[Samba] Re: Authentication against AD?
dyioulos at firstbhph.com
Thu Sep 15 21:33:28 GMT 2005
On Thursday 15 September 2005 4:17 pm, you wrote:
> Dimitri Yioulos wrote:
> >On Thursday 15 September 2005 3:32 pm, you wrote:
> >>Ok I think I have found my problem. I need to find a way to map Samba
> >>to an active directory common name:
> >>%> net ads join -U"Administrator" "cn=users,dc=domain,dc=com" (example,
> >>I know the syntax is incorrect)
> >>As far as I can tell it is hard coded in the net ads join routine to
> >>tack on the ou=users vs. cn=users, anyone shed some light on this?
> >Uh, I must be missing something here. This is a pretty straightforward
> > set-up, right? You want to join this Samba box to a Win2k3 server for
> > file- or print-serving purposes? I've always felt that you get a basic
> > set-up working first, then start to get fancy.
> >1. kinit Administrator@MYDOMAIN.COM
> >(You'll be prompted for a password. My systems simply return me to a
> > prompt if I'm successful.)
> >2. net ads join -U Administrator@MYDOMAIN.COM
> >(Again, you'll be prompted for a password. Info about the machine joining
> > the AD is returned)
> >Beyond this, someone else will have to help out.
> Yeah this works, I can get my krb creds:
> jason@odin-newb:~> kinit Admin@DOMAIN.COM
> Password for Admin@DOMAIN.COM:
> jason@odin-newb:~> klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: Admin@DOMAIN.COM
> Valid starting Expires Service principal
> 09/15/05 14:12:30 09/16/05 00:11:16 krbtgt/DOMAIN.COM@DOMAIN.COM
> renew until 09/16/05 14:12:30
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
> And this works as well:
> Admin@DOMAIN.COM's password:
> [2005/09/15 14:13:25, 0] libads/ldap.c:ads_add_machine_acct(1405)
> ads_add_machine_acct: Host account for odin-newb already exists -
> modifying old account
> Using short domain name -- DOMAIN.COM
> Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
> But when testing, using wbinfo -u or getent I am getting only the local
> passwd accounts.
> jason@odin-newb:~> wbinfo -u
> Error looking up domain users
> And here is where my accounts need to be authenticated from
> Note the CN=Users, vs. OU=Users, I will go read the RFC to see if I can
> get more info on this.
So, you're not authenticating against ADS? If you are, are you sure the
winbind daemon is running?