[Samba] Samba 3.0.14a, Windows 2k3 and ADS

sysrm sysrm at stvincent.ac.uk
Mon May 16 12:17:44 GMT 2005


Hi John, I read chapter 7 (and most of the document, very well written
btw).

I seem to be where I needed to already.

In one of your examples (7.3.4.1)
 "5. Validate the operation of this configuration by executing:" ...

It says that getent passwd administrator SHOULD return the administrator, but
I get nothing.

Instead, if I run getent passwd | grep administrator I get:

DEV-DOMAIN+administrator:x:10007:10018:Administrator:/home/DEV-DOMAIN/administrator:/bin/false

Now obviously DEV-DOMAIN+ is the AD part of things; is it possible to strip
this out? Have I missed something in my smb/krb configuration?

Also my script basically looks at /etc/shadow and grabs out usernames and
passwords and puts them to the various .htaccess auth files and squid auth
file.

Now when I run getent shadow it only returns local account information.

My nsswitch.conf has:

passwd:     files winbind
shadow:     files winbind
group:      files winbind

Should I be seeing more info than just the local accounts?  If not, is there
a way in which I can ask the AD / kerberos to provide that information?

Wbinfo doesn't seem to have any option to show crypted passwords...

If it should be (as I am guessing by the "see chapter 7" bit previously
replied to), any ideas why I can't seem to see them/get to them?

Many thanks

Ross

-----Original Message-----
From: samba-bounces+sysrm=stvincent.ac.uk at lists.samba.org
[mailto:samba-bounces+sysrm=stvincent.ac.uk at lists.samba.org] On Behalf Of
John H Terpstra
Sent: 13 May 2005 12:06
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 3.0.14a, Windows 2k3 and ADS

On Friday 13 May 2005 04:59, sysrm wrote:
> Thanks john,
>
> Is there any specific chapter I should be looking at?

Chapter 7 covers Samba as an ADS Domain Member server.

>
> Searches for the -F switch, adding accounts via samba etc didn't turn 
> up anything.
>
> Also it seems to be written more with samba as the PDC, which isn't the 
> case for me.

Nope. Chapter 7 deals with domain member servers and clients in general. It
includes ADS members.

With ADS your Samba server should use Kerberos. To do that on RHEL3 will
require a lot of work. RHEL3 has MIT KRB 1.2.7 - that will not play well with
W2K3 ADS for which at least 1.3.4 is needed.

Further comments below.

>
> Thanks anyways
>
> Ross
>
> -----Original Message-----
> From: samba-bounces+sysrm=stvincent.ac.uk at lists.samba.org
> [mailto:samba-bounces+sysrm=stvincent.ac.uk at lists.samba.org] On Behalf 
> Of John H Terpstra
> Sent: 13 May 2005 11:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 3.0.14a, Windows 2k3 and ADS
>
> Ross,
>
> You may find some useful info in the book "Samba-3 by Example" that 
> answers your questions. It can be downloaded from:
>
> http://www.samba.org/samba/docs/Samba-Guide.pdf
>
>
> Cheers,
> John T.
>
> On Friday 13 May 2005 04:21, sysrm wrote:
> > Hi all
> >
> > Thanks for everyone's help so far with trying to get these all working.
> >
> > I am now at the stage where I can logon to the domain and access a 
> > samba share without having to enter in a username password (i.e. 
> > samba is using AD to authenticate)
> >
> > My system is setup like so:
> >
> > Windows 2k3 PDC (so I get group policy features, bad password 
> > attempts, account expiry etc) Samba 3.0.14a on RH es3 linux 
> > FileStore ( peoples Home drive email etc )
> >
> > Now I have a couple of questions...
> >
> > 1. I can use the net rpc add user command to add users, when I do 
> > this they are disabled in windows AD, and I've been unable to find 
> > any documentation of the -F switch (which is where I assume you can 
> > say if they are disabled, what their home directory is, and where to 
> > map it etc)

I am documenting this now in the Samba-HOWTO-Collection.

> > 2. In various howto's docs etc people talk about using samba as the 
> > pdc and open ldap etc. Is the above system using LDAP? i.e. Windows
> > 2k3 AD? Or is what I have using kerberos?

Kerberos.

> > 3. assuming I'm not using ldap, I have a script that currently runs 
> > every 15 mins and brings out a user,cryptpasswd list of my users and 
> > gives it out to various services (such as .htaccess and squid) 
> > Either by using ldap or another way, how is this possible to do? 
> > Since the users are no longer on the linux box (locally)

Use winbind - see chapter 7.

- John T.

> > Many thanks!
> >
> > Ross
>
> --
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> Other books in production.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
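As an added example (not code from this thread or from the Samba project), the following POSIX shell script works through the two observations in Ross's message on constructed samples shaped like his output: it strips the `DEV-DOMAIN+` prefix from `getent passwd` lines the way `winbind use default domain = yes` in smb.conf would, reads the `winbind separator` setting from a constructed smb.conf fragment, and lists which NSS maps in nsswitch.conf name winbind. The smb.conf fragment, the sample passwd and nsswitch lines, and the function names are assumptions made for this example. It also encodes the check a practitioner wants here: nss_winbind serves only the passwd and group maps and never exports password hashes, so a `shadow: files winbind` line is inert and `getent shadow` will only ever show local accounts.

```shell
#!/bin/sh
# Added example, not from the original thread or from Samba itself.
# Everything below runs offline on constructed samples.

# The separator shown in the post ("DEV-DOMAIN+administrator"); Samba's
# default is a backslash, set with "winbind separator" in smb.conf.
WINBIND_SEPARATOR='+'

# Constructed sample of `getent passwd` output: one local account and one
# winbind-provided AD account in the form quoted in the post.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
DEV-DOMAIN+administrator:x:10007:10018:Administrator:/home/DEV-DOMAIN/administrator:/bin/false'

# Constructed sample nsswitch.conf, as given in the post.
SAMPLE_NSSWITCH='passwd:     files winbind
shadow:     files winbind
group:      files winbind'

# Constructed smb.conf [global] fragment (an assumption, not the poster's
# real config) with the two settings that govern how winbind names look to NSS.
SAMPLE_SMBCONF='[global]
   workgroup = DEV-DOMAIN
   security = ads
   winbind separator = +
   winbind use default domain = no'

# strip_domain LINE -> the passwd line with "DOMAIN<sep>" removed from the
# login name, which is what "winbind use default domain = yes" would make
# winbind return. Lines without a separator are passed through unchanged.
strip_domain() {
    printf '%s\n' "$1" | awk -F: -v sep="$WINBIND_SEPARATOR" '
        BEGIN { OFS = ":" }
        { i = index($1, sep); if (i > 0) $1 = substr($1, i + 1); print }'
}

# list_domain_users -> login names (prefix stripped) of every entry in the
# sample that carries a domain prefix, i.e. the accounts winbind supplied.
list_domain_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v sep="$WINBIND_SEPARATOR" '
        index($1, sep) > 0 { print substr($1, index($1, sep) + 1) }'
}

# nss_maps_with_winbind -> the NSS database names that list winbind as a
# source. Only passwd and group are actually served by nss_winbind; a
# "shadow: ... winbind" entry does nothing because winbind never hands out
# password hashes, so `getent shadow` shows local accounts only.
nss_maps_with_winbind() {
    printf '%s\n' "$SAMPLE_NSSWITCH" | awk '
        /[[:space:]]winbind([[:space:]]|$)/ { sub(":", "", $1); print $1 }'
}

# smbconf_value KEY -> trimmed value of KEY in the constructed smb.conf
# fragment (case-insensitive key match, as smbd itself treats parameter names).
smbconf_value() {
    printf '%s\n' "$SAMPLE_SMBCONF" | awk -F= -v key="$1" '
        {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v
            }
        }'
}

# Stand-alone run: show what each check reports for the samples.
echo "winbind separator in smb.conf: $(smbconf_value 'winbind separator')"
echo "winbind use default domain:    $(smbconf_value 'winbind use default domain')"
echo "NSS maps naming winbind:       $(nss_maps_with_winbind | tr '\n' ' ')"
echo "AD accounts (prefix stripped): $(list_domain_users | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r line; do
    strip_domain "$line"
done
```

Running it against a live box would mean replacing the `SAMPLE_*` strings with the output of `getent passwd`, the real nsswitch.conf and smb.conf; the functions themselves do not change. The shadow point is the one that decides the design of the password-export script in the post: since no hashes for AD users will ever appear in the shadow map, services such as Apache and squid have to be pointed at the domain (via PAM, Kerberos or winbind) instead of being fed a copy of /etc/shadow.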