[Samba] AD4Unix & Samba-3.0.20b+winbind (UPDATE)

Jason Gerfen jason.gerfen at scl.utah.edu
Wed Nov 30 13:24:52 GMT 2005


Yes, technically we do not need AD4Unix extensions for Windows client 
authentication against a Samba file share.  We use the AD4Unix 
extensions for authenticating Macs and Linux machines, is all; we use 
the extensions to provide the 4 requirements for a Unix account (UID, 
GID, home dir. and default shell).

markus wrote:

> Hi Jason,
>
> I don't really understand why you are extending your schema with 
> AD4Unix whilst using winbind. You don't need to. If you are using 
> nss_ldap, your schema needs some more entries to fetch Unix-related 
> data like gid, uid and so on. Winbind is based on SIDs and stores 
> mappings in so-called idmaps.
>
> Markus
>
> Jason Gerfen wrote:
>
>> Ok, in my test environment I just got done updating the schema on the 
>> Win2K domain to include the AD4Unix package, and I am still able to 
>> authenticate and view all users from any container, including 
>> CN=Users (default) and a new OU=authenticated.  Can someone please 
>> help me out on this?  The only major difference between the test 
>> domain and the live domain at this point is the number of users and 
>> the container setup in AD.
>>
>> Jason Gerfen wrote:
>>
>>> Scenario:  Samba-3.0.20b domain member server on SuSE 9.3 (w/ all 
>>> available patches applied) providing kerberos authentication through 
>>> a Windows 2000 domain with AD4Unix services installed.
>>>
>>> Problem(s):
>>> 1. Can only view users from one OU in Active Directory (default is: 
>>> CN=Users, problem container is: OU=authenticated)
>>> 2. According to log.winbind and log.smbd authentication fails with 
>>> error:   check_ntlm_password:  Authentication for user [testj] -> 
>>> [testj] FAILED with error NT_STATUS_WRONG_PASSWORD.  Is this error 
>>> due to falling back to NTLM authentication vs. Kerberos TGT systems?
>>>
>>> Troubleshooting performed:
>>> 1. Used 'net ads leave' to remove from domain, updated Samba+Winbind 
>>> from 3.0.13 to 3.0.20b
>>> 2. Manually removed machine trust account from active directory
>>> 3. Manually removed cache files for Samba prior to upgrade
>>> 4. Attempted using 3.0.21rc1 release with same results
>>> 5. Created a Win 2K test domain w/o AD4Unix and Samba-3.0.13 ADS 
>>> member server which would authenticate via Kerberos without problems.
>>> 6. Upgraded Samba to 3.0.20b and still worked fine on test domain 
>>> w/o AD4Unix setup
>>> 7. Am in the process of upgrading Win2K domain server (in test env.) 
>>> to provide AD4Unix services to see if it breaks.
>>>
>>> Any help, insight into this is definitely appreciated
>>>
>>> Here are the pertinent configuration files:
>>>
>>> [smb.conf]
>>> [global]
>>>        workgroup = DOMAIN
>>>        realm = DOMAIN.COM
>>>        server string = new-odin.domain.com
>>>        security = ADS
>>>        update encrypted = Yes
>>>        encrypt passwords = yes
>>>        password server = *
>>>        preferred master = No
>>>        domain master = No
>>>        idmap uid = 500-500000
>>>        idmap gid = 500-500000
>>>        winbind trusted domains only = yes
>>>        winbind separator = /
>>>        winbind cache time = 5
>>>        winbind use default domain = Yes
>>>        winbind nested groups = Yes
>>>        log level = 2
>>>        interfaces = eth*
>>>        bind interfaces only = yes
>>>        socket options = IPTOS_LOWDELAY TCP_NODELAY
>>>
>>> [images]
>>>        comment = ODIN
>>>        user = %S
>>>        path = /odin/images
>>>        inherit acls = Yes
>>>        browseable = yes
>>>        writeable = yes
>>>        read only = no
>>>        public = yes
>>>
>>>
>>> [home]
>>>        comment = User Home Directories
>>>        user = %S
>>>        path = /odin/home/%S
>>>        inherit acls = Yes
>>>        writeable = yes
>>>        read only = no
>>>        public = no
>>>        browseable = yes
>>>
>>> [krb5.conf]
>>> [libdefaults]
>>> default_realm = DOMAIN.COM
>>> clockskew = 300
>>>
>>> [realms]
>>> DOMAIN.COM = {
>>> kdc = 192.168.0.10
>>> default_domain = domain.com
>>> admin_server = 192.168.0.10
>>> }
>>>
>>>
>>> [logging]
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmin.log
>>> default = FILE:/var/log/krb5lib.log
>>>
>>> [domain_realm]
>>> .domain.com = DOMAIN.COM
>>> domain.com = DOMAIN.COM
>>>
>>> [appdefaults]
>>> pam = {
>>> ticket_lifetime = 1d
>>> renew_lifetime = 1d
>>> forwardable = true
>>> proxiable = false
>>> retain_after_close = false
>>> minimum_uid = 0
>>> }
>>>
>>> [nsswitch.conf]
>>> passwd: files winbind
>>> shadow: files winbind
>>> group:  files winbind
>>>
>>> hosts:  files dns winbind
>>> networks:       files dns
>>>
>>> services:       files
>>> protocols:      files
>>> rpc:    files
>>> ethers: files
>>> netmasks:       files
>>> netgroup:       files
>>> publickey:      files
>>>
>>> bootparams:     files
>>> automount:      files nis
>>> aliases:        files
>>>
>>
>>
>


-- 
Jason Gerfen

"Oh I have seen alot of what
 the world can do, and its
 breaking my heart in two..."
 ~ Wild World, Cat Stevens
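The thread turns on two things: whether winbind's SID-based idmap or nss_ldap with AD4Unix attributes is supplying the Unix identity for domain users, and what the check_ntlm_password failures in log.smbd / log.winbind actually say. The script below is an added example, not code from the thread or from Samba. It parses an smb.conf body, checks the "idmap uid" range against local /etc/passwd UIDs (a collision means winbind can hand a domain user the same UID as a local account), flags the two winbind settings whose effect on user visibility is easy to misread, and counts check_ntlm_password failures per user and NT status. The smb.conf fragment is copied from the posted [global] section; the passwd entries and log lines are constructed for the example, in the format the thread quotes.

```python
"""Sanity checks for an ADS member server's smb.conf and its winbind/smbd logs.
Added example, not part of the mailing-list thread or of Samba. All inputs
below are constructed for the example (smb.conf copied from the thread)."""
import re
from collections import Counter

# Copied from the [global] section posted in the thread (abridged).
SMB_CONF = """
[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        security = ADS
        idmap uid = 500-500000
        idmap gid = 500-500000
        winbind trusted domains only = yes
        winbind separator = /
        winbind use default domain = Yes
[home]
        path = /odin/home/%S
"""

# Constructed local account database; two UIDs fall inside the idmap range.
PASSWD = """root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon:/var/lib/wwwrun:/bin/false
jason:x:500:100:Jason:/home/jason:/bin/bash
backup:x:1001:100:Backup:/home/backup:/bin/bash
"""

# Constructed log lines in the check_ntlm_password format quoted in the thread.
LOG_LINES = [
    "[2005/11/30 08:01:12, 2] auth/auth.c:check_ntlm_password(312)",
    "  check_ntlm_password:  Authentication for user [testj] -> [testj] FAILED with error NT_STATUS_WRONG_PASSWORD",
    "  check_ntlm_password:  Authentication for user [testj] -> [testj] FAILED with error NT_STATUS_WRONG_PASSWORD",
    "  check_ntlm_password:  Authentication for user [gerfenj] -> [gerfenj] FAILED with error NT_STATUS_NO_SUCH_USER",
    "  check_ntlm_password:  authentication for user [gerfenj] -> [gerfenj] -> [gerfenj] succeeded",
]


def _norm(name):
    # Samba ignores case and internal whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_parameter: value}} for an smb.conf body."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][_norm(key)] = value.strip()
    return conf


def parse_idmap_range(value):
    """'500-500000' -> (500, 500000); ValueError on a malformed range."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo > hi:
        raise ValueError("idmap range low end above high end: %s" % value)
    return lo, hi


def local_uid_collisions(conf, passwd_text):
    """Local accounts whose UID lies inside 'idmap uid'. winbind may allocate
    the same UID to a domain user, making file ownership ambiguous."""
    lo, hi = parse_idmap_range(conf["global"]["idmapuid"])
    hits = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 3 and lo <= int(fields[2]) <= hi:
            hits.append(fields[0])
    return hits


def winbind_findings(conf):
    """Settings that decide where primary-domain users' Unix identities come from."""
    g = conf["global"]
    yes = ("yes", "true", "1")
    findings = []
    if g.get("winbindtrusteddomainsonly", "no").lower() in yes:
        findings.append("winbind trusted domains only = yes: winbind does not "
                        "allocate idmap entries for the primary domain; its users "
                        "must resolve via another NSS source (files, or nss_ldap "
                        "with uidNumber/gidNumber from the AD4Unix schema)")
    if g.get("winbindusedefaultdomain", "no").lower() in yes:
        findings.append("winbind use default domain = yes: primary-domain users "
                        "appear without the DOMAIN prefix, so a same-named local "
                        "account and domain user resolve to one name")
    return findings


AUTH_RE = re.compile(
    r"check_ntlm_password:\s+Authentication for user \[(?P<user>[^\]]*)\]"
    r" -> \[[^\]]*\] FAILED with error (?P<status>NT_STATUS_\w+)", re.I)


def auth_failures(lines):
    """Count NTLM failures per (user, NT status) in smbd/winbind log lines."""
    counts = Counter()
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            counts[(m.group("user"), m.group("status"))] += 1
    return counts
```

Run against a real server by reading /etc/samba/smb.conf, /etc/passwd and the log files in place of the constructed strings; a non-empty collision list or a "trusted domains only" finding is worth resolving before chasing NT_STATUS_WRONG_PASSWORD, since a user winbind cannot map to a UID fails in ways that look like a password problem.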


