[Samba] ADS Authentication
Tom Skeren
tms3 at fsklaw.net
Wed Dec 8 15:31:46 GMT 2004
Edward Wissner wrote:
>What did you change in your smb.conf file?
>
Well, I managed to get samba to authenticate, however, continued
winbindd problems make the setup worthless. Group searches fail, or are
incomplete. Domain users and groups list without domain id. net
groupmap fails. Attempts to re-join via "net ads join" fail.
If you're interested, I have copied all the relevant config files here:

smb.conf:
workgroup = FSK
realm = FSKLAW.NET
server string = SSERVER
netbios name = SSERVER
security = ADS
client schannel = Yes
server schannel = Yes
passdb backend = ldapsam:ldap://w2000.fsklaw.net
socket options = TCP_NODELAY
dns proxy = No
ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
ldap suffix = DC=fsklaw,DC=net
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = /
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
dos filemode = Yes
acl compatibility = win2k
inherit acls = yes
inherit permissions = yes
[FSK]
path = /home/FSK
public = yes
only guest = no
browseable = yes
writeable = yes
printable = no
create mask = 0777
force create mode = 0777
force directory mode = 0777
directory security mask = 0777
ldap.conf:
host w2000.fsklaw.net
base dc=fsklaw,dc=net
ldap_version 3
URI ldaps://w2000.fsklaw.net
scope sub
pam_login_attribute Administrator
pam_password md5
idle_timelimit 3600
nss_base_passwd cn=Users,dc=fsklaw,dc=net?one
nss_base_group cn=Users,dc=fsklaw,dc=net?one
ssl on
TLS_CACERT /etc/CA/fsk.pem
tls_ciphers TLSv1
sasl_secprops maxssf=0
krb5_ccname FILE:/tmp/krb5cc_0
nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: dns winbind ldap files nis
automount: files winbind ldap nisplus
aliases: files winbind ldap nisplus
krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = FSKLAW.NET
dns_lookup_realm = false
dns_lookup_kdc = false
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_keytab_name = FILE:/etc/krb5.keytab
[realms]
FSKLAW.NET = {
kdc = KERBEROS.FSKLAW.NET
admin_server = w2000.fsklaw.net
default_domain = fsklaw.net
}
[domain_realm]
.fsklaw.net = FSKLAW.NET
fsklaw.net = FSKLAW.NET
.FSKLAW.NET = FSKLAW.NET
.kerberos.server = KERBEROS.FSKLAW.NET
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
pam.d/login:
#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth include system
auth sufficient /usr/local/lib/pam_winbind.so
# account
account requisite pam_securetty.so
account include system
account sufficient /usr/local/lib/pam_winbind.so
# session
session include system
# password
password include system
>-----Original Message-----
>From: Tom Skeren [mailto:tms3 at fsklaw.net]
>Sent: Tuesday, December 07, 2004 4:04 PM
>To: Jeremy Allison
>Cc: samba
>Subject: Re: [Samba] ADS Authentication
>
>Jeremy Allison wrote:
>
>It was an smb.conf issue. Authentication against ADS is now
>functioning. Now it's time to wrestle with ACLs. Thanks for the help.
>
>TMS III
>
>>On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:
>>
>>>I'm about ready to smash my head through a wall...I could use a few
>>>answers.
>>>
>>>1. When using security = ads, and completing net ads join, it was my
>>>understanding that samba authenticated username/pword against ads, and
>>>local posix accounts were no longer needed, is this true?
>>
>>Yes, so long as you have nsswitch and pam set up correctly. It sounds
>>like you don't.
>>
>>Jeremy.
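As an added example (not from the thread or from the Samba project), the following lints the posted smb.conf for winbind settings whose documented effect matches the symptoms reported above: `winbind enum users/groups = No` suppresses enumeration, and `winbind use default domain = Yes` strips the domain prefix from names. SMB_CONF is a constructed excerpt of the config in the mail; the finding texts are this example's own wording.

```python
"""Lint the [global] section of an smb.conf for winbind settings that yield
short or prefix-less user/group listings. SMB_CONF is a constructed excerpt."""
import configparser
import re

SMB_CONF = """\
security = ADS
passdb backend = ldapsam:ldap://w2000.fsklaw.net
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = /
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
[FSK]
path = /home/FSK
"""

def parse_smb_conf(text):
    """Parse smb.conf text; keys before any [section] header belong to [global]."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string("[global]\n" + text)  # configparser lower-cases the keys
    return {sec: dict(cp.items(sec)) for sec in cp.sections()}

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def lint_winbind(conf):
    """Return one finding per setting that explains an incomplete listing."""
    g = conf.get("global", {})
    findings = []
    for key, what in (("winbind enum users", "users"), ("winbind enum groups", "groups")):
        if not is_yes(g.get(key, "yes")):
            findings.append(f"{key} = no: getent and wbinfo will not enumerate domain {what}; "
                            "only direct name lookups resolve")
    if is_yes(g.get("winbind use default domain", "no")):
        findings.append("winbind use default domain = yes: names are shown without the "
                        "DOMAIN<separator> prefix")
    for key in ("idmap uid", "idmap gid"):  # the range must be LOW-HIGH with LOW < HIGH
        m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", g.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{key}: missing or malformed range, expected LOW-HIGH")
    if g.get("security", "").lower() == "ads" and g.get("passdb backend", "").startswith("ldapsam"):
        findings.append("passdb backend = ldapsam with security = ads: net groupmap stores its "
                        "mappings in that LDAP directory, which needs the Samba schema")
    return findings

if __name__ == "__main__":
    for line in lint_winbind(parse_smb_conf(SMB_CONF)):
        print("-", line)
```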