[Samba] samba 3.0 kerberos question

Bob Bartels zibit at andromeda.uc.utoledo.edu
Wed Oct 29 15:08:27 GMT 2003


Axel,

So far this is what I've found out:

Once you modify all the pam.d modules you want to authenticate with by adding 
winbind.so (ssh, login, su, xdm etc.) and gotten the logins to work... The 
next problem is uid/gid mappings from the AD->unix. Then comes the mounting 
of the user's directory from an AD. So far the only solution I've found is to 
use
http://uranus.it.swin.edu.au/~jn/linux/smbfs/

This loads a daemon that gets userid and passwd from winbind. It then uses 
that info to basically use smbmount with the login credentials to mount the 
user's home dir at login time.

I don't know how to parse the AD to get the actual home directory...At this 
point our home dirs are all going to be DFS$ mounts on the windows servers. I 
need to parse the Active Directory for this and then pipe that info to smbfs.

Then all my AD users should be able to login to our shared unix server and 
find themselves in their unified home directory. I'm sure permission issues 
will be the next hurdle. 

If anyone has a better solution or a howto in the works as to this type of 
scenario/solution - Windows AD userbase who need to use a unix server for 
research and want a unified homedir/account setup.

Thanks

Bob





> Quoting Andrew Bartlett <abartlet at samba.org>:
> > On Thu, 2003-10-23 at 06:19, Bob Bartels wrote:
> > > I have successfully joined a machine to an active directory and got a
> > > kerberos session ticket.
> > >
> > > Smbclient //server/share$ -k works and allows me access to the dirs on
> > > a server in the domain in which I authenticated and received a krb
> > > ticket from.
> >
> > > smbmount //server/share$ /localmount -o krb Should work as
> > > well...right??
> >
> > NO!
> >
> > > I get this error when I try it:
> > >
> > > Warning: kerberos support will only work for samba servers
> > > Anonymous login successful
> > > 2348: tree connect failed: ERRDOS - ERRnoaccess (Access denied.)
> > > SMB connection failed
> > >
> > >
> > > Why is this happening and is there a way to mount a sharepoint after
> > > getting a kerberos ticket without having to re-authenticate?
> >
> > Not with smbfs.  It is hoped that the CIFS VFS will get better in this
> > regard.
>
> So is there any solution to use smb shares (on Samba AND Windows Servers)
> as home directories for linux users with all their consequences? I mean
> automatically mount them at boot time, use pam_mkhomedir with them, single
> signon during the logon process, etc.
>
> That's what I was expecting from the release of Samba 3.0, centralized home
> directories for Windows and Linux users in heterogeneous networks resulting
> in dramatically reduced administration efforts and the end of not
> unnecessary redundant information... Kerberos is the key to that scenario.
>
> Regards,
>
> Axel Suppantschitsch.
>
> Dipl.-Ing. (FH) Axel Suppantschitsch
> ---
> FH JOANNEUM Gesellschaft mbH
> University of Applied Sciences
> Department of Information Management
> Operating System Technologies
> Alte Poststrasse 147, A-8020 Graz
> www.fh-joanneum.at



