[Samba] Re: Authentication against AD?
Ernest Keller
Ernest.Keller at arivia.co.za
Fri Sep 16 05:51:51 GMT 2005
Hi,
I get exactly the same.
'kinit -U[username]%[password]' works 100%; 'klist' shows my kerberos
ticket(s); I set up my krb5.conf as per the examples in Samba 3 by
Example-HOWTO; I joined the domain 100% with 'net ads join -U
[username]%[password]', but:
wbinfo -u just gives me "Error looking up domain users."
wbinfo -g gives me a listing of all the ADS groups <-- working 100%?
'getent passwd' gives me a listing of all local users, but no domain /
ADS users
'getent group' gives me the local groups, but no ADS groups (just hangs
a while after local groups and then probably times out)
I only have a small office file & print server (about 12 users), so I
got around this by using local accounts and manually mapping them to the
corresponding domain users (/etc/samba/smbusers - local username =
[DOMAIN]/[domain username]) and using 'username map =
/etc/samba/smbusers' in smb.conf .
Here is my config:
[global]
realm = COMPANY.COM
security = ADS
password server = kdc.company.com
idmap uid = 10000-1000000
idmap gid = 10000-1000000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind separator = /
unix password sync = yes
workgroup = COMPANY-COM
interfaces = eth0 lo
bind interfaces only = yes
netbios name = SERVER
name resolve order = wins hosts bcast
dns proxy = no
domain logons = no
preferred master = no
domain master = no
local master = yes
os level = 33
max log size = 1024
log level = 2
log file = /var/log/samba/samba-new.log
syslog = 1
guest account = smbguest
username level = 50
username map = /etc/samba/smbusers
encrypt passwords = yes
password level = 20
client use spnego = yes
wins server = x.x.x.x
preserve case = yes
short preserve case = yes
case sensitive = no
hide dot files = yes
hide unreadable = yes
hide special files = yes
map to guest = never
I also repeatedly get the following in
/var/log/samba/log-wb.COMPANY-COM:
[2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
cli_rpc_open failed on pipe \lsarpc to machine [ADS_DC_NAME].
Error was Write error: Connection reset by peer
[2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
cli_rpc_open failed on pipe \NETLOGON to machine [ADS_DC_NAME].
Error was Write error: Connection reset by peer
Service smb status gives:
smbd (pid 21371 21233) is running...
nmbd (pid 14018) is running...
Service winbind status gives:
winbindd (pid 8991 8370 8367 8366) is running...
I'm running Samba 3.0.20 on Linux Fedora Core 4
Although we can work, any help to get the proper domain authentication
working would be greatly appreciated.
TIA
Ernest
> Dimitri Yioulos wrote:
> >On Thursday 15 September 2005 3:32 pm, you wrote:
> >></snip>
> >>
> >>Ok I think I have found my problem. I need to find a way to map
> >>Samba to an active directory common name:
> >>
> >>%> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"
> >>(example, I know the syntax is incorrect)
> >>
> >>As far as I can tell it is hard coded in the net ads join routine to
> >>tack on the ou=users vs. cn=users, anyone shed some light on this?
> >
> >Uh, I must be missing something here. This is a pretty
> >straightforward set-up, right? You want to join this Samba box to a
> >Win2k3 server for
> > file- or print-serving purposes? I've always felt that you get a
> >basic set-up working first, then start to get fancy.
> >
> >AFAIK:
> >
> >1. kinit Administrator@MYDOMAIN.COM
> >(You'll be prompted for a password. My systems simply return me to a
> >prompt if I'm successful.)
> >2. net ads join -U Administrator@MYDOMAIN.COM
> >(Again, you'll be prompted for a password.
> >Info about the machine joining the AD is returned)
> >
> >Beyond this, someone else will have to help out.
> >
> >Best,
> >
> >Dimitri
>
> Yeah this works, I can get my krb creds:
>
> jason@odin-newb:~> kinit Admin@DOMAIN.COM
> Password for Admin@DOMAIN.COM:
> jason@odin-newb:~> klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: Admin@DOMAIN.COM
>
> Valid starting     Expires            Service principal
> 09/15/05 14:12:30  09/16/05 00:11:16  krbtgt/DOMAIN.COM@DOMAIN.COM
>         renew until 09/16/05 14:12:30
>
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> And this works as well:
>
> Admin@DOMAIN.COM's password:
> [2005/09/15 14:13:25, 0] libads/ldap.c:ads_add_machine_acct(1405)
> ads_add_machine_acct: Host account for odin-newb already exists - modifying old account
> Using short domain name -- DOMAIN.COM
> Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
>
> But when testing, using wbinfo -u or getent I am getting only the
> local passwd accounts.
>
> jason@odin-newb:~> wbinfo -u
> Error looking up domain users
>
> And here is where my accounts need to be authenticated from
>
> LDAP://server.domain.com/CN=Users,DC=server,DC=domain,DC=com
>
> Note the CN=Users, vs. OU=Users, I will go read the RFC to see if I
> can get more info on this.
So, you're not authenticating against ADS? If you are, are you sure the
winbind daemon is running?
Dimitri
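Added example (not code from the thread or from Samba): a small Python check that parses a [global] section like the one posted above plus an nsswitch.conf, and flags the usual reasons 'getent passwd' returns only local accounts while wbinfo can still reach the domain. Both sample files are constructed; the nsswitch check rests on the fact that getent goes through NSS, so libnss_winbind must be listed for passwd and group before domain entries can appear.

```python
import re

# Constructed sample: the posted [global] section, trimmed to the keys checked here.
SMB_CONF = """
[global]
realm = COMPANY.COM
security = ADS
idmap uid = 10000-1000000
idmap gid = 10000-1000000
winbind enum users = yes
winbind separator = /
"""

# Constructed sample nsswitch.conf: stock file with winbind not listed.
NSSWITCH_CONF = """
passwd: files
group:  files
hosts:  files dns
"""

def parse_smb_global(text):
    """Return the key/value pairs of the [global] section, keys lower-cased."""
    params, in_global = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, val = line.partition("=")
            params[key.strip().lower()] = val.strip()
    return params

def parse_nsswitch(text):
    """Map each NSS database (passwd, group, ...) to its list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if ":" in line:
            db, _, sources = line.partition(":")
            dbs[db.strip()] = sources.split()
    return dbs

def check_winbind_setup(smb_conf_text, nsswitch_text):
    """Return a list of findings; an empty list means the basic checks pass."""
    g, nss, findings = parse_smb_global(smb_conf_text), parse_nsswitch(nsswitch_text), []
    if g.get("security", "").lower() == "ads" and not g.get("realm"):
        findings.append("security = ADS requires a 'realm' entry")
    for key in ("idmap uid", "idmap gid"):          # winbind needs an id range to allocate from
        m = re.fullmatch(r"(\d+)-(\d+)", g.get(key, ""))
        if not m:
            findings.append(f"missing or malformed '{key}' range")
        elif int(m.group(1)) < 1000:
            findings.append(f"'{key}' range overlaps local system ids below 1000")
    for db in ("passwd", "group"):                  # getent only sees what NSS is told about
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch.conf: '{db}' does not list winbind, "
                            "so getent will only return local entries")
    return findings
```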