[Samba] Samba working in Active Directory .config's included
Tim jordan
timothy_jordan at labor.state.ak.us
Sat Dec 20 00:31:08 GMT 2003
I'm struggling just as much as the next person on this setup. However,
I do have it working under Mandrake 9.2 with Samba3.0.pre1.
Perhaps we can work together and figure out what is different between
setups.
smb.conf:
> #======================= Global Settings =====================================
> [global]
>
> # 1. Server Naming Options:
> # workgroup is the short domain name; realm is the Kerberos realm and is the
> # same value as default_realm in the krb5.conf listing on this page.
> workgroup = LABOR
> realm = LABOR.AK
> server string = Samba Server %v
> # 2. Printing Options:
> printcap name = cups
> load printers = yes
> printing = cups
> # This should work well for winbind:
> printer admin = @"Domain Admins"
>
> # 3. Logging Options:
> # One log file per client machine (%m); max log size is in kilobytes.
> # log level = 5 is debug-level output. It helps while the AD join is being
> # diagnosed, but should be lowered once the setup works: debug logs carry
> # far more per-client detail than normal operation needs, and with a 50 KB
> # cap very little history is kept.
> log file = /var/log/samba3/log.%m
> max log size = 50
> log level = 5
>
> # 4. Security and Domain Membership Options:
> # security = ads makes the server an Active Directory member (Kerberos).
> # "ipaddress of w2k pdc" is the poster's placeholder, not a literal value.
> security = ads
> password server = ipaddress of w2k pdc
> encrypt passwords = yes
>
> # 5. Winbind
> # NOTE(review): "winbind uid/gid" here and "idmap uid/gid" under section 6
> # set the same 10000-20000 range; in Samba 3.0 these are believed to be
> # synonyms, so one pair is likely redundant - confirm against the smb.conf
> # man page for the installed version. The range must not overlap IDs already
> # used in the local passwd/group files.
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> # With "use default domain", domain users appear without a DOMAIN prefix, so
> # a domain account can share a name with a local account; check for such
> # collisions before relying on user names in "valid users"/"write list".
> winbind use default domain = yes
> # Only the server's own domain is accepted; trusted domains are not mapped.
> allow trusted domains = no
> template homedir = /home/%D/%U
> obey pam restrictions = yes
> template shell = /bin/bash
>
> # 5. Browser Control and Networking Options:
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> # The four settings below keep this server out of browse-master elections.
> local master = no
> os level = 0
> domain master = no
> preferred master = no
> # NOTE(review): the two PAM files below were pasted into the middle of the
> # smb.conf listing. They are separate files, not smb.conf parameters; the
> # [global] section resumes at "# 6. Domain Control Options".
> /etc/pam.d/samba
>
> #%PAM-1.0
> > auth required /lib/security/pam_nologin.so
> > auth required /lib/security/pam_stack.so service=system-auth
> > account required /lib/security/pam_stack.so service=system-auth
> > session required /lib/security/pam_stack.so service=system-auth
> >
> # NOTE(review): as posted, this listing is line-for-line the same as
> # /etc/pam.d/samba above and stacks service=system-auth from inside
> # system-auth itself. That looks like a paste error rather than the real
> # file - check the file on the system before copying this.
> /etc/pam.d/system-auth
> #%PAM-1.0
> auth required /lib/security/pam_nologin.so
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> # 6. Domain Control Options:
> # Continuation of the smb.conf [global] section.
> # domain logons = no: this server is a domain member, not a logon server.
> domain logons = no
> # smbd runs this command itself, with %u replaced by a user name taken from
> # the client request, so keep the quoting around %u and keep the command
> # minimal. The account it creates gets /bin/false as its shell.
> # NOTE(review): with winbind supplying domain users through nsswitch, this
> # script may not be needed at all - confirm before keeping it.
> add user script = /usr/sbin/useradd -s /bin/false '%u'
> # Same range as "winbind uid/gid" in the Winbind section; see the note there.
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
>
> # 7. Name Resolution Options:
> # NOTE(review): "host" (hosts file / DNS) is not in the resolve order -
> # confirm that is intended. "ipaddress of wins server" is a placeholder.
> name resolve order = wins lmhosts bcast
> wins server = ipaddress of wins server
> dns proxy = no
>
>
> #============================ Share Definitions ==============================
> # Writable share limited to members of the Domain Admins group; guest access
> # is off (public = no).
> [Domain Admins]
> comment = Private Directory
> path = /private
> valid users =@"Domain Admins"
> public = no
> writable = yes
> printable = no
> # Guest-accessible (public = yes) and writable share mapped onto the system
> # /tmp directory: anyone who can reach the server can write there without
> # authenticating. /tmp also holds the Kerberos ticket cache shown in the
> # klist output on this page (FILE:/tmp/krb5cc_0), so only file permissions
> # separate the guest account from it. Prefer a dedicated scratch directory
> # and require authentication unless guest write access is really needed.
