[Samba] Re: Authentication against AD?
Jason Gerfen
jason.gerfen at scl.utah.edu
Wed Sep 14 19:26:21 GMT 2005
Dimitri Yioulos wrote:
> On Wednesday 14 September 2005 1:07 pm, you wrote:
>
>
>> <snippet>
>>
>> add_domain_logon_names:
>> Attempting to become logon server for workgroup SCL.UTAH.EDU on subnet
>> 192.168.0.3
>> [2005/09/14 10:38:12, 0]
>> nmbd/nmbd_logonnames.c:become_logon_server_success(124)
>> become_logon_server_success: Samba is now a logon server for workgroup
>> SCL.UTAH.EDU on subnet 192.168.0.3
>> [2005/09/14 10:43:48, 0]
>> nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
>> *****
>>
>> Samba name server ODIN-NEWB is now a local master browser for
>> workgroup DOMAIN.Com on subnet 192.168.0.3
>>
>> *****
>>
>> I am still not able to authenticate against the domain, any other
>> suggestions?
>>
>
>
> I think a tip-off is:
>
> nmbd/nmbd_logonnames.c:become_logon_server_success(124)
> become_logon_server_success: Samba is now a logon server for workgroup
> SCL.UTAH.EDU on subnet 192.168.0.3
>
> Is that what you want? If the samba box has become the logon server,
> then what's the purpose of your Win2k3 server?
>
> Dimitri
>
>
Ok, so how do I fix it? Here is my configuration:

smb.conf
[global]
workgroup = DOMAIN.COM
realm = REALM.COM
security = ADS
domain logons = yes
encrypt passwords = yes
password server = DC1.DOMAIN.COM DC2.DOMAIN.COM
server string = odin.scl.utah.edu
ldap idmap suffix = ou=users,dc=domain,dc=com
preferred master = no
local master = no
domain master = No
hide unreadable = no
wins support = no
dns proxy = no
idmap uid = 15000-20000
idmap gid = 15000-20000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
use spnego = yes
update encrypted = yes
winbind use default domain = yes
winbind separator = \
winbind enum users = yes
winbind enum groups = yes
os level = 20
template shell = /bin/bash
template homedir = /home/%D/%U
[odin]
comment = samba box
inherit acls = Yes
path = /usr/local/odin/
read only = no
user = @"DOMAIN+domain users"
force group = users
force user = users
guest ok = no

krb5.conf
[libdefaults]
default_realm = REALM.COM
clockskew = 300
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc
[realms]
REALM.COM = {
kdc = 192.168.0.2
default_domain = scl.utah.edu
admin_server = 192.168.0.2
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[domain_realm]
.domain.com = REALM.COM
domain.com = REALM.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}

nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind

pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
auth required pam_mail.so
auth sufficient pam_winbind.so
#account include common-account
account sufficient pam_winbind.so
password include common-password
session include common-session
session required pam_resmgr.so

What am I doing wrong? I followed the Samba HOWTO on ADS domain membership:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
Here are the results of the commands run when creating the computer account:
jason at odin-newb:~> sudo net ads join -U"Admin"
Admin's password:
[2005/09/14 13:26:03, 0] libads/ldap.c:ads_add_machine_acct(1405)
ads_add_machine_acct: Host account for odin-newb already exists -
modifying old account
Using short domain name -- SCL.UTAH.EDU
Joined 'ODIN-NEWB' to realm 'SCL.UTAH.EDU'
Am I ok up to this point?
--
Jason Gerfen
"My girlfriend threatened to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK
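A small checker for the configuration mistakes visible in this thread, added here as an example and not taken from the list or from the Samba project: it parses an smb.conf, folds the "prefered master" synonym, and flags a parameter set twice, a value wrapped onto a bare line by a mail client, and "domain logons = yes" on a "security = ads" member, which is the conflict Dimitri points at. The embedded SAMPLE is constructed from the posted [global] section; the parse rules assume the lines are already unwrapped, which is exactly what the bare-line check catches.

```python
from collections import defaultdict

# Constructed sample modelled on the [global] section posted in the thread.
SAMPLE = """\
[global]
realm = REALM.COM
security = ADS
domain logons = yes
add machine script = /usr/sbin/useradd -c Machine -d
/var/lib/nobody -s /bin/false %m$
prefered master = No
prefered master = no
"""

# Samba accepts the misspelt "prefered master" as a synonym; fold it so the
# duplicate check sees a single parameter.
SYNONYMS = {"prefered master": "preferred master"}


def parse_smb_conf(text):
    """Return (params, problems); params maps section -> key -> list of values."""
    params = defaultdict(lambda: defaultdict(list))
    problems = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" not in line:
            # smb.conf only continues a line after a trailing backslash, so a
            # bare line is almost always a value wrapped by a mail client.
            problems.append(f"line {lineno}: no '=', looks like a wrapped value: {line!r}")
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        params[section][SYNONYMS.get(key.lower(), key.lower())].append(value)
    return params, problems


def check_ads_member(text):
    """Flag [global] settings that conflict with being a plain AD domain member."""
    params, problems = parse_smb_conf(text)
    g = params.get("global", {})
    last = lambda k: g.get(k, [""])[-1].lower()  # Samba keeps the last assignment
    problems += [f'"{k}" set {len(v)} times in [global]' for k, v in g.items() if len(v) > 1]
    if last("security") == "ads":
        if not last("realm"):
            problems.append("security = ads requires realm")
        if last("domain logons") in ("yes", "true", "1"):
            problems.append("domain logons = yes turns a member server into a logon server")
    return problems
```

Running check_ads_member(SAMPLE) reports the wrapped "add machine script" value, the doubled "preferred master", and the "domain logons" conflict; a clean member config returns an empty list.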