[Samba] Re: Authentication against AD?
Dimitri Yioulos
dyioulos at firstbhph.com
Wed Sep 14 19:56:27 GMT 2005
On Wednesday 14 September 2005 3:26 pm, Jason Gerfen wrote:
> Dimitri Yioulos wrote:
> > On Wednesday 14 September 2005 1:07 pm, you wrote:
> >> <snippit>
> >>
> >> add_domain_logon_names:
> >> Attempting to become logon server for workgroup SCL.UTAH.EDU on subnet
> >> 192.168.0.3
> >> [2005/09/14 10:38:12, 0]
> >> nmbd/nmbd_logonnames.c:become_logon_server_success(124)
> >> become_logon_server_success: Samba is now a logon server for workgroup
> >> SCL.UTAH.EDU on subnet 192.168.0.3
> >> [2005/09/14 10:43:48, 0]
> >> nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
> >> *****
> >>
> >> Samba name server ODIN-NEWB is now a local master browser for
> >> workgroup DOMAIN.Com on subnet 192.168.0.3
> >>
> >> *****
> >>
> >> I am still not able to authenticate against the domain, any other
> >> suggestions?
> >
> > I think a tip-off is:
> >
> > nmbd/nmbd_logonnames.c:become_logon_server_success(124)
> > become_logon_server_success: Samba is now a logon server for workgroup
> > SCL.UTAH.EDU on subnet 192.168.0.3
> >
> > Is that what you want? If the samba box has become the logon server,
> > then what's the purpose of your Win2k3 server?
> >
> > Dimitri
>
> Ok, so how do I fix it? Here is my configuration:
>
> smb.conf
>
> [global]
> workgroup = DOMAIN.COM
> realm = REALM.COM
> security = ADS
> domain logons = yes
> encrypt passwords = yes
> password server = DC1.DOMAIN.COM DC2.DOMAIN.COM
> server string = odin.scl.utah.edu
> ldap idmap suffix = ou=users,dc=domain,dc=com
> prefered master = No
> local master = no
> domain master = No
> prefered master = no
> hide unreadable = no
> wins support = no
> dns proxy = no
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
> use spnego = yes
> update encrypted = yes
> winbind use default domain = yes
> winbind separator = \
> winbind enum users = yes
> winbind enum groups = yes
> os level = 20
> template shell = /bin/bash
> template homedir = /home/%D/%U
>
> [odin]
> comment = samba box
> inherit acls = Yes
> path = /usr/local/odin/
> read only = no
> user = @"DOMAIN+domain users"
> force group = users
> force user = users
> guest ok = no
>
> krb5.conf
>
> [libdefaults]
> default_realm = REALM.COM
> clockskew = 300
> dns_lookup_realm = true
> dns_lookup_kdc = true
> default_tkt_enctypes = des-cbc-crc des-cbc-md5
> default_tgs_enctypes = des-cbc-crc
>
> [realms]
> REALM.COM = {
> kdc = 192.168.0.2
> default_domain = scl.utah.edu
> admin_server = 192.168.0.2
> }
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> [domain_realm]
> .domain.com = REALM.COM
> domain.com = REALM.COM
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> }
>
> nsswitch.conf
>
> passwd: files winbind
> shadow: files
> group: files winbind
>
> pam.d/login
>
> #%PAM-1.0
> auth required pam_securetty.so
> auth include common-auth
> auth required pam_nologin.so
> auth required pam_mail.so
> auth sufficient pam_winbind.so
> #account include common-account
> account sufficient pam_winbind.so
> password include common-password
> session include common-session
> session required pam_resmgr.so
>
> What am I doing wrong? I followed the samba howto on ADS domain membership
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
>
>
> here are the results of the commands run when creating the computer
> account:
>
> jason@odin-newb:~> sudo net ads join -U"Admin"
> Admin's password:
> [2005/09/14 13:26:03, 0] libads/ldap.c:ads_add_machine_acct(1405)
> ads_add_machine_acct: Host account for odin-newb already exists -
> modifying old account
> Using short domain name -- SCL.UTAH.EDU
> Joined 'ODIN-NEWB' to realm 'SCL.UTAH.EDU'
>
> Am I ok up to this point?
>
> --
> Jason Gerfen
<CLIP>
Please understand that my configuration is pretty straightforward. My samba
boxes are not PDCs/BDCs, I don't use ACLs, etc. All I want is basic access
for file and print serving. Again, that said:
Looks like you're good, up to a point, in that you've joined the domain. If
you go to your Win2k3 server, can you browse the samba share you created?
I'm certainly no expert (in fact, the people on the list have helped me), but
I'm not sure why you need:
ldap idmap suffix = ou=users,dc=domain,dc=com
Anyway, here's my smb.conf from one of my servers:
[global]
workgroup = HEADQUARTERS
netbios name = NORWELL
server string = ""
hosts allow = 192.168.100. 10.8.0.0/24 127.
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
security = ads
encrypt passwords = yes
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
remote announce = 192.168.103.255
name resolve order = wins hosts lmhosts bcast
wins server = 192.168.100.3
dns proxy = no
smb ports = 445 (My note: conventional wisdom says to use port 139.
However, this works for me.)
oplocks = no
level2 oplocks = no
kernel oplocks = no
veto oplock files = /*.mdb/*.MDB/*.ldb/*.LDB/*.ofm/
# idmap uid = 10000-20000
# idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/false
winbind use default domain = no
password server = 192.168.100.3
realm = HEADQUARTERS.MYDOMAIN.COM
[printers]
comment = All Printers
path = /var/spool/samba
valid users = "@HEADQUARTERS\Domain Users"
browseable = no
guest ok = no
writable = no
printable = yes
[data1]
comment =
path = /data1
valid users = "@HEADQUARTERS\Domain Users"
admin users = root Administrator Administrator@HEADQUARTERS
public = no
browseable = yes
writable = yes
printable = no
create mask = 0770
force directory mode = 0770
The data1 directory started off with 777 permissions. After I joined the
domain, I changed this to 770, with ownership by HEADQUARTERS\Administrator
and group HEADQUARTERS\Domain Users.
It works, 'nuf said. HTH.
Dimitri
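As an added example (not code from this thread or from the Samba project), here is a small Python checker for the two things the reply above points at: a `security = ads` member server that also sets `domain logons = yes` (which is what makes nmbd announce "Samba is now a logon server" as in the quoted log), a parameter repeated in [global] where Samba silently keeps the last value, plus the single-DES enctypes in the quoted krb5.conf, which are deprecated and which current AD domain controllers refuse by default. The sample configs are constructed, abbreviated from the ones posted above; the checks encode Samba's documented parameter semantics and the Kerberos enctype deprecations in RFC 6649 and RFC 8429, nothing more.

```python
"""Sanity checks for an AD member server's smb.conf and krb5.conf.

Added example, not code from the thread or from the Samba project. The
sample configs are constructed, modelled on the ones posted in the thread
and trimmed to the lines the checks look at.
"""
import re
from collections import defaultdict

# Constructed sample: the poster's [global] section, abbreviated.
SMB_CONF = """\
[global]
workgroup = DOMAIN.COM
realm = REALM.COM
security = ADS
domain logons = yes
encrypt passwords = yes
prefered master = No
local master = no
domain master = No
prefered master = no
winbind use default domain = yes
"""

# Constructed sample: the poster's [libdefaults] section, abbreviated.
KRB5_CONF = """\
[libdefaults]
default_realm = REALM.COM
clockskew = 300
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc
"""

# Single-DES and RC4 Kerberos enctypes are deprecated (RFC 6649, RFC 8429);
# current AD domain controllers refuse DES by default.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "rc4-hmac", "arcfour-hmac"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_WORDS = {"yes", "true", "1", "on"}


def parse_smb_conf(text):
    """Return {section: [(normalised_key, value), ...]}, keeping duplicates.

    Samba compares parameter names case-insensitively and ignores embedded
    whitespace, so 'Domain Logons' and 'domainlogons' are the same key.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((re.sub(r"\s+", "", key).lower(), value.strip()))
    return dict(sections)


def check_smb_conf(text):
    """Flag [global] settings that contradict the 'AD domain member' role."""
    findings = []
    values = defaultdict(list)
    for key, value in parse_smb_conf(text).get("global", []):
        values[key].append(value)
    # Samba keeps the last occurrence of a repeated parameter; report the
    # repeat so nobody is surprised by which value is actually in effect.
    for key, vals in values.items():
        if len(vals) > 1:
            findings.append(f"'{key}' set {len(vals)} times ({', '.join(vals)}); last one wins")
    last = {key: vals[-1] for key, vals in values.items()}
    if last.get("security", "").lower() == "ads":
        if "realm" not in last:
            findings.append("security = ads but no realm is set")
        # 'domain logons' makes nmbd register as the domain's logon server,
        # a PDC role; on a member server it produces exactly the
        # 'Samba is now a logon server' messages quoted in the thread.
        if last.get("domainlogons", "no").lower() in TRUE_WORDS:
            findings.append("security = ads with domain logons = yes: a member server must not act as logon server")
    return findings


def check_krb5_conf(text):
    """Flag deprecated enctypes in the libdefaults enctype lists (line-based scan)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith("#"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            weak = [e for e in value.split() if e.lower() in WEAK_ENCTYPES]
            if weak:
                findings.append(f"{key} lists deprecated enctypes: {' '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in check_smb_conf(SMB_CONF) + check_krb5_conf(KRB5_CONF):
        print("WARN:", finding)
```

Run against the constructed samples it reports the repeated `prefered master`, the `domain logons` / `security = ads` conflict, and the DES enctypes on both krb5.conf lines; pass it your own files by reading them into the two strings.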