[Samba] CentOS 5 client in W2K3 AD Domain, getent only shows local info
Lemire, David
d.lemire at anassoc.com
Tue Feb 19 14:03:20 GMT 2008
> Try comparing what you did to these articles. They worked very well for
> me on a W2K AD domain.
> To me, they're more easily understood than the official docs.
>
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
They pretty much describe what I'd done to this point, +/- a couple of
details (which I do realize may be important). One question they bring
up for me is this: In describing krb5.conf, I've seen the
[domain_realm] section shown two or three different ways:

    [domain_realm]
    .kerberos.server = DOMAIN.NET

    [domain_realm]
    .mydomain.domain = DOMAIN.NET

    [domain_realm]
    .mydomain.domain = DOMAIN.NET
    mydomain.domain = DOMAIN.NET

The example on MIT kerberos site would seem to indicate that the third
one of those is right (see
<http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#domain_005frealm>),
but I've definitely seen both of the others used as example configurations.
The other thing I came across after posting my question to this list was
an entry in Scott Lowe's blog about problems w/CentOS 5 and Active
Directory integration
<http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/>.
OTOH, he was having problems getting the machine to join the domain,
whereas my roadblocks are a step or two beyond that. Still, it makes me
wonder if I shouldn't just one or more pieces of this puzzle (starting
w/samba).
I need to double-check that my samba build includes the DOMAIN2HOSTLIST
component; I can't check at the moment, but IIRC, that might not have
been in the list when I checked before. Would missing that account for
my winbind / getent disparity?
Dave
>
> Lemire, David wrote:
>> I'm trying to integrate a Linux machine into our
>> Win2K3 ADS-based network. The machine must
>> primarily serve as a user workstation (i.e., a
>> Samba Client), although it also needs to serve at
>> least one share for backup purposes. I'd like to
>> emulate the behavior of our WinXP machines in that
>> any user in our small company can login to any
>> computer in the domain based on network
>> username/password.
>>
>> I've been following the information in the
>> "Samba3-By Example" guide (the on-line, PDF
>> version, 28 Jan 2008), section 7.3.4. I've had
>> success joining the network and accessing a share
>> on a server, but then run into a snag where
>> getent doesn't return equivalent information to
>> wbinfo for users and groups. I've done scads of
>> web searching, reading, tinkering with conf files,
>> and have scanned about six months of this list's
>> archive without finding a resolution, although my
>> problem doesn't seem to be uncommon.
>> Before I post conf files with specifics I'd like
>> to ask a couple of basic questions:
>>
>> 1) Need I care that getent won't return equivalent
>> results as wbinfo? The guide describes this is
>> "to validate the full identity resolution is
>> functional as required", so I've been taking it as
>> gospel that I shouldn't tackle PAM until getent
>> works.
>>
>> 2) Active Directory Configuration: Is it a
>> requirement that I either make configuration
>> changes in AD or install Microsoft Services for
>> UNIX to accomplish what I want? The By-Example
>> guide seems to indicate that I don't have to (1st
>> page of 7.3.4), but at least one write-up I've
>> found on-line states that AD mods are necessary
>> (<http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/>
>> it is from Dec 2005, so could be out-of-date?).
>>
>> 3) My software versions are:
>>
>> * PDC and BDC are running Active Directory on Windows Server 2003 SP2
>> * Linux machine is running CentOS 5 with current updates
>> * Samba software is 3.0.25b (supplied w/CentOS)
>> * krb5 software is 1.6.1-17 (supplied w/CentOS)
>> * nss is 3.11.7 (supplied w/CentOS)
>> * nss_ldap is 253-5 (supplied w/CentOS)
>>
>> Do I need to upgrade to newer versions? I've read
>> of problems with Samba 3.0.23c on Red Hat, but
>> nothing I've seen indicates a problem with
>> 3.0.25b. If upgrading is recommended, I'd
>> appreciate a pointer to an appropriate source of
>> RPMs, as these are the newest versions in the CentOS
>> Repositories, and I'm not too comfortable with building
>> from source yet.
>>
>> 4) If nsswitch.conf is configured for winbind, do
>> I need to worry at all about LDAP configuration?
>>
>> 5) I've seen mention about letter case being a
>> problem in configuring Kerberos and Samba. On our
>> AD server, the domain appears as "DOMAIN.local",
>> with the letter case as shown, so the FQDN of the
>> server is SERVER.DOMAIN.local. Is this somehow
>> causing me a problem? In the krb5.conf and
>> smb.conf files, I've identified the realm as
>> DOMAIN.LOCAL.
>>
>> 6) One oddity: when I started working on this,
>> after the machine joined the domain, wbinfo showed
>> results as DOMAIN+username but somewhere along the
>> line that changed to just the username. Is that
>> indicative of something I've misconfigured?
>>
>> Thanks for any insight. My gut tells me I'm not
>> far off, but I've exceeded my "solve it myself"
>> frustration level!
>>
>> Dave Lemire
>>
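As an added illustration (not part of the thread, not Samba's own tooling), a small sh script that checks two of the things discussed above: whether a krb5.conf [domain_realm] section carries both the dotted and bare DNS-domain mappings to an upper-case realm, and which users `wbinfo -u` lists that `getent passwd` does not. The krb5.conf fragment and the command outputs below are constructed samples; on a real host you would feed it /etc/krb5.conf and the live command output.

```shell
#!/bin/sh
# Constructed sample krb5.conf fragment (assumed realm DOMAIN.LOCAL).
SAMPLE_KRB5='[libdefaults]
 default_realm = DOMAIN.LOCAL
[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL'

# Constructed sample outputs standing in for `wbinfo -u` and `getent passwd`.
SAMPLE_WBINFO='DOMAIN\alice
DOMAIN\bob'
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
DOMAIN\alice:*:10000:10000:Alice:/home/DOMAIN/alice:/bin/bash'

# check_domain_realm CONTENT DNSDOMAIN REALM
# Succeeds only if the [domain_realm] section maps both ".dnsdomain" and the
# bare "dnsdomain" to REALM, and REALM is spelled entirely in upper case.
check_domain_realm() {
    content=$1; dom=$2; realm=$3
    esc=$(printf '%s' "$dom" | sed 's/\./\\./g')
    # Everything from the [domain_realm] header up to the next section header.
    section=$(printf '%s\n' "$content" | sed -n '/^\[domain_realm\]/,/^\[/p')
    printf '%s\n' "$section" \
        | grep -Eq "^[[:space:]]*\.$esc[[:space:]]*=[[:space:]]*$realm[[:space:]]*$" || return 1
    printf '%s\n' "$section" \
        | grep -Eq "^[[:space:]]*$esc[[:space:]]*=[[:space:]]*$realm[[:space:]]*$" || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# missing_from_getent WBINFO_OUTPUT GETENT_OUTPUT
# Prints each user winbind knows but the NSS passwd map does not: the
# wbinfo/getent disparity that indicates nsswitch or winbind is not wired up.
missing_from_getent() {
    printf '%s\n' "$1" | while IFS= read -r u; do
        [ -n "$u" ] || continue
        printf '%s\n' "$2" | cut -d: -f1 | grep -Fxq "$u" || printf '%s\n' "$u"
    done
}

# Usage on the constructed samples; swap in real files/commands on a host.
check_domain_realm "$SAMPLE_KRB5" domain.local DOMAIN.LOCAL \
    && echo "domain_realm: OK" || echo "domain_realm: incomplete or wrong case"
echo "users known to winbind but not getent:"
missing_from_getent "$SAMPLE_WBINFO" "$SAMPLE_GETENT"
```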