[Samba] Re: Authentication against AD?

Dimitri Yioulos dyioulos at firstbhph.com
Wed Sep 14 20:01:03 GMT 2005


On Wednesday 14 September 2005 3:56 pm, you wrote:
> On Wednesday 14 September 2005 3:26 pm, Jason Gerfen wrote:
> > Dimitri Yioulos wrote:
> > > On Wednesday 14 September 2005 1:07 pm, you wrote:
> > >> <snippit>
> > >>
> > >> add_domain_logon_names:
> > >>  Attempting to become logon server for workgroup SCL.UTAH.EDU on
> > >> subnet 192.168.0.3
> > >> [2005/09/14 10:38:12, 0]
> > >> nmbd/nmbd_logonnames.c:become_logon_server_success(124)
> > >>  become_logon_server_success: Samba is now a logon server for
> > >> workgroup SCL.UTAH.EDU on subnet 192.168.0.3
> > >> [2005/09/14 10:43:48, 0]
> > >> nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
> > >>  *****
> > >>
> > >>  Samba name server ODIN-NEWB is now a local master browser for
> > >> workgroup DOMAIN.Com on subnet 192.168.0.3
> > >>
> > >>  *****
> > >>
> > >> I am still not able to authenticate against the domain, any other
> > >> suggestions?
> > >
> > > I think a tip-off is:
> > >
> > > nmbd/nmbd_logonnames.c:become_logon_server_success(124)
> > > become_logon_server_success: Samba is now a logon server for workgroup
> > > SCL.UTAH.EDU on subnet 192.168.0.3
> > >
> > > Is that what you want?  If the samba box has become the logon server,
> > > then what's the purpose of your Win2k3 server?
> > >
> > > Dimitri
> >
> > Ok, so how do I fix it?  Here is my configuration:
> >
> > smb.conf
> >
> > [global]
> >        workgroup = DOMAIN.COM
> >        realm = REALM.COM
> >        security = ADS
> >        domain logons = yes
> >        encrypt passwords = yes
> >        password server = DC1.DOMAIN.COM DC2.DOMAIN.COM
> >        server string = odin.scl.utah.edu
> >        ldap idmap suffix = ou=users,dc=domain,dc=com
> >        prefered master = No
> >        local master = no
> >        domain master = No
> >        prefered master = no
> >        hide unreadable = no
> >        wins support = no
> >        dns proxy = no
> >        idmap uid = 15000-20000
> >        idmap gid = 15000-20000
> >        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >        add machine script = /usr/sbin/useradd  -c Machine -d
> > /var/lib/nobody -s /bin/false %m$
> >        use spnego = yes
> >        update encrypted = yes
> >        winbind use default domain = yes
> >        winbind separator = \
> >        winbind enum users = yes
> >        winbind enum groups = yes
> >        os level = 20
> >        template shell = /bin/bash
> >        template homedir = /home/%D/%U
> >
> > [odin]
> >        comment = samba box
> >        inherit acls = Yes
> >        path = /usr/local/odin/
> >        read only = no
> >        user = @"DOMAIN+domain users"
> >        force group = users
> >        force user = users
> >        guest ok = no
> >
> > krb5.conf
> >
> > [libdefaults]
> > default_realm = REALM.COM
> > clockskew = 300
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > default_tkt_enctypes = des-cbc-crc des-cbc-md5
> > default_tgs_enctypes = des-cbc-crc
> >
> > [realms]
> > REALM.COM = {
> >         kdc = 192.168.0.2
> >         default_domain = scl.utah.edu
> >         admin_server = 192.168.0.2
> > }
> >
> > [logging]
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmin.log
> > default = FILE:/var/log/krb5lib.log
> >
> > [domain_realm]
> > .domain.com = REALM.COM
> > domain.com = REALM.COM
> >
> > [appdefaults]
> > pam = {
> >    ticket_lifetime = 1d
> >    renew_lifetime = 1d
> >    forwardable = true
> >    proxiable = false
> >    retain_after_close = false
> >    minimum_uid = 0
> > }
> >
> > nsswitch.conf
> >
> > passwd: files winbind
> > shadow: files
> > group:  files winbind
> >
> > pam.d/login
> >
> > #%PAM-1.0
> > auth     required       pam_securetty.so
> > auth     include        common-auth
> > auth     required       pam_nologin.so
> > auth     required       pam_mail.so
> > auth     sufficient     pam_winbind.so
> > #account  include       common-account
> > account   sufficient    pam_winbind.so
> > password include        common-password
> > session  include        common-session
> > session  required       pam_resmgr.so
> >
> > What am I doing wrong?  I followed the samba howto on ADS domain
> > membership
> > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
> >
> >
> > here are the results of the commands run when creating the computer
> > account:
> >
> > jason at odin-newb:~> sudo net ads join -U"Admin"
> > Admin's password:
> > [2005/09/14 13:26:03, 0] libads/ldap.c:ads_add_machine_acct(1405)
> >  ads_add_machine_acct: Host account for odin-newb already exists -
> > modifying old account
> > Using short domain name -- SCL.UTAH.EDU
> > Joined 'ODIN-NEWB' to realm 'SCL.UTAH.EDU'
> >
> > Am I ok up to this point?
> >
> > --
> > Jason Gerfen
>
> <CLIP>
>
> Please understand that my configuration is pretty straightforward.  My
> samba boxes are not PDCs/BDCs, I don't use ACLs, etc.  All I want is basic
> access for file and print serving.  Again, that said:
>
> Looks like you're good, up to a point, in that you've joined the domain. 
> If you go to your Win2k3 server, can you browse the samba share you
> created?
>
> I'm certainly no expert (in fact, the people on the list have helped me),
> but I'm not sure why you need:
>
> ldap idmap suffix = ou=users,dc=domain,dc=com
>
> Anyway, here's my smb.conf from one of my servers:
>
> [global]
>    workgroup = HEADQUARTERS
>    netbios name = NORWELL
>    server string = ""
>    hosts allow = 192.168.100. 10.8.0.0/24 127.
>    printcap name = /etc/printcap
>    load printers = yes
>    log file = /var/log/samba/%m.log
>    max log size = 50
>    security = ads
>    encrypt passwords = yes
>    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    remote announce = 192.168.103.255
>    name resolve order = wins hosts lmhosts bcast
>    wins server = 192.168.100.3
>    dns proxy = no
>    smb ports = 445   (My note:  conventional wisdom says to use port 139.
> However, this works for me.)
>    oplocks = no
>    level2 oplocks = no
>    kernel oplocks = no
>    veto oplock files = /*.mdb/*.MDB/*.ldb/*.LDB/*.ofm/
> #   idmap uid = 10000-20000
> #   idmap gid = 10000-20000
>    winbind enum users = yes
>    winbind enum groups = yes
>    template homedir = /home/%D/%U
>    template shell = /bin/false
>    winbind use default domain = no
>    password server = 192.168.100.3
>    realm = HEADQUARTERS.MYDOMAIN.COM
> [printers]
>    comment = All Printers
>    path = /var/spool/samba
>    valid users = "@HEADQUARTERS\Domain Users"
>    browseable = no
>    guest ok = no
>    writable = no
>    printable = yes
> [data1]
>    comment =
>    path = /data1
>    valid users = "@HEADQUARTERS\Domain Users"
>    admin users = root Administrator Administrator at HEADQUARTERS
>    public = no
>    browseable = yes
>    writable = yes
>    printable = no
>    create mask = 0770
>    force directory mode = 0770
>
> The data1 directory started off with 777 permissions.  After I joined the
> domain, I changed this to 770, with ownership by HEADQUARTERS\Administrator
> and group HEADQUARTERS\Domain Users.
>
> It works, 'nuf said.  HTH.
>
> Dimitri

Oops, obviously these lines are uncommented (how'd I do that?):

idmap uid = 10000-20000
idmap gid = 10000-20000

Dimitri
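An added example (not code from the thread, from Samba or from either poster): a small lint for smb.conf that flags the things the exchange above turns on, namely an ADS member that also has `domain logons = yes` (the "Samba is now a logon server" log lines), duplicated parameters, and share-level group references whose separator does not match `winbind separator`. The sample config is constructed from the one posted in the thread, reduced to the lines that matter.

```python
import re

# Constructed sample, reduced from the smb.conf posted in the thread.
# "\\" inside the triple-quoted string is a single backslash, as in the original.
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOMAIN.COM
    realm = REALM.COM
    security = ADS
    domain logons = yes
    domain master = No
    prefered master = No
    prefered master = no
    local master = no
    winbind separator = \\
[odin]
    path = /usr/local/odin/
    user = @"DOMAIN+domain users"
"""

TRUE_VALUES = {"yes", "true", "1"}
USER_LIST_KEYS = ("user", "username", "valid users", "admin users", "write list")

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates and order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def lint_domain_member(sections):
    """Findings for a host that is meant to be an ADS domain member, not a DC."""
    findings, gvals = [], {}
    for key, value in sections.get("global", []):
        if key in gvals:
            findings.append(f"duplicate parameter in [global]: {key}")
        gvals[key] = value.lower()
    if gvals.get("security") == "ads":
        # A member server must not try to become a logon/domain master server.
        for key in ("domain logons", "domain master", "preferred master", "prefered master"):
            if gvals.get(key) in TRUE_VALUES:
                findings.append(f"{key} = yes conflicts with security = ads")
    sep = gvals.get("winbind separator", "\\")  # Samba's default separator
    for name, params in sections.items():
        for key, value in params:
            if key in USER_LIST_KEYS:
                for m in re.finditer(r'@"?[\w.-]+([\\+/])', value):
                    if m.group(1) != sep:
                        findings.append(f"[{name}] {key} uses '{m.group(1)}' "
                                        f"but winbind separator is '{sep}'")
    return findings
```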

