SAMBA加入windows2003域 急！

wxb517xz

公司购买了2003的正版，以前samba要如2003的域认证
小弟samba装在redhat9上samba2.2.7 以前入windows2000域一切正常，利用winbind能看到域中所有组和用户。现在我把samba升级为3.0.14a kerberos升级为1.3.1 重新编译了winbind和pam 能入windows2003域且能看到bulite 组用户，但在wbinfo -u 时不能同步域用户。表现为kerberos出错，但据samba文档讲kerberos1.3.1能满足和2003的兼容啊，请大家指点一二，小弟不胜感激   (以下是各配置文件和出错提示)

smb.conf:
         [global]
        workgroup = I-ZQ-LOCAL
        netbios name = SAM01
        server string = Wiki_FStore Server
        #security = domain
        #security = ads
        encrypt passwords = Yes
        obey pam restrictions = Yes
        #password server = 192.168.80.6
        password server = *
        pam password change = Yes
        #passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        #username map = /etc/samba/smbusers
        unix password sync = Yes
        log file = /var/log/samba/sam.log
        max log size = 30000000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
       #add user script = /usr/sbin/useradd -g smbuser -m %u
        domain master = No
        dns proxy = No
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        template homedir = /home/winnt/%D/%U
        hosts allow = 192.168.
        printing = cups
        #domain controller = 192.168.80.6


       winbind separator = +
       winbind enum users = yes
       winbind enum groups = yes
       template shell = /bin/bash
       nt acl support = yes
       winbind use default domain = yes
       #spnego = yes
       client use spengo = yes
       #idmap uid = 10000-20000
       #idmap gid = 10000-20000
        client schannel = no
        username map = /etc/samba/smbusers
        realm = I-ZQ-LOCAL
        use kerberos keytab = yes


kerberos krb5.conf:
       [logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = I-ZQ-LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
I-ZQ-LOCAL = {
  kdc =ZQDC2.I-ZQ.COM:88
  admin_server = ZQDC2.I-ZQ.COM:749
  default_domain = I-ZQ-LOCAL
}

[domain_realm]
.example.com = I-ZQ-LOCAL
example.com = I-ZQ-LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {  
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000  
   forwardable = true
   krb4_convert = true
}           
[root@sam01 init.d]# wbinfo -g
BUILTIN+system operators
BUILTIN+replicators
BUILTIN+guests
BUILTIN+power users
BUILTIN+print operators
BUILTIN+administrators
BUILTIN+account operators
BUILTIN+backup operators
BUILTIN+users
[root@sam01 source]# wbinfo -u
-Error looking up domain users

[root@sam01 sbin]# krb5kdc
krb5kdc: cannot initialize realm I-ZQ-LOCAL - see log file for details

[root@sam01 sbin]# net join rpc I-ZQ-LOCAL -U Administrator
[2005/06/10 22:24:49, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password Administrator@I-ZQ.COM failed: Cannot find KDC for requested realm
[2005/06/10 22:24:49, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Cannot find KDC for requested realm
Joined domain I-ZQ-LOCAL.

应该是kerberos的问题，但到底怎样解决呢？？郁闷ing~~~

wxb517xz

没人顶啊
唉

wxb517xz

现在主要问题就是kerberos不正确：
[root@sam01 sbin]# kadmin -r
-kadmin: symbol lookup error: /lib/libkrb5.so.3: undefined symbol: add_error_table

q1208c

一定是没看完 samba 的文档, 那上面说, samba 要支持 windows 2003 的 AD, 必须用 MIT 的 kerberos .
找一个试试吧.

我以前试过, 好象是可以, 只是我那次是有别的问题, 后来因为没人要用了, 也就没再试.