[Samba] SSO Samba/AD integration
Brian Atkins
batkins at tlcdelivers.com
Thu Sep 15 13:03:33 GMT 2005
OK, I'm certain that this topic has been beaten to death, but I need some
assistance. I am trying to migrate to a SSO for the majority of our
workstations and servers within our organization. I am currently trying
to integrate a Gentoo Linux workstation to authenticate to the AD
server. Once I get the process nailed down, I'll be moving on to bigger
and better things...
Prior to starting, I already had Samba installed and was able to share
files with Windows based boxes, though only through a guest account.
Since yesterday, I have installed openLDAP with mit-krb5 and Samba
support enabled. I modified smb.conf, nsswitch.conf, and /etc/hosts in
accordance with a document I located on the Gentoo site. It was pretty
straightforward, nothing earth-shattering. Once Samba was restarted
(with winbind), I was able to use kinit to join the domain
successfully, and can now get user and group listings using the 'getent
[passwd|group]' commands. However, when I try signing into the
workstation using an AD account, the login is denied. What gives?
Here are my basics:
nsswitch.conf:
--------------
passwd: compat winbind
shadow: compat
group: compat winbind
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns winbind
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
hosts
-----
...
10.10.57.124 tlcdcm.UNICITY.TLCDELIVERS.COM tlcdcm UNICITY
10.10.57.140 tlcdcm2.UNICITY.TLCDELIVERS.COM tlcdcm2
10.10.56.111 web-backupws.UNICITY.TLCDELIVERS.COM web-backupws
...
smb.conf
--------
[global]
netbios name = briansrapier
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind gid = 10000-20000
workgroup = UNICITY
os level = 20
winbind enum groups = yes
password server = *
preferred master = no
winbind separator = +
max log size = 50
log file = /var/log/samba3/log.%m
encrypt passwords = yes
dns proxy = no
realm = UNICITY.TLCDELIVERS.COM
security = ADS
wins server = 10.10.57.124
wins proxy = no
...
Doing a 'getent passwd' returns users similar to:
...
UNICITY+cfedeles:x:10172:10000:NAME:/home/UNICITY/cfedeles:/bin/false
UNICITY+tevans:x:10173:10000:NAME:/home/UNICITY/tevans:/bin/false
UNICITY+mbare:x:10174:10000:NAME:/home/UNICITY/mbare:/bin/false
...
But it also lists computer accounts:
...
UNICITY+imd-gsanchez$:x:10539:10004:IMD-GSANCHEZ:/home/UNICITY/imd-gsanchez_:/bin/false
UNICITY+imd-sharepoint$:x:10553:10004:IMD-SHAREPOINT:/home/UNICITY/imd-sharepoint_:/bin/false
UNICITY+imd-alucchiani$:x:10559:10004:IMD-ALUCCHIANI:/home/UNICITY/imd-alucchiani_:/bin/false
...
However, 'getent group' works just fine:
...
UNICITY+Exchange Domain Servers:x:10025:
UNICITY+Exchange Enterprise Servers:x:10026:
UNICITY+Trainers:x:10027:UNICITY+sblizzard,UNICITY+jedgell,UNICITY+jime
...
The '/bin/false' login shell in the passwd schema leads me to believe that is where the problem lies, but I am not sure what to do to fix it.
Thanks for the input.
--
Brian Atkins
"An adventure is never an adventure
when it's happening. Challenging
experiences need time to ferment,
and an adventure is simply physical
and emotional discomfort recollected
in tranquility." -- Tim Cahill
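As an added example (not part of Brian's post or of Samba itself), a small Python audit of 'getent passwd' output that flags the three things visible in the listing above: winbind-mapped accounts whose shell is /bin/false (winbind's default 'template shell', which is what refuses the interactive login), machine accounts (trailing '$') being enumerated, and UIDs outside the configured 'idmap uid' range. The sample lines are constructed after the ones quoted; the '+' separator and the 10000-20000 range are taken from the smb.conf shown.

```python
"""Audit winbind-mapped entries from 'getent passwd' output."""
from dataclasses import dataclass

# Constructed sample, modelled on the entries quoted in the post (not real output).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
UNICITY+cfedeles:x:10172:10000:NAME:/home/UNICITY/cfedeles:/bin/false
UNICITY+tevans:x:10173:10000:NAME:/home/UNICITY/tevans:/bin/bash
UNICITY+imd-gsanchez$:x:10539:10004:IMD-GSANCHEZ:/home/UNICITY/imd-gsanchez_:/bin/false
UNICITY+stray:x:20001:10000:NAME:/home/UNICITY/stray:/bin/bash
"""

# Shells that refuse an interactive session; /bin/false is winbind's default 'template shell'.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

@dataclass(frozen=True)
class Finding:
    account: str
    uid: int
    reason: str

def audit_winbind_passwd(text, separator="+", uid_range=(10000, 20000)):
    """Return one Finding per problem found on winbind-mapped (DOMAIN<sep>user) entries."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line, -1, "malformed passwd entry"))
            continue
        name, _pw, uid_s, _gid, _gecos, _home, shell = fields
        if separator not in name:
            continue  # local account, not supplied by winbind
        uid = int(uid_s)
        sam_name = name.split(separator, 1)[1]
        if sam_name.endswith("$"):
            findings.append(Finding(name, uid, "machine account (trailing '$') enumerated"))
        if not uid_range[0] <= uid <= uid_range[1]:
            findings.append(Finding(name, uid, "uid outside the configured 'idmap uid' range"))
        if shell in NOLOGIN_SHELLS:
            findings.append(Finding(name, uid, f"shell {shell} blocks interactive login"))
    return findings

def login_capable(text, separator="+", uid_range=(10000, 20000)):
    """Winbind-mapped accounts with no findings, i.e. the ones that should be able to log in."""
    flagged = {f.account for f in audit_winbind_passwd(text, separator, uid_range)}
    names = [l.split(":")[0] for l in text.splitlines() if l.strip()]
    return sorted(n for n in names if separator in n and n not in flagged)

if __name__ == "__main__":
    for f in audit_winbind_passwd(SAMPLE_PASSWD):
        print(f"{f.account:30} uid={f.uid:<6} {f.reason}")
```

Run against real output with `getent passwd | python3 audit.py` style piping if you replace SAMPLE_PASSWD with sys.stdin.read(); an account listed by login_capable() that is still denied points at PAM rather than at winbind's NSS mapping.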