[Samba] SSO Samba/AD integration

Bruno Guerreiro bruno.guerreiro at ine.pt
Thu Sep 15 14:21:47 GMT 2005


Hi,
/bin/false prevents a user from logging in to the machine, while allowing them to
authenticate... You can use shares which are located on your Samba server,
access via FTP, etc. You just can't log on to the machine itself.
Not sure about this one (I don't use AD), but have you tried setting this:

template shell = (whatever shell you want, normally /bin/bash)


From man smb.conf:

       template shell (G)
              When filling out the user information for a Windows NT user,
              the winbindd(8) daemon uses this parameter to fill in the login
              shell for that user.

              No default


Best Regards,
Bruno Guerreiro


>-----Original Message-----
>From: Brian Atkins [mailto:batkins at tlcdelivers.com]
>Sent: Thursday, 15 September 2005 14:04
>To: samba at lists.samba.org
>Subject: [Samba] SSO Samba/AD integration
>
>
>OK, I'm certain that this topic has been beaten to death, but I need some
>assistance.  I am trying to migrate to an SSO for the majority of our
>workstations and servers within our organization.  I am currently trying
>to integrate a Gentoo Linux workstation to authenticate to the AD
>server.  Once I get the process nailed down, I'll be moving on to bigger
>and better things...
>
>Prior to starting, I already had Samba installed and was able to share
>files with Windows based boxes, though only through a guest account. 
>Since yesterday, I have installed openLDAP with mit-krb5 and Samba
>support enabled.  I modified smb.conf, nsswitch.conf, and /etc/hosts in
>accordance with a document I located on the Gentoo site.  It was pretty
>straightforward, nothing earth-shattering.  Once Samba was restarted
>(with winbind), I was able to use kinit to join the domain
>successfully, and can now get user and group listings using the 'getent
>[passwd|group]' commands.  However, when I try signing into the
>workstation using an AD account, the login is denied.  What gives? 
>
>Here are my basics:
>
>nsswitch.conf:
>--------------
>passwd:      compat winbind
>shadow:      compat
>group:       compat winbind
>
># passwd:    db files nis
># shadow:    db files nis
># group:     db files nis
>
>hosts:       files dns winbind
>networks:    files dns
>
>services:    db files
>protocols:   db files
>rpc:         db files
>ethers:      db files
>netmasks:    files
>netgroup:    files
>bootparams:  files
>
>automount:   files
>aliases:     files
>
>
>hosts
>-----
>...
>10.10.57.124    tlcdcm.UNICITY.TLCDELIVERS.COM  tlcdcm UNICITY
>10.10.57.140    tlcdcm2.UNICITY.TLCDELIVERS.COM tlcdcm2
>10.10.56.111    web-backupws.UNICITY.TLCDELIVERS.COM    web-backupws
>...
>
>smb.conf
>--------
>[global]
>   netbios name = briansrapier
>   socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   winbind enum users = yes
>   winbind gid = 10000-20000
>   workgroup = UNICITY
>   os level = 20
>   winbind enum groups = yes
>   password server = *
>   preferred master = no
>   winbind separator = +
>   max log size = 50
>   log file = /var/log/samba3/log.%m
>   encrypt passwords = yes
>   dns proxy = no
>   realm = UNICITY.TLCDELIVERS.COM
>   security = ADS
>   wins server = 10.10.57.124
>   wins proxy = no
>...
>
>Doing a 'getent passwd' returns users similar to:
>...
>UNICITY+cfedeles:x:10172:10000:NAME:/home/UNICITY/cfedeles:/bin/false
>UNICITY+tevans:x:10173:10000:NAME:/home/UNICITY/tevans:/bin/false
>UNICITY+mbare:x:10174:10000:NAME:/home/UNICITY/mbare:/bin/false
>...
>
>But also lists computer accounts as well:
>...
>UNICITY+imd-gsanchez$:x:10539:10004:IMD-GSANCHEZ:/home/UNICITY/imd-gsanchez_:/bin/false
>UNICITY+imd-sharepoint$:x:10553:10004:IMD-SHAREPOINT:/home/UNICITY/imd-sharepoint_:/bin/false
>UNICITY+imd-alucchiani$:x:10559:10004:IMD-ALUCCHIANI:/home/UNICITY/imd-alucchiani_:/bin/false
>...
>
>However, 'getent group' works just fine:
>...
>UNICITY+Exchange Domain Servers:x:10025:
>UNICITY+Exchange Enterprise Servers:x:10026:
>UNICITY+Trainers:x:10027:UNICITY+sblizzard,UNICITY+jedgell,UNICITY+jime
>...
>
>The '/bin/false' login shell in the passwd schema leads me to believe
>that is where the problem lies, but I am not sure what to do to fix it.
>
>Thanks for the input.
>
>-- 
>Brian Atkins
>
>"An adventure is never an adventure 
>when it's happening.  Challenging
>experiences need time to ferment, 
>and an adventure is simply physical 
>and emotional discomfort recollected 
>in tranquility." -- Tim Cahill
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/listinfo/samba
>
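
A quick check to run after adding `template shell = /bin/bash` (and, if wanted, `template homedir = /home/%D/%U`) to the [global] section of smb.conf and restarting winbindd. This is an added example, not code from the thread or from the Samba project. The caveat it exists to show: `template shell` applies to every account winbind enumerates, so the computer accounts visible in the original post (names ending in `$`) receive a login shell too. The script lists which entries now have an interactive shell and singles out machine accounts among them; on a real host you would pipe `getent passwd` into the functions instead of the constructed sample, and keep unwanted accounts out of interactive login with pam_winbind's `require_membership_of` option rather than by relying on the shell field.

```shell
#!/bin/sh
# Added example (not from the thread): audit the passwd entries winbind hands
# to NSS once "template shell" is set. Constructed sample modelled on the
# getent output in the thread, as it would look after
# "template shell = /bin/bash" is applied. Offline stand-in for:
#   getent passwd | grep '^UNICITY+'
SAMPLE_PASSWD='UNICITY+cfedeles:x:10172:10000:NAME:/home/UNICITY/cfedeles:/bin/bash
UNICITY+tevans:x:10173:10000:NAME:/home/UNICITY/tevans:/bin/bash
UNICITY+mbare:x:10174:10000:NAME:/home/UNICITY/mbare:/bin/false
UNICITY+imd-gsanchez$:x:10539:10004:IMD-GSANCHEZ:/home/UNICITY/imd-gsanchez_:/bin/bash
UNICITY+imd-sharepoint$:x:10553:10004:IMD-SHAREPOINT:/home/UNICITY/imd-sharepoint_:/bin/false'

# Print the account name of every passwd(5) line on stdin whose login shell
# permits an interactive login (anything other than the usual "no login" shells).
interactive_accounts() {
    awk -F: '$7 != "/bin/false" && $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" { print $1 }'
}

# Same filter, restricted to machine accounts: AD computer objects end in "$".
# Anything this prints has been given a shell by the template and should be
# blocked from interactive login through PAM, not left to the shell field.
machine_accounts_with_shell() {
    interactive_accounts | awk '/\$$/'
}

# Line count on stdin, printed without the padding some wc(1) builds add.
count_lines() {
    awk 'END { print NR }'
}

# Usage: run against the constructed sample. On a live host replace the
# printf with "getent passwd".
echo "accounts with an interactive shell:"
printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
echo "machine accounts that received a shell (should be empty or PAM-blocked):"
printf '%s\n' "$SAMPLE_PASSWD" | machine_accounts_with_shell
```

With the sample above the first list has three names (the two users with /bin/bash and the `imd-gsanchez$` computer account) and the second list has one, which is exactly the entry that `template shell` silently promoted.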


More information about the samba mailing list