[Samba] Mac OS X clients not binding to a Samba+LDAP PDC

SAMBA letz_samba at realmspace.com
Fri Dec 9 08:24:23 GMT 2005

I think the best solution for the Macintosh would be PADL's stuff.  Check out http://www.padl.com/Contents/OpenSourceSoftware.html.  There's an NSS module that will plug into LDAP for unix information.  You'll need to configure the appropriate mappings.  Also, there's a PAM module that will authenticate using a password hash stored in the LDAP.  Naturally you should encrypt the traffic using either SASL, LDAPS, or LDAP StartTLS.  Amongst the tools is a caching tool, which will allow the laptop to work offline, much like the Windows feature.

For a pure SAMBA 2.0 solution, you would have to configure NSS and PAM to use winbindd on the MacOS X.  I am not even sure how to do this or what Apple's level of support is for a complete SAMBA set of tools and configurations.

Another thing, you seem to be confusing PDC with Active Directory DC.  The PDC is from the olden days, and uses NTLM for authentication.  An AD DC uses Kerberos for authentication.  There's no concept of a PDC in Active Directory, as it is a "multi-master" scenario, where every DC is an equal citizen.  If one fails, users authenticate to another DC.  There's no "primary" like in the historic NT domain, which is a "single-master" scenario having a single point of failure; if the PDC fails, no one authenticates until a BDC is promoted to the role of PDC.

- Joaquin Menchaca

From: David Martinez [mailto:davidmx at gmail.com] 
Sent: Thursday, December 08, 2005 8:13 AM
Cc: samba at lists.samba.org
Subject: Re: [Samba] Mac OS X clients not binding to a Samba+LDAP PDC

Thanks for your response.

I think I haven't been clear; my environment is:

1. Fedora Core 4 + openldap 2.2 + samba 3.0: this is the PDC, samba uses ldap as a backend for users, computers, groups. That box has NSS, PAM and LDAP configured.

2. Windows XP clients are attached to the domain and are working pretty good.

3. I need to join Mac OS X 10.3 clients to the same domain in order to have single sign-on. These clients are using samba 2.

   * My first test was to use the incorporated LDAP authentication with Mac OS X (Apps -> Utilities -> Directory Access -> Authentication -> Custom Path). I had to change the default LDAP attribute mapping and it worked. But this solution won't allow my mobile users to sign on once they are out of the office because the last login is not cached (I need a Windows-like behavior where AD clients can log in even when they are not attached to the network).
   * A second test was to use the Active Directory Plugin incorporated with Panther, but it doesn't work. I've been using a sniffer to see what's going on in the binding process and I found the Mac client asks for Kerberos authentication; as long as I don't have Kerberos on the PDC box the binding process fails. The Active Directory Plugin works fine with Win2K AD servers, I have used it before... looks like the AD Plugin does not use samba.

As you see I have three options:

* Find a solution to the LDAP authentication caching problem when the Mac clients are not connected to the network.
* Configure Kerberos authentication on the LDAP+SAMBA box and join the Mac clients to the PDC.
* Forget all this and spend $15,000 bucks on Win server and CALs, reconfigure all WinXP clients and install Win2k on the linux box.

Has anybody here ever attached Mac OS X clients to a Samba 3 PDC?

On 12/8/05, SAMBA <letz_samba at realmspace.com> wrote:
Have you configured NSS and PAM to use winbindd?

Are you trying to use a PDC or Active Directory LDAP/Kerberos?
  - PDC supports NTLM for authentication, which is old school Windows NT.
  - Active Directory supports Kerberos for authentication. 

I haven't yet used the AD plug-in.  I think that the LDAP schema needs to be modified to support UNIX data like gid/uid, shell, etc.  There's an AD4Unix open source solution that I think can add the compatible schema.  The AD plug-in will also reconfigure PAM to use Apple's module; you need to configure PAM to use SAMBA's winbindd instead.  Also before this, you must establish authentication through Kerberos, testing with kinit, and configuring Kerberos on the client. You might need to export a keytab that corresponds to a Windows service principal name(s) (user account with a name that represents the host client and services offered by the host client) using ktpass on the Windows domain controller, and import this keytab securely into the client that needs to access the Windows domain controller.

As for Mac OS X, I am pretty sure they support the older SAMBA 2.0, which does not have support for Active Directory, other than through the PDC emulator operations master on a Windows 2000 or Windows Server 2003 domain controller.

Also, you say you are using SAMBA 3.0.20.  Did you compile this on the Macintosh?

- Joaquin

-----Original Message-----
From: samba-bounces+letz_samba=realmspace.com at lists.samba.org [mailto:samba-bounces+letz_samba=realmspace.com at lists.samba.org] On Behalf Of David Martinez
Sent: Tuesday, December 06, 2005 8:25 AM 
To: samba at lists.samba.org
Subject: [Samba] Mac OS X clients not binding to a Samba+LDAP PDC

Hi there !

This is my first post and I really would like to have this stuff working ... 
if not, I should go to Win2k3 server .... please help me to avoid it !!!!

I've been trying to integrate Mac OS X (10.3) clients to my Samba server
through the Active Directory Plugin with no success. This PDC is currently 
working for 90 PC's with XP SP2.

My server is well configured from the DNS (or I think so):

ns              A
ldap            A
pruebas         A
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV    0 100 389 
_ldap._tcp.dc._msdcs           SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.aab455e4-bbb2-408b-a097-bb359f315574.domains._msdcs SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs SRV    0 100 389
_ldap._tcp.gc._msdcs           SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.pdc._msdcs          SRV    0 100 389 pruebas.valeeuro.com
_gc._tcp.Default-First-Site-Name._sites SRV    0 100 389
_ldap._tcp.Default-First-Site-Name._sites SRV    0 100 389 
_gc._tcp                       SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp                     SRV    0 100 389 pruebas.valeeuro.com

When I try to bind the Mac computer to the domain it stops on step 3 and
sends an error "Invalid username and password"

As I see, the Mac is trying to connect using Kerberos authentication, which
I don't know how to configure on the samba+ldap!!
How do I enable Kerberos authentication on my LDAP+SAMBA+Linux server?

My configuration: 
samba 3.0.20
openldap 2.2.23 (openldap is the backend for samba)
bind 9.3
linux fedora core 4

Thanks in advance !!!
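The zone fragment quoted in this message is the kind of thing a domain-joining client walks when it looks for `_msdcs` SRV records. The following checker, added here as an example and not code from the thread, parses those exact lines (with the one wrapped record rejoined) and reports any SRV record that ends without a target host or carries an invalid port; the `_msdcs` role names it looks for (pdc, dc, gc) are the ones listed in the fragment.

```python
import re

# Constructed sample input: the SRV lines quoted in the post above, with the
# record that was wrapped across two lines in the mail rejoined.
ZONE_FRAGMENT = """\
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV    0 100 389
_ldap._tcp.dc._msdcs           SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.aab455e4-bbb2-408b-a097-bb359f315574.domains._msdcs SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs SRV    0 100 389
_ldap._tcp.gc._msdcs           SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp.pdc._msdcs          SRV    0 100 389 pruebas.valeeuro.com
_gc._tcp.Default-First-Site-Name._sites SRV    0 100 389
_ldap._tcp.Default-First-Site-Name._sites SRV    0 100 389
_gc._tcp                       SRV    0 100 389 pruebas.valeeuro.com
_ldap._tcp                     SRV    0 100 389 pruebas.valeeuro.com
"""

# One zone line: owner name, "SRV", priority, weight, port and an optional target.
SRV_RE = re.compile(r"^(\S+)\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(\S+))?$")


def parse_srv_lines(text):
    """Return (name, priority, weight, port, target-or-None) tuples;
    lines of other record types (the A records, for instance) are skipped."""
    records = []
    for raw in text.splitlines():
        m = SRV_RE.match(raw.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            records.append((name, int(prio), int(weight), int(port), target))
    return records


def find_problems(records):
    """One message per record a client could not use: a missing target host
    (the line ends right after the port) or a port outside 1..65535."""
    problems = []
    for name, _prio, _weight, port, target in records:
        if target is None:
            problems.append(f"{name}: no target host")
        elif not 1 <= port <= 65535:
            problems.append(f"{name}: invalid port {port}")
    return problems


def msdcs_roles(records):
    """Which _msdcs role names (pdc, dc, gc) have an _ldap._tcp record with a target."""
    return sorted(
        role for role in ("pdc", "dc", "gc")
        if any(n == f"_ldap._tcp.{role}._msdcs" and t for n, _, _, _, t in records)
    )
```

Running `find_problems(parse_srv_lines(ZONE_FRAGMENT))` lists the four site-scoped records in the fragment that have no target host.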

