[Samba] AD Authentication help please?
Jason Gerfen
jason.gerfen at scl.utah.edu
Wed Sep 21 19:12:18 GMT 2005
Well I made the changes you suggested but I am still not able to view
any other container contents. I even used the net ads cache flush to
see if I could get it to work.
Thanks for the suggestions.
Edward Brookhouse wrote:
>Try changing your winbind separator to a + instead of a /
>
>
>Here is my global in smb.conf
>
>[global]
> netbios name = GOETHE
> server string = IT Dev Server
> realm = CORP.PHILLIPS.COM
> workgroup = CORP
> password server = 172.17.17.110
> security = ADS
> encrypt passwords = yes
> socket options = TCP_NODELAY
> local master = no
> dns proxy = yes
> winbind separator = +
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind enum groups = yes
> winbind enum users = yes
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/false
> winbind use default domain = no
>
>Then in my homes definition:
>
>[homes]
> comment = Home Directories
> browseable = no
> writable = yes
> user = @"CORP+domain users"
>
>Where 'CORP' is my domain
>
>-----Original Message-----
>From: Jason Gerfen [mailto:jason.gerfen at scl.utah.edu]
>Sent: Wednesday, September 21, 2005 2:26 PM
>To: Edward Brookhouse
>Subject: Re: [Samba] AD Authentication help please?
>
>Here is the krb5.conf
>
><KRB5.CONF>
>[libdefaults]
>default_realm = DOMAIN.COM
>clockskew = 300
>dns_lookup_realm = true
>dns_lookup_kdc = true
>default_tkt_enctypes = des-cbc-crc des-cbc-md5
>default_tgs_enctypes = des-cbc-crc
>
>[realms]
>DOMAIN.COM = {
> kdc = 192.168.0.10
> default_domain = domain.com
> admin_server = 192.168.0.10
>}
>
>[logging]
>kdc = FILE:/var/log/krb5kdc.log
>admin_server = FILE:/var/log/kadmin.log
>default = FILE:/var/log/krb5lib.log
>
>[domain_realm]
>.domain.com = DOMAIN.COM
>domain.com = DOMAIN.COM
>
>[appdefaults]
>pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
>}
>
>now the contents of the smb.conf
>
><SMB.CONF>
>[global]
>#
># Network configuration
>#
> server string = odin-newb
> workgroup = DOMAIN.COM
> netbios name = ODIN-NEWB
> realm = DOMAIN.COM
> security = ADS
> password server = 192.168.0.10
>
>#
># Domain configuration options
>#
> prefered master = no
> local master = no
> domain master = no
> prefered master = no
> domain logons = no
>
>#
># Security options
>#
> encrypt passwords = yes
> update encrypted = yes
> password level = 20
>
>#
># Enumeration options
>#
> winbind separator = /
> winbind enum users = yes
> winbind enum groups = yes
>
>#
># User/Group mapping options
>#
> idmap uid = 15000-20000
> idmap gid = 15000-20000
>
>#
># LDAP/AD configuration options
>#
> ldap admin dn = "cn=XXXXX,ou=users,dc=domain,dc=com"
> ldap delete dn = no
>
> use spnego = yes
>
>#
># Networking options
>#
> hide unreadable = no
> wins support = no
> dns proxy = no
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>
>#
># Miscellaneous options
>#
> os level = 20
> template shell = /bin/bash
> template homedir = /odin/%D/%U
> load printers = no
>
>#
># Logging options
>#
> log level = 4
> log file = /var/log/samba.log.%m
>
>
>The only container I can view (as far as using the wbinfo -u command) is
>anything in
>
>LDAP://192.168.0.10/OU=Test,DC=domain,DC=com # I can view these users
>
>And the users I need to authenticate are in
>
>LDAP://192.168.0.10/CN=auth,DC=domain,DC=com
>
>???
>
>Edward Brookhouse wrote:
>
>>No need to be sorry :)
>>
>>That link you sent speaks to adding the Computer into a particular
>>container - nothing about users.
>>
>>What is the layout of your domain? Which container can you see? Which
>>can you not?
>>
>>How is your realm setup in krb5.conf ?
>>
>>
>>
>>
>>
>>-----Original Message-----
>>From: Jason Gerfen [mailto:jason.gerfen at scl.utah.edu]
>>Sent: Wednesday, September 21, 2005 2:10 PM
>>To: Edward Brookhouse; samba at lists.samba.org
>>Subject: Re: [Samba] AD Authentication help please?
>>
>>Strange, I guess that is my misunderstanding of how it acquires the
>>list of users when running a wbinfo -u command.
>>
>>Yep, here is the output:
>>
>>jason at odin-newb:~> sudo net ads join -U Admin at domain.com
>>Admin at domain.com's password: xxxxxx
>>Using short domain name -- DOMAIN.COM
>>Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
>>
>>And when I check to see if it is available within Active Directory
>>(member server of Win2k domain) I can clearly see the
>>CN=odin-newb,cn=computers,dc=domain,dc=com listed in the appropriate
>>container.
>>
>>My problem at this point is the only users I can view are in a
>>different container. You say you can view all users for all containers right?
>>
>>Well after joining the domain the first time I followed the
>>samba3-howto and attempted to point to a container of users and now those are the
>>only ones I can view.
>>
>>http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-create-machine-account
>>
>>I am sorry about any confusion.
>>
>>Edward Brookhouse wrote:
>>
>>>I still do not understand what you mean by map ?
>>>
>>>In my setup wbinfo -u shows me 'everything' regardless of the
>>>container it's in.
>>>
>>>It sounds like you think there should be some kind of authentication
>>>mapping but there does not need to be one -
>>>
>>>By adding the computer to the domain - and setting up the kerb conf -
>>>when an auth request hits samba he will hand it to the domain and the
>>>domain should do a recursive search for user objects under
>>>dc=your,dc=toplevel,dc=com
>>>
>>>The only reason you see the ou=Users in your trace is because Admin
>>>lives in ou=Users by default.
>>>
>>>Can you authenticate ? Have you tried?
>>>
>>>
>>>
>>>
>>>
>>>-----Original Message-----
>>>From: Jason Gerfen [mailto:jason.gerfen at scl.utah.edu]
>>>Sent: Wednesday, September 21, 2005 1:46 PM
>>>To: Edward Brookhouse
>>>Subject: Re: [Samba] AD Authentication help please?
>>>
>>>Sorry, I suppose I am leaving things out.
>>>
>>>I am able to see the machine in the computers container after I
>>>successfully joined the domain using the net ads join command. However
>>>while trying (multiple times) to map to the CN=users container in Active
>>>directory I mapped to an OU=otherUsers which is now what I see when I do
>>>a wbinfo -u command.
>>>
>>>If what you are saying is correct about the default mapping to the
>>>cn=users I need to revert back to this somehow.
>>>
>>>Edward Brookhouse wrote:
>>>
>>>>Try to forget about where the users live for a sec - get the computer in
>>>>the domain first. Your net ads join command should return a welcome to
>>>>the domain if it does not - use a net rpc join command in the same
>>>>fashion -
>>>>
>>>>Then go look in AD to see if that computer showed up in your Computers
>>>>container -
>>>>
>>>>If it did, great .. you should be golden
>>>>
>>>>If not - go back to the net join until it works :)
>>>>
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: Jason Gerfen [mailto:jason.gerfen at scl.utah.edu]
>>>>Sent: Wednesday, September 21, 2005 1:22 PM
>>>>To: Edward Brookhouse
>>>>Subject: Re: [Samba] AD Authentication help please?
>>>>
>>>>Hmm, that might be my problem. I am using the HOWTO and running the
>>>>commands in this order:
>>>>
>>>>%> net ads join -U <username>
>>>>%> kinit <username>
>>>>%> net ads join -U <username> "users" as the container which is not
>>>>found.
>>>>
>>>>Do I need to do a net ads leave command? In order to attempt a new
>>>>mapping for the users container?
>>>>
>>>>Edward Brookhouse wrote:
>>>>
>>>>>I'm still confused on what you are saying - here is why:
>>>>>
>>>>># net ads join
>>>>>
>>>>>Should join the 'computer' to the domain - the user should already be in
>>>>>there - the ou=users is the default implied container where users live,
>>>>>but it should not matter where the users are in the directory -
>>>>>
>>>>>For example -
>>>>>
>>>>>My domain is laid out like:
>>>>>
>>>>>dc=corp,dc=example,dc=com
>>>>>
>>>>>with ou=users being where admin lives
>>>>>but all my other users live in ou=HD,ou=7811
>>>>>
>>>>>once you do net ads join the computer should show up in the Computers
>>>>>container.
>>>>>
>>>>>-----Original Message-----
>>>>>From: Jason Gerfen [mailto:jason.gerfen at scl.utah.edu]
>>>>>Sent: Tuesday, September 20, 2005 3:35 PM
>>>>>To: Edward Brookhouse; samba at lists.samba.org
>>>>>Subject: Re: [Samba] AD Authentication help please?
>>>>>
>>>>>When joining the samba box to a domain:
>>>>>
>>>>>%> net ads join -U <username>
>>>>>%> kinit Admin at DOMAIN.COM
>>>>>%> net ads join -U <username> <LDAP/AD Container of users>
>>>>>
>>>>>The last command fails and when doing an strace you can clearly see that
>>>>>it is expecting an Organizational Unit (OU) vs. a Common Name (CN) which
>>>>>is where the users I need to authenticate are currently residing.
>>>>>
>>>>>Do I need to move these to an OU vs. a CN? Here is the strace output I
>>>>>am referring to:
>>>>>
>>>>>%> strace -o tmp net ads join -U "Admin" "users"
>>>>>
>>>>>(only including pertinent lines with searching for container to map to)
>>>>>
>>>>>write(6, "0C\2\1\5c>\4\36ou=users,dc=DOMAIN,dc=COM"..., 69) = 69 <--
>>>>>here is the hard coded ou, I am not 100% familiar with the LDAP RFC but
>>>>>on a windows Active Directory there are CN and OU containers
>>>>>
>>>>>See how it is appending the OU=USERS?
>>>>>
>>>>>Edward Brookhouse wrote:
>>>>>
>>>>>>Not sure I understand your question. What are you trying to map?
>>>>>>
>>>>>>-----Original Message-----
>>>>>>From: samba-bounces+ebroo=healthydirections.com at lists.samba.org
>>>>>>[mailto:samba-bounces+ebroo=healthydirections.com at lists.samba.org]
>>>>>>On Behalf Of Jason Gerfen
>>>>>>Sent: Tuesday, September 20, 2005 11:25 AM
>>>>>>To: samba at lists.samba.org
>>>>>>Subject: [Samba] AD Authentication help please?
>>>>>>
>>>>>>I am having a problem which with much help from this list I have gotten
>>>>>>90% complete. I am attempting to create a samba server which will
>>>>>>authenticate users as a Domain member server using active directory.
>>>>>>The question I have is how can I map a specific container which is not
>>>>>>an OU but a CN in the active directory?
>>>>>>
>>>>>>Any help is appreciated.
>>>>>>
--
Jason Gerfen
"My girlfriend threated to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK
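An added example, not part of the thread or of Samba itself: a small Python linter for the kind of smb.conf and krb5.conf posted above. It parses both files into sections (keeping duplicate parameters, and normalizing parameter names the way Samba does, ignoring case and whitespace), then flags the problems visible in the posted configs: a parameter set twice in [global] (only the last value takes effect, so the file says less than it appears to), `password level` above 0 (lets smbd accept case variants of a plaintext password and has no role on an ADS member), `winbind separator = /` (the separator Edward suggests changing to `+`, since DOMAIN/user names read like paths), and single-DES Kerberos enctypes, which are weak and which current Windows domain controllers no longer enable by default. The embedded sample configs are constructed from the values posted in the thread; the finding codes and the `lint()` function are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples that mirror the configurations posted in the thread
# (trimmed to the parameters the checks below look at).
SAMPLE_SMB_CONF = """
[global]
   workgroup = DOMAIN.COM
   realm = DOMAIN.COM
   security = ADS
   prefered master = no
   local master = no
   prefered master = no
   encrypt passwords = yes
   password level = 20
   winbind separator = /
   template homedir = /odin/%D/%U
"""

SAMPLE_KRB5_CONF = """
[libdefaults]
   default_realm = DOMAIN.COM
   default_tkt_enctypes = des-cbc-crc des-cbc-md5
   default_tgs_enctypes = des-cbc-crc
[realms]
   DOMAIN.COM = {
      kdc = 192.168.0.10
   }
"""

Section = List[Tuple[str, str]]


def parse_ini(text: str) -> Dict[str, Section]:
    """Parse an smb.conf / krb5.conf style file into {section: [(key, value), ...]}.

    Duplicates are kept in order so the linter can see repeated parameters.
    Parameter names are lower-cased and stripped of whitespace, which is how
    Samba compares them ('prefered master' and 'Prefered Master' are the same).
    """
    sections: Dict[str, Section] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # e.g. the closing '}' of a krb5.conf realm block
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower().replace(" ", ""), value.strip()))
    return sections


def last_value(section: Section, key: str) -> Optional[str]:
    """Samba semantics: when a parameter is repeated, the last occurrence wins."""
    value = None
    for k, v in section:
        if k == key:
            value = v
    return value


def lint(smb_text: str, krb_text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the given smb.conf and krb5.conf text."""
    findings: List[Tuple[str, str]] = []
    smb = parse_ini(smb_text)
    krb = parse_ini(krb_text)

    # A parameter set twice is usually a leftover; only the last value applies.
    for name, section in smb.items():
        seen = set()
        for key, _ in section:
            if key in seen:
                findings.append(("duplicate-key", f"[{name}] '{key}' set more than once; last value wins"))
            seen.add(key)

    glob = smb.get("global", [])
    level = last_value(glob, "passwordlevel")
    if level and level.isdigit() and int(level) > 0:
        findings.append(("password-level", f"password level = {level} lets smbd accept case variants of a plaintext password; drop it on an ADS member"))

    if last_value(glob, "winbindseparator") == "/":
        findings.append(("separator-slash", "winbind separator = / makes DOMAIN/user names look like paths; use + or \\"))

    # Single-DES enctypes (des-cbc-crc, des-cbc-md5) are weak; des3-* is not matched here.
    for key, value in krb.get("libdefaults", []):
        if key.endswith("enctypes"):
            weak = [t for t in value.split() if t.startswith("des-")]
            if weak:
                findings.append(("weak-enctype", f"{key} lists single-DES types {weak}"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_SMB_CONF, SAMPLE_KRB5_CONF):
        print(f"{code:16} {msg}")
```

Run against the embedded samples it reports one duplicate `prefered master`, the `password level`, the `/` separator and two weak-enctype lines (one per `*_enctypes` key); against a config that sets none of these it returns an empty list. To lint real files, read them into strings and pass them to `lint()`.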