[Samba] change in AD authentication behaviour since 3.0.24
Robert Cohen
robert.cohen at anu.edu.au
Wed Feb 20 05:33:56 GMT 2008
On 20/2/08 4:11 PM, "Neal A. Lucier" <nlucier at math.purdue.edu> wrote:
> Robert Cohen wrote:
>>
>> BTW I should mention that we're simply not using winbind.
>> The behaviour I'm talking about is when an XP client machine attempts to
>> connect to our server to get a network share.
>>
>> So winbind doesn't enter into the equation.
>>
>
> If you are a member server of a Windows 200x domain, you are using
> winbind and it enters into the equation. I don't know exactly what
> "winbind" is a contraction of, but it always made sense to me to think
> of it as "Windows Bind", as in the ypbind sense. Anyway it's the part
> of Samba that talks to Windows.
Ok, I thought winbind was only relevant if you were using AD as a NSS (name
service source). We have all the users in the name service from LDAP or
NIS+. We're only getting the passwords from AD.
I guess this could be an unusual combination and could be what's causing our
problems...
>
>>>
>>> Just in case there's something in my configuration which is causing the
>>> problem, the relevant bits are:
>>>
>>> From smb.conf
>>> ; Security/authentication stuff
>>> security = ADS
>>> realm = XX.ANU.EDU.AU
>>> password server = xx03.anu.edu.au
>>> password level = 0
>>> local master = no
>>> domain master = no
>>> encrypt passwords = yes
>>> guest ok = no
>>>
>
> It would be interesting to know what your workgroup setting is as well
> as your idmap settings. The IDMap subsystem was rewritten (to be vastly
> superior IMHO) for 3.0.25.
We don't have any IDMAP settings.
We have workgroup = XX (our domain).
>
>>> From krb5.conf
>>> [libdefaults]
>>> default_realm = XX.ANU.EDU.AU
>>>
>>> [realms]
>>> XX.ANU.EDU.AU = {
>>> kdc = xx01.anu.edu.au
>>> kdc = xx02.anu.edu.au
>>> kdc = xx03.anu.edu.au
>>> admin_server = xx01.anu.edu.au
>>> }
>>>
>>> [domain_realm]
>>> .xx.anu.edu.au = XX.ANU.EDU.AU
>>> xx.anu.edu.au = XX.ANU.EDU.AU
>>> .anu.edu.au = XX.ANU.EDU.AU
>>> anu.edu.au = XX.ANU.EDU.AU
>>>
>>>
>
> If this is an MIT Kerberos config file, you don't need it if your ADS
> DNS records are correct. MIT Kerberos (as well as Heimdal but I can't
> speak about its config file) have extended themselves to embrace
> Microsoft's ADS DNS entries and can query the values and self-configure
> just fine.
>
> In the "net ads join" step you will need to specify the realm of the
> user, e.g., Administrator at REALM.NAME.COM, but other than that, there is
> no real advantage to configuring a krb5.conf file to Samba. (Unless
> your DNS is all jacked up as I already said.)
>
> As I (and others) have mentioned, "winbind use default domain = yes"
> should solve the problem; however, you can use it in conjunction with
> "allow trusted domains = no" if you are only using the single domain. I
> only fully studied the interaction of those 2 directives pre-3.0.25 with
> an interesting idmap config (which the new sub-system made much easier),
> so I'm not sure if "allow trusted domains" will have any real effect here.
Ok, I had a krb5.conf because around 3.0.20 Samba AD stopped working if you
didn't have a krb5.conf. net ads join just didn't work if you didn't have
one.
I've only just noticed that it now works again without a krb5.conf.
But even without one, it has the same behaviour.
And allow trusted domains = no doesn't make any difference.
=======================================
Robert Cohen
Systems & Desktop Services
Division of Information
R.G Menzies Building
Building 2
The Australian National University
Canberra ACT 0200 Australia
T: +61 2 6125 8389
F: +61 2 6125 7699
http://www.anu.edu.au
CRICOS Provider #00120C
=======================================
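The DNS-based self-configuration Neal describes (MIT Kerberos finding the KDCs for a realm from SRV records when krb5.conf has no [realms] entry) is easy to cross-check against a hand-written krb5.conf. The script below is an added example, not code from the thread or from Samba/MIT Kerberos. It lists the SRV owner names MIT Kerberos queries for a realm, then turns a set of SRV answers into the krb5.conf stanza they imply. The realm name is the one from the thread; the SRV answers embedded in the script are constructed (priorities, weights and hosts are made up for illustration) and stand in for the output of `dig +short SRV <name>` against the real AD DNS.

```shell
#!/bin/sh
# Added example: compare what AD DNS advertises for a realm with what a
# hand-written krb5.conf says. Nothing here touches the network; the SRV
# answers are constructed, in "dig +short SRV" layout: priority weight port target.

REALM="XX.ANU.EDU.AU"   # realm from the thread

# SRV owner names MIT Kerberos looks up for a realm when dns_lookup_kdc is
# on (the default) and the realm has no kdc lines in [realms].
krb_srv_names() {
  realm=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '_kerberos._udp.%s\n' "$realm"
  printf '_kerberos._tcp.%s\n' "$realm"
  printf '_kerberos-master._udp.%s\n' "$realm"
  printf '_kpasswd._udp.%s\n' "$realm"
}

# Constructed answers for _kerberos._udp.xx.anu.edu.au and _kpasswd._udp.xx.anu.edu.au.
# xx03 is deliberately given a worse (higher) priority so that it sorts last,
# unlike the "password server = xx03" pin in the poster's smb.conf.
SRV_KERBEROS='10 100 88 xx03.anu.edu.au.
0 100 88 xx01.anu.edu.au.
0 50 88 xx02.anu.edu.au.'

SRV_KPASSWD='0 100 464 xx01.anu.edu.au.'

# Order targets the way a resolver ranks them: lowest priority first, then
# higher weight first within a priority band (real clients choose randomly by
# weight among equal priorities; this sort is deterministic for comparison).
# Also strips the trailing dot from the FQDN.
srv_targets() {
  printf '%s\n' "$1" | sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# Render the DNS data as the [realms] stanza an admin would otherwise write
# by hand, so the two can be diffed.
dns_to_krb5conf() {
  printf '[realms]\n%s = {\n' "$REALM"
  for kdc in $(srv_targets "$SRV_KERBEROS"); do
    printf '    kdc = %s\n' "$kdc"
  done
  printf '    kpasswd_server = %s\n' "$(srv_targets "$SRV_KPASSWD" | head -n 1)"
  printf '}\n'
}

# Stand-alone run: show the names to query and the implied stanza.
krb_srv_names "$REALM"
dns_to_krb5conf
```

Against a live domain, replace the constructed strings with `dig +short SRV "$(krb_srv_names "$REALM" | head -n 1)"` and so on, then diff the rendered stanza against /etc/krb5.conf. If the two disagree (a KDC listed in krb5.conf that DNS no longer advertises, or DNS advertising KDCs the file does not know about), behaviour with and without krb5.conf will differ, which is the situation Neal's "unless your DNS is all jacked up" remark is about.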