ldap and active directory configuration
Malcolm Bodger
M.Bodger at westminster.ac.uk
Fri Jul 16 01:21:52 MDT 2010
Hi Scott,
Yes. I don't have admin rights and I'm a Unix/Oracle person with no AD knowledge, so a colleague who has some experience of Samba added the machine using the 'net ads join' command. By the way, I did change the nsswitch.conf:
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
And getent passwd now lists all local and 107,000 AD users. There is pressure on me to deliver this service by the end of the day, so I've switched to local accounts for the 30 users that I know need access. Our policy is single sign-on, but these users don't mind having an additional login. On another matter, I need to be able to audit users who make changes to files in this area and I've added these lines to the smb.conf:
vfs objects = full_audit
full_audit:priority = NOTICE
full_audit:facility = LOCAL5
I've found these via Google, but please can you tell me if I'm on the right track?
Many thanks,
Regards,
Malcolm.
This e-mail and its attachments are intended for the above named only and may be confidential. If they have come to you in error you must not copy or show them to anyone, nor should you take any action based on them, other than to notify the error by replying to the sender.
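The full_audit lines above only choose the syslog facility and priority; once the module is logging, the useful part is reading the resulting lines back to answer "who changed which file". The following is an added example, not code from the thread or from the Samba project. It assumes the payload full_audit writes after the "smbd_audit:" tag is "user|client_ip|operation|ok-or-fail|args", which is the module's default "%u|%I" prefix followed by its own fields; the sample syslog lines are constructed, and the sshd line is there to show non-audit lines being ignored.

```python
"""Parse Samba vfs_full_audit syslog lines and summarise who changed what.

Added example (not from the thread). Assumptions: the log payload is
'user|client_ip|operation|ok-or-fail|args...', i.e. full_audit's default
'%u|%I' prefix followed by the module's own fields, and the sample lines
below are constructed, not real log data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

# Syslog line as written by syslogd/rsyslog: "<timestamp> <host> smbd_audit: <payload>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) smbd_audit: (?P<payload>.+)$"
)

# VFS operations that change file data or the namespace: the ones an
# "audit who changed files" requirement actually cares about.
MODIFYING_OPS = frozenset({
    "write", "pwrite", "ftruncate", "rename", "unlink", "rmdir", "mkdir",
    "chmod", "fchmod", "chown", "fchown", "symlink", "link", "mknod",
})


@dataclass
class AuditEvent:
    timestamp: str
    host: str
    user: str
    client_ip: str
    op: str
    success: bool
    args: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for a full_audit line, or None for any other line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.group("payload").split("|")
    if len(fields) < 4:  # malformed payload: not enough fields to trust
        return None
    user, ip, op, status = fields[:4]
    return AuditEvent(m.group("ts"), m.group("host"), user, ip, op,
                      status == "ok", fields[4:])


def changes_by_user(lines):
    """Map user -> list of (op, args) for successful modifying operations."""
    result = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.success and ev.op in MODIFYING_OPS:
            result[ev.user].append((ev.op, ev.args))
    return dict(result)


def failed_changes(lines):
    """List (user, client_ip, op, args) for modifying operations that failed,
    e.g. a delete refused by permissions; repeated failures are worth a look."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and not ev.success and ev.op in MODIFYING_OPS:
            out.append((ev.user, ev.client_ip, ev.op, ev.args))
    return out


# Constructed sample of what LOCAL5/NOTICE lines look like once routed to a file.
SAMPLE_LINES = [
    "Jul 16 09:12:01 fileserver smbd_audit: mbodger|10.1.2.3|connect|ok|projects",
    "Jul 16 09:12:05 fileserver smbd_audit: mbodger|10.1.2.3|open|ok|docs/report.doc",
    "Jul 16 09:12:07 fileserver smbd_audit: mbodger|10.1.2.3|pwrite|ok|docs/report.doc",
    "Jul 16 09:12:09 fileserver smbd_audit: mbodger|10.1.2.3|rename|ok|docs/report.doc|docs/report-final.doc",
    "Jul 16 09:13:00 fileserver smbd_audit: jsmith|10.1.2.9|unlink|fail|docs/report-final.doc",
    "Jul 16 09:13:02 fileserver smbd_audit: jsmith|10.1.2.9|unlink|ok|tmp/scratch.txt",
    "Jul 16 09:13:04 fileserver sshd[2211]: Accepted publickey for root from 10.1.2.9",
    "Jul 16 09:14:00 fileserver smbd_audit: jsmith|10.1.2.9|disconnect|ok|projects",
]

if __name__ == "__main__":
    for user, ops in changes_by_user(SAMPLE_LINES).items():
        for op, args in ops:
            print(f"{user:10} {op:8} {' -> '.join(args)}")
    for user, ip, op, args in failed_changes(SAMPLE_LINES):
        print(f"FAILED {user}@{ip} {op} {' '.join(args)}")
```

To get lines like these in the first place, the two smb.conf options that decide what is logged are full_audit:success and full_audit:failure (lists of operation names such as mkdir, rename, unlink, rmdir, pwrite); setting both explicitly, rather than relying on whatever the installed Samba version defaults to, is the practical way to make sure the modifying operations above are captured without logging every read. The facility LOCAL5 chosen in the post then needs a matching syslog rule so the lines land in their own file rather than in the general log.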
________________________________
From: Scott Grizzard [mailto:scott at scottgrizzard.com]
Sent: Thu 15/07/2010 16:54
To: Malcolm Bodger
Cc: samba-technical at lists.samba.org
Subject: Re: RE: RE: ldap and active directory configuration
Does the machine account appear in AD?
On Jul 15, 2010 4:30 AM, "Malcolm Bodger" <M.Bodger at westminster.ac.uk> wrote:
Hi Scott,
Yes, I configured kerberos, but running 'getent passwd' only lists the local users.
The /etc/krb5.conf:
[libdefaults]
    default_realm = INTRANET.WMIN.AC.UK

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
    ticket_lifetime = 24000
    default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    MEDIA-LAB.MIT.EDU = {
        kdc = kerberos.media.mit.edu
        admin_server = kerberos.media.mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    MOOF.MIT.EDU = {
        kdc = three-headed-dogcow.mit.edu:88
        kdc = three-headed-dogcow-1.mit.edu:88
        admin_server = three-headed-dogcow.mit.edu
    }
    CSAIL.MIT.EDU = {
        kdc = kerberos-1.csail.mit.edu
        kdc = kerberos-2.csail.mit.edu
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
        krb524_server = krb524.csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    GNU.ORG = {
        kdc = kerberos.gnu.org
        kdc = kerberos-2.gnu.org
        kdc = kerberos-3.gnu.org
        admin_server = kerberos.gnu.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    GRATUITOUS.ORG = {
        kdc = kerberos.gratuitous.org
        admin_server = kerberos.gratuitous.org
    }
    DOOMCOM.ORG = {
        kdc = kerberos.doomcom.org
        admin_server = kerberos.doomcom.org
    }
    ANDREW.CMU.EDU = {
        kdc = vice28.fs.andrew.cmu.edu
        kdc = vice2.fs.andrew.cmu.edu
        kdc = vice11.fs.andrew.cmu.edu
        kdc = vice12.fs.andrew.cmu.edu
        admin_server = vice28.fs.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementia.org
        kdc = kerberos2.dementia.org
        admin_server = kerberos.dementia.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    INTRANET.WMIN.AC.UK = {
        kdc = ISLS-INT-DC-6.WMIN.AC.UK
        admin_server = ISLS-INT-DC-6.WMIN.AC.UK
        default_domain = INTRANET.WMIN.AC.UK
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .intranet.wmin.ac.uk = INTRANET.WMIN.AC.UK
    intranet.wmin.ac.uk = INTRANET.WMIN.AC.UK

[login]
    krb4_convert = true
    krb4_get_tickets = false
The /etc/nsswitch.conf:
passwd: files winbind
group: files winbind
shadow: files
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
The wbinfo -u and -g options do return the users and groups.
Thanks,
Malcolm.
________________________________
From: Scott Grizzard [mailto:scott at scottgrizzard.com]
Sent: Thu 15/07/2010 08:49
To: Malcolm Bodger
Cc: samba-technical at lists.samba.org
Subject: Re: RE: ldap and active directory configuration
Did you configure Kerberos for that server? What does your krb5.conf look like?
How about your nsswi...
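The nsswitch.conf question that runs through the quoted messages above comes down to one check: nss_winbind has to be listed for the passwd and group databases before getent can show domain users at all (the thread's actual fix, joining the machine to the domain, is a separate prerequisite that this check cannot see). The following is an added example, not code from the thread or from Samba; the two configs embedded in it are copies of the ones Malcolm posted, before and after the change from files to compat, and the findings logic is this example's own.

```python
"""Parse nsswitch.conf and check the lookups winbind needs.

Added example (not from the thread). The only assumption is that the passwd
and group databases must list the winbind source for 'getent passwd' and
'getent group' to return domain accounts; the two configs below are copies of
the ones posted in the thread.
"""
import re
from typing import Dict, List

# Action specifications such as [NOTFOUND=return] sit between sources and are
# not sources themselves, so they are stripped before splitting.
ACTION_RE = re.compile(r"\[[^\]]*\]")


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} with comments and action specs removed."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        conf[db.strip()] = ACTION_RE.sub(" ", sources).split()
    return conf


def winbind_databases(conf: Dict[str, List[str]]) -> List[str]:
    """Databases for which winbind is consulted, sorted by name."""
    return sorted(db for db, sources in conf.items() if "winbind" in sources)


def check_domain_lookup(conf: Dict[str, List[str]]) -> List[str]:
    """Return findings about the NSS side of domain lookups; empty means fine."""
    findings = []
    for db in ("passwd", "group"):
        sources = conf.get(db, [])
        if "winbind" not in sources:
            shown = " ".join(sources) if sources else "no entry"
            findings.append(
                f"{db}: winbind not listed ({shown}); domain accounts will not "
                f"appear in 'getent {db}' even when 'wbinfo' works"
            )
    return findings


# Copy of the nsswitch.conf from the earlier message in the thread.
NSSWITCH_BEFORE = """\
passwd: files winbind
group: files winbind
shadow: files
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
"""

# Copy of the nsswitch.conf from the later message in the thread.
NSSWITCH_AFTER = """\
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
"""

if __name__ == "__main__":
    for label, text in (("before", NSSWITCH_BEFORE), ("after", NSSWITCH_AFTER)):
        conf = parse_nsswitch(text)
        print(f"{label}: winbind used for {winbind_databases(conf)}")
        for finding in check_domain_lookup(conf) or ["no NSS findings"]:
            print(f"  {finding}")
```

Both posted configs pass this check, which is consistent with the thread: the list was empty not because NSS was wrong but because the host had not yet been joined, so the check is a way to rule the NSS layer out quickly before looking at the join, winbindd and Kerberos.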
The University of Westminster is a charity and a company limited by guarantee. Registration number: 977818 England. Registered Office: 309 Regent Street, London W1B 2UW.