Samba3.5.4 authentication questions
MICHAEL BROWN
mbrown at mesainc.com
Fri Dec 3 14:43:01 MST 2010
Sure thing.
This config is based off of AD users/groups that have POSIX type attributes assigned within AD. All POSIX lookups from my AD servers on the Linux servers
perform perfectly for user and group using getent. The nsswitch is also configured to do POSIX lookups from AD. All of the SAMBA share directories that are
physically on the server get the user/group information from AD and are assigned as such physically per file/folder. Lookups perform well for this from AD as
well. As you may notice, I do not use winbind to auto assign numbers for user/group mappings because I keep this data static within AD so that it is consistent
throughout the organization.
SMB.CONF::
#======================= Global Settings =====================================
[global]
time server = yes
oplocks = no
level2 oplocks = no
#max protocol = smb2
veto oplock files = /*.DBF/*.dbf/*.MDX/*.mdx/*.ITB/*.itb/*.MDB/*.mdb/*.xls/*.XLS/*.soa/*.SOA
# 1. Server Naming Options:
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
preferred master = no
map untrusted to domain = no
allow trusted domains = yes
local master = no
domain master = no
security = ADS
name resolve order = lmhosts host wins bcast
password level = 0
username level = 0
password server = SERVER1.MYDOMAIN.COM SERVER2.MYDOMAIN.COM SERVER3.MYDOMAIN.COM
encrypt passwords = yes
socket options = TCP_NODELAY
# netbios name is the name you will see in "Network Neighbourhood",
# but defaults to your hostname
# server string is the equivalent of the NT Description field
server string = SMBSERVER
netbios name = SMBSERVER
wins server = 192.168.1.138
dns proxy = yes
# 8. File Naming Options:
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
preserve case = yes
; short preserve case = no
# Default case is normally upper case for all DOS files
default case = lower
#============================ Share Definitions ==============================
#
#============================ User's Home Directory
[home]
comment = Your Personal Drive
oplocks = False
level2 oplocks = False
path = /home/%u
public = no
browseable = yes
writable = yes
create mode = 0700
[myshare]
oplocks = False
level2 oplocks = False
comment = Share Area
path = /home/myshare
public = no
read only = no
writable = yes
create mode = 0770
directory mode = 0770
force group = MYGROUP
valid users = @MYGROUP
admin users = @MYGROUP
LDAP.CONF::
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
host server1.mydomain.com server2.mydomain.com server3.mydomain.com
# The distinguished name of the search base.
base dc=mydomain,dc=com
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=bind,cn=users,dc=mydomain,dc=com
# The credentials to bind with.
# Optional: default is no credential.
bindpw mypassword
port 636
# The search scope.
scope sub
#scope one
#scope base
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=mydomain,dc=com?sub
nss_base_shadow ou=People,dc=mydomain,dc=com?sub
nss_base_group ou=Group,dc=mydomain,dc=com?sub
nss_base_hosts ou=Computer,dc=mydomain,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute gecos name
nss_map_attribute userPassword userPassword
nss_map_attribute homeDirectory homeDirectory
nss_map_attribute uniqueMember msSFUPosixMember
nss_map_attribute cn cn
pam_login_attribute sAMAccountName
pam_member_attribute PosixMember
pam_filter objectclass=user
pam_password ad
ssl on
TLS_CACERT /etc/myservercert.pem
TLS_REQCERT never
sasl_secprops maxssf=0
# Don't try forever if the LDAP server is not reachable
bind_policy soft
KRB5.CONF::
[libdefaults]
default_realm = MYDOMAIN.COM
clockskew = 300
[domain_realm]
.mydomain.com = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
kdc = server1.mydomain.com
default_domain = mydomain.com
admin_server = server1.mydomain.com
kpasswd_server = server1.mydomain.com
}
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
try_first_pass = true
}
>>> On Friday, December 03, 2010 at 3:06 PM, in message <673E6032983AF84185CE49D109B4F40A521BC4 at TK5EX14MBXC101.redmond.corp.microsoft.co>, "Matt Ficken (Insight Global)" <v-mafick at microsoft.com> wrote:
> Have you set the 'workgroup' and 'realm' parameters in the [global] section
> of the samba configuration?
>
> Could you share a copy of your samba configuration here (minus any
> confidential info)?
>
> -----Original Message-----
> From: samba-technical-bounces at lists.samba.org
> [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of MICHAEL BROWN
> Sent: Friday, December 03, 2010 12:27 PM
> To: samba-technical at lists.samba.org
> Subject: Samba3.5.4 authentication questions
>
> Greetings all.
> We are using SAMBA 3.5.4 servers running on SLES 9 and 10 joined to Windows
> 2008 active directory servers.
>
> Some things I am noticing are a little odd.
>
> *) If I map a network drive using the FQDN of a SAMBA server, it works fine.
> Example server and share:
>
> \\myserver.mydomain.com\myshare
>
> On the same machine that mapped the FQDN above, if I try to go to "run" and
> type in:
>
> \\myserver\myshare
>
> I get prompted for credentials.
>
> What can I be missing to alert SAMBA that this "NETBIOS" name is the same
> server, kerberos key, etc., that I have
> just mapped previously using the FQDN? All server resolution, short, FQDN,
> is resolvable via DNS and NETBIOS.
>
>
> *) We have users that have shortcuts to shares on their desktop. We map the
> share names via "NET USE". Later through the day,
> the user clicks on the share, they get prompted for credentials. The
> machine's time is correct and the same as the server's time so
> I know it is not a time issue with keys.
>
>
> *) Last thing is that it seems the NSCD process and SAMBA hate each other in
> that no users can authenticate after "X"
> amount of time of NSCD running. If I stop NSCD, it allows authentication.
> No group/user additions or changes were made.
> I have added a CRON job to stop that process every 1 min. and it seems to
> work OK but I was just wondering why I have to do this?
>
>
> I *really* wished you guys would have not removed the ability for SAMBA to
> authenticate a user based off of the machine's name
> and username. I know this is Windows behavior but Windows is not always
> right =)
>
> Thanks!
>
> NOTICE - This communication may contain confidential and privileged
> information that is for the sole use of the intended recipient. Any viewing,
> copying or distribution of, or reliance on this message by unintended
> recipients is strictly prohibited. If you have received this message in
> error, please notify us immediately by replying to the message and deleting
> it from your computer.
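As an added example (not part of the thread), a small Python audit of the ldap.conf transport settings posted above: `ssl on` with `TLS_REQCERT never` gives an encrypted LDAPS session whose server certificate is never actually verified, so the configured TLS_CACERT does nothing, and `bindpw` leaves a cleartext credential on disk. The file excerpt and the hardened variant are constructed here; `maxssf=0` is flagged only when TLS is not already supplying the encryption layer.

```python
"""Check the nss_ldap ldap.conf transport settings discussed in this thread."""
import re

# Constructed excerpt mirroring the ldap.conf quoted in the message above.
LDAP_CONF_POSTED = """\
host server1.mydomain.com server2.mydomain.com server3.mydomain.com
binddn cn=bind,cn=users,dc=mydomain,dc=com
bindpw mypassword
port 636
ssl on
TLS_CACERT /etc/myservercert.pem
TLS_REQCERT never
sasl_secprops maxssf=0
"""
# Same file with the certificate check restored (assumed hardening, not from the thread).
LDAP_CONF_HARDENED = LDAP_CONF_POSTED.replace("TLS_REQCERT never", "TLS_REQCERT demand")

def parse_ldap_conf(text):
    """nss_ldap syntax: one 'key value' per line, '#' starts a comment, keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def audit_ldap_conf(conf):
    """Return (setting, finding) pairs in a fixed order so callers can compare lists."""
    findings = []
    ssl = conf.get("ssl", "off").lower()
    encrypted = ssl in ("on", "start_tls")
    if not encrypted:
        findings.append(("ssl", "bind DN, password and directory data cross the wire in clear"))
    # 'never' (and 'allow') accept any server certificate, so the TLS_CACERT
    # configured alongside it is never used to verify the peer.
    if encrypted and conf.get("tls_reqcert", "demand").lower() in ("never", "allow"):
        findings.append(("TLS_REQCERT", "peer certificate not verified; use 'TLS_REQCERT demand'"))
    # maxssf=0 is only acceptable when TLS already supplies the encryption layer.
    m = re.search(r"maxssf=(\d+)", conf.get("sasl_secprops", ""))
    if m and int(m.group(1)) == 0 and not encrypted:
        findings.append(("sasl_secprops", "maxssf=0 allows SASL binds with no integrity or privacy"))
    if "bindpw" in conf:
        findings.append(("bindpw", "cleartext credential on disk; keep the file 0600 and the bind DN read-only"))
    return findings

def audit_text(text):
    """Convenience wrapper: names of the settings flagged in an ldap.conf body."""
    return [name for name, _ in audit_ldap_conf(parse_ldap_conf(text))]
```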