[Samba] ADS member server w/ winbind on debian sarge
Noah Dain
noahdain at gmail.com
Sun Jun 19 22:21:57 GMT 2005
OK, I've been buggering on and off with this for way too long now.
I'm just plain stuck.
The objective is to get full authentication working for a samba
machine by integrating it into an existing AD system as a member
server.
The domain is windows 2003, in native mode. There are two domain controllers.
The samba box is running debian sarge, using only the official sarge
packages. (samba 3.0.14a-3, MIT kerberos 1.3.6-2)
I followed the Samba3 By Example, chapter 7. I can join the domain
via 'net ads join' and all the tests seem to work, meaning:
getent passwd|group
wbinfo u|g
wbinfo --sequence
wbinfo -a username%passwd
wbinfo -t
kinit & klist
net ads status|user|group|info|testjoin
all succeed.
DNS is working properly. I've even tried with/without hosts files.
The samba machine syncs time to one of the domain controllers.
I can create files and chown/chgrp them to domain user and group accounts.
I can create a share made writeable for the 'domain users' group and
have various 'domain users' create files in there.
However, I cannot log onto the samba machine using a domain account,
and when I attempt to access home directories of domain accounts
hosted on the samba machine, I keep getting prompted for a password
(and no passwords work).
I created the home directories and then chown'd them to the
DOMAIN+user and chgrp'd them to the domain user's primary group.
so, without further delay, the /etc/samba/smb.conf:
[global]
unix charset = LOCALE
workgroup = DOMAIN
realm = DOMAIN.LOCAL
security = ADS
; auth methods = winbind guest sam
password server = dc1.domain.local
username map = /etc/samba/smbusers
log level = 3 passdb:2 auth:2 winbind:2
syslog = 0
log file = /var/log/samba/%m
max log size = 0
printcap name = CUPS
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind trusted domains only = no
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
template primary group = "Domain Users"
template shell = /bin/bash
template homedir = /home/%D/%U
domain master = no
local master = yes
preferred master = no
os level = 255
interfaces = 192.168.1.151/24
bind interfaces only = yes
[homes]
comment = Home Dirs
valid users = %S
read only = No
browseable = No
; root preexec = /etc/samba/scripts/mk_sambadir "/home/%D/%U" "%U" "%G"
[testshare]
path = /test
comment = samba ads test share
read only = no
browseable = yes
writelist = @"Domain Users"
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
admin users = root, Administrator
write list = root
<EOF>
/etc/krb5.conf:
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
DOMAIN.LOCAL = {
default_domain = domain.local
kdc = dc1.domain.local
}
[domain_realms]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
<EOF>
/etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files
aliases: files
<EOF>
debian uses /etc/pam.d/common-* files to hold pam settings which are
@included into all other pam.d files.
/etc/pam.d/common-account:
account required pam_unix.so
account sufficient pam_winbind.so use_first_pass
<EOF>
/etc/pam.d/common-auth:
auth required pam_unix.so nullok_secure
auth sufficient pam_winbind.so use_first_pass
<EOF>
/etc/pam.d/common-password:
password required pam_unix.so nullok obscure min=4 max=8 md5
password sufficient pam_winbind.so use_first_pass
<EOF>
/etc/pam.d/common-session:
session required pam_unix.so
session sufficient pam_winbind.so use_first_pass
<EOF>
there are security audit entries of the samba machine logging on and
off, using kerberos.
??
--
Noah Dain
noahdain at gmail.com
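The PAM stacks quoted in the post are worth tracing by hand, since Linux-PAM treats a failed "required" module as a stack failure even when a later "sufficient" module succeeds. The following added example (not from the post or from Samba) models those control-flag semantics so the posted common-auth order can be compared with a winbind-first order for a local user and a winbind-only domain user; LOCAL_USERS, DOMAIN_USERS and the per-module outcomes are constructed assumptions.

```python
# Added example: a minimal model of Linux-PAM control flags (required,
# requisite, sufficient, optional) applied to the posted common-auth stack.
LOCAL_USERS = {"alice"}         # constructed: accounts in /etc/shadow
DOMAIN_USERS = {"DOMAIN+bob"}   # constructed: accounts served by winbind


def module_result(module, user):
    """Assumed outcome of one PAM module for this user (constructed)."""
    if module == "pam_unix.so":
        return user in LOCAL_USERS      # pam_unix only knows local accounts
    if module == "pam_winbind.so":
        return user in DOMAIN_USERS     # pam_winbind only knows domain accounts
    raise ValueError(f"unknown module {module}")


def run_stack(lines, user):
    """Evaluate 'type control module [args]' lines top to bottom."""
    failed = False
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        control, module = parts[1], parts[2]
        ok = module_result(module, user)
        if control == "requisite" and not ok:
            return False            # requisite failure ends the stack at once
        if control == "required" and not ok:
            failed = True           # keep running, but the stack must fail
        if control == "sufficient" and ok and not failed:
            return True             # success only if no earlier required failed
        # optional modules never decide the outcome in this model
    return not failed


# The auth stack exactly as posted: pam_unix is required and runs first.
POSTED_AUTH = [
    "auth required pam_unix.so nullok_secure",
    "auth sufficient pam_winbind.so use_first_pass",
]

# The same two modules with winbind tried first and pam_unix as fallback.
WINBIND_FIRST_AUTH = [
    "auth sufficient pam_winbind.so",
    "auth required pam_unix.so nullok_secure use_first_pass",
]

if __name__ == "__main__":
    for name, stack in (("posted", POSTED_AUTH), ("winbind first", WINBIND_FIRST_AUTH)):
        for user in ("alice", "DOMAIN+bob"):
            print(f"{name:13s} {user:11s} -> {'allow' if run_stack(stack, user) else 'deny'}")
```

In this model the posted order denies the domain user because pam_unix (required) fails before pam_winbind (sufficient) is reached, while the winbind-first order admits both users; the same ordering question applies to the account stack.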