[Samba] Samba 3.0.14a, Windows 2k3 and ADS [REPOST]
sysrm
sysrm at stvincent.ac.uk
Tue May 17 14:57:44 GMT 2005
Hi John, read the chapter 7 (and most of the document, very well written
btw)
I seem to be where I needed to already.
In one of your examples (7.3.4.1)
"5. Validate the operation of this configuration by executing:" ...
It says that getent passwd administrator SHOULD return the administrator but
I get nothing
Instead if I run getent passwd | grep administrator I get..
DEV-DOMAIN+administrator:x:10007:10018:Administrator:/home/DEV-DOMAIN/ad
DEV-DOMAIN+mini
strator:/bin/false
Now obviously DEV-DOMAIN+ is the AD part of things, is this possible to be
stripped out? Have I missed something in my smb/krb configuration?
Also my script basically looks at /etc/shadow and grabs out usernames and
passwords and puts them to the various .htaccess auth files and squid auth
file.
Now when I run getent shadow it only returns local account information.
My nsswitch.conf has;
passwd: files winbind
shadow: files winbind
group: files winbind
Should I be seeing more info than just the local accounts? If not, is there
a way in which I can ask the AD / kerberos to provide that information?
Wbinfo doesn't seem to have any option to show crypted passwords...
If it should be (as I am guessing by the "see chapter 7" bit previously
replied to) any ideas why I can't seem to see them/get to them?
Many thanks
Ross
-----Original Message-----
From: samba-bounces+sysrm=stvincent.ac.uk at lists.samba.org
[mailto:samba-bounces+sysrm=stvincent.ac.uk at lists.samba.org] On Behalf Of
John H Terpstra
Sent: 13 May 2005 12:06
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 3.0.14a, Windows 2k3 and ADS
On Friday 13 May 2005 04:59, sysrm wrote:
> Thanks john,
>
> Is there any specific chapter I should be looking at?
Chapter 7 covers Samba as an ADS Domain Member server.
>
> Searches for the -F switch, adding accounts via samba etc didn't turn
> up anything.
>
> Also it seems to be written more with samba as the PDC, which isn't the
> case for me.
Nope. Chapter 7 deals with domain member servers and clients in general. It
includes ADS members.
With ADS your Samba server should use Kerberos. To do that on RHEL3 will
require a lot of work. RHEL3 has MIT KRB 1.2.7 - that will not play well
with W2K3 ADS for which at least 1.3.4 is needed.
Further comments below.
>
> Thanks anyways
>
> Ross
>
> -----Original Message-----
> From: samba-bounces+sysrm=stvincent.ac.uk at lists.samba.org
> [mailto:samba-bounces+sysrm=stvincent.ac.uk at lists.samba.org] On Behalf
> Of John H Terpstra
> Sent: 13 May 2005 11:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 3.0.14a, Windows 2k3 and ADS
>
> Ross,
>
> You may find some useful info in the book "Samba-3 by Example" that
> answers your questions. It can be downloaded from:
>
> http://www.samba.org/samba/docs/Samba-Guide.pdf
>
>
> Cheers,
> John T.
>
> On Friday 13 May 2005 04:21, sysrm wrote:
> > Hi all
> >
> > Thanks for everyone's help so far with trying to get these all working.
> >
> > I am now at the stage where I can log on to the domain and access a
> > samba share without having to enter in a username password (i.e.
> > samba is using AD to authenticate)
> >
> > My system is setup like so:
> >
> > Windows 2k3 PDC (so I get group policy features, bad password
> > attempts, account expiry etc) Samba 3.0.14a on RH es3 linux
> > FileStore ( peoples Home drive email etc )
> >
> > Now I have a couple of questions...
> >
> > 1. I can use the net rpc add user command to add users, when I do
> > this they are disabled in windows AD, and I've been unable to find
> > any documentation of the -F switch (which is where I assume you can
> > say if they are disabled, what their home directory is, and where to
> > map it etc)
I am documenting this now in the Samba-HOWTO-Collection.
> > 2. In various howto's docs etc people talk about using samba as the
> > pdc and open ldap etc. Is the above system using LDAP ? i.e Windows
> > 2k3 AD ? Or is what I have using kerberos?
Kerberos.
> > 3. assuming I'm not using ldap, I have a script that currently runs
> > every 15 mins and brings out a user,cryptpasswd list of my users and
> > gives it out to various services (such as .htaccess and squid)
> > Either by using ldap or another way, how is this possible to do?
> > Since the users are no longer on the linux box (locally)
Use winbind - see chapter 7.
- John T.
> > Many thanks!
> >
> > Ross
>
> --
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> Other books in production.