[Samba] ADS Authentication
Tom Skeren
tms3 at fsklaw.net
Wed Dec 8 18:46:36 GMT 2004
Christoph Scheeder wrote:
> first:
>
> STOP,
Too late, but not a problem. I was beginning to suspect the FreeBSD 5.x
guide I was using was problematic. I just did a clean install of 5.3,
and am installing software. I had already considered getting rid of
ldap references. Should I also get rid of nss_ldap?
Thanks for the fresh pair of eyes looking at this for me.
TMS III
>
> you want your samba-server to be a member server in ADS, do you?
>
> then *remove* *all* bits referencing ldap from your smb.conf.
>
> you entrust all user and group management to ADS via winbindd
> and only via winbindd.
>
> second:
> you have configured winbindd not to give you the domain part
> from ADS by setting:
>
> winbind use default domain = Yes
>
> set it to no and you will get the domain part for your
> domain users/groups
>
> third:
> don't use "/" as domain-separator in linux/unix.
Yeah, I thought about that. I will switch back to _ as a separator.
> it has special meaning (path-separator) and using it probably will give
> you strange problems.
>
> Christoph
>
> Tom Skeren schrieb:
>
>> Edward Wissner wrote:
>>
>>> I have similar issues, but am not using an ldap server, rather a W2k
>>> Active Directory domain controller.
>>
>> Yes, so am I. The ldap server listed in ldap.conf is named w2000
>>
>>> And am not interested in logging into the linux server with AD.
>>> Domain users and groups list without the domain ID for me as well.
>>> I don't know if that is proper as I have never seen a working setup.
>>
>> No...it should be DOMAIN_NAME/user1 DOMAIN_NAME/group1 etc. The "/"
>> is specified in smb.conf as winbind separator.
>>
>>> I see my shares on the samba server from a w2k client, but am
>>> prompted again for usr/passwd when attempting to open a shared
>>> directory. That's when I get a failure.
>>
>> Try mapping a drive by \\ip-addy\share....bet it works.
>>
>>>
>>> I'm ready to toss it and start over, migrating completely away from
>>> w2k AD and setting up an ldap directory instead.
>>
>> I can't unfortunately.
>>
>>> Samba works great if I create my users locally.
>>
>> It works pretty well as an NT style PDC, yes, but this project
>> requires a samba server become a member server in ADS.
>>
>>> ed
>>> -----Original Message-----
>>> *From:* Tom Skeren [mailto:tms3 at fsklaw.net]
>>> *Sent:* Wednesday, December 08, 2004 10:32 AM
>>> *To:* Edward Wissner; samba
>>> *Subject:* Re: [Samba] ADS Authentication
>>>
>>> Edward Wissner wrote:
>>>
>>>> What did you change in your smb.conf file?
>>>>
>>> Well, I managed to get samba to authenticate, however, continued
>>> winbindd problems make the setup worthless. Group searches fail,
>>> or are incomplete. Domain users and groups list without domain
>>> id. net groupmap fails. Attempts to re-join via "net ads join"
>>> fail.
>>> If you're interested, I have copied all the relevant config files
>>> here:
>>>
>>> _*smb.conf:*_
>>>
>>> workgroup = FSK
>>> realm = FSKLAW.NET
>>> server string = SSERVER
>>> netbios name = SSERVER
>>> security = ADS
>>> client schannel = Yes
>>> server schannel = Yes
>>> passdb backend = ldapsam:ldap://w2000.fsklaw.net
>>> socket options = TCP_NODELAY
>>> dns proxy = No
>>> ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
>>> ldap suffix = DC=fsklaw,DC=net
>>> idmap uid = 10000-20000
>>> idmap gid = 10000-20000
>>> winbind separator = /
>>> winbind enum users = No
>>> winbind enum groups = No
>>> winbind use default domain = Yes
>>> dos filemode = Yes
>>> acl compatibility = win2k
>>> inherit acls = yes
>>> inherit permissions = yes
>>>
>>> [FSK]
>>> path = /home/FSK
>>> public = yes
>>> only guest = no
>>> browseable = yes
>>> writeable = yes
>>> printable = no
>>> create mask = 0777
>>> force create mode = 0777
>>> force directory mode = 0777
>>> directory security mask = 0777
>>>
>>> _*ldap.conf:*_
>>> host w2000.fsklaw.net
>>> base dc=fsklaw,dc=net
>>> ldap_version 3
>>> URI ldaps:w2000.fsklaw.net
>>> scope sub
>>> pam_login_attribute Administrator
>>> pam_password md5
>>> idle_timelimit 3600
>>> nss_base_passwd cn=Users,dc=fsklaw,dc=net?one
>>> nss_base_group cn=Users,dc=fsklaw,dc=net?one
>>> ssl on
>>> TLS_CACERT /etc/CA/fsk.pem
>>> tls_ciphers TLSv1
>>> sasl_secprops maxssf=0
>>> krb5_ccname FILE:/tmp/krb5cc_0
>>>
>>> _*nsswitch.conf:*_
>>> passwd: files winbind
>>> shadow: files winbind
>>> group: files winbind
>>> hosts: dns winbind ldap files nis
>>> automount: files winbind ldap nisplus
>>> aliases: files winbind ldap nisplus
>>>
>>> _*krb5.conf:*_
>>>
>>> [logging]
>>> default = FILE:/var/log/krb5libs.log
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>> ticket_lifetime = 24000
>>> default_realm = FSKLAW.NET
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>> default_etypes = des-cbc-crc des-cbc-md5
>>> default_etypes_des = des-cbc-crc des-cbc-md5
>>> default_keytab-name = FILE:/etc/krb5.keytab
>>> [realms]
>>>
>>> FSKLAW.NET = {
>>> kdc = KERBEROS.FSKLAW.NET
>>> admin_server = w2000.fsklaw.net
>>> default_domain= fsklaw.net
>>> }
>>>
>>> [domain_realm]
>>> .fsklaw.net = FSKLAW.NET
>>> fsklaw.net = FSKLAW.NET
>>> .FSKLAW.NET = FSKLAW.NET
>>> .kerberos.server = KERBEROS.FSKLAW.NET
>>> [kdc]
>>> profile = /var/kerberos/krb5kdc/kdc.conf
>>>
>>> [pam]
>>> debug = false
>>> ticket_lifetime = 36000
>>> renew_lifetime = 36000
>>> forwardable = true
>>> krb4_convert = false
>>>
>>> _*pam.d/login:*_
>>> #
>>> # $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
>>> #
>>> # PAM configuration for the "login" service
>>> #
>>>
>>> # auth
>>> auth required pam_nologin.so no_warn
>>> auth sufficient pam_self.so no_warn
>>> auth include system
>>> auth sufficient /usr/local/lib/pam_winbind.so
>>> # account
>>> account requisite pam_securetty.so
>>> account include system
>>> account sufficient /usr/local/lib/pam_winbind.so
>>>
>>> # session
>>> session include system
>>>
>>> # password
>>> password include system
>>>
>>>> -----Original Message-----
>>>> From: Tom Skeren [mailto:tms3 at fsklaw.net]
>>>> Sent: Tuesday, December 07, 2004 4:04 PM
>>>> To: Jeremy Allison
>>>> Cc: samba
>>>> Subject: Re: [Samba] ADS Authentication
>>>>
>>>> Jeremy Allison wrote:
>>>>
>>>> It was an smb.conf issue. Authentication against ADS is now
>>>> functioning. Now it's time to wrestle with ACLs. Thanks for the
>>>> help.
>>>>
>>>> TMS III
>>>>
>>>>> On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:
>>>>>
>>>>>> I'm about ready to smash my head through a wall...I could use a few
>>>>>> answers.
>>>>>>
>>>>>> 1. When using security = ads, and completing net ads join, it was my
>>>>>> understanding that samba authenticated username/pword against ads, and
>>>>>> local posix accounts were no longer needed, is this true?
>>>>>
>>>>> Yes, so long as you have nsswitch and pam set up correctly. It sounds
>>>>> like you don't.
>>>>>
>>>>> Jeremy.
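As an added check that is not part of this thread (written for this page, not Samba's own tooling): a POSIX shell audit that reads an smb.conf and reports the three problems Christoph points out for an ADS member server: leftover ldap parameters alongside security = ADS, winbind use default domain = Yes, and winbind separator = /. The two sample configurations it writes are constructed here, modelled on the posted [global] section; the parameter names are real Samba parameters, while the function names and the choice of + as the replacement separator are this example's own assumptions.

```shell
#!/bin/sh
# Added audit script for this page (not from the thread or from the Samba project).
# Reports the three smb.conf problems Christoph raised for an ADS member server.

# Normalise parameter lines: drop leading blanks, make "key = value" spacing
# uniform around the first "=", and lowercase everything (smb.conf keys are
# case-insensitive).
norm_conf() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/ = /' "$1" | tr 'A-Z' 'a-z'
}

# Print one finding per line for the smb.conf given as $1; prints nothing when clean.
audit_smbconf() {
    conf=$(norm_conf "$1")
    if printf '%s\n' "$conf" | grep -q '^security = ads$'; then
        # With security = ADS, winbindd answers user/group lookups; an ldapsam
        # passdb or ldap admin dn / ldap suffix points Samba at a second source.
        if printf '%s\n' "$conf" | grep -Eq '^(passdb backend = .*ldapsam|ldap (admin dn|suffix) =)'; then
            echo "ldap parameters present alongside security = ADS; leave user/group management to winbindd"
        fi
    fi
    if printf '%s\n' "$conf" | grep -Eq '^winbind use default domain = (yes|true|1)$'; then
        echo "winbind use default domain = Yes: domain users/groups are listed without their domain part"
    fi
    if printf '%s\n' "$conf" | grep -q '^winbind separator = /$'; then
        echo "winbind separator = /: '/' is the Unix path separator; pick another character"
    fi
}

# Number of findings as a single value, convenient for scripts and tests.
audit_count() {
    audit_smbconf "$1" | wc -l | tr -d ' '
}

# Write two constructed sample files into a directory (default: a fresh temp dir)
# and print that directory. bad.conf mirrors the posted [global] section;
# good.conf is the corrected form ('+' is this example's choice of separator).
write_samples() {
    dir=${1:-$(mktemp -d)}
    cat > "$dir/bad.conf" <<'EOF'
[global]
   workgroup = FSK
   realm = FSKLAW.NET
   security = ADS
   passdb backend = ldapsam:ldap://w2000.fsklaw.net
   ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
   ldap suffix = DC=fsklaw,DC=net
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind separator = /
   winbind use default domain = Yes
EOF
    cat > "$dir/good.conf" <<'EOF'
[global]
   workgroup = FSK
   realm = FSKLAW.NET
   security = ADS
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind separator = +
   winbind use default domain = No
EOF
    echo "$dir"
}

# Stand-alone use: sh audit_smbconf.sh /usr/local/etc/smb.conf
if [ $# -gt 0 ]; then
    audit_smbconf "$1"
fi
```

Run it against the server's real smb.conf before restarting winbindd; an empty report means none of the three settings Christoph objected to is present, and the constructed bad.conf reproduces all three so the checks can be seen firing.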