IT
}
[domain_realm]
.yyyy.xxxx.it = YYYY.XXXX.IT
yyyy.xxxx.it = YYYY.XXXX.IT
.YYYY.XXXX.IT = YYYY.XXXX.IT
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
---------------------------ldap.conf------------------------
#
# LDAP Defaults
#
host SERVER2003.YYYY.XXXX.IT
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=YYYY, dc=XXXX, dc=IT
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
ldap_version 3
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldaps://YYYY.XXXX.IT
binddn cn=Administrator,cn=Users,dc=YYYY,dc=XXXX,dc=IT
bindpw BindPassword
# Search scope
scope sub
# User ID attr for AD
pam_login_attribute sAMAccountName
#MD5 passwd hash
pam_password md5
# Break of the connection after one hour idle time
idle_timelimit 3600
# This is mapping made possible by nss_ldap
# Bases for the searches. These should be the OU's
# you create the user accounts in.
# Here we reference the standard default AD user container
# Please change to the container your users reside in
nss_base_passwd cn=Users,dc=CEDI,dc=DALFINI,dc=IT?one
nss_base_group cn=Users,dc=CEDI,dc=DALFINI,dc=IT?one
# The msSFU mappings reference Microsoft's Services for Unix
# Which you may uncomment if you have this installed on your DC
# *Schema mappings for Active Directory*
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
#nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
# SSL is enabled - Comment this line if no MS Enterprise Root CA Cert
ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no" Uncomment this is you have a client cert (you won't MS LDAP
# over SSL does not auth client cert, just a valid AD password)
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
# This again refers to the MS Root CA Cert - comment it if none
TLS_CACERT /lib/server2003.pem
# SSL cipher suite
# See man ciphers for syntax
# comment this if no cert
tls_ciphers TLSv1
# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
krb5_ccname FILE:/tmp/krb5cc_0