[Samba] Mac OS X clients not binding to a Samba+LDAP PDC

David Martinez davidmx at gmail.com
Sat Dec 10 02:27:11 GMT 2005


Yeah, you're right.
I confused PDC with AD DC ... maybe that's the root of all my doubts.

I am going to check the PADL and I'll tell you my experience.

I thought using MacOS's AD plugin will save me some time, but as I see it is
not designed for classical NTLM model.

Thanks to everyone who responded to my question.

I hope in the future the great guys of samba give us something to peel the
Apple's.



David




On 12/9/05, SAMBA <letz_samba at realmspace.com> wrote:
>
> I think the best solution for the Macintosh would be PADL's stuff.  Check
> out, http://www.padl.com/Contents/OpenSourceSoftware.html.  There's a NSS
> module that will plug into LDAP for unix information.  You'll need to
> configure the appropriate mappings.  Also, there's a PAM module that will
> authenticate using a password hash stored in the LDAP.  Naturally you should
> encrypt the traffic using either SASL, LDAPS, or LDAP StartTLS.  Amongst the
> tools is a caching tool, which will allow the laptop to work offline, much
> like the Windows feature.
>
> For a pure SAMBA 2.0 solution, you would have to configure NSS and PAM to
> use winbindd on the MacOS X.  I am not even sure how to do this or what
> Apple's level of support is for a complete SAMBA set of tools and
> configurations.
>
> Another thing, you seem to be confusing PDC with Active Directory DC.  The
> PDC is from the olden days, and uses NTLM for authentication.  An AD DC uses
> Kerberos for authentication.  There's no concept of a PDC in Active
> Directory, as it is a "multi-master" scenario, where every DC is an equal
> citizen.  If one fails, users authenticate to another DC.  There's no
> "primary" like in the historic NT domain, which is a "single-master"
> scenario having a single-point of failure; if the PDC fails, no one
> authenticates until a BDC is promoted to the role of PDC.
>
> - Joaquin Menchaca
>
>
>
> ________________________________________
> From: David Martinez [mailto:davidmx at gmail.com]
> Sent: Thursday, December 08, 2005 8:13 AM
> To: SAMBA
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Mac OS X clients not binding to a Samba+LDAP PDC
>
> Thanks for your response.
>
> I think I haven't been clear, my environment is:
>
> 1. Fedora Core 4 + openldap 2.2 + samba 3.0: this is the PDC, samba uses
> ldap as a backend for users,computers,groups. That box has NSS, PAM and LDAP
> configured
>
> 2. Windows XP clients are attached to the domain and are working pretty
> good.
>
> 3. I need to join Mac OS X 10.3 clients to the same domain in order to
> have single sign-on. These clients are using samba 2.
>
> * My first test was to use incorporated LDAP authentication with Mac OS X
> (Apps->Utilities -> Directory Access -> Authentication -> Custom Path ), I
> had to change default LDAP attribute mapping and it worked. But this
> solution won't allow my mobile users to sign on once they are out of office
> because the last login is not cached (I need a windows-like behavior where AD
> clients can login even when they are not attached to the network).
> * A second test is to use Active Directory Plugin incorporated with
> Panther but it doesn't work. I've been using a sniffer to see what's going on
> on the binding process and I found the Mac client asks for kerberos
> authentication; since I have no kerberos in the PDC box the binding
> process fails. The Active Directory Plugin works fine with Win2K AD servers,
> I have used it before... looks like the AD Plugin does not use samba.
>
> As you see I have three options:
>
> * Find a solution to the LDAP authentication caching problem when the Mac
> Clients are not connected to the network.
> * Configure kerberos authentication on the LDAP+SAMBA box and join the Mac
> Clients to the PDC.
> * Forget all this and spend $15,000 bucks on win server and CALs,
> reconfigure all WinXP Clients and install Win2k on the linux box.
>
> Has anybody here ever attached Mac OS X clients to a Samba 3 PDC ??
>
>
> Saludos
> David
>
>
>
>
>
>
> On 12/8/05, SAMBA <letz_samba at realmspace.com> wrote:
> Have you configured NSS and PAM to use winbindd?
>
> Are you trying to use a PDC or Active Directory LDAP/Kerberos?
> - PDC supports NTLM for authentication, which is old school Windows NT.
> - Active Directory supports Kerberos for authentication.
>
> I haven't yet used the AD plug-in. I think that the LDAP schema needs to be
> modified to support UNIX data like gid/uid, shell, etc. There's an AD4Unix
> open source solution that I think can add the compatible schema. The AD
> plug-in will also reconfigure PAM to use Apple's module; you need to
> configure PAM to use SAMBA's winbindd instead. Also before this, you must
> establish authentication through Kerberos, testing with kinit, and
> configuring Kerberos on the client. You might need to export a keytab that
> corresponds to a Windows service principal name(s) (user account with name
> that represents host client and services offered by host client) using
> ktpass on the Windows domain controller, and import this keytab securely
> into the client that needs to access the Windows domain controller.
>
> As for Mac OS X, I am pretty sure they support the older SAMBA 2.0, which
> does not have support for Active Directory, other than through a PDC
> emulator operations masters on Windows 2000 or Windows Server 2003 domain
> controller.
>
> Also, you say you are using SAMBA 3.0.20. Did you compile this on the
> Macintosh?
>
> - Joaquin
>
> -----Original Message-----
> From: samba-bounces+letz_samba=realmspace.com at lists.samba.org [mailto:
> samba-bounces+letz_samba=realmspace.com at lists.samba.org] On Behalf Of
> David Martinez
> Sent: Tuesday, December 06, 2005 8:25 AM
> To: samba at lists.samba.org
> Subject: [Samba] Mac OS X clients not binding to a Samba+LDAP PDC
>
> Hi there !
>
> This is my first post and I really would like to have this stuff working
> ...
> if not, I should go to Win2k3 server .... please help me to avoid it !!!!
>
> I've been trying to integrate Mac OS X (10.3) clients to my Samba server
> through the Active Directory Plugin with no success. This PDC is currently
> working for 90 PC's with XP SP2.
>
>
> My server is well configured from the DNS (or I think so):
>
> ns A 192.168.101.50
> ldap A 192.168.101.50
> pruebas A 192.168.101.50
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp.dc._msdcs SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp.aab455e4-bbb2-408b-a097-bb359f315574.domains._msdcs SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp.gc._msdcs SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp.pdc._msdcs SRV 0 100 389 pruebas.valeeuro.com
> _gc._tcp.Default-First-Site-Name._sites SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp.Default-First-Site-Name._sites SRV 0 100 389 pruebas.valeeuro.com
> _gc._tcp SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp SRV 0 100 389 pruebas.valeeuro.com
>
> When I try to bind the Mac computer to the domain it stops on step 3 and
> sends an error "Invalid username and password"
>
> As I see, the Mac is trying to connect using kerberos authentication,
> which I don't know how to configure on the samba+ldap!!
> How do I enable kerberos authentication on my LDAP+SAMBA+Linux server?
>
>
> My configuration:
> samba 3.0.20
> openldap 2.2.23 (openldap is the backend for samba)
> bind 9.3
> linux fedora core 4
>
>
> Thanks in advance !!!
>
>
> Saludos
> David
>
>
>
>
>
>
>


--
Saludos
David
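The thread's diagnosis is that the Mac AD plug-in gets as far as locating the domain via the SRV records above and then fails because it expects Kerberos, which a Samba 3 PDC does not offer. The script below is an added example (not code from the thread, Samba or Apple) that parses a zone listing in the flat "owner TYPE rdata" form the poster pasted and checks it against the SRV names and ports a standard Active Directory client looks up (_ldap, _gc, _kerberos and _kpasswd under the domain and _msdcs). The zone lines are transcribed from the listing in the thread; the domain name valeeuro.com is assumed from the SRV targets, and the expected-port table is the normal AD convention, not something the thread states.

```python
"""Check a zone listing for the SRV records an Active Directory-style
client needs before it can bind.  Added example: the zone lines are a
transcription of the listing in the thread, the origin valeeuro.com is
assumed from the SRV targets, and EXPECTED holds the standard AD service
names and ports (not from the thread)."""
from collections import defaultdict

# Standard AD SRV names (relative to the domain) and the port each service
# normally listens on.  Global catalog is 3268, Kerberos 88, kpasswd 464.
EXPECTED = {
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_ldap._tcp.pdc._msdcs": 389,
    "_gc._tcp": 3268,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
}

# Transcribed from the poster's listing (relative owner names, no TTL/class).
ZONE_LISTING = """\
ns A 192.168.101.50
ldap A 192.168.101.50
pruebas A 192.168.101.50
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.dc._msdcs SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.aab455e4-bbb2-408b-a097-bb359f315574.domains._msdcs SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.gc._msdcs SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.pdc._msdcs SRV 0 100 389 pruebas.valeeuro.com
_gc._tcp.Default-First-Site-Name._sites SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 389 pruebas.valeeuro.com
_gc._tcp SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp SRV 0 100 389 pruebas.valeeuro.com
"""


def parse_zone(text, origin):
    """Parse 'owner TYPE rdata...' lines into a dict of A and SRV records.

    Relative owners are qualified with the origin.  Returns
    {"A": {fqdn: [ip, ...]}, "SRV": {fqdn: [(prio, weight, port, target), ...]}}.
    Lines that are not A or SRV, or are malformed, are skipped.
    """
    records = {"A": defaultdict(list), "SRV": defaultdict(list)}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        owner, rtype, rdata = parts[0], parts[1].upper(), parts[2:]
        fqdn = owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}"
        if rtype == "A" and len(rdata) == 1:
            records["A"][fqdn].append(rdata[0])
        elif rtype == "SRV" and len(rdata) == 4:
            prio, weight, port, target = rdata
            records["SRV"][fqdn].append(
                (int(prio), int(weight), int(port), target.rstrip("."))
            )
    return records


def check_ad_srv(records, origin):
    """Return human-readable findings: missing services, unexpected ports,
    and SRV targets that have no A record in the listing."""
    findings = []
    for service, expected_port in EXPECTED.items():
        name = f"{service}.{origin}"
        entries = records["SRV"].get(name)
        if not entries:
            findings.append(f"missing SRV {name}")
            continue
        for _prio, _weight, port, target in entries:
            if port != expected_port:
                findings.append(f"{name} advertises port {port}, expected {expected_port}")
            if target not in records["A"]:
                findings.append(f"{name} target {target} has no A record")
    return findings


def kerberos_advertised(records, origin):
    """True only if the zone advertises a Kerberos KDC for the domain."""
    return bool(records["SRV"].get(f"_kerberos._tcp.{origin}"))


if __name__ == "__main__":
    recs = parse_zone(ZONE_LISTING, "valeeuro.com")
    for finding in check_ad_srv(recs, "valeeuro.com"):
        print(finding)
    print("kerberos advertised:", kerberos_advertised(recs, "valeeuro.com"))
```

Run against the listing from the thread, the checks report that no _kerberos or _kpasswd records exist and that _gc._tcp advertises the plain LDAP port rather than 3268, which is exactly the gap a Kerberos-first client trips over. Adding the missing records alone would not help, since nothing on the PDC box answers on port 88; the value of the check is to confirm quickly, from DNS alone, whether a domain can satisfy an AD client before spending time on the client side.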

