[Samba] Re: Authentication against AD?

Dimitri Yioulos dyioulos at firstbhph.com
Wed Sep 14 19:56:27 GMT 2005


On Wednesday 14 September 2005 3:26 pm, Jason Gerfen wrote:
> Dimitri Yioulos wrote:
> > On Wednesday 14 September 2005 1:07 pm, you wrote:
> >> <snippit>
> >>
> >> add_domain_logon_names:
> >>  Attempting to become logon server for workgroup SCL.UTAH.EDU on subnet
> >> 192.168.0.3
> >> [2005/09/14 10:38:12, 0]
> >> nmbd/nmbd_logonnames.c:become_logon_server_success(124)
> >>  become_logon_server_success: Samba is now a logon server for workgroup
> >> SCL.UTAH.EDU on subnet 192.168.0.3
> >> [2005/09/14 10:43:48, 0]
> >> nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
> >>  *****
> >>
> >>  Samba name server ODIN-NEWB is now a local master browser for
> >> workgroup DOMAIN.Com on subnet 192.168.0.3
> >>
> >>  *****
> >>
> >> I am still not able to authenticate against the domain, any other
> >> suggestions?
> >
> > I think a tip-off is:
> >
> > nmbd/nmbd_logonnames.c:become_logon_server_success(124)
> > become_logon_server_success: Samba is now a logon server for workgroup
> > SCL.UTAH.EDU on subnet 192.168.0.3
> >
> > Is that what you want?  If the samba box has become the logon server,
> > then what's the purpose of your Win2k3 server?
> >
> > Dimitri
>
> Ok, so how do I fix it?  Here is my configuration:
>
> smb.conf
>
> [global]
>        workgroup = DOMAIN.COM
>        realm = REALM.COM
>        security = ADS
>        domain logons = yes
>        encrypt passwords = yes
>        password server = DC1.DOMAIN.COM DC2.DOMAIN.COM
>        server string = odin.scl.utah.edu
>        ldap idmap suffix = ou=users,dc=domain,dc=com
>        prefered master = No
>        local master = no
>        domain master = No
>        prefered master = no
>        hide unreadable = no
>        wins support = no
>        dns proxy = no
>        idmap uid = 15000-20000
>        idmap gid = 15000-20000
>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>        add machine script = /usr/sbin/useradd  -c Machine -d
> /var/lib/nobody -s /bin/false %m$
>        use spnego = yes
>        update encrypted = yes
>        winbind use default domain = yes
>        winbind separator = \
>        winbind enum users = yes
>        winbind enum groups = yes
>        os level = 20
>        template shell = /bin/bash
>        template homedir = /home/%D/%U
>
> [odin]
>        comment = samba box
>        inherit acls = Yes
>        path = /usr/local/odin/
>        read only = no
>        user = @"DOMAIN+domain users"
>        force group = users
>        force user = users
>        guest ok = no
>
> krb5.conf
>
> [libdefaults]
> default_realm = REALM.COM
> clockskew = 300
> dns_lookup_realm = true
> dns_lookup_kdc = true
> default_tkt_enctypes = des-cbc-crc des-cbc-md5
> default_tgs_enctypes = des-cbc-crc
>
> [realms]
> REALM.COM = {
>         kdc = 192.168.0.2
>         default_domain = scl.utah.edu
>         admin_server = 192.168.0.2
> }
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> [domain_realm]
> .domain.com = REALM.COM
> domain.com = REALM.COM
>
> [appdefaults]
> pam = {
>    ticket_lifetime = 1d
>    renew_lifetime = 1d
>    forwardable = true
>    proxiable = false
>    retain_after_close = false
>    minimum_uid = 0
> }
>
> nsswitch.conf
>
> passwd: files winbind
> shadow: files
> group:  files winbind
>
> pam.d/login
>
> #%PAM-1.0
> auth     required       pam_securetty.so
> auth     include        common-auth
> auth     required       pam_nologin.so
> auth     required       pam_mail.so
> auth     sufficient     pam_winbind.so
> #account  include       common-account
> account   sufficient    pam_winbind.so
> password include        common-password
> session  include        common-session
> session  required       pam_resmgr.so
>
> What am I doing wrong?  I followed the samba howto on ADS domain membership
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.ht
>ml#ads-member
>
>
> here are the results of the commands run when creating the computer
> account:
>
> jason at odin-newb:~> sudo net ads join -U"Admin"
> Admin's password:
> [2005/09/14 13:26:03, 0] libads/ldap.c:ads_add_machine_acct(1405)
>  ads_add_machine_acct: Host account for odin-newb already exists -
> modifying old account
> Using short domain name -- SCL.UTAH.EDU
> Joined 'ODIN-NEWB' to realm 'SCL.UTAH.EDU'
>
> Am I ok up to this point?
>
> --
> Jason Gerfen

<CLIP>

Please understand that my configuration is pretty straightforward.  My samba 
boxes are not PDCs/BDCs, I don't use ACLs, etc.  All I want is basic access 
for file and print serving.  Again, that said:

Looks like you're good, up to a point, in that you've joined the domain.  If 
you go to your Win2k3 server, can you browse the samba share you created?

I'm certainly no expert (in fact, the people on the list have helped me), but 
I'm not sure why you need:

ldap idmap suffix = ou=users,dc=domain,dc=com

Anyway, here's my smb.conf from one of my servers:

[global]
   workgroup = HEADQUARTERS
   netbios name = NORWELL
   server string = ""
   hosts allow = 192.168.100. 10.8.0.0/24 127.
   printcap name = /etc/printcap
   load printers = yes
   log file = /var/log/samba/%m.log
   max log size = 50
   security = ads
   encrypt passwords = yes
   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   remote announce = 192.168.103.255
   name resolve order = wins hosts lmhosts bcast
   wins server = 192.168.100.3
   dns proxy = no
   smb ports = 445   (My note:  conventional wisdom says to use port 139.  
However, this works for me.)
   oplocks = no
   level2 oplocks = no
   kernel oplocks = no
   veto oplock files = /*.mdb/*.MDB/*.ldb/*.LDB/*.ofm/
#   idmap uid = 10000-20000
#   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/false
   winbind use default domain = no
   password server = 192.168.100.3
   realm = HEADQUARTERS.MYDOMAIN.COM
[printers]
   comment = All Printers
   path = /var/spool/samba
   valid users = "@HEADQUARTERS\Domain Users"
   browseable = no
   guest ok = no
   writable = no
   printable = yes
[data1]
   comment =
   path = /data1
   valid users = "@HEADQUARTERS\Domain Users"
   admin users = root Administrator Administrator at HEADQUARTERS
   public = no
   browseable = yes
   writable = yes
   printable = no
   create mask = 0770
   force directory mode = 0770

The data1 directory started off with 777 permissions.  After I joined the 
domain, I changed this to 770, with ownership by HEADQUARTERS\Administrator 
and group HEADQUARTERS\Domain Users.

It works, 'nuf said.  HTH.

Dimitri
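The two smb.conf files above differ in the one place Dimitri points at: the first carries `domain logons = yes` next to `security = ADS`, which is why nmbd reported "Samba is now a logon server", while the working member config does not. The script below is an added example, not Samba's own tooling (use `testparm` for the real parser); it lints the [global] section of an smb.conf for exactly the things discussed in this thread: `domain logons` on an ADS member, a missing `realm`, a parameter defined twice (the first config has `prefered master` twice; Samba quietly keeps the last one), and the absence of a `hosts allow` list. The two sample configs are constructed from the posts, trimmed to the relevant lines.

```python
"""Lint the [global] section of an smb.conf for an ADS domain member.

Added example, not Samba's own code. Encodes only the checks raised
in this thread; it is not a substitute for `testparm`.
"""
import re
from typing import Dict, List, Tuple

# Samba compares parameter names case-insensitively and ignores embedded
# spaces; "prefered master" is an accepted alias of "preferred master",
# so both spellings must map to the same key for duplicates to be seen.
_ALIASES = {"preferedmaster": "preferredmaster"}


def _norm(name: str) -> str:
    key = re.sub(r"\s+", "", name.strip().lower())
    return _ALIASES.get(key, key)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse smb.conf text into {section: {param: [value, ...]}}.

    Values are kept as a list so repeated definitions stay visible;
    Samba itself lets the last definition win without complaint.
    """
    conf: Dict[str, Dict[str, List[str]]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        conf[section].setdefault(_norm(name), []).append(value.strip())
    return conf


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def check_domain_member(conf: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for an ADS member's [global]."""
    g = conf.get("global", {})
    findings: List[Tuple[str, str]] = []

    def last(key: str):
        return g.get(key, [None])[-1]

    for name, values in g.items():
        if len(values) > 1:
            findings.append(("warn", f"'{name}' defined {len(values)} times; "
                                     f"Samba keeps the last one ({values[-1]!r})"))

    if (last("security") or "").lower() == "ads":
        if any(_is_true(v) for v in g.get("domainlogons", [])):
            findings.append(("error", "domain logons = yes on an ADS member: nmbd "
                                      "advertises this host as a logon server for the "
                                      "workgroup instead of leaving that to the AD DCs"))
        if not last("realm"):
            findings.append(("error", "security = ads requires realm = <KERBEROS REALM>"))
        if "hostsallow" not in g:
            findings.append(("info", "no hosts allow: any reachable network may connect"))
    return findings


# Constructed sample: the [global] section posted earlier in the thread,
# trimmed to the lines the checks look at.
JASON_GLOBAL = """\
[global]
       workgroup = DOMAIN.COM
       realm = REALM.COM
       security = ADS
       domain logons = yes
       password server = DC1.DOMAIN.COM DC2.DOMAIN.COM
       prefered master = No
       local master = no
       domain master = No
       prefered master = no
       idmap uid = 15000-20000
       idmap gid = 15000-20000
"""

# Constructed sample modelled on the working member config in the reply.
DIMITRI_GLOBAL = """\
[global]
   workgroup = HEADQUARTERS
   netbios name = NORWELL
   hosts allow = 192.168.100. 10.8.0.0/24 127.
   security = ads
   encrypt passwords = yes
   password server = 192.168.100.3
   realm = HEADQUARTERS.MYDOMAIN.COM
[data1]
   path = /data1
   valid users = "@HEADQUARTERS\\Domain Users"
"""

if __name__ == "__main__":
    for label, text in (("posted config", JASON_GLOBAL), ("working config", DIMITRI_GLOBAL)):
        print(f"== {label}")
        for severity, msg in check_domain_member(parse_smb_conf(text)) or [("ok", "no findings")]:
            print(f"  [{severity}] {msg}")
```

Run against the posted config it reports the duplicate `preferred master`, the `domain logons` error and the missing `hosts allow`; the working config produces nothing. One further caveat a practitioner would add while in this area: the posted krb5.conf pins `des-cbc-crc`/`des-cbc-md5` as the only ticket enctypes, and DES is disabled by default in current Active Directory and MIT Kerberos builds, so that line is the first thing to drop when reusing this configuration today.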