> [Temp]
> comment = Temporary file space
> path = /tmp
> read only = no
> public = yes
>
> # Read-only for everyone, including guests; "write list" gives write access
> # back to the listed group despite writable = no.
> # NOTE(review): the quoting here ("@Domain Admins") differs from the
> # @"Domain Admins" form used for "valid users" and "printer admin" -
> # confirm both forms resolve to the same group.
> [Gentoo]
> comment = Gentoo resources
> path = /samba/gentoo
> public = yes
> writable = no
> write list = "@Domain Admins"
krb5.conf:
> # NOTE(review): the opening "[" of the [logging] section header is missing
> # in the line below as posted; the file needs "[logging]".
> logging]
> default = FILE:/var/log/kerberos/krb5libs.log
> kdc = FILE:/var/log/kerberos/krb5kdc.log
> admin_server = FILE:/var/log/kerberos/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = LABOR.AK
> # Both enctype lists allow single DES only (the klist output on this page
> # confirms a DES-CBC-CRC ticket). This was presumably chosen for interop
> # between this Samba pre-release and the Windows 2000 KDC. Single DES is
> # deprecated (RFC 6649) and disabled by default in current Kerberos and
> # Windows releases, so do not carry these two lines into a new deployment;
> # let the client and KDC negotiate a stronger type.
> default_tgs_enctypes = des-cbc-crc des-cbc-md5
> default_tkt_enctypes = des-cbc-crc des-cbc-md5
> #permitted_enctypes = des-cbc-crc des-cbc-md5
> # DNS discovery is off, so the KDC is taken from the [realms] entry below.
> dns_lookup_realm = false
> dns_lookup_kdc = false
> kdc_req_checksum_type = 2
> checksum_type = 2
> ccache_type = 1
> forwardable = true
> proxiable = true
>
> [realms]
> # MYW2KPDC.LABOR.AK is the Windows 2000 domain controller acting as KDC.
> LABOR.AK = {
> kdc = MYW2KPDC.LABOR.AK:88
> admin_server = MYW2KPDC.LABOR.AK:749
> default_domain = LABOR.AK
> }
>
> [domain_realm]
> .LABOR.AK = LABOR.AK
>
> # NOTE(review): [kdc] points at a KDC profile; on a machine that is only a
> # Kerberos client of the Windows KDC this section is presumably unused.
> [kdc]
> profile = /etc/kerberos/krb5kdc/kdc.conf
>
> [pam]
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
>
> [login]
> krb4_convert = false
> krb4_get_tickets = false
Checking encryption type:
> # klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: TIM at LABOR.AK
>
> Valid starting Expires Service principal
> 12/19/03 13:59:10 12/19/03 23:59:50 krbtgt/LABOR.AK at LABOR.AK
> renew until 12/20/03 13:59:10, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
/etc/pam.d/login:
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> # A "sufficient" success ends the auth stack at once, so pam_nologin on the
> # following line is never consulted for a user who authenticates through
> # system-auth-winbind, and /etc/nologin does not block them. Move
> # pam_nologin above this line if nologin should apply to every login.
> auth sufficient /lib/security/pam_stack.so service=system-auth-winbind
> auth required /lib/security/pam_nologin.so
> # NOTE(review): this is the only account line and it is "sufficient" rather
> # than "required" - confirm a failed account check really denies the login.
> account sufficient /lib/security/pam_stack.so service=system-auth-winbind
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_console.so
/etc/pam.d/system-auth-winbind
> #%PAM-1.0
>
> # Auth order: winbind (domain accounts) first, then local accounts through
> # pam_unix re-using the password already typed, then deny.
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_winbind.so
> # "nullok" lets a local account with an empty password log in; drop it
> # unless that is intended.
> auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
> auth required /lib/security/pam_deny.so
>
> account sufficient /lib/security/pam_winbind.so
> account required /lib/security/pam_unix.so
>
> # The password stack has no pam_winbind line, so password changes made here
> # affect local accounts only. "md5" selects MD5-crypt hashes, which are
> # dated; "nullok" again permits empty passwords.
> password required /lib/security/pam_cracklib.so retry=3
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password required /lib/security/pam_deny.so
>
> # pam_mkhomedir creates the home directory at first login; umask=0022 leaves
> # it readable by every local user. Use a tighter umask (e.g. 0077) if home
> # directories should be private.
> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
/etc/nsswitch.conf
> # Local files are consulted before winbind, so a local account or group
> # wins when its name also exists in the domain.
> passwd: files winbind
> shadow: files nisplus nis
> group: files winbind
>
> #hosts: db files nisplus nis dns
> hosts: files dns wins