[Samba] Mac OS X clients not binding to a Samba+LDAP PDC

David Martinez davidmx at gmail.com
Thu Dec 8 16:13:19 GMT 2005

Thanks for your response.

I think I haven't been clear; my environment is:

1. Fedora Core 4 + openldap 2.2 + samba 3.0: this is the PDC, samba uses
ldap as a backend for users,computers,groups. That box has NSS, PAM and LDAP

2. Windows XP clients are attached to the domain and are working pretty

3. I need to join Mac OS X 10.3 clients to the same domain in order to have
single sign-on. These clients are using samba 2.

   * My first test was to use incorporated LDAP authentication with Mac OS X
(Apps->Utilities -> Directory Access -> Authentication -> Custom Path ), I
had to change default LDAP attribute mapping and it worked. But this
solution won't allow my mobile users to sign on once they are out of office
because the last login is not cached (I need a Windows-like behavior where AD
clients can log in even when they are not attached to the network).
   * A second test is to use Active Directory Plugin incorporated with
Panther but it doesn't work. I've been using a sniffer to see what's going on
in the binding process and I found the Mac client asks for Kerberos
authentication; since I don't have Kerberos on the PDC box the binding
process fails. The Active Directory Plugin works fine with Win2K AD servers,
I have used it before... looks like the AD Plugin does not use samba.

As you see I have three options:

* Find a solution to the LDAP authentication caching problem when the Mac
Clients are not connected to the network.
* Configure kerberos authentication on the LDAP+SAMBA box and join the Mac
Clients to the PDC.
* Forget all this and spend $15,000 bucks on Win Server and CALs,
reconfigure all WinXP Clients and install Win2k on the linux box.

Has anybody here ever attached Mac OS X clients to a Samba 3 PDC??


On 12/8/05, SAMBA <letz_samba at realmspace.com> wrote:
> Have you configured NSS and PAM to use winbindd?
> Are you trying to use a PDC or Active Directory LDAP/Kerberos?
>   - PDC supports NTLM for authentication, which is old school Windows NT.
>   - Active Directory supports Kerberos for authentication.
> I haven't yet used the AD plug-in.  I think that the LDAP schema needs to
> be modified to support UNIX data like gid/uid, shell, etc.  There's an
> AD4Unix open source solution that I think can add the compatible
> schema.  The AD plug-in also will reconfigure PAM to use Apple's module;
> you need to configure PAM to use SAMBA's winbindd instead.  Also before
> this, you must establish authentication through Kerberos, testing with
> kinit, and configuring Kerberos on the client. You might need to export a
> keytab that corresponds to a Windows service principal name(s) (user account
> with name that represents host client and services offered by host client)
> using ktpass on the Windows domain controller, and import this keytab
> securely into the client that needs to access the Windows domain controller.
> As for Mac OS X, I am pretty sure they support the older SAMBA 2.0, which
> does not have support for Active Directory, other than through a PDC
> emulator operations masters on Windows 2000 or Windows Server 2003 domain
> controller.
> Also, you say you are using SAMBA 3.0.20.  Did you compile this on the
> Macintosh?
> - Joaquin
> -----Original Message-----
> From: samba-bounces+letz_samba=realmspace.com at lists.samba.org [mailto:
> samba-bounces+letz_samba=realmspace.com at lists.samba.org] On Behalf Of
> David Martinez
> Sent: Tuesday, December 06, 2005 8:25 AM
> To: samba at lists.samba.org
> Subject: [Samba] Mac OS X clients not binding to a Samba+LDAP PDC
> Hi there !
> This is my first post and I really would like to have this stuff working
> ...
> if not, I should go to Win2k3 server .... please help me to avoid it !!!!
> I've been trying to integrate Mac OS X (10.3) clients to my Samba server
> through the Active Directory Plugin with no success. This PDC is currently
> working for 90 PC's with XP SP2.
> My server is well configured from the DNS (or I think so):
> ns              A
> ldap            A
> pruebas         A
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp.dc._msdcs           SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp.aab455e4-bbb2-408b-a097-bb359f315574.domains._msdcs SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp.gc._msdcs           SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp.pdc._msdcs          SRV 0 100 389 pruebas.valeeuro.com
> _gc._tcp.Default-First-Site-Name._sites SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp.Default-First-Site-Name._sites SRV 0 100 389 pruebas.valeeuro.com
> _gc._tcp                       SRV 0 100 389 pruebas.valeeuro.com
> _ldap._tcp                     SRV 0 100 389 pruebas.valeeuro.com
> When I try to bind the Mac computer to the domain it stops on step 3 and
> sends an error "Invalid username and password"
> As I see, the Mac is trying to connect using Kerberos authentication,
> which I don't know how to configure on the samba+ldap!!
> How do I enable Kerberos authentication on my LDAP+SAMBA+Linux server?
> My configuration:
> samba 3.0.20
> openldap 2.2.23 (openldap is the backend for samba)
> bind 9.3
> linux fedora core 4
> Thanks in advance !!!
> Saludos
> David
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
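An added diagnostic, not from anyone in this thread: it parses zone records like the ones David quoted and reports which SRV names an AD-style client (such as the Panther AD plug-in) resolves during a join and which are absent. The sample zone is constructed from the post's records (origin valeeuro.com); the Kerberos and kpasswd entries are missing there exactly because the Samba+LDAP PDC has no KDC, which is why the client's Kerberos step fails.

```python
import re

# Constructed sample zone: SRV records quoted in the original post
# (relative names under the zone origin valeeuro.com), wrapped lines joined.
SAMPLE_ZONE = """
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.dc._msdcs     SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.pdc._msdcs    SRV 0 100 389 pruebas.valeeuro.com
_gc._tcp                 SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp               SRV 0 100 389 pruebas.valeeuro.com
"""

# Zone-file SRV syntax: name [ttl] [IN] SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)",
    re.IGNORECASE,
)

# SRV names an AD-style client looks up (relative to the domain) and the port
# each service is expected on; the Kerberos/kpasswd names exist only when a
# KDC is part of the domain, which a Samba 3 NT4-style PDC does not provide.
AD_CLIENT_SRV = {
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp": 88,
    "_kerberos._tcp.dc._msdcs": 88,
    "_kpasswd._tcp": 464,
}

def parse_srv(zone_text):
    """Map each SRV owner name to its list of (priority, weight, port, target)."""
    records = {}
    for line in zone_text.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue  # A records, comments and blank lines are ignored
        rr = (int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"].lower())
        records.setdefault(m["name"].lower(), []).append(rr)
    return records

def check_ad_srv(records):
    """Return {srv_name: 'ok' | 'missing' | 'wrong port'} for every AD_CLIENT_SRV name."""
    status = {}
    for name, port in AD_CLIENT_SRV.items():
        rrs = records.get(name.lower(), [])
        if not rrs:
            status[name] = "missing"
        else:
            status[name] = "ok" if any(rr[2] == port for rr in rrs) else "wrong port"
    return status
```

Running `check_ad_srv(parse_srv(SAMPLE_ZONE))` on the constructed zone marks both `_ldap` names as ok and all three Kerberos-related names as missing.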