This is a discussion on samba within the AIX Operating System forums, part of the Unix Operating Systems category.
Hi,

I'm trying to add my machine to our ADS. I'm using AIX 5.2 and Samba 3.0.21b. Kinit is working ok, but when I try "net ads join" I get the error:

    [2006/02/06 12:20:30, 0] libads/kerberos.c:ads_kinit_password(164)
    kerberos_kinit_password administrator@DOMAIN.COM failed: Cannot resolve network address for KDC in requested realm
    [2006/02/06 12:20:30, 0] utils/net_ads.c:ads_startup(191)
    ads_connect: Cannot resolve network address for KDC in requested realm

Can anyone give me some advice on what I'm doing wrong?

Thx
"kvw" <kvw@awe.be> wrote in message news:43e73250$0$29455$ba620e4c@news.skynet.be...
> Hi,
>
> I'm trying to add my machine to our ADS. I'm using AIX 5.2 and Samba 3.0.21b
> Kinit is working ok, but when I try "net ads join" the i get the error
>
> [2006/02/06 12:20:30, 0] libads/kerberos.c:ads_kinit_password(164)
> kerberos_kinit_password administrator@DOMAIN.COM failed: Cannot resolve
> network address for KDC in requested realm
> [2006/02/06 12:20:30, 0] utils/net_ads.c:ads_startup(191)
> ads_connect: Cannot resolve network address for KDC in requested realm
>
> Can anyone give me some advice in what I'm doing wrong

Just from the message text, it seems that the system on which you're doing the "net ads join" cannot resolve/map the Kerberos Domain Controller's hostname to/from an IP address, to join the domain.

HTH
--
Regards,
Tim Clarke (a.k.a. WBST)
Guildford, U.K.
I can do an nslookup (ip/hostname) for my domain controllers. They are also in my hosts file.

Regards
Kris

"Tim Clarke" <SpamBlock.MonetaimCom@ntlworld.com> wrote in message news:TlHFf.4551$37.3614@newsfe3-win.ntli.net...
> "kvw" <kvw@awe.be> wrote in message
> news:43e73250$0$29455$ba620e4c@news.skynet.be...
>> Hi,
>>
>> I'm trying to add my machine to our ADS. I'm using AIX 5.2 and Samba
> 3.0.21b
>> Kinit is working ok, but when I try "net ads join" the i get the error
>>
>> [2006/02/06 12:20:30, 0] libads/kerberos.c:ads_kinit_password(164)
>> kerberos_kinit_password administrator@DOMAIN.COM failed: Cannot resolve
>> network address for KDC in requested realm
>> [2006/02/06 12:20:30, 0] utils/net_ads.c:ads_startup(191)
>> ads_connect: Cannot resolve network address for KDC in requested realm
>>
>> Can anyone give me some advice in what I'm doing wrong
>
> Just from the message text, it seems that the system on which you're doing
> the "net ads join" cannot resolve/map the Kerberos Domain Controller's
> hostname to/from an IP address, to join the domain.
>
> HTTH
> --
> Regards,
> Tim Clarke (a.k.a. WBST)
> Guildford, U.K.
>
Hi

/etc/krb5.conf
....
    [realms]
    DOMAIN.COM = {
        default_domain = domain.com
        kdc = <ip address of AD server>:88
        admin_server = <ip address of AD server>:749
    }
.....

    nslookup <ip address of AD server> <IP name server>

/etc/resolv.conf
    nameserver <IP Address>

or /etc/hosts
...
    kdc <IP address>
....

Example for AIX 4.3:

AIX Setup:

Verify your system has all the BOS sub packages from the AIX install CDs. Install rpm package manager (rpm.rte) with installp:

    installp -qacXgd rpm.rte rpm.rte

Install the following rpms (http://www-1.ibm.com/servers/aix/pro.../download.html). If they are all in the same directory, you can do this by doing the following:

    rpm -ivh --nodeps *.rpm

Packages Required:
    autoconf-2.53-1.aix4.3.noarch.rpm
    automake-1.5-1.aix4.3.noarch.rpm
    bash-2.05a-1.aix4.3.ppc.rpm
    bison-1.34-2.aix4.3.ppc.rpm
    db-3.3.11-3.aix4.3.ppc.rpm
    flex-2.5.4a-6.aix4.3.ppc.rpm
    gawk-3.1.0-2.aix4.3.ppc.rpm
    gettext-0.10.39-2.aix4.3.ppc.rpm
    glib-1.2.10-2.aix4.3.ppc.rpm
    glib-devel-1.2.10-2.aix4.3.ppc.rpm
    glib2-2.2.1-3.aix4.3.ppc.rpm
    glib2-devel-2.2.1-3.aix4.3.ppc.rpm
    gzip-1.2.4a-7.aix4.3.ppc.rpm
    libtool-1.4.2-1.aix4.3.ppc.rpm
    m4-1.4-14.aix4.3.ppc.rpm
    make-3.79.1-3.aix4.3.ppc.rpm
    openldap-2.0.21-4.aix4.3.ppc.rpm
    openldap-devel-2.0.21-4.aix4.3.ppc.rpm
    pkgconfig-0.15.0-1.aix4.3.ppc.rpm
    rpm-3.0.5-30.aix4.3.ppc.rpm
    sed-3.02-8.aix4.3.ppc.rpm
    tar-1.13-4.aix4.3.ppc.rpm

Update PATH and LD_LIBRARY_PATH:

    PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/local/bin:/usr/local/sbin:/usr/local/samba/bin:/usr/local/samba/sbin
    LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/lib

Download binutils and gcc binaries:
    binutils.2.9.1.tar.gz (http://sunsite.lanet.lv/ftp/unix/aix...s/RISC/4.2/exec/)
    gcc.3.3.4.tar.Z (http://aixpdslib.seas.ucla.edu/packages/gcc.html)

Download source code for the following:
    krb5-1.3.5.tar.gz (http://web.mit.edu/kerberos/www/dist/)
    openldap-2.2.18.tar.gz (http://www.openldap.org/software/download/)
    samba-3.0.8pre2.tar.gz (http://www.samba.org)

Install binutils:

    gzip -d binutils.2.9.1.tar.gz
    cp binutils.2.9.1.tar /
    tar -xvf binutils.2.9.1.tar
    rm /binutils.2.9.1.tar

**Note** Untar the binutils from the / directory so the files are placed into the proper locations.

Install gcc:

    gzip -d gcc.3.3.4.tar.Z
    cp gcc.3.3.4.tar /
    tar -xvf gcc.3.3.4.tar
    rm /gcc.3.3.4.tar

**Note** Untar the binutils from the / directory so the files are placed into the proper locations.

Build and install Kerberos:

    gzip -d krb5-1.3.5.tar.gz
    tar -xvf krb5-1.3.5.tar
    cd krb5-1.3.5
    ./configure --enable-dns --enable-dns-for-kdc --enable-dns-for-realm
    make
    make install

Build and install OpenLDAP:

    gzip -d openldap-2.2.18.tar.gz
    tar -xvf openldap-2.2.18.tar
    cd openldap-2.2.18
    ./configure --disable-slurpd --disable-bdb --disable-slapd --without-threads
    make
    make install

Build and install Samba:

    gzip -d samba-3.0.8pre2.tar.gz
    tar -xvf samba-3.0.8pre2.tar
    cd samba-3.0.8pre2
    ./configure --with-winbind --with-ldap --with-ads --with-krb5=/usr/local
    make
    make install

Configure Kerberos:

Edit /etc/krb5.conf to reflect the following (substitute DOMAIN.COM with your domain):

    [logging]
     default = FILE:/var/log/krb5/libs.log
     kdc = FILE:/var/log/krb5/kdc.log
     admin_server = FILE:/var/log/krb5/admin.log

    [libdefaults]
     ticket_lifetime = 24000
     default_realm = DOMAIN.COM
     forwardable = true
     proxiable = true
     dns_lookup_realm = false
     dns_lookup_kdc = false

    [realms]
     DOMAIN.COM = {
      default_domain = domain.com
      kdc = <ip address of AD server>:88
      admin_server = <ip address of AD server>:749
     }

    [domain_realm]
     .domain.com = DOMAIN.COM
     domain.com = DOMAIN.COM

    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

    [pam]
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false

Configure Samba:

Edit /usr/local/samba/lib/smb.conf to reflect the following (substitute DOMAIN with your domain):

**Note** The shares are examples and may be different.

    [global]
     workgroup = DOMAIN
     netbios name = HOSTNAME
     server string = HOSTNAME
     security = ADS
     realm = DOMAIN.COM
     password server = <ip address>
     wins server = <ip address>
     client use spnego = yes
     client signing = yes
     encrypt passwords = yes
     printcap name = cups
     disable spoolss = Yes
     show add printer wizard = No
     idmap uid = 15000-20000
     idmap gid = 15000-20000
     winbind separator = +
     winbind use default domain = Yes
     winbind enum users = yes
     winbind enum groups = yes
     template homedir = /home/%U
     template shell = /bin/bash
     use sendfile = Yes
     printing = cups
     ldap suffix = "dc=DOMAIN, dc=com"
     winbind cache time = 0
     #Uncomment to allow these options
     #log level = 8
     #log file = /var/log/samba.log
     #max log size = 5000000
     #debug timestamp = yes
     browseable = yes
     obey pam restrictions = yes
     auth methods = winbind

    [homes]
     comment = User Home
     path = /home/%U
     force group = %U
     read only = No
     browseable = No

    [alpha]
     comment = OSCAR Alpha Code (Read/Write)
     path = /apps/oscar/alpha
     valid users = @dev, @REDHAT
     admin users = @dev, @REDHAT
     read only = No
     browseable = Yes

    [beta]
     comment = OSCAR Beta Code (Read Only)
     path = /apps/oscar/beta
     valid users = @dev, @REDHAT
     admin users = @dev, @REDHAT
     read only = Yes
     browseable = Yes

    [scripts]
     comment = OSCAR Scripts (Read Only)
     path = /apps/oscar/scripts
     valid users = @dev, @REDHAT
     admin users = @dev, @REDHAT
     read only = Yes
     browseable = Yes

    [logs]
     comment = OSCAR Logs (Read Only)
     path = /apps/logs
     valid users = @dev, @REDHAT
     admin users = @dev, @REDHAT
     force user = oscar
     force group = dev
     read only = Yes
     browseable = Yes

    [archive]
     comment = OSCAR Archive (Read Only)
     path = /apps/archive
     valid users = @dev, @REDHAT
     admin users = @dev, @REDHAT
     force user = oscar
     force group = dev
     read only = Yes
     browseable = Yes

    [apps]
     comment = OSCAR
     path = /apps
     valid users = @dev, @REDHAT
     admin users = @dev, @REDHAT
     read only = No
     browseable = Yes

    [public]
     comment = test
     path = /usr/local/source
     read only = No
     browseable = Yes

**Note** Do not start Samba yet!

Active Directory Integration:

Obtain a kerberos ticket from your AD server by issuing the command:

    kinit Administrator

You will then be asked for a password. Put in the Administrator password for your Domain. To verify the ticket was issued do the following:

    klist

The results should appear as follows:

    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator at DOMAIN.COM

    Valid starting     Expires            Service principal
    11/03/04 14:26:23  11/04/04 00:26:22  krbtgt/DOMAIN.COM at DOMAIN.COM
            renew until 11/04/04 14:26:23

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

Once you have obtained a kerberos ticket you can join the computer to the domain:

    net ads join

Now start Samba and Winbind:

    /usr/local/samba/sbin/smbd -D
    /usr/local/samba/sbin/nmbd -D
    /usr/local/samba/sbin/winbindd

Winbind and Active Directory Authentication:

First you will need to copy the WINBIND file from where it was created when you compiled Samba to /usr/lib/security:

    cp /path/to/samba-3.0.8pre2/nsswitch/WINBIND /usr/lib/security

Next you will need to add a stanza to the file /usr/lib/security/methods.cfg:

    WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly

Finally you will need to edit /etc/security/users and make sure under the default stanza that SYSTEM is set to WINBIND:

    default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 =
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "WINBIND"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 0
        minage = 0
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        dictionlist =
        pwdchecks =

Test your authentication by issuing a telnet to the aix box and login using your Active Directory credentials.

Slawomir Ksiazek
IBM eServer Certified Specialist
pSeries Administration and Support for AIX 5L v.5.2
email:yazoo@hacking.pl
kvw wrote:
> Hi,
>
> I'm trying to add my machine to our ADS. I'm using AIX 5.2 and Samba 3.0.21b
> Kinit is working ok, but when I try "net ads join" the i get the error
>
> [2006/02/06 12:20:30, 0] libads/kerberos.c:ads_kinit_password(164)
> kerberos_kinit_password administrator@DOMAIN.COM failed: Cannot resolve
> network address for KDC in requested realm
> [2006/02/06 12:20:30, 0] utils/net_ads.c:ads_startup(191)
> ads_connect: Cannot resolve network address for KDC in requested realm
>
> Can anyone give me some advice in what I'm doing wrong
> Thx

Kerberos and AD are very picky about DNS and servers being correctly specified with fqdn. Make sure your KDC is specified correctly in smb.conf. Note that you also need sufficient privileges to create a machine object in AD.

This setup works for me:

    workgroup = MYWORKGROUP
    dns proxy = yes
    ;; disable netbios = yes
    realm= MYADREALM
    security = ADS
    password server= my_KDC.full.domain
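The two replies above both come down to the same question: can libkrb5 locate a KDC for the realm, either from an explicit kdc= line in the [realms] stanza or via DNS when dns_lookup_kdc is enabled? The check below is an added shell example, not code from any poster; it assumes a POSIX sh with awk, and the krb5.conf it parses is a constructed sample using the placeholder address 192.0.2.10.

```shell
# Added diagnostic, not from the thread: given a krb5.conf and a realm, report
# whether libkrb5 has any way to locate a KDC (explicit kdc= or DNS SRV lookup).
# Constructed sample in the shape shown in the thread; 192.0.2.10 is a placeholder.
SAMPLE_KRB5=/tmp/krb5.conf.sample.$$
cat > "$SAMPLE_KRB5" <<'EOF'
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_kdc = false
[realms]
 DOMAIN.COM = {
  kdc = 192.0.2.10:88
 }
 OTHER.EXAMPLE = {
 }
EOF

# Print each "kdc = ..." value inside the [realms] stanza for REALM.
kdc_for_realm() {   # kdc_for_realm FILE REALM
  awk -v realm="$2" '
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    sec == "realms" && $1 == realm && index($0, "{") { inr = 1; next }
    inr && index($0, "}") { inr = 0; next }
    inr && $1 == "kdc" { sub(/^[^=]*=[ \t]*/, ""); print }
  ' "$1"
}

# Print the value of KEY from [libdefaults] (empty if absent).
libdefault() {   # libdefault FILE KEY
  awk -v key="$2" '
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    sec == "libdefaults" && $1 == key { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# OK (exit 0) when REALM has a kdc= line or dns_lookup_kdc is explicitly true;
# otherwise NO-KDC (exit 1), the state behind the error quoted in the thread.
# Conservative on purpose: an unset dns_lookup_kdc is not treated as enabled.
check_kdc() {   # check_kdc FILE REALM
  kdcs=$(kdc_for_realm "$1" "$2")
  if [ -n "$kdcs" ]; then
    echo "OK: $2 -> explicit KDC(s): $(echo "$kdcs" | tr '\n' ' ')"; return 0
  elif [ "$(libdefault "$1" dns_lookup_kdc)" = "true" ]; then
    echo "OK: $2 -> DNS SRV lookup of _kerberos._udp.$2 / _kerberos._tcp.$2"; return 0
  fi
  echo "NO-KDC: $2 has no kdc= entry and dns_lookup_kdc is not true"; return 1
}

check_kdc "$SAMPLE_KRB5" DOMAIN.COM
check_kdc "$SAMPLE_KRB5" OTHER.EXAMPLE || :
```

Point it at the real /etc/krb5.conf and the realm from smb.conf; a NO-KDC result means the realm stanza, not name resolution of the host, is what "net ads join" is tripping over.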