[Samba] Mac OS X clients not binding to a Samba+LDAP PDC

SAMBA letz_samba at realmspace.com
Thu Dec 8 14:57:25 GMT 2005


Have you configured NSS and PAM to use winbindd?

Are you trying to use a PDC or Active Directory LDAP/Kerberos?  
  - PDC supports NTLM for authentication, which is old school Windows NT.
  - Active Directory supports Kerberos for authentication.

I haven't yet used the AD plug-in. I think that the LDAP schema needs to be modified to support UNIX data like gid/uid, shell, etc. There's an AD4Unix open source solution that I think can add the compatible schema. The AD plug-in will also reconfigure PAM to use Apple's module; you need to configure PAM to use SAMBA's winbindd instead. Also, before this, you must establish authentication through Kerberos, testing with kinit and configuring Kerberos on the client. You might need to export a keytab that corresponds to a Windows service principal name(s) (a user account with a name that represents the host client and the services offered by the host client) using ktpass on the Windows domain controller, and import this keytab securely into the client that needs to access the Windows domain controller.

As for Mac OS X, I am pretty sure they support the older SAMBA 2.0, which does not have support for Active Directory, other than through a PDC emulator operations master on a Windows 2000 or Windows Server 2003 domain controller.

Also, you say you are using SAMBA 3.0.20.  Did you compile this on the Macintosh?

 - Joaquin

-----Original Message-----
From: samba-bounces+letz_samba=realmspace.com at lists.samba.org [mailto:samba-bounces+letz_samba=realmspace.com at lists.samba.org] On Behalf Of David Martinez
Sent: Tuesday, December 06, 2005 8:25 AM
To: samba at lists.samba.org
Subject: [Samba] Mac OS X clients not binding to a Samba+LDAP PDC

Hi there!

This is my first post and I really would like to have this stuff working...
if not, I should go to a Win2k3 server... please help me to avoid it!!!!

I've been trying to integrate Mac OS X (10.3) clients to my Samba server
through the Active Directory Plugin with no success. This PDC is currently
working for 90 PCs with XP SP2.


My server is well configured from the DNS (or I think so):

ns              A       192.168.101.50
ldap            A       192.168.101.50
pruebas         A       192.168.101.50
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.dc._msdcs           SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.aab455e4-bbb2-408b-a097-bb359f315574.domains._msdcs SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.gc._msdcs           SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.pdc._msdcs          SRV    0 100 389 pruebas.valeeuro.com
_gc._tcp.Default-First-Site-Name._sites SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.Default-First-Site-Name._sites SRV    0 100 389 pruebas.valeeuro.com
_gc._tcp                       SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp                     SRV    0 100 389 pruebas.valeeuro.com

When I try to bind the Mac computer to the domain it stops on step 3 and
sends an error "Invalid username and password".

As I see, the Mac is trying to connect using Kerberos authentication, which
I don't know how to configure on the samba+ldap!!
How do I enable Kerberos authentication on my LDAP+SAMBA+Linux server?


My configuration:
samba 3.0.20
openldap 2.2.23 (openldap is the backend for samba)
bind 9.3
linux fedora core 4


Thanks in advance!!!


Regards,
David

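The zone fragment above advertises only _ldap and _gc SRV records, all on port 389, while the Mac's AD plug-in is attempting Kerberos. The checker below is an added example, not code from either poster or from the Samba project; it assumes the SRV labels and conventional ports an AD-joining client resolves (_ldap 389, _gc 3268, _kerberos 88, _kpasswd 464) and parses the BIND-style layout quoted in the thread to report which of those records are present, missing, or on an unexpected port.

```python
import re

# Service labels an AD-joining client resolves, with their conventional ports
# (assumption of this added example, not a Samba or Apple reference list).
EXPECTED = {
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_gc._tcp": 3268,
    "_kerberos._tcp": 88,
    "_kerberos._tcp.dc._msdcs": 88,
    "_kpasswd._tcp": 464,
}
# Matches the BIND-style layout in the thread: owner SRV prio weight port target
SRV_RE = re.compile(r"^(\S+)\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_srv(zone_text):
    """Return {owner: (prio, weight, port, target)} for each SRV line found."""
    records = {}
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            owner, prio, weight, port, target = m.groups()
            records[owner] = (int(prio), int(weight), int(port), target)
    return records

def check_zone(zone_text):
    """Classify each expected label as 'ok', 'missing', or 'port <n>' when non-standard."""
    records = parse_srv(zone_text)
    report = {}
    for owner, port in EXPECTED.items():
        if owner not in records:
            report[owner] = "missing"
        elif records[owner][2] != port:
            report[owner] = f"port {records[owner][2]}"
        else:
            report[owner] = "ok"
    return report

# Constructed sample: a subset of the records quoted in the thread, wrapped lines joined.
SAMPLE_ZONE = """\
_ldap._tcp.dc._msdcs           SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.gc._msdcs           SRV    0 100 389 pruebas.valeeuro.com
_gc._tcp                       SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp                     SRV    0 100 389 pruebas.valeeuro.com
"""

if __name__ == "__main__":
    for owner, status in check_zone(SAMPLE_ZONE).items():
        print(f"{owner:28} {status}")
```

Run against the sample, it reports the _kerberos and _kpasswd records as missing and _gc._tcp on port 389 rather than 3268, which is what a client expecting a Kerberos-capable domain controller would stumble over.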