[Samba] ADS Authentication

Tom Skeren tms3 at fsklaw.net
Wed Dec 8 16:27:16 GMT 2004


Edward Wissner wrote:

> I have similar issues, but am not using an ldap server, rather a W2k 
> Active Directory domain controller.

Yes, so am I.  The ldap server listed in ldap.conf is named w2000

> And am not interested in logging into the linux server with AD.
> Domain users and groups list without the domain ID for me as well.  I 
> don't know if that is proper as I have never seen a working setup.

No...it should be DOMAIN_NAME/user1  DOMAIN_NAME/group1 etc.  The "/" is 
specified in smb.conf as winbindd separator.

> I see my shares on the samba server from a w2k client, but am prompted 
> again for usr/passwd when attempting to open a shared directory.  
> That's when I get a failure.

Try mapping a drive by \\ip-addy\share....bet it works.

> I'm ready to toss it and start over, migrating completely away 
> from w2k AD and setting up an ldap directory instead.

I can't unfortunately.

> Samba works great if I create my users locally.

It works pretty well as an NT style PDC, yes, but this project requires 
a samba server become a member server in ADS.

> ed 
>
>     -----Original Message-----
>     *From:* Tom Skeren [mailto:tms3 at fsklaw.net]
>     *Sent:* Wednesday, December 08, 2004 10:32 AM
>     *To:* Edward Wissner; samba
>     *Subject:* Re: [Samba] ADS Authentication
>
>     Edward Wissner wrote:
>
>>What did you change in your smb.conf file?
>>
>     Well, I managed to get samba to authenticate, however, continued
>     winbindd problems make the setup worthless.  Group searches fail,
>     or are incomplete.  Domain users and groups list without domain
>     id.  net groupmap fails.  Attempts to re-join via "net ads join"
>     fail. 
>
>     If you're interested, I have copied all the relevant config files here:
>
>     _*smb.conf:*_
>
>     workgroup = FSK
>      realm = FSKLAW.NET
>      server string = SSERVER
>      netbios name = SSERVER
>      security = ADS
>      client schannel = Yes
>      server schannel = Yes
>      passdb backend = ldapsam:ldap://w2000.fsklaw.net
>      socket options = TCP_NODELAY
>      dns proxy = No
>      ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
>      ldap suffix = DC=fsklaw,DC=net
>      idmap uid = 10000-20000
>      idmap gid = 10000-20000
>      winbind separator = /
>      winbind enum users = No
>      winbind enum groups = No
>      winbind use default domain = Yes
>      dos filemode = Yes
>      acl compatibility = win2k
>             inherit acls = yes
>             inherit permissions = yes
>
>     [FSK]
>        path = /home/FSK
>        public = yes
>        only guest = no
>        browseable = yes
>        writeable = yes
>        printable = no
>        create mask = 0777
>        force create mode = 0777
>        force directory mode = 0777
>        directory security mask = 0777
>
>     _*ldap.conf:*_
>     host w2000.fsklaw.net
>     base dc=fsklaw,dc=net
>     ldap_version 3
>     URI ldaps:w2000.fsklaw.net
>     scope sub
>     pam_login_attribute Administrator
>     pam_password md5
>     idle_timelimit 3600
>     nss_base_passwd cn=Users,dc=fsklaw,dc=net?one
>     nss_base_group cn=Users,dc=fsklaw,dc=net?one
>     ssl on
>     TLS_CACERT /etc/CA/fsk.pem
>     tls_ciphers TLSv1
>     sasl_secprops maxssf=0
>     krb5_ccname FILE:/tmp/krb5cc_0
>
>     _*nsswitch.conf:*_
>     passwd: files winbind
>     shadow: files winbind
>     group: files winbind
>     hosts: dns winbind ldap files nis
>     automount: files winbind ldap nisplus
>     aliases: files winbind ldap nisplus
>
>     _*krb5.conf:*_
>
>     [logging]
>      default = FILE:/var/log/krb5libs.log
>      kdc = FILE:/var/log/krb5kdc.log
>      admin_server = FILE:/var/log/kadmind.log
>
>     [libdefaults]
>      ticket_lifetime = 24000
>      default_realm = FSKLAW.NET
>      dns_lookup_realm = false
>      dns_lookup_kdc = false
>      default_etypes = des-cbc-crc des-cbc-md5
>      default_etypes_des = des-cbc-crc des-cbc-md5
>      default_keytab-name = FILE:/etc/krb5.keytab
>     [realms]
>
>      FSKLAW.NET = {
>       kdc = KERBEROS.FSKLAW.NET
>       admin_server = w2000.fsklaw.net
>       default_domain= fsklaw.net
>      }
>
>     [domain_realm]
>      .fsklaw.net = FSKLAW.NET
>      fsklaw.net = FSKLAW.NET
>      .FSKLAW.NET = FSKLAW.NET
>     .kerberos.server = KERBEROS.FSKLAW.NET
>     [kdc]
>      profile = /var/kerberos/krb5kdc/kdc.conf
>
>     [pam]
>      debug = false
>      ticket_lifetime = 36000
>      renew_lifetime = 36000
>      forwardable = true
>      krb4_convert = false
>
>     _*pam.d/login:*_
>     #
>     # $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
>     #
>     # PAM configuration for the "login" service
>     #
>
>     # auth
>     auth  required pam_nologin.so  no_warn
>     auth  sufficient pam_self.so  no_warn
>     auth  include  system
>     auth  sufficient /usr/local/lib/pam_winbind.so
>     # account
>     account  requisite pam_securetty.so
>     account  include  system
>     account  sufficient /usr/local/lib/pam_winbind.so
>
>     # session
>     session  include  system
>
>     # password
>     password include  system
>
>>-----Original Message-----
>>From: Tom Skeren [mailto:tms3 at fsklaw.net]
>>Sent: Tuesday, December 07, 2004 4:04 PM
>>To: Jeremy Allison
>>Cc: samba
>>Subject: Re: [Samba] ADS Authentication
>>
>>
>>Jeremy Allison wrote:
>>
>>It was an smb.conf issue.  Authentication against ADS is now
>>functioning.  Now it's time to wrestle with ACLs.  Thanks for the help.
>>
>>TMS III
>>
>>>On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:
>>>
>>>>I'm about ready to smash my head through a wall...I could use a few
>>>>answers.
>>>>
>>>>1.  When using security = ads, and completing net ads join, it was my
>>>>understanding that samba authenticated username/pword against ads, and
>>>>local posix accounts were no longer needed, is this true?
>>>
>>>Yes, so long as you have nsswitch and pam set up correctly. It sounds
>>>like you don't.
>>>
>>>Jeremy.
>
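The symptoms discussed in this thread (domain users and groups listed without the DOMAIN/ prefix, `getent` showing incomplete lists) follow partly from settings in the posted smb.conf itself: `winbind use default domain = Yes` tells winbindd to strip the domain component, and `winbind enum users/groups = No` disables enumeration, so only lookups by name succeed. The following is an added example, not code from the thread or from the Samba project: a small Python check that parses constructed copies of the relevant parts of the posted smb.conf, nsswitch.conf and krb5.conf, predicts how a domain account name will be presented, and reports the settings behind the symptoms together with two weak security settings visible in the posted files (single-DES Kerberos enctypes and a 0777 create mask). The parser, the function names and the sample strings are this example's own.

```python
"""Check a Samba ADS member-server config for the settings behind the
symptoms in this thread. Added example; not the poster's code. The three
strings below are constructed subsets of the posted files (runs offline)."""

import re

SMB_CONF = """\
[global]
 workgroup = FSK
 realm = FSKLAW.NET
 security = ADS
 winbind separator = /
 winbind enum users = No
 winbind enum groups = No
 winbind use default domain = Yes

[FSK]
 path = /home/FSK
 create mask = 0777
"""

NSSWITCH_CONF = """\
passwd: files winbind
shadow: files winbind
group: files winbind
"""

KRB5_CONF = """\
[libdefaults]
 default_realm = FSKLAW.NET
 default_etypes = des-cbc-crc des-cbc-md5
[realms]
 FSKLAW.NET = {
  kdc = KERBEROS.FSKLAW.NET
 }
"""


def parse_ini(text):
    """smb.conf / krb5.conf -> {section: {key: value}} (keys lower-cased).
    krb5.conf 'name = { ... }' groups are skipped, not parsed."""
    sections, current, in_group = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_group:                     # wait for the closing brace
            in_group = line != "}"
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        key, eq, value = line.partition("=")
        if eq and current is not None:
            if value.strip() == "{":
                in_group = True
            else:
                sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_nsswitch(text):
    """nsswitch.conf -> {database: [source, ...]}."""
    db = {}
    for line in text.splitlines():
        name, colon, sources = line.split("#", 1)[0].partition(":")
        if colon:
            db[name.strip()] = sources.split()
    return db


def truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def winbind_name_form(smb_global, user="user1"):
    """Name winbind hands to NSS for a domain account under this [global]."""
    if truthy(smb_global.get("winbind use default domain", "no")):
        return user                      # domain component is stripped
    sep = smb_global.get("winbind separator", "\\")
    return smb_global["workgroup"] + sep + user


def lint(smb, nss, krb):
    """Return human-readable findings; an empty list means nothing flagged."""
    g, findings = smb["global"], []
    if truthy(g.get("winbind use default domain", "no")):
        findings.append("winbind use default domain = yes: domain users and "
                        "groups are listed without the DOMAIN prefix by design")
    for kind in ("users", "groups"):
        val = g.get("winbind enum " + kind)
        if val is not None and not truthy(val):
            findings.append("winbind enum %s = no: getent cannot enumerate "
                            "domain %s, only resolve them by name" % (kind, kind))
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append("nsswitch.conf: %s does not consult winbind" % db)
    etypes = krb.get("libdefaults", {}).get("default_etypes", "").split()
    if etypes and all(e.startswith("des-") for e in etypes):
        findings.append("krb5.conf: only single-DES enctypes allowed; DES is weak")
    for name, share in smb.items():
        if name != "global" and share.get("create mask", "").endswith("777"):
            findings.append("[%s]: create mask %s makes every new file "
                            "world-writable" % (name, share["create mask"]))
    return findings


if __name__ == "__main__":
    smb = parse_ini(SMB_CONF)
    print("domain account appears as:", winbind_name_form(smb["global"]))
    for finding in lint(smb, parse_nsswitch(NSSWITCH_CONF), parse_ini(KRB5_CONF)):
        print("-", finding)
```

With the posted values the check reports that a domain account will appear as plain `user1` (not `FSK/user1`), that enumeration is disabled for both users and groups, that only single-DES enctypes are allowed, and that the `[FSK]` share creates world-writable files. On the member server itself the live equivalents are `wbinfo -u` and `getent passwd`, which show whatever winbindd is actually returning.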

