[Samba] ADS Authentication

Tom Skeren tms3 at fsklaw.net
Wed Dec 8 18:46:36 GMT 2004


Christoph Scheeder wrote:

> first:
>
> STOP,

Too late, but not a problem.  I was beginning to suspect the FreeBSD 5.x 
guide I was using was problematic.  I just did a clean install of 5.3, 
and am installing software.  I had already considered getting rid of 
ldap references.  Should I also get rid of nss_ldap?

Thanks for the fresh pair of eyes looking at this for me.

TMS III

>
> you want your samba-server to be a member server in ADS, do you?
>
> then *remove* *all* bits referencing ldap from your smb.conf.
>
> you entrust all user and group management to ADS via winbindd
> and only via winbindd.
>
> second:
> you have configured winbindd not to give you the domain part
> from ADS by setting:
>
> winbind use default domain = Yes
>
> set it to no and you will get the domain part for your
> domain users/groups
>
> third:
> don't use "/" as domain separator in linux/unix.

Yeah, I thought about that.  I will switch back to _ as a separator.

> it has special meaning (path separator) and using it probably will give
> you strange problems.
>
> Christoph
>
> Tom Skeren schrieb:
>
>> Edward Wissner wrote:
>>
>>> I have similar issues, but am not using an ldap server, rather a W2k 
>>> Active Directory domain controller.
>>
>> Yes, so am I.  The ldap server listed in ldap.conf is named w2000
>>
>>> And am not interested in logging into the linux server with AD.
>>> Domain users and groups list without the domain ID for me as well.  
>>> I don't know if that is proper as I have never seen a working setup.
>>
>> No...it should be DOMAIN_NAME/user1  DOMAIN_NAME/group1 etc.  The "/" 
>> is specified in smb.conf as winbindd separator.
>>
>>> I see my shares on the samba server from a w2k client, but am 
>>> prompted again for usr/passwd when attempting to open a shared 
>>> directory.  That's when I get a failure.
>>
>> Try mapping a drive by \\ip-addy\share....bet it works.
>>
>>>  
>>> I'm ready to toss it and start over, migrating completely away from 
>>> w2k AD and setting up an ldap directory instead.
>>
>> I can't unfortunately.
>>
>>> Samba works great if I create my users locally.
>>
>> It works pretty well as an NT style PDC, yes, but this project 
>> requires a samba server become a member server in ADS.
>>
>>> ed
>>>     -----Original Message-----
>>>     *From:* Tom Skeren [mailto:tms3 at fsklaw.net]
>>>     *Sent:* Wednesday, December 08, 2004 10:32 AM
>>>     *To:* Edward Wissner; samba
>>>     *Subject:* Re: [Samba] ADS Authentication
>>>
>>>     Edward Wissner wrote:
>>>
>>>> What did you change in your smb.conf file?
>>>>  
>>>>
>>>     Well, I managed to get samba to authenticate, however, continued
>>>     winbindd problems make the setup worthless.  Group searches fail,
>>>     or are incomplete.  Domain users and groups list without domain
>>>     id.  net groupmap fails.  Attempts to re-join via "net ads join"
>>>     fail.
>>>     If you're interested, I have copied all the relevant config files
>>>     here:
>>>
>>>     _*smb.conf:*_
>>>
>>>     workgroup = FSK
>>>      realm = FSKLAW.NET
>>>      server string = SSERVER
>>>      netbios name = SSERVER
>>>      security = ADS
>>>      client schannel = Yes
>>>      server schannel = Yes
>>>      passdb backend = ldapsam:ldap://w2000.fsklaw.net
>>>      socket options = TCP_NODELAY
>>>      dns proxy = No
>>>      ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
>>>      ldap suffix = DC=fsklaw,DC=net
>>>      idmap uid = 10000-20000
>>>      idmap gid = 10000-20000
>>>      winbind separator = /
>>>      winbind enum users = No
>>>      winbind enum groups = No
>>>      winbind use default domain = Yes
>>>      dos filemode = Yes
>>>      acl compatibility = win2k
>>>      inherit acls = yes
>>>      inherit permissions = yes
>>>
>>>     [FSK]
>>>        path = /home/FSK
>>>        public = yes
>>>        only guest = no
>>>        browseable = yes
>>>        writeable = yes
>>>        printable = no
>>>        create mask = 0777
>>>        force create mode = 0777
>>>        force directory mode = 0777
>>>        directory security mask = 0777
>>>
>>>     _*ldap.conf:*_
>>>     host w2000.fsklaw.net
>>>     base dc=fsklaw,dc=net
>>>     ldap_version 3
>>>     URI ldaps:w2000.fsklaw.net
>>>     scope sub
>>>     pam_login_attribute Administrator
>>>     pam_password md5
>>>     idle_timelimit 3600
>>>     nss_base_passwd cn=Users,dc=fsklaw,dc=net?one
>>>     nss_base_group cn=Users,dc=fsklaw,dc=net?one
>>>     ssl on
>>>     TLS_CACERT /etc/CA/fsk.pem
>>>     tls_ciphers TLSv1
>>>     sasl_secprops maxssf=0
>>>     krb5_ccname FILE:/tmp/krb5cc_0
>>>
>>>     _*nsswitch.conf:*_
>>>     passwd: files winbind
>>>     shadow: files winbind
>>>     group: files winbind
>>>     hosts: dns winbind ldap files nis
>>>     automount: files winbind ldap nisplus
>>>     aliases: files winbind ldap nisplus
>>>
>>>     _*krb5.conf:*_
>>>
>>>     [logging]
>>>      default = FILE:/var/log/krb5libs.log
>>>      kdc = FILE:/var/log/krb5kdc.log
>>>      admin_server = FILE:/var/log/kadmind.log
>>>
>>>     [libdefaults]
>>>      ticket_lifetime = 24000
>>>      default_realm = FSKLAW.NET
>>>      dns_lookup_realm = false
>>>      dns_lookup_kdc = false
>>>      default_etypes = des-cbc-crc des-cbc-md5
>>>      default_etypes_des = des-cbc-crc des-cbc-md5
>>>      default_keytab-name = FILE:/etc/krb5.keytab
>>>     [realms]
>>>
>>>      FSKLAW.NET = {
>>>       kdc = KERBEROS.FSKLAW.NET
>>>       admin_server = w2000.fsklaw.net
>>>       default_domain= fsklaw.net
>>>      }
>>>
>>>     [domain_realm]
>>>      .fsklaw.net = FSKLAW.NET
>>>      fsklaw.net = FSKLAW.NET
>>>      .FSKLAW.NET = FSKLAW.NET
>>>     .kerberos.server = KERBEROS.FSKLAW.NET
>>>     [kdc]
>>>      profile = /var/kerberos/krb5kdc/kdc.conf
>>>
>>>     [pam]
>>>      debug = false
>>>      ticket_lifetime = 36000
>>>      renew_lifetime = 36000
>>>      forwardable = true
>>>      krb4_convert = false
>>>
>>>     _*pam.d/login:*_
>>>     #
>>>     # $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
>>>     #
>>>     # PAM configuration for the "login" service
>>>     #
>>>
>>>     # auth
>>>     auth  required pam_nologin.so  no_warn
>>>     auth  sufficient pam_self.so  no_warn
>>>     auth  include  system
>>>     auth  sufficient /usr/local/lib/pam_winbind.so
>>>     # account
>>>     account  requisite pam_securetty.so
>>>     account  include  system
>>>     account  sufficient /usr/local/lib/pam_winbind.so
>>>
>>>     # session
>>>     session  include  system
>>>
>>>     # password
>>>     password include  system
>>>
>>>> -----Original Message-----
>>>> From: Tom Skeren [mailto:tms3 at fsklaw.net]
>>>> Sent: Tuesday, December 07, 2004 4:04 PM
>>>> To: Jeremy Allison
>>>> Cc: samba
>>>> Subject: Re: [Samba] ADS Authentication
>>>>
>>>>
>>>> Jeremy Allison wrote:
>>>>
>>>> It was an smb.conf issue.  Authentication against ADS is now
>>>> functioning.  Now it's time to wrestle with ACLs.  Thanks for the 
>>>> help.
>>>>
>>>> TMS III
>>>>
>>>>  
>>>>
>>>>> On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:
>>>>>
>>>>>> I'm about ready to smash my head through a wall...I could use a few
>>>>>> answers.
>>>>>
>>>>>> 1.  When using security = ads, and completing net ads join, it 
>>>>>> was my
>>>>>> understanding that samba authenticated username/pword against 
>>>>>> ads, and
>>>>>> local posix accounts were no longer needed, is this true?
>>>>>
>>>>> Yes, so long as you have nsswitch and pam set up correctly. It sounds
>>>>> like you don't.
>>>>>
>>>>> Jeremy.
>>>>>
>>>>
>>>
>>
>
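As an added example (not code from the thread or from the Samba project), a small Python lint that reads an smb.conf and flags the three things Christoph asks for: leftover ldap settings (passdb backend = ldapsam and any ldap * parameters), winbind use default domain = Yes, and "/" as the winbind separator. The relevant lines from the posted smb.conf are embedded as constructed sample input; the parser and the check are assumptions of this example, not Samba's own code.

```python
"""Lint an smb.conf [global] section for settings that conflict with a
winbind-only ADS member server (added example, not from the thread)."""
import re

# Constructed sample: the relevant [global] lines from the smb.conf posted above.
POSTED_SMB_CONF = """
workgroup = FSK
realm = FSKLAW.NET
security = ADS
passdb backend = ldapsam:ldap://w2000.fsklaw.net
ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
ldap suffix = DC=fsklaw,DC=net
winbind separator = /
winbind use default domain = Yes
[FSK]
path = /home/FSK
"""

def parse_global(text):
    """Return {parameter: value} for [global]; keys lowercased, spaces squeezed.
    Parameters before the first section header belong to [global], as in Samba."""
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                  # blank or comment line
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint_ads_member(params):
    """Return sorted parameter names that should be removed or changed."""
    flagged = set()
    if params.get("security", "").lower() != "ads":
        flagged.add("security")                       # member server needs security = ADS
    if params.get("passdb backend", "").lower().startswith("ldapsam"):
        flagged.add("passdb backend")                 # users/groups come from ADS via winbindd
    flagged.update(k for k in params if k.startswith("ldap "))   # any leftover ldap * bits
    if params.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        flagged.add("winbind use default domain")     # Yes strips DOMAIN from user/group names
    if params.get("winbind separator") == "/":
        flagged.add("winbind separator")              # "/" is the unix path separator
    return sorted(flagged)

if __name__ == "__main__":
    for name in lint_ads_member(parse_global(POSTED_SMB_CONF)):
        print("fix:", name)
```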