Samba3.5.4 authentication questions

MICHAEL BROWN mbrown at mesainc.com
Fri Dec 3 14:43:01 MST 2010


Sure thing.
This config is based on AD users/groups that have POSIX-type attributes assigned within AD. All POSIX lookups from my AD servers on the Linux servers perform perfectly for user and group using getent. The nsswitch is also configured to do POSIX lookups from AD. All of the SAMBA share directories that are physically on the server get the user/group information from AD and are assigned as such physically per file/folder. Lookups perform well for this from AD as well. As you may notice, I do not use winbind to auto-assign numbers for user/group mappings because I keep this data static within AD so that it is consistent throughout the organization.

SMB.CONF::
#======================= Global Settings =====================================
[global]
time server = yes
oplocks = no
level2 oplocks = no
#max protocol = smb2
veto oplock files = /*.DBF/*.dbf/*.MDX/*.mdx/*.ITB/*.itb/*.MDB/*.mdb/*.xls/*.XLS/*.soa/*.SOA

# 1. Server Naming Options:
# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   preferred master = no
   map untrusted to domain = no
   allow trusted domains = yes
   local master = no
   domain master = no
   security = ADS
   name resolve order = lmhosts host wins bcast
   password level = 0
   username level = 0
   password server = SERVER1.MYDOMAIN.COM SERVER2.MYDOMAIN.COM SERVER3.MYDOMAIN.COM
   encrypt passwords = yes
   socket options = TCP_NODELAY

# netbios name is the name you will see in "Network Neighbourhood",
# but defaults to your hostname
# server string is the equivalent of the NT Description field
   server string = SMBSERVER
   netbios name = SMBSERVER

   wins server = 192.168.1.138
   dns proxy = yes

# 8. File Naming Options:
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
  preserve case = yes
;  short preserve case = no
# Default case is normally upper case for all DOS files
  default case = lower
#============================ Share Definitions ==============================
#
#============================ User's Home Directory
[home]
   comment = Your Personal Drive
   oplocks = False
   level2 oplocks = False
   path = /home/%u
   public = no
   browseable = yes
   writable = yes
   create mode = 0700

[myshare]
   oplocks = False
   level2 oplocks = False
   comment = Share Area
   path = /home/myshare
   public = no
   read only = no
   writable = yes
   create mode = 0770
   directory mode = 0770
   force group = MYGROUP
   valid users = @MYGROUP
   # admin users: members of MYGROUP do all file operations on this share as
   # root, so the 0770 modes above do not limit them
   admin users = @MYGROUP


LDAP.CONF::
# PADL Software
# http://www.padl.com 
#

# Your LDAP server. Must be resolvable without using LDAP.
host	server1.mydomain.com server2.mydomain.com server3.mydomain.com

# The distinguished name of the search base.
base	dc=mydomain,dc=com

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/   
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version	3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=bind,cn=users,dc=mydomain,dc=com

# The credentials to bind with. 
# Optional: default is no credential.
bindpw mypassword

port 636

# The search scope.
scope	sub
#scope one
#scope base

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd	ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd	ou=People,dc=mydomain,dc=com?sub
nss_base_shadow	ou=People,dc=mydomain,dc=com?sub
nss_base_group	ou=Group,dc=mydomain,dc=com?sub
nss_base_hosts	ou=Computer,dc=mydomain,dc=com?sub
nss_map_objectclass	posixAccount user
nss_map_objectclass	shadowAccount user
nss_map_objectclass	posixGroup Group
nss_map_attribute	uid sAMAccountName
nss_map_attribute	uidNumber uidNumber
nss_map_attribute	gidNumber gidNumber
nss_map_attribute	gecos name
nss_map_attribute	userPassword userPassword
nss_map_attribute	homeDirectory homeDirectory
nss_map_attribute	uniqueMember msSFUPosixMember
nss_map_attribute	cn cn
pam_login_attribute	sAMAccountName
pam_member_attribute	PosixMember
pam_filter		objectclass=user
pam_password		ad

ssl on

TLS_CACERT /etc/myservercert.pem
# TLS_REQCERT never: the server certificate is accepted without being checked
# against TLS_CACERT above, so nss_ldap/pam_ldap will bind (and send bindpw and
# user passwords) to whatever answers on port 636
TLS_REQCERT never
# maxssf=0: no SASL integrity/privacy layer is negotiated; simple binds inside
# TLS are used here instead
sasl_secprops maxssf=0

#Don't try forever if the LDAP server is not reachable
bind_policy soft


KRB5.CONF::
[libdefaults]
	default_realm = MYDOMAIN.COM
	clockskew = 300
[domain_realm]
	.mydomain.com = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
	kdc = server1.mydomain.com
	default_domain = mydomain.com
	admin_server = server1.mydomain.com
	kpasswd_server = server1.mydomain.com
}
[appdefaults]
pam = {
	ticket_lifetime = 1d
	renew_lifetime = 1d
	forwardable = true
	proxiable = false
	retain_after_close = false
	minimum_uid = 1
	try_first_pass = true
}




>>> On Friday, December 03, 2010 at 3:06 PM, in message
<673E6032983AF84185CE49D109B4F40A521BC4 at TK5EX14MBXC101.redmond.corp.microsoft.co 
>, "Matt Ficken (Insight Global)" <v-mafick at microsoft.com> wrote:
> Have you set the 'workgroup' and 'realm' parameters in the [global] section 
> of the samba configuration?
> 
> Could you share a copy of your samba configuration here (minus any 
> confidential info)?
> 
> -----Original Message-----
> From: samba-technical-bounces at lists.samba.org 
> [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of MICHAEL BROWN
> Sent: Friday, December 03, 2010 12:27 PM
> To: samba-technical at lists.samba.org 
> Subject: Samba3.5.4 authentication questions
> 
> Greetings all.
> We are using SAMBA 3.5.4 servers running on SLES 9 and 10 joined to Windows 
> 2008 active directory servers.
> 
> Some things I am noticing are a little odd.
> 
> *) If I map a network drive using the FQDN of a SAMBA server, it works fine. 
>  Example server and share:
> 
> \\myserver.mydomain.com\myshare 
> 
> On the same machine that mapped the FQDN above, if I try to go to "run" and 
> type in:
> 
> \\myserver\myshare 
> 
> I get prompted for credentials.
> 
> What can I be missing to alert SAMBA that this "NETBIOS" name is the same 
> server, kerberos key, etc., that I have
> just mapped previously using the FQDN?  All server resolution, short, FQDN, 
> is resolvable via DNS and NETBIOS.
> 
> 
> *) We have users that have shortcuts to shares on their desktop.  We map the 
> share names via "NET USE".  Later through the day,
> the user clicks on the share, they get prompted for credentials.  The 
> machine's time is correct and the same as the server's time so
> I know it is not a time issue with keys.
> 
> 
> *) Last thing is that it seems the NSCD process and SAMBA hate each other in 
> that no users can authenticate after "X"
> amount of time of NSCD running.  If I stop NSCD, it allows authentication.  
> No group/user additions or changes were made.
> I have added a CRON job to stop that process every 1 min. and it seems to 
> work OK but I was just wondering why I have to do this?
> 
> 
> I *really* wish you guys had not removed the ability for SAMBA to 
> authenticate a user based on the machine's name
> and username.  I know this is Windows behavior but Windows is not always 
> right =)
> 
> Thanks!
> 
> NOTICE - This communication may contain confidential and privileged 
> information that is for the sole use of the intended recipient. Any viewing, 
> copying or distribution of, or reliance on this message by unintended 
> recipients is strictly prohibited.  If you have received this message in 
> error, please notify us immediately by replying to the message and deleting 
> it from your computer.

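Worked example for the first question in the original message (why \\myserver prompts for credentials while \\myserver.mydomain.com does not). This is an added example, not code from the original post or from the Samba project. It models two things I am assuming about the setup: that `net ads join` registered HOST/<netbios name> and HOST/<fqdn> on the computer account, and that the AD KDC serves a cifs/<name> ticket request from a HOST/<name> SPN (cifs is in the default sPNMappings). The names SMBSERVER, smbserver.mydomain.com and fileserver, the SPN sets and the HOST_MAPPED list are constructed for illustration.

```python
# Added example, not code from the original post or from the Samba project.
# Models which server names an AD-joined Samba 3 host can get Kerberos
# service tickets for, to explain why \\server.fqdn works while \\server
# prompts.  Assumed facts: `net ads join` registers HOST/<netbios name> and
# HOST/<fqdn> on the computer account, and the AD KDC answers a cifs/<name>
# request from a HOST/<name> SPN (cifs is in the default sPNMappings).
# All names, realms and SPN lists below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Service classes the AD KDC resolves against HOST/<name> when no explicit
# SPN of that class exists (a subset of the default sPNMappings attribute).
HOST_MAPPED = {"cifs", "http", "www"}


@dataclass
class TicketResult:
    requested_spn: str
    matched_spn: Optional[str]   # SPN the KDC found, or None
    fallback: str = "none"       # "NTLM" when the client must retry without Kerberos


def samba_join_spns(netbios_name: str, fqdn: str) -> Set[str]:
    """SPNs that `net ads join` places on the computer account (assumed)."""
    return {f"HOST/{netbios_name}", f"HOST/{fqdn}"}


def client_spn(unc_server: str, service: str = "cifs") -> str:
    """The SMB client builds the SPN from the server name exactly as typed in
    the UNC path, so \\\\myserver and \\\\myserver.mydomain.com ask the KDC
    for two different principals."""
    name = unc_server.lstrip("\\").split("\\")[0]
    return f"{service}/{name}"


def kdc_lookup(spn: str, registered: Set[str]) -> TicketResult:
    """Decide whether the KDC can issue a service ticket for `spn`."""
    service, _, host = spn.partition("/")
    # SPN matching is case-insensitive in both the class and the host part.
    index: Dict[str, str] = {s.lower(): s for s in registered}
    exact = index.get(f"{service}/{host}".lower())
    if exact is not None:
        return TicketResult(spn, exact)
    if service.lower() in HOST_MAPPED:
        mapped = index.get(f"host/{host}".lower())
        if mapped is not None:
            return TicketResult(spn, mapped)
    # No matching SPN: the KDC answers S_PRINCIPAL_UNKNOWN and the SMB client
    # retries the session setup with NTLM.
    return TicketResult(spn, None, fallback="NTLM")


def coverage_report(registered: Set[str], unc_names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each UNC server name to the SPN the KDC matched, or None."""
    return {n: kdc_lookup(client_spn(n), registered).matched_spn for n in unc_names}


if __name__ == "__main__":
    spns = samba_join_spns("SMBSERVER", "smbserver.mydomain.com")
    names = [r"\\smbserver.mydomain.com\myshare", r"\\smbserver\myshare", r"\\fileserver\myshare"]
    for name, hit in coverage_report(spns, names).items():
        print(f"{name:35} -> {hit or 'no ticket, NTLM fallback'}")
```

The third name is the failure mode: a name that is not among the join-time SPNs gets no ticket, the client silently retries with NTLM, and the credential prompt is what that fallback failing looks like. To see what is really registered, run `setspn -L <computer account>` on a DC and `net ads keytab list` on the Samba host; an extra name users type can be registered on a DC with `setspn -A HOST/<alias> <computer account>$`. Clock skew is a separate failure (the krb5.conf above allows 300 s), as is a ticket expiring mid-day, which is what the second question in the original message describes.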
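A second added example (mine, not from the original post or from PADL/Samba): a checker for the security-relevant lines of the ldap.conf above. SAMPLE_LDAP_CONF is a constructed copy of the relevant posted lines with the NSS/PAM mapping lines left out; the findings it reports and the hardened values it emits (TLS_REQCERT demand, tls_checkpeer yes) are this example's suggestions and assume the PADL nss_ldap/pam_ldap option names.

```python
# Added example, not from the original post or from PADL/Samba: a checker
# for the security-relevant lines of a PADL-style ldap.conf, run over a
# constructed copy of the relevant lines from the configuration above.
# The rule set and the hardened values are this example's suggestions and
# assume PADL nss_ldap/pam_ldap option names (TLS_REQCERT, tls_checkpeer).
from typing import Dict, List, Tuple

SAMPLE_LDAP_CONF = """\
# constructed from the posted ldap.conf; NSS/PAM mapping lines omitted
host\tserver1.mydomain.com server2.mydomain.com server3.mydomain.com
base\tdc=mydomain,dc=com
ldap_version\t3
binddn cn=bind,cn=users,dc=mydomain,dc=com
bindpw mypassword
port 636
ssl on
TLS_CACERT /etc/myservercert.pem
TLS_REQCERT never
sasl_secprops maxssf=0
bind_policy soft
"""

UPPER_KEYS = {"tls_cacert", "tls_reqcert", "tls_cert", "tls_key"}  # spelled upper-case in PADL docs


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """One `key value...` per line; keys are case-insensitive; '#' lines are
    comments; a repeated key keeps the last value."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def uses_tls(opts: Dict[str, str]) -> bool:
    return (opts.get("ssl", "no").lower() in ("on", "yes", "start_tls")
            or opts.get("uri", "").lower().startswith("ldaps://"))


def audit(opts: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding id, explanation) pairs for weak settings."""
    findings: List[Tuple[str, str]] = []
    reqcert = opts.get("tls_reqcert", "demand").lower()
    if uses_tls(opts) and reqcert in ("never", "allow"):
        findings.append(("tls_reqcert",
            f"TLS_REQCERT {reqcert}: the server certificate is not checked, so "
            "anything answering on the LDAPS port receives the bindpw and every "
            "password pam_ldap verifies by binding as the user; TLS_CACERT is unused"))
    if not uses_tls(opts):
        findings.append(("cleartext",
            "no ssl/ldaps: simple binds send bindpw and user passwords in clear"))
    if "bindpw" in opts:
        findings.append(("bindpw",
            "bindpw lives in ldap.conf, which nss_ldap needs readable by every "
            "process, so every local account can read it; the bind DN must be a "
            "read-only account with minimal rights"))
    if "maxssf=0" in opts.get("sasl_secprops", "").replace(" ", ""):
        findings.append(("sasl_secprops",
            "maxssf=0 disables SASL integrity/privacy layers; acceptable only while "
            "every bind is a simple bind inside TLS"))
    return findings


def hardened(opts: Dict[str, str]) -> Dict[str, str]:
    """Copy of the options with this example's suggested replacements."""
    fixed = dict(opts)
    if uses_tls(fixed):
        fixed["tls_reqcert"] = "demand"   # reject certificates that do not verify against TLS_CACERT
        fixed["tls_checkpeer"] = "yes"    # PADL's own switch for the same check
    return fixed


def render(opts: Dict[str, str]) -> str:
    """Emit the options back in ldap.conf syntax."""
    lines = []
    for key, value in opts.items():
        name = key.upper() if key in UPPER_KEYS else key
        lines.append(f"{name} {value}".rstrip())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    opts = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for fid, why in audit(opts):
        print(f"[{fid}] {why}")
    print("--- hardened ---")
    print(render(hardened(opts)))
```

The bindpw finding is the one that no setting fixes: nss_ldap runs inside every process that resolves a name, so the file cannot be made root-only, and the only mitigation is a bind account that can read the POSIX attributes and nothing else.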

