[Samba] Help with RHEL4 and AD 2003 Authentication

Anoop Bhat mywebsftp at gmail.com
Sat Jul 1 03:19:00 GMT 2006


Ahh ok. I had troubles with leaving the line in there.

Any ideas on how I can auth certain groups only?

Thank you pk!

On 6/30/06, pk <paul at computertaming.com> wrote:
>
>
>
> yes
> winbind separator = \
> but that is the default so that line could be commented out and achieve
> the same result.
>
>
> Anoop Bhat wrote:
>
> > any idea what the separator should be to use CORP\zuser as the login?
> >
> > On 6/30/06, pk <paul at computertaming.com> wrote:
> >
> >>
> >> since your smb.conf has winbind separator = + ; login CORP+zuser
> >> wbinfo commands show you don't have access to the domain; go to the AD
> >> server and delete the linux computer (that you tried to join to the directory) from
> >> the active directory.  Kinit shows kerberos works. Go to /var/log/samba and
> >> check error logs; check system logs, verify winbind is running.  I found
> >> after *.conf files were changed daemons had to be restarted. Try
> >> joining again. What happens if you use the smbclient command ie
> >>
> >> smbclient //CORP.OBSCURED.COM/shared something -Uzuser%password
> >>
> >>
> >>
> >>
> >> Anoop Bhat wrote:
> >>
> >> > Hello,
> >> >
> >> > I've been reading up on lots of documents that mention the different
> >> > ways to do things as far as joining a linux machine to AD and authentication.
> >> > I've tried most of them but it's not helping at all. I've included my config
> >> > files for smb.conf, krb5.conf, pam.d/system-auth and the applicable
> >> > nsswitch.conf lines. For security reasons, I've obscured part of the
> >> > domain name. Any help is appreciated.
> >> >
> >> > Here are the questions:
> >> >
> >> > 1. Do I need to edit more than one pam.d file? For now, I'm just
> >> > trying to be able to SSH in as a domain account and as a local user account.
> >> > 2. Do all the config files here look correct?
> >> > 3. When logging in, what should my login name be? DOMAIN\Username or
> >> > just Username or username at DOMAIN.NAME.COM ? I've tried all with no luck.
> >> > 4. Can AD group policy affect this in some way?
> >> >
> >> > At the bottom, I have attached the output of some commands that may
> >> > also help.
> >> >
> >> > Thank you in advance for any help/advice.
> >> >
> >> > Anoop
> >> >
> >> > # pam.d/system-auth
> >> > auth        required      /lib/security/$ISA/pam_env.so
> >> > auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> >> > auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> >> > auth        required      /lib/security/$ISA/pam_deny.so
> >> >
> >> > account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> >> > account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> >> > account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
> >> > account     required      /lib/security/$ISA/pam_permit.so
> >> >
> >> > password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> >> > password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> >> > password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
> >> > password    required      /lib/security/$ISA/pam_deny.so
> >> >
> >> > session     required      /lib/security/$ISA/pam_limits.so
> >> > session     required      /lib/security/$ISA/pam_unix.so
> >> >
> >> > # krb5.conf
> >> > [logging]
> >> > default = FILE:/var/log/krb5libs.log
> >> > kdc = FILE:/var/log/krb5kdc.log
> >> > admin_server = FILE:/var/log/kadmind.log
> >> >
> >> > [libdefaults]
> >> > default_realm = CORP.OBSCURED.COM
> >> > dns_lookup_realm = true
> >> > dns_lookup_kdc = true
> >> > ticket_lifetime = 24h
> >> > forwardable = yes
> >> > default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> >> > default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> >> > preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> >> >
> >> > [realms]
> >> > CORP.OBSCURED.COM = {
> >> >  kdc = dmc01.corp.obscured.com
> >> >  kdc = dmc02.corp.obscured.com
> >> >  default_domain = CORP.OBSCURED.COM
> >> >  kdc = dmc03.corp.obscured.com
> >> > }
> >> >
> >> > [domain_realm]
> >> > .example.com = CORP.OBSCURED.COM
> >> > example.com = CORP.OBSCURED.COM
> >> >
> >> > [kdc]
> >> > profile = /var/kerberos/krb5kdc/kdc.conf
> >> >
> >> > [appdefaults]
> >> > pam = {
> >> >   debug = false
> >> >   ticket_lifetime = 36000
> >> >   renew_lifetime = 36000
> >> >   forwardable = true
> >> >   krb4_convert = false
> >> > }
> >> >
> >> > # smb.conf
> >> > [global]
> >> > workgroup = CORP
> >> > netbios name = ADTEST01
> >> > server string = A test server
> >> > printcap name = /etc/printcap
> >> > load printers = yes
> >> > log file = /var/log/samba/%m.log
> >> > log level = 10
> >> > max log size = 50
> >> > security = ads
> >> > realm = CORP.OBSCURED.COM
> >> > encrypt passwords = yes
> >> > preferred master = no
> >> > smb passwd file = /etc/samba/smbpasswd
> >> > allow trusted domains = yes
> >> > unix password sync = yes
> >> > password server = *
> >> > passwd program = /usr/bin/passwd %u
> >> > passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> >> > pam password change = yes
> >> > obey pam restrictions = yes
> >> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >> > dns proxy = no
> >> > idmap uid = 10000-20000
> >> > idmap gid = 10000-20000
> >> > enhanced browsing = no
> >> > winbind use default domain = no
> >> > winbind separator = +
> >> > winbind enum users = yes
> >> > winbind enum groups = yes
> >> > template shell = /bin/bash
> >> > template homedir = /home/%U
> >> >
> >> > # nsswitch.conf
> >> > passwd:     files winbind
> >> > shadow:     files winbind
> >> > group:      files winbind
> >> >
> >> > hosts:      files dns
> >> >
> >> > bootparams: nisplus [NOTFOUND=return] files
> >> > ethers:     files
> >> > netmasks:   files
> >> > networks:   files
> >> > protocols:  files winbind
> >> > rpc:        files
> >> > services:   files winbind
> >> > netgroup:   files winbind
> >> > publickey:  files
> >> > automount:  files winbind
> >> > aliases:    files
> >> >
> >> > # OUTPUT
> >> >
> >> > # net ads join -U Administrator
> >> > bhataadmin's password:
> >> > [2006/06/30 09:54:14, 0] libads/ldap.c:ads_add_machine_acct(1368)
> >> >  ads_add_machine_acct: Host account for ADTEST01 already exists - modifying old account
> >> > Using short domain name -- CORP
> >> > Joined 'ADTEST01' to realm 'CORP.OBSCURED.COM'
> >> > #
> >> >
> >> > # kinit Administrator at CORP.OBSCURED.COM
> >> > Password for Administrator at CORP.OBSCURED.COM:
> >> > #
> >> >
> >> > # wbinfo -u
> >> > Error looking up domain users
> >> > # wbinfo -g
> >> > Error looking up domain groups
> >> > # wbinfo -t
> >> > checking the trust secret via RPC calls failed
> >> > error code was  (0x0)
> >> > Could not check secret
> >> > #
> >> >
> >> > Thanks very much.
> >>
> >>
> >>
> >>
>
>
>
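As an added example that is not part of the thread: pk's point about the separator, applied mechanically. The script below parses the [global] section of an smb.conf (the sample is constructed from the lines posted above), derives the login form winbind will accept, and splits a typed login back into domain and user, so a mismatch such as typing CORP\zuser against "winbind separator = +" shows up before any time is spent on the join itself.

```python
"""Derive the expected winbind login form from an smb.conf [global] section.

Added example, not code from the thread. It applies pk's point that the
login must use the configured 'winbind separator' (Samba's default is '\\'),
so 'winbind separator = +' means CORP+zuser and the default means CORP\\zuser.
"""
import re

# Constructed sample: the relevant lines of the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """
[global]
workgroup = CORP
security = ads
realm = CORP.OBSCURED.COM
winbind use default domain = no
winbind separator = +
"""


def parse_global(text):
    """Return the [global] section as a dict. Samba ignores case and
    whitespace differences in parameter names, so keys are normalised."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':          # Samba comment lines
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == 'global' and '=' in line:
            key, value = line.split('=', 1)
            params[re.sub(r'\s+', '', key).lower()] = value.strip()
    return params


def expected_login(params, user):
    """Form a domain user must type, given the parsed winbind settings."""
    sep = params.get('winbindseparator', '\\')   # '\\' is Samba's default
    if params.get('winbindusedefaultdomain', 'no').lower() in ('yes', 'true', '1'):
        return user                               # bare username accepted
    return params.get('workgroup', '') + sep + user


def split_login(params, login):
    """Split DOMAIN<sep>user into (domain, user) using the configured
    separator, or (None, login) when the typed name carries no separator."""
    sep = params.get('winbindseparator', '\\')
    domain, found, user = login.partition(sep)
    return (domain, user) if found else (None, login)
```

With the posted config, expected_login(parse_global(SAMPLE_SMB_CONF), "zuser") is CORP+zuser; with the separator line removed it falls back to CORP\zuser.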