1

I'm trying to use Fedora and Samba as a file server.

Using Kerberos, I'm trying to make sure no passwords are transmitted over my network.

I'm able to use Samba for its file server capabilities. Kerberos is also able to get a ticket for authentication or verification by using this command: `sudo kinit foo`. I can verify this by using `sudo klist -a`.

However, every time I use the command `sudo net join ads -S server -U foo`, it results in the following error:

```
kinit succeeded but ads_sasl_spnego_krb5_bind failed: SASL bind in progress
```

My smb.conf:

```
[global]
workgroup=DOMAIN
netbios name=server
realm=DOMAIN.local
server string=Sama Server Versie%v
security=ADS
encrypt passwords=yes
browseable=yes
```

My krb5.conf:

```
[libdefaults]
# dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = DOMAIN.LOCAL
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DOMAIN.LOCAL = {
#  kdc = kerberos.domain.local
#  admin_server = kerberos.domain.local
  kdc=server.DOMAIN.LOCAL
  admin_server=server.DOMAIN.LOCAL
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL
```

Do you guys have a solution or explanation for it?

I was not able to find any clues browsing the web.

ImAtWar
  • What's the error? – byronicle Dec 05 '15 at 00:31
  • This is the error I'm getting: `kinit succeeded but ads_sasl_spnego_krb5_bind failed: SASL bind in progress`. I tried looking at the logs, but I can't seem to find any clue in there. Is there something I'm overlooking? – ImAtWar Dec 05 '15 at 08:58
  • @ImAtWar, is user `foo` a domain admin account? – Diamond Dec 07 '15 at 10:23
  • Yes, it is. I can also ping the domain server. – ImAtWar Dec 07 '15 at 10:24
  • @ImAtWar, can you also add `password server = server.domain.local` to the global part of smb.conf and try? Make sure the name resolves to the correct IP using DNS. – Diamond Dec 07 '15 at 11:29
  • This doesn't help. – ImAtWar Dec 07 '15 at 12:42
  • @ImAtWar, you need to restart samba and winbind after making changes. Do you have `winbind` running? Is your AD behind a firewall? Which how-to have you followed? – Diamond Dec 07 '15 at 13:09
  • I did restart the samba service. I'm not sure I use winbind; actually, this is the first I've heard about it. The process I'm doing is just an install like so: `sudo yum install samba* samba-server` – ImAtWar Dec 07 '15 at 17:02

2 Answers

0

As you have mentioned in the comment, you have only done `sudo yum install samba* samba-server`. It seems very obvious that you are missing some important steps (and the concept) to configure the Fedora server properly as a Windows domain member. You have also not mentioned what exactly you are trying to achieve, and I am guessing you want to bring the Fedora server into the Windows domain.

There are different ways to do it and you need to find a proper how-to for your case and follow it.

Here is one you can try that seems very close to your scenario:

Join in Windows Active Directory Domain with Samba Winbind.

And another very nice how-to on Chapter 4. Using Samba, Kerberos, and Winbind from RedHat.

davelupt
Diamond
  • I configured the firewall and set up Samba correctly, as I am able to access shares. What I want to do is secure password transfers between Samba and AD. – ImAtWar Dec 08 '15 at 06:28
  • @ImAtWar, have you checked the links I have mentioned? You are missing some points here. Please check them and see if it works. – Diamond Dec 08 '15 at 10:00
  • Can you tell me what the purpose of `winbind` is? I could not tell anything and the need of everything in the links you gave me. – ImAtWar Dec 09 '15 at 18:35
  • And how come I'm able to use Samba shares without using winbind? – ImAtWar Dec 16 '15 at 05:09
  • After following the guides you sent, I still was not able to connect to the domain. SASL bind is still in progress. – ImAtWar Jan 04 '16 at 13:06
0

In the end it was a Windows problem. It seems I configured Windows wrong.

I assigned a second network adapter the IP which would be used for connecting with samba.

ImAtWar
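A preflight check for the two things this thread points at before running the join, added here as an example and not taken from any post above: that the KDC name in krb5.conf resolves to the address you expect (the comment about DNS), and that it does not resolve to several addresses. That a server with a second network adapter shows up this way in DNS is an assumption, and the function names, the sample addresses and the `expected_net` parameter are hypothetical.

```python
import ipaddress
import re
import socket

# Constructed samples modelled on the question's files; not the poster's real values.
SMB_CONF = "[global]\nworkgroup=DOMAIN\nrealm=DOMAIN.local\nsecurity=ADS\n"
KRB5_CONF = """[libdefaults]
 default_realm = DOMAIN.LOCAL
[realms]
 DOMAIN.LOCAL = {
#  kdc = kerberos.domain.local
kdc=server.DOMAIN.LOCAL
 }
"""

def parse(smb_text, krb5_text):
    """Return (smb realm, krb5 default_realm, [kdc hosts]); '#' lines are skipped."""
    def first(pat, text):
        m = re.search(pat, text, re.M)
        return m.group(1) if m else None
    # A kdc entry may carry a port (host:88); keep only the host part.
    kdcs = re.findall(r"^[ \t]*kdc[ \t]*=[ \t]*([^\s:]+)", krb5_text, re.M)
    return (first(r"^[ \t]*realm[ \t]*=[ \t]*(\S+)", smb_text),
            first(r"^[ \t]*default_realm[ \t]*=[ \t]*(\S+)", krb5_text), kdcs)

def system_resolver(host):
    """All addresses the local resolver returns for host (Kerberos port 88)."""
    infos = socket.getaddrinfo(host, 88, type=socket.SOCK_STREAM)
    return sorted({ai[4][0] for ai in infos})

def preflight(smb_text, krb5_text, expected_net, resolver=system_resolver):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    smb_realm, krb_realm, kdcs = parse(smb_text, krb5_text)
    if smb_realm != krb_realm:
        findings.append(f"realm spelled differently: smb.conf={smb_realm} krb5.conf={krb_realm}")
    net = ipaddress.ip_network(expected_net)  # assumption: the subnet you expect the DC on
    for host in kdcs:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            findings.append(f"{host}: does not resolve ({exc})")
            continue
        if len(addrs) > 1:
            findings.append(f"{host}: resolves to several addresses {addrs}")
        stray = [a for a in addrs if ipaddress.ip_address(a) not in net]
        if stray:
            findings.append(f"{host}: {stray} not in expected network {expected_net}")
    return findings
```

Call `preflight()` with the contents of `/etc/samba/smb.conf` and `/etc/krb5.conf` and the subnet the domain controller should be on; the realm finding is informational and is not claimed to be the cause of the error in the question.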