[Samba] AD Authentication help please?
Jason Gerfen
jason.gerfen at scl.utah.edu
Wed Sep 21 18:09:33 GMT 2005
Strange, I guess that is my misunderstanding of how it acquires the
list of users when running a wbinfo -u command.
Yep, here is the output:
jason at odin-newb:~> sudo net ads join -U Admin at domain.com
Admin at domain.com's password: xxxxxx
Using short domain name -- DOMAIN.COM
Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
And when I check to see if it is available within Active Directory
(member server of Win2k domain) I can clearly see the
CN=odin-newb,cn=computers,dc=domain,dc=com listed in the appropriate
container.
My problem at this point is the only users I can view are in a different
container. You say you can view all users for all containers right?
Well after joining the domain the first time I followed the samba3-howto
and attempted to point to a container of users and now those are the
only ones I can view.
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-create-machine-account
I am sorry about any confusion.
Edward Brookhouse wrote:
>I still do not understand what you mean by map?
>
>In my setup wbinfo -u shows me 'everything' regardless of the container
>it's in.
>
>It sounds like you think there should be some kind of authentication
>mapping but there does not need to be one -
>
>By adding the computer to the domain - and setting up the kerb conf -
>when an auth request hits samba he will hand it to the domain and the
>domain should do a recursive search for user objects under
>dc=your,dc=toplevel,dc=com
>
>The only reason you see the ou=Users in your trace is because Admin
>lives in ou=Users by default.
>
>Can you authenticate? Have you tried?
>
>-----Original Message-----
>From: Jason Gerfen [mailto:jason.gerfen at scl.utah.edu]
>Sent: Wednesday, September 21, 2005 1:46 PM
>To: Edward Brookhouse
>Subject: Re: [Samba] AD Authentication help please?
>
>Sorry, I suppose I am leaving things out.
>
>I am able to see the machine in the computers container after I
>successfully joined the domain using the net ads join command. However
>while trying (multiple times) to map to the CN=users container in Active
>directory I mapped to an OU=otherUsers which is now what I see when I do
>a wbinfo -u command.
>
>If what you are saying is correct about the default mapping to the
>cn=users I need to revert back to this somehow.
>
>Edward Brookhouse wrote:
>
>>Try to forget about where the users live for a sec - get the computer in
>>the domain first. Your net ads join command should return a welcome to
>>the domain if it does not - use a net rpc join command in the same
>>fashion -
>>
>>Then go look in AD to see if that computer showed up in your Computers
>>container -
>>
>>If it did, great .. you should be golden
>>
>>If not - go back to the net join until it works :)
>>
>>-----Original Message-----
>>From: Jason Gerfen [mailto:jason.gerfen at scl.utah.edu]
>>Sent: Wednesday, September 21, 2005 1:22 PM
>>To: Edward Brookhouse
>>Subject: Re: [Samba] AD Authentication help please?
>>
>>Hmm, that might be my problem. I am using the HOWTO and running the
>>commands in this order:
>>
>>%> net ads join -U <username>
>>%> kinit <username>
>>%> net ads join -U <username> "users" as the container which is not
>>found.
>>
>>Do I need to do a net ads leave command? In order to attempt a new
>>mapping for the users container?
>>
>>Edward Brookhouse wrote:
>>
>>>I'm still confused on what you are saying - here is why:
>>>
>>># net ads join
>>>
>>>Should join the 'computer' to the domain - the user should already be in
>>>there - the ou=users is the default implied container where users live,
>>>but it should not matter where the users are in the directory -
>>>
>>>For example -
>>>
>>>My domain is laid out like:
>>>
>>>dc=corp,dc=example,dc=com
>>>
>>>with ou=users being where admin lives
>>>but all my other users live in ou=HD,ou=7811
>>>
>>>once you do net ads join the computer should show up in the Computers
>>>container.
>>>
>>>-----Original Message-----
>>>From: Jason Gerfen [mailto:jason.gerfen at scl.utah.edu]
>>>Sent: Tuesday, September 20, 2005 3:35 PM
>>>To: Edward Brookhouse; samba at lists.samba.org
>>>Subject: Re: [Samba] AD Authentication help please?
>>>
>>>When joining the samba box to a domain:
>>>
>>>%> net ads join -U <username>
>>>%> kinit Admin at DOMAIN.COM
>>>%> net ads join -U <username> <LDAP/AD Container of users>
>>>
>>>The last command fails and when doing an strace you can clearly see that
>>>it is expecting an Organizational Unit (OU) vs. a Common Name (CN) which
>>>is where the users I need to authenticate are currently residing.
>>>
>>>Do I need to move these to an OU vs. a CN? Here is the strace output I
>>>am referring to:
>>>
>>>%> strace -o tmp net ads join -U "Admin" "users"
>>>
>>>(only including pertinent lines with searching for container to map to)
>
>
>>>write(6, "0C\2\1\5c>\4\36ou=users,dc=DOMAIN,dc=COM"..., 69) = 69 <--
>>>here is the hard coded ou, I am not 100% familiar with the LDAP RFC but
>>>on a windows Active Directory there are CN and OU containers
>>>
>>>See how it is appending the OU=USERS?
>>>
>>>Edward Brookhouse wrote:
>>>
>>>>Not sure I understand your question. What are you trying to map?
>>>>
>>>>-----Original Message-----
>>>>From: samba-bounces+ebroo=healthydirections.com at lists.samba.org
>>>>[mailto:samba-bounces+ebroo=healthydirections.com at lists.samba.org] On
>>>>Behalf Of Jason Gerfen
>>>>Sent: Tuesday, September 20, 2005 11:25 AM
>>>>To: samba at lists.samba.org
>>>>Subject: [Samba] AD Authentication help please?
>>>>
>>>>I am having a problem which with much help from this list I have gotten
>>>>90% complete. I am attempting to create a samba server which will
>>>>authenticate users as a Domain member server using active directory.
>>>>authenticate users as a Domain member server using active directory.
>>>>
>>>>The question I have is how can I map a specific container which is not
>>>>an OU but a CN in the active directory?
>>>>
>>>>Any help is appreciated.
--
Jason Gerfen
Student Computing Labs, University Of Utah
jason.gerfen at scl.utah.edu
J. Willard Marriott Library
295 S 1500 E, Salt Lake City, UT 84112-0860
801-585-9810
"My girlfriend threatened to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK
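The strace line quoted deeper in this thread is a BER-encoded LDAP SearchRequest; this added example (mine, not Samba's code) decodes its prefix so a reader can check which search base, and which kind of leaf RDN (OU or CN), the client actually put on the wire. It reuses the poster's string with its redacted domain, so the declared lengths (0x43, 0x3e, 0x1e) belong to the original, longer DN and the capture reads as truncated.

```python
STRACE_LINE = r'write(6, "0C\2\1\5c>\4\36ou=users,dc=DOMAIN,dc=COM"..., 69) = 69'


def strace_string_bytes(line: str) -> bytes:
    """Take the quoted C-escaped string out of an strace write() line and
    turn escapes such as \\2 and \\36 (octal) back into raw bytes."""
    quoted = line[line.index('"') + 1:line.rindex('"')]
    return quoted.encode("latin-1").decode("unicode_escape").encode("latin-1")


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at pos -> (tag, declared_length, value,
    next_pos). value is shorter than declared_length when strace cut the string."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x81:                 # long form with one length byte
        length, pos = buf[pos], pos + 1
    elif length & 0x80:
        raise ValueError("unsupported BER length form")
    return tag, length, buf[pos:pos + length], pos + length


def search_base(raw: bytes) -> dict:
    """Walk LDAPMessage -> messageID -> SearchRequest -> baseObject and
    report which kind of RDN (OU or CN) the client used at the leaf."""
    tag, _, msg, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, _, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("expected messageID INTEGER")
    tag, _, req, _ = read_tlv(msg, pos)
    if tag != 0x63:                    # [APPLICATION 3] SearchRequest
        raise ValueError("not a SearchRequest")
    tag, declared, base, _ = read_tlv(req, 0)
    if tag != 0x04:
        raise ValueError("expected baseObject OCTET STRING")
    dn = base.decode("latin-1")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "base_dn": dn,
        "leaf_rdn_type": dn.split(",")[0].split("=")[0].strip().upper(),
        "truncated": len(base) < declared,   # 30 bytes declared, 25 captured
    }


if __name__ == "__main__":
    # Constructed input from the post: leaf RDN is OU, message is truncated.
    print(search_base(strace_string_bytes(STRACE_LINE)))
```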