[Samba] Help with RHEL4 and AD 2003 Authentication
Anoop Bhat
mywebsftp at gmail.com
Fri Jun 30 15:01:31 GMT 2006
Hello,
I've been reading up on lots of documents that mention the different ways to
do things as far as joining a linux machine to AD and authentication. I've
tried most of them but its not helping at all. I've included my config files
for smb.conf, krb5.conf, pam.d/system-auth and the applicable
nsswitch.conflines. For security reasons, i've obscured part of the
domain name. Any help
is appreciated.
Here are the questions:
1. Do i need to edit more than one pam.d file? For now, I'm just trying to
be able to SSH in as a domain account and as a local user account.
2. Do all the config files here look correct?
3. When logging in, what should my login name be? DOMAIN\Username or just
Username or username at DOMAIN.NAME.COM ? I've tried all with no luck.
4. Can AD group policy affect this in someway?
At the bottom, I have attached the output of some commands that may also
help.
Thank you in advance for any help/advice.
Anoop
# pam.d/system-auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
quiet
account [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
# krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CORP.OBSCURED.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
[realms]
CORP.OBSCURED.COM = {
kdc = dmc01.corp.obscured.com
kdc = dmc02.corp.obscured.com
default_domain = CORP.OBSCURED.COM
kdc = dmc03.corp.obscured.com
}
[domain_realm]
.example.com = CORP.OBSCURED.COM
example.com = CORP.OBSCURED.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
# smb.conf
[global]
workgroup = CORP
netbios name = ADTEST01
server string = A test server
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba/%m.log
log level = 10
max log size = 50
security = ads
realm = CORP.OBSCURED.COM
encrypt passwords = yes
preferred master = no
smb passwd file = /etc/samba/smbpasswd
allow trusted domains = yes
unix password sync = yes
password server = *
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 10000-20000
idmap gid = 10000-20000
enhanced browsing = no
winbind use default domain = no
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
# nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: files
automount: files winbind
aliases: files
# OUTPUT
# net ads join -U Administrator
bhataadmin's password:
[2006/06/30 09:54:14, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for ADTEST01 already exists - modifying
old account
Using short domain name -- CORP
Joined 'ADTEST01' to realm 'CORP.OBSCURED.COM'
#
# kinit Administrator at CORP.OBSCURED.COM
Password for Administrator at CORP.OBSCURED.COM:
#
# wbinfo -u
Error looking up domain users
# wbinfo -g
Error looking up domain groups
# wbinfo -t
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret
#
Thanks very much.
More information about the samba
mailing list