[Samba] Problems with Samba and Windows 2003 Active Domain Server
Mark A. Holm
markh at infoarch.com
Thu Jun 9 07:14:16 GMT 2005
Michael,
Thanks for the questions. I was beginning to think I was going to have to figure it out on my own.
As stated before, everything is the release packages as released with Core 3 at current patch levels. Using rpm -q I get back:
samba-3.0.10-1.fc3
krb5-workstation 1.3.6-5
pam_krb5 2.1.2-1
/etc/nsswitch.conf (stripped of comments):
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns winbind
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files
Contents of /etc/pam.d/login:
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open
I added the pam_winbind lines. Outputs from kinit and klist:
[root at mail pam.d]# kinit administrator
Password for administrator at PORTLAND-INT.CLIENT.COM:
[root at mail pam.d]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at PORTLAND-INT.CLIENT.COM
Valid starting Expires Service principal
06/09/05 00:06:53 06/09/05 10:06:51 krbtgt/PORTLAND-INT.CLIENT.COM at PORTLAND-INT.CLIENT.COM
renew until 06/10/05 00:06:53
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
As far as I know, everything is giving correct answers. Or am I misinterpreting any of this?
markh
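An added example (mine, not Mark's and not Samba's or MIT's code): the krb5.conf and klist output quoted in this thread, parsed and checked for internal consistency without contacting any KDC. It confirms that the cached TGT is for krb5.conf's default_realm, that it is still valid (or at least renewable) at a chosen time, and that the KDC named in [realms] is the same host smb.conf's `password server` points at. Assumptions: '@' is put back where the list archive prints " at "; the mail's timestamp is used as "now" as if it were on the same clock as the klist output; the password server value is copied from the smb.conf quoted further down the thread.

```python
"""Offline consistency checks over the krb5.conf and klist output in this thread."""
import re
from datetime import datetime

# Copied from the post (the [logging], [kdc] and [appdefaults] sections are not needed here).
KRB5_CONF = """
[libdefaults]
default_realm = PORTLAND-INT.CLIENT.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
PORTLAND-INT.CLIENT.COM = {
kdc = server.portland-int.client.com:88
admin_server = server.portland-int.client.com:749
default_domain = portland-int.client.com
}
[domain_realm]
.portland-int.client.com = PORTLAND-INT.CLIENT.COM
portland-int.client.com = PORTLAND-INT.CLIENT.COM
"""
# Copied from the post, with '@' restored where the archive shows ' at '.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@PORTLAND-INT.CLIENT.COM
Valid starting     Expires            Service principal
06/09/05 00:06:53  06/09/05 10:06:51  krbtgt/PORTLAND-INT.CLIENT.COM@PORTLAND-INT.CLIENT.COM
        renew until 06/10/05 00:06:53
"""
PASSWORD_SERVER = "server.portland-int.client.com"  # 'password server =' in the posted smb.conf
FMT = "%m/%d/%y %H:%M:%S"                            # date format klist used in this output
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
RENEW_RE = re.compile(rf"^renew until ({STAMP})")


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}, with a 'NAME = {' block
    inside a section stored as a nested dict under NAME."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            block = None
        elif line.endswith("{"):
            block = conf[section].setdefault(line[:-1].rstrip(" =").strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, _, val = line.partition("=")
            (conf[section] if block is None else block)[key.strip()] = val.strip()
    return conf


def parse_klist(text):
    """Default principal plus one dict per ticket (start, expires, service, renew_until)."""
    out = {"principal": None, "tickets": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            out["principal"] = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            out["tickets"].append({"start": datetime.strptime(m.group(1), FMT),
                                   "expires": datetime.strptime(m.group(2), FMT),
                                   "service": m.group(3), "renew_until": None})
            continue
        m = RENEW_RE.match(line)
        if m and out["tickets"]:  # 'renew until' belongs to the ticket printed just above it
            out["tickets"][-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return out


def check_kerberos(krb5, klist, now):
    realm = krb5["libdefaults"]["default_realm"]
    principal = klist["principal"] or ""
    tgt = next((t for t in klist["tickets"] if t["service"] == f"krbtgt/{realm}@{realm}"), None)
    kdc_host = krb5["realms"][realm]["kdc"].split(":")[0].lower()
    return {
        "realm_is_uppercase": realm == realm.upper(),
        "principal_in_default_realm": principal.endswith("@" + realm),
        "have_tgt": tgt is not None,
        "tgt_valid": tgt is not None and tgt["start"] <= now < tgt["expires"],
        "tgt_renewable": tgt is not None and tgt["renew_until"] is not None and now < tgt["renew_until"],
        "kdc_is_password_server": kdc_host == PASSWORD_SERVER.lower(),
    }


def run_checks(now="06/09/05 07:14:16"):
    """'now' defaults to the timestamp of the mail that carried this klist output."""
    return check_kerberos(parse_krb5_conf(KRB5_CONF), parse_klist(KLIST_OUTPUT),
                          datetime.strptime(now, FMT))


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

Run it at a later time (`run_checks("06/09/05 11:00:00")`) and `tgt_valid` flips to false while `tgt_renewable` stays true until 06/10/05 00:06:53, which is the distinction between "kinit worked earlier" and "the ticket is usable right now".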
-----Original Message-----
From: Michael Andrewjeski [mailto:mandrewjeski at zonelabs.com]
Sent: Wednesday, June 08, 2005 1:36 PM
To: markh at infoarch.com; samba at lists.samba.org
Subject: RE: [Samba] Problems with Samba and Windows 2003 Active Domain Server
Need more info..
What version of samba and kerberos are you running?
What does your /etc/nsswitch.conf look like?
How about your /etc/pam.d/login, did you modify it?
Have you tried kinit? klist? If so, what was the output?
-----Original Message-----
From: samba-bounces+mandrewjeski=zonelabs.com at lists.samba.org
[mailto:samba-bounces+mandrewjeski=zonelabs.com at lists.samba.org] On
Behalf Of Mark A. Holm
Sent: Wednesday, June 08, 2005 1:05 AM
To: samba at lists.samba.org
Subject: [Samba] Problems with Samba and Windows 2003 Active Domain Server
Can somebody with experience making a RedHat Fedora Core 3 server with
Samba installed work in a Windows 2003 Active Domain please give me some
pointers? I have a small installation with one Windows 2003 Server
running as a domain controller for about 10 Windows XP machines. This is
working just fine. I decided that I wanted to add a RedHat Fedora Core 3
server as a Mail server, running Cyrus IMAP and Open Group Ware. The
first thing that I wanted to do was get the Fedora machine working as a
member of the domain and authenticating users from the domain for local
login for mail and SSH access. I found several different tutorials on
the web, including the one in the documentation on the samba.org site,
about doing this and followed as close as I could to their instructions.
For the file samples included below, I have started with the files as
supply by RedHat and for the most part stripped out the comments for
brevity here. Also changed some names to protect the innocent.
My smb.conf file looks like the following:
smb.conf
[global]
log file = /var/log/samba/%m.log
load printers = yes
idmap gid = 16777216-33554431
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind trusted domains only = yes
realm = PORTLAND-INT.CLIENT.COM
winbind use default domain = yes
template primary group = "Staff"
template homedir = /home/%U
template shell = /bin/bash
dns proxy = no
netbios name = mail
cups options = raw
server string = Mail Linux Samba Server
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = server.portland-int.client.com
workgroup = SKYLINE
os level = 20
os level = 20
printcap name = /etc/printcap
security = ads
preferred master = no
max log size = 50
[homes]
comment = Home Directories
browseable = no
writeable = yes
; [netlogon]
; comment = Network Logon Service
; path = /home/netlogon
; guest ok = yes
; writable = no
; share modes = no
;[Profiles]
; path = /home/profiles
; browseable = no
; guest ok = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes
[public]
comment = Public Stuff
path = /home/samba
public = yes
read only = no
; write list = @staff
EOF
The krb5.conf file contains:
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = PORTLAND-INT.CLIENT.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
PORTLAND-INT.CLIENT.COM = {
kdc = server.portland-int.client.com:88
admin_server = server.portland-int.client.com:749
default_domain = portland-int.client.com
}
[domain_realm]
.portland-int.client.com = PORTLAND-INT.CLIENT.COM
portland-int.client.com = PORTLAND-INT.CLIENT.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
EOF
After doing "/etc/init.d/smb restart; /etc/init.d/winbind restart", I
was able to issue a "net ads -U administrator join CLIENT" command and
received the Welcome to the CLIENT domain message. At this point I can
do either of:
wbinfo -a "CLIENT\\markh%MYPASSWD"
wbinfo -a "markh%MYPASSWD"
And receive the response:
plaintext password authentication succeeded
challenge/response password authentication succeeded
The next steps I tried, was to do a wbinfo -u and a wbinfo -g. These
looked close to the examples given, but lacked the Domain specifier for
the users that the other examples gave. Example output given below:
wbinfo -u:
taaron
pfraser
DEBRA-DESKTOP$
markh
SALES-MGR$
ROGER-PC$
WAREHOUSE2$
kaycee
WAREHOUSE$
seanj
seane
amy
mail$
wbinfo -g:
BUILTIN#System Operators
BUILTIN#Replicators
BUILTIN#Guests
BUILTIN#Power Users
BUILTIN#Print Operators
BUILTIN#Administrators
BUILTIN#Account Operators
BUILTIN#Backup Operators
BUILTIN#Users
Domain Admins
Domain Users
Domain Guests
Sales
QuickBooks Users
Act Users
QuoteWerks Users
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Next step it said to do was to issue a "getent passwd" and a "getent
group". The Passwd version only shows what is on the local Linux server,
while the Group version shows the local groups and the BUILTIN groups
from the active directory. None of the Active Directory users or local
groups are shown. Example output below:
getent passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
marktest:x:500:500:Mark Test Login:/home/marktest:/bin/bash
clamav:x:501:501:CLAM AV User:/home/clamav:/bin/bash
dspam:x:502:502:DSPAM User:/home/dspam:/bin/bash
getent group:
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
dbus:x:81:
floppy:x:19:
vcsa:x:69:
nscd:x:28:
rpm:x:37:
haldaemon:x:68:
utmp:x:22:
netdump:x:34:
slocate:x:21:
sshd:x:74:
rpc:x:32:
rpcuser:x:29:
nfsnobody:x:65534:
mailnull:x:47:
smmsp:x:51:
pcap:x:77:
apache:x:48:
squid:x:23:
webalizer:x:67:
xfs:x:43:
ntp:x:38:
gdm:x:42:
named:x:25:
mailman:x:41:
mysql:x:27:
marktest:x:500:
clamav:x:501:
dspam:x:502:
BUILTIN#System Operators:x:16777216:
BUILTIN#Replicators:x:16777217:
BUILTIN#Guests:x:16777218:
BUILTIN#Power Users:x:16777219:
BUILTIN#Print Operators:x:16777220:
BUILTIN#Administrators:x:16777221:
BUILTIN#Account Operators:x:16777222:
BUILTIN#Backup Operators:x:16777223:
BUILTIN#Users:x:16777224:
Until I can get past that last step and see more than the BUILTIN groups
and actually see users from the domain, I know that I cannot get
authorization to work. Can somebody point out what I missed or help walk
me through what is needed to make this work?
The one thing I have noted is that the profile file defined for the kdc
in krb5.conf doesn't exist. Should it and if so what should it contain?
Any and all help greatly appreciated. It shouldn't be this hard to make
Windows and Linux work together. sigh!
markh
====================================================
Mark A. Holm President
InfoArch, Inc.
7456 SW Baseline, PMB#123. Phone: (503) 750-9741
Hillsboro, OR 97123 Fax: (503) 591-8584
http://www.infoarch.com <mailto:markh at infoarch.com>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
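An added example (mine, not Mark's post and not Samba's code) that serves both messages in this thread: the nsswitch.conf from the reply at the top and the smb.conf, wbinfo and getent output from the original post. It is a text-level check that never talks to winbindd or the domain controller, so it runs offline on excerpts copied from the thread (marked as such in the code). It reports [global] parameters that are set more than once (only one of the values can take effect), which of the declared `idmap gid` ranges the observed BUILTIN gids actually fall in, whether nsswitch.conf routes passwd and group through winbind, and which accounts `wbinfo -u` lists that `getent passwd` does not. It also surfaces the value of `winbind trusted domains only`, which smb.conf(5) documents as telling winbind to take the primary domain's accounts from the local UNIX account source instead of allocating ids for them; whether that is what is happening on Mark's box is not established in the thread, so the check only reports it.

```python
"""Offline checks over the smb.conf, nsswitch.conf, wbinfo and getent output quoted in this thread."""
import re
from collections import defaultdict

# Excerpt of the posted [global] section: only the parameters the checks look at,
# kept in the order and with the repeats the post shows.
SMB_CONF = """
[global]
idmap gid = 16777216-33554431
winbind trusted domains only = yes
realm = PORTLAND-INT.CLIENT.COM
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = server.portland-int.client.com
workgroup = SKYLINE
os level = 20
os level = 20
security = ads
"""
# The passwd/group/shadow lines from the posted nsswitch.conf.
NSSWITCH = "passwd: files winbind\nshadow: files\ngroup: files winbind\n"
# The complete 'wbinfo -u' list from the post.
WBINFO_U = ("taaron pfraser DEBRA-DESKTOP$ markh SALES-MGR$ ROGER-PC$ WAREHOUSE2$ "
            "kaycee WAREHOUSE$ seanj seane amy mail$").split()
# Excerpts of the posted getent output (local accounts trimmed to a few lines).
GETENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
marktest:x:500:500:Mark Test Login:/home/marktest:/bin/bash
"""
GETENT_GROUP = """root:x:0:root
users:x:100:
BUILTIN#System Operators:x:16777216:
BUILTIN#Replicators:x:16777217:
BUILTIN#Guests:x:16777218:
BUILTIN#Power Users:x:16777219:
BUILTIN#Print Operators:x:16777220:
BUILTIN#Administrators:x:16777221:
BUILTIN#Account Operators:x:16777222:
BUILTIN#Backup Operators:x:16777223:
BUILTIN#Users:x:16777224:
"""


def parse_smb_global(text):
    """[global] parameter -> every value given for it, in file order. Keys are
    normalised the way Samba does (case-folded, whitespace dropped)."""
    values, section = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            values[re.sub(r"\s+", "", key).lower()].append(val.strip())
    return dict(values)


def duplicated(conf):
    """Parameters set more than once; only one of the values can be in effect."""
    return {k: v for k, v in conf.items() if len(v) > 1}


def winbind_gids(getent_group):
    """gids of the entries winbind produced; the post prints them as DOMAIN#group,
    so a '#' in the group name is the marker used here."""
    return {int(l.split(":")[2]) for l in getent_group.splitlines() if "#" in l.split(":")[0]}


def gids_per_range(conf, gids):
    """Which observed winbind gids fall inside each declared 'idmap gid' range."""
    report = {}
    for spec in conf.get("idmapgid", []):
        lo, hi = (int(x) for x in spec.split("-"))
        report[spec] = sorted(g for g in gids if lo <= g <= hi)
    return report


def nss_has_winbind(nsswitch, database):
    for line in nsswitch.splitlines():
        name, _, sources = line.partition(":")
        if name.strip() == database:
            return "winbind" in sources.split()
    return False


def users_missing_from_nss(wbinfo_users, getent_passwd):
    """Accounts wbinfo -u lists that getent passwd does not; machine accounts
    (trailing '$') are skipped since nobody logs in as them."""
    nss = {l.split(":")[0] for l in getent_passwd.splitlines() if l}
    return sorted(u for u in wbinfo_users if not u.endswith("$") and u not in nss)


def run_checks():
    conf = parse_smb_global(SMB_CONF)
    return {
        "duplicates": duplicated(conf),
        "gids_per_range": gids_per_range(conf, winbind_gids(GETENT_GROUP)),
        "nss_passwd_winbind": nss_has_winbind(NSSWITCH, "passwd"),
        "nss_group_winbind": nss_has_winbind(NSSWITCH, "group"),
        "trusted_domains_only": conf.get("winbindtrusteddomainsonly", ["no"])[-1],
        "missing_users": users_missing_from_nss(WBINFO_U, GETENT_PASSWD),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

On the posted data the BUILTIN gids land in the first `idmap gid` range (16777216-33554431) and none in the second (10000-20000), both `idmap gid` and `os level` are set twice, nsswitch does route passwd and group through winbind, and every human account from `wbinfo -u` is absent from `getent passwd`; that is the symptom Mark describes, reduced to something that can be re-run against a corrected config before touching the box again.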