[Samba] ADS Authentication

Christoph Scheeder christoph.scheeder at scheeder.de
Wed Dec 8 17:12:30 GMT 2004


first:

STOP,

you want your samba-server to be a member server in ADS, do you?

then *remove* *all* bits referencing ldap from your smb.conf.

you entrust all user and group management to ADS via winbindd
and only via winbindd.

second:
you have configured winbindd not to give you the domain part
from ADS by setting:

winbind use default domain = Yes

set it to no and you will get the domain part for your
domain users/groups

third:
don't use "/" as domain-separator in linux/unix.
it has special meaning (path-separator) and using it probably will give
you strange problems.

Christoph

Tom Skeren schrieb:
> Edward Wissner wrote:
> 
>> I have similar issues, but am not using an ldap server, rather a W2k 
>> Active Directory domain controller.
> 
> 
> Yes, so am I.  The ldap server listed in ldap.conf is named w2000
> 
>> And am not interested in logging into the linux server with AD.
>> Domain users and groups list without the domain ID for me as well.  I 
>> don't know if that is proper as I have never seen a working setup.
> 
> 
> No...it should be DOMAIN_NAME/user1  DOMAIN_NAME/group1 etc.  The "/" is 
> specified in smb.conf as winbindd separator.
> 
>> I see my shares on the samba server from a w2k client, but am prompted 
>> again for usr/passwd when attempting to open a shared directory.  
>> That's when I get a failure.
> 
> 
> Try mapping a drive by \\ip-addy\share....bet it works.
> 
>>  
>> I'm ready to toss it and start over, migrating completely away from 
>> w2k AD and setting up an ldap directory instead.
> 
> 
> I can't unfortunately.
> 
>> Samba works great if I create my users locally.
> 
> 
> It works pretty well as an NT style PDC, yes, but this project requires 
> a samba server become a member server in ADS.
> 
>> ed
>>     -----Original Message-----
>>     *From:* Tom Skeren [mailto:tms3 at fsklaw.net]
>>     *Sent:* Wednesday, December 08, 2004 10:32 AM
>>     *To:* Edward Wissner; samba
>>     *Subject:* Re: [Samba] ADS Authentication
>>
>>     Edward Wissner wrote:
>>
>>> What did you change in your smb.conf file?
>>>  
>>>
>>     Well, I managed to get samba to authenticate, however, continued
>>     winbindd problems make the setup worthless.  Group searches fail,
>>     or are incomplete.  Domain users and groups list without domain
>>     id.  net groupmap fails.  Attempts to re-join via "net ads join"
>>     fail.
>>     If you're interested, I have copied all the relevant config files here:
>>
>>     _*smb.conf:*_
>>
>>     workgroup = FSK
>>      realm = FSKLAW.NET
>>      server string = SSERVER
>>      netbios name = SSERVER
>>      security = ADS
>>      client schannel = Yes
>>      server schannel = Yes
>>      passdb backend = ldapsam:ldap://w2000.fsklaw.net
>>      socket options = TCP_NODELAY
>>      dns proxy = No
>>      ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
>>      ldap suffix = DC=fsklaw,DC=net
>>      idmap uid = 10000-20000
>>      idmap gid = 10000-20000
>>      winbind separator = /
>>      winbind enum users = No
>>      winbind enum groups = No
>>      winbind use default domain = Yes
>>      dos filemode = Yes
>>      acl compatibility = win2k
>>             inherit acls = yes
>>             inherit permissions = yes
>>
>>     [FSK]
>>        path = /home/FSK
>>        public = yes
>>        only guest = no
>>        browseable = yes
>>        writeable = yes
>>        printable = no
>>        create mask = 0777
>>        force create mode = 0777
>>        force directory mode = 0777
>>        directory security mask = 0777
>>
>>     _*ldap.conf:*_
>>     host w2000.fsklaw.net
>>     base dc=fsklaw,dc=net
>>     ldap_version 3
>>     URI ldaps:w2000.fsklaw.net
>>     scope sub
>>     pam_login_attribute Administrator
>>     pam_password md5
>>     idle_timelimit 3600
>>     nss_base_passwd cn=Users,dc=fsklaw,dc=net?one
>>     nss_base_group cn=Users,dc=fsklaw,dc=net?one
>>     ssl on
>>     TLS_CACERT /etc/CA/fsk.pem
>>     tls_ciphers TLSv1
>>     sasl_secprops maxssf=0
>>     krb5_ccname FILE:/tmp/krb5cc_0
>>
>>     _*nsswitch.conf:*_
>>     passwd: files winbind
>>     shadow: files winbind
>>     group: files winbind
>>     hosts: dns winbind ldap files nis
>>     automount: files winbind ldap nisplus
>>     aliases: files winbind ldap nisplus
>>
>>     _*krb5.conf:*_
>>
>>     [logging]
>>      default = FILE:/var/log/krb5libs.log
>>      kdc = FILE:/var/log/krb5kdc.log
>>      admin_server = FILE:/var/log/kadmind.log
>>
>>     [libdefaults]
>>      ticket_lifetime = 24000
>>      default_realm = FSKLAW.NET
>>      dns_lookup_realm = false
>>      dns_lookup_kdc = false
>>      default_etypes = des-cbc-crc des-cbc-md5
>>      default_etypes_des = des-cbc-crc des-cbc-md5
>>      default_keytab-name = FILE:/etc/krb5.keytab
>>     [realms]
>>
>>      FSKLAW.NET = {
>>       kdc = KERBEROS.FSKLAW.NET
>>       admin_server = w2000.fsklaw.net
>>       default_domain= fsklaw.net
>>      }
>>
>>     [domain_realm]
>>      .fsklaw.net = FSKLAW.NET
>>      fsklaw.net = FSKLAW.NET
>>      .FSKLAW.NET = FSKLAW.NET
>>     .kerberos.server = KERBEROS.FSKLAW.NET
>>     [kdc]
>>      profile = /var/kerberos/krb5kdc/kdc.conf
>>
>>     [pam]
>>      debug = false
>>      ticket_lifetime = 36000
>>      renew_lifetime = 36000
>>      forwardable = true
>>      krb4_convert = false
>>
>>     _*pam.d/login:*_
>>     #
>>     # $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
>>     #
>>     # PAM configuration for the "login" service
>>     #
>>
>>     # auth
>>     auth  required pam_nologin.so  no_warn
>>     auth  sufficient pam_self.so  no_warn
>>     auth  include  system
>>     auth  sufficient /usr/local/lib/pam_winbind.so
>>     # account
>>     account  requisite pam_securetty.so
>>     account  include  system
>>     account  sufficient /usr/local/lib/pam_winbind.so
>>
>>     # session
>>     session  include  system
>>
>>     # password
>>     password include  system
>>
>>> -----Original Message-----
>>> From: Tom Skeren [mailto:tms3 at fsklaw.net]
>>> Sent: Tuesday, December 07, 2004 4:04 PM
>>> To: Jeremy Allison
>>> Cc: samba
>>> Subject: Re: [Samba] ADS Authentication
>>>
>>>
>>> Jeremy Allison wrote:
>>>
>>> It was an smb.conf issue.  Authentication against ADS is now
>>> functioning.  Now it's time to wrestle with ACLs.  Thanks for the help.
>>>
>>> TMS III
>>>
>>>  
>>>
>>>> On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:
>>>>
>>>>
>>>>   
>>>>
>>>>> I'm about ready to smash my head through a wall...I could use a few
>>>>> answers.
>>>>>
>>>>> 1.  When using security = ads, and completing net ads join, it was my
>>>>> understanding that samba authenticated username/pword against ads, and
>>>>> local posix accounts were no longer needed, is this true?
>>>>>
>>>>>
>>>>>     
>>>>
>>>> Yes, so long as you have nsswitch and pam set up correctly. It sounds
>>>> like you don't.
>>>>
>>>> Jeremy.
>>>>
>>
> 
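The three smb.conf pitfalls Christoph lists (leftover ldap directives on an ADS member server, `winbind use default domain = Yes`, and `/` as the winbind separator) can be caught mechanically before restarting winbindd. This is an added checker, not code from the thread or from the Samba project; the two sample configs are constructed here, the first mirroring the smb.conf posted above.

```shell
# Added example (not from the list post): lint an smb.conf for the three
# ADS-member-server pitfalls Christoph names. One WARN line per finding;
# the function itself always returns 0 so it is safe under 'set -e'.
check_smbconf() {
    f="$1"
    # 1. ldap bits: an ADS member server gets users/groups from winbindd only
    if grep -Eiq '^[[:space:]]*(passdb backend[[:space:]]*=.*ldapsam|ldap [a-z ]+=)' "$f"; then
        echo "WARN ldap: remove ldapsam/ldap directives; winbindd handles users and groups"
    fi
    # 2. 'use default domain = yes' hides the DOMAIN part of user and group names
    if grep -Eiq '^[[:space:]]*winbind use default domain[[:space:]]*=[[:space:]]*(yes|true|1)' "$f"; then
        echo "WARN domain: set 'winbind use default domain = No' to get DOMAIN+user names"
    fi
    # 3. '/' is the unix path separator; DOMAIN/user then looks like a path
    if grep -Eiq '^[[:space:]]*winbind separator[[:space:]]*=[[:space:]]*/' "$f"; then
        echo "WARN separator: '/' is the path separator; use another one such as '+'"
    fi
    return 0
}

# Constructed sample mirroring the thread's smb.conf (all three pitfalls present).
sample_bad() {
cat <<'EOF'
[global]
   workgroup = FSK
   realm = FSKLAW.NET
   security = ADS
   passdb backend = ldapsam:ldap://w2000.fsklaw.net
   ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
   ldap suffix = DC=fsklaw,DC=net
   winbind separator = /
   winbind use default domain = Yes
EOF
}

# Constructed corrected sample following the advice (no findings expected).
sample_good() {
cat <<'EOF'
[global]
   workgroup = FSK
   realm = FSKLAW.NET
   security = ADS
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = No
EOF
}

tmp=$(mktemp); sample_bad >"$tmp"; check_smbconf "$tmp"; rm -f "$tmp"
```

Run it against the real file with `check_smbconf /etc/samba/smb.conf`; an empty output means none of the three problems is present.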


