[Samba] ADS Authentication
Christoph Scheeder
christoph.scheeder at scheeder.de
Wed Dec 8 17:12:30 GMT 2004
first:
STOP,
you want your samba server to be a member server in ADS, do you?
then *remove* *all* bits referencing ldap from your smb.conf.
you entrust all user and group management to ADS via winbindd
and only via winbindd.
second:
you have configured winbindd not to give you the domain part
from ADS by setting:
winbind use default domain = Yes
set it to no and you will get the domain part for your
domain users/groups
third:
don't use "/" as domain separator in linux/unix.
it has special meaning (path separator) and using it probably will give
you strange problems.
Christoph
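The three points above applied to the smb.conf quoted further down in this thread, as an added illustration (my example, not Christoph's or the Samba project's own configuration; workgroup, realm, netbios name and idmap ranges are taken from the posted config, the "+" separator is my choice):

```ini
# [global] section for a Samba ADS member server that leaves all user and
# group management to winbindd. Added example; values marked "posted" are
# copied from the smb.conf quoted later in this thread.
[global]
    workgroup = FSK                ; posted
    realm = FSKLAW.NET             ; posted
    netbios name = SSERVER         ; posted
    security = ADS                 ; posted

    ; Point 1: no ldap directives at all. The posted config carried
    ;   passdb backend = ldapsam:ldap://w2000.fsklaw.net
    ;   ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
    ;   ldap suffix = DC=fsklaw,DC=net
    ; and all three are dropped here; the DC is reached through winbindd.

    ; Point 2: keep the domain prefix on every user and group name.
    ; The posted config had "= Yes", which strips it and makes
    ; "Administrator" from the domain and from /etc/passwd collide.
    winbind use default domain = No

    ; Point 3: "/" is the Unix path separator, so a name like FSK/user1
    ; breaks anything that builds a path from it. "+" cannot occur in a
    ; path component and is the usual choice.
    winbind separator = +

    ; Unchanged from the posted config: the ranges winbindd hands out
    ; when mapping domain SIDs to uids and gids.
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = No
    winbind enum groups = No
```

`testparm -s` reports any parameter Samba does not recognise, and after `net ads join` a `wbinfo -t` confirms the machine trust account works before you test user lookups.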
Tom Skeren wrote:
> Edward Wissner wrote:
>
>> I have similar issues, but am not using an ldap server, rather a W2k
>> Active Directory domain controller.
>
>
> Yes, so am I. The ldap server listed in ldap.conf is named w2000
>
>> And am not interested in logging into the linux server with AD.
>> Domain users and groups list without the domain ID for me as well. I
>> don't know if that is proper as I have never seen a working setup.
>
>
> No...it should be DOMAIN_NAME/user1 DOMAIN_NAME/group1 etc. The "/" is
> specified in smb.conf as winbindd separator.
>
>> I see my shares on the samba server from a w2k client, but am prompted
>> again for usr/passwd when attempting to open a shared directory.
>> That's when I get a failure.
>
>
> Try mapping a drive by \\ip-addy\share....bet it works.
>
>>
>> I'm ready to toss it and start over, migrating completely away from
>> w2k AD and setting up an ldap directory instead.
>
>
> I can't unfortunately.
>
>> Samba works great if I create my users locally.
>
>
> It works pretty well as an NT style PDC, yes, but this project requires
> a samba server become a member server in ADS.
>
>> ed
>> -----Original Message-----
>> *From:* Tom Skeren [mailto:tms3 at fsklaw.net]
>> *Sent:* Wednesday, December 08, 2004 10:32 AM
>> *To:* Edward Wissner; samba
>> *Subject:* Re: [Samba] ADS Authentication
>>
>> Edward Wissner wrote:
>>
>>> What did you change in your smb.conf file?
>>>
>>>
>> Well, I managed to get samba to authenticate, however, continued
>> winbindd problems make the setup worthless. Group searches fail,
>> or are incomplete. Domain users and groups list without domain
>> id. net groupmap fails. Attempts to re-join via "net ads join"
>> fail.
>> If you're interested, I have copied all the relevant config files here:
>>
>> smb.conf:
>>
>> workgroup = FSK
>> realm = FSKLAW.NET
>> server string = SSERVER
>> netbios name = SSERVER
>> security = ADS
>> client schannel = Yes
>> server schannel = Yes
>> passdb backend = ldapsam:ldap://w2000.fsklaw.net
>> socket options = TCP_NODELAY
>> dns proxy = No
>> ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
>> ldap suffix = DC=fsklaw,DC=net
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> winbind separator = /
>> winbind enum users = No
>> winbind enum groups = No
>> winbind use default domain = Yes
>> dos filemode = Yes
>> acl compatibility = win2k
>> inherit acls = yes
>> inherit permissions = yes
>>
>> [FSK]
>> path = /home/FSK
>> public = yes
>> only guest = no
>> browseable = yes
>> writeable = yes
>> printable = no
>> create mask = 0777
>> force create mode = 0777
>> force directory mode = 0777
>> directory security mask = 0777
>>
>> ldap.conf:
>>
>> host w2000.fsklaw.net
>> base dc=fsklaw,dc=net
>> ldap_version 3
>> URI ldaps:w2000.fsklaw.net
>> scope sub
>> pam_login_attribute Administrator
>> pam_password md5
>> idle_timelimit 3600
>> nss_base_passwd cn=Users,dc=fsklaw,dc=net?one
>> nss_base_group cn=Users,dc=fsklaw,dc=net?one
>> ssl on
>> TLS_CACERT /etc/CA/fsk.pem
>> tls_ciphers TLSv1
>> sasl_secprops maxssf=0
>> krb5_ccname FILE:/tmp/krb5cc_0
>>
>> nsswitch.conf:
>>
>> passwd: files winbind
>> shadow: files winbind
>> group: files winbind
>> hosts: dns winbind ldap files nis
>> automount: files winbind ldap nisplus
>> aliases: files winbind ldap nisplus
>>
>> krb5.conf:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> ticket_lifetime = 24000
>> default_realm = FSKLAW.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> default_etypes = des-cbc-crc des-cbc-md5
>> default_etypes_des = des-cbc-crc des-cbc-md5
>> default_keytab-name = FILE:/etc/krb5.keytab
>> [realms]
>>
>> FSKLAW.NET = {
>> kdc = KERBEROS.FSKLAW.NET
>> admin_server = w2000.fsklaw.net
>> default_domain= fsklaw.net
>> }
>>
>> [domain_realm]
>> .fsklaw.net = FSKLAW.NET
>> fsklaw.net = FSKLAW.NET
>> .FSKLAW.NET = FSKLAW.NET
>> .kerberos.server = KERBEROS.FSKLAW.NET
>> [kdc]
>> profile = /var/kerberos/krb5kdc/kdc.conf
>>
>> [pam]
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>>
>> pam.d/login:
>>
>> #
>> # $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
>> #
>> # PAM configuration for the "login" service
>> #
>>
>> # auth
>> auth required pam_nologin.so no_warn
>> auth sufficient pam_self.so no_warn
>> auth include system
>> auth sufficient /usr/local/lib/pam_winbind.so
>> # account
>> account requisite pam_securetty.so
>> account include system
>> account sufficient /usr/local/lib/pam_winbind.so
>>
>> # session
>> session include system
>>
>> # password
>> password include system
>>
>>> -----Original Message-----
>>> From: Tom Skeren [mailto:tms3 at fsklaw.net]
>>> Sent: Tuesday, December 07, 2004 4:04 PM
>>> To: Jeremy Allison
>>> Cc: samba
>>> Subject: Re: [Samba] ADS Authentication
>>>
>>>
>>> Jeremy Allison wrote:
>>>
>>> It was an smb.conf issue. Authentication against ADS is now
>>> functioning. Now it's time to wrestle with ACLs. Thanks for the help.
>>>
>>> TMS III
>>>
>>>
>>>
>>>> On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> I'm about ready to smash my head through a wall...I could use a few
>>>>> answers.
>>>
>>>
>>>>> 1. When using security = ads, and completing net ads join, it was my
>>>>> understanding that samba authenticated username/pword against ads, and
>>>>> local posix accounts were no longer needed, is this true?
>>>>>
>>>>>
>>>>>
>>>>
>>>> Yes, so long as you have nsswitch and pam set up correctly. It sounds
>>>> like you don't.
>>>>
>>>> Jeremy.
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>