[Samba] Help with RHEL4 and AD 2003 Authentication

Anoop Bhat mywebsftp at gmail.com
Fri Jun 30 15:42:31 GMT 2006


Any idea what the separator should be to use CORP\zuser as the login?

On 6/30/06, pk <paul at computertaming.com> wrote:
>
> since your smb.conf has winbind separator = + ; login CORP+zuser
> wbinfo commands show you don't have access to the domain; go to the AD server,
> delete the Linux computer (that you tried to join to the directory) from
> the active directory.  Kinit shows Kerberos works. Go to /var/log/samba,
> check error logs; check system logs, verify winbind is running.  I found
> after *.conf files were changed daemons had to be restarted. Try
> joining again. What happens if you use the smbclient command, i.e.
>
> smbclient //CORP.OBSCURED.COM/shared something -Uzuser%password
>
>
>
>
> Anoop Bhat wrote:
>
> > Hello,
> >
> > I've been reading up on lots of documents that mention the different
> > ways to do things as far as joining a Linux machine to AD and
> > authentication. I've tried most of them but it's not helping at all.
> > I've included my config files for smb.conf, krb5.conf,
> > pam.d/system-auth and the applicable nsswitch.conf lines. For security
> > reasons, I've obscured part of the domain name. Any help is appreciated.
> >
> > Here are the questions:
> >
> > 1. Do I need to edit more than one pam.d file? For now, I'm just
> > trying to be able to SSH in as a domain account and as a local user
> > account.
> > 2. Do all the config files here look correct?
> > 3. When logging in, what should my login name be? DOMAIN\Username or
> > just Username or username@DOMAIN.NAME.COM? I've tried all with no luck.
> > 4. Can AD group policy affect this in some way?
> >
> > At the bottom, I have attached the output of some commands that may also
> > help.
> >
> > Thank you in advance for any help/advice.
> >
> > Anoop
> >
> > # pam.d/system-auth
> > auth        required      /lib/security/$ISA/pam_env.so
> > auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> > auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> > auth        required      /lib/security/$ISA/pam_deny.so
> >
> > account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> > account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> > account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
> > account     required      /lib/security/$ISA/pam_permit.so
> >
> > password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> > password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> > password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
> > password    required      /lib/security/$ISA/pam_deny.so
> >
> > session     required      /lib/security/$ISA/pam_limits.so
> > session     required      /lib/security/$ISA/pam_unix.so
> >
> > # krb5.conf
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > default_realm = CORP.OBSCURED.COM
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > ticket_lifetime = 24h
> > forwardable = yes
> > default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> > default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> > preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> >
> > [realms]
> > CORP.OBSCURED.COM = {
> >  kdc = dmc01.corp.obscured.com
> >  kdc = dmc02.corp.obscured.com
> >  default_domain = CORP.OBSCURED.COM
> >  kdc = dmc03.corp.obscured.com
> > }
> >
> > [domain_realm]
> > .example.com = CORP.OBSCURED.COM
> > example.com = CORP.OBSCURED.COM
> >
> > [kdc]
> > profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > [appdefaults]
> > pam = {
> >   debug = false
> >   ticket_lifetime = 36000
> >   renew_lifetime = 36000
> >   forwardable = true
> >   krb4_convert = false
> > }
> >
> > # smb.conf
> > [global]
> > workgroup = CORP
> > netbios name = ADTEST01
> > server string = A test server
> > printcap name = /etc/printcap
> > load printers = yes
> > log file = /var/log/samba/%m.log
> > log level = 10
> > max log size = 50
> > security = ads
> > realm = CORP.OBSCURED.COM
> > encrypt passwords = yes
> > preferred master = no
> > smb passwd file = /etc/samba/smbpasswd
> > allow trusted domains = yes
> > unix password sync = yes
> > password server = *
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> > pam password change = yes
> > obey pam restrictions = yes
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > dns proxy = no
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > enhanced browsing = no
> > winbind use default domain = no
> > winbind separator = +
> > winbind enum users = yes
> > winbind enum groups = yes
> > template shell = /bin/bash
> > template homedir = /home/%U
> >
> > # nsswitch.conf
> > passwd:     files winbind
> > shadow:     files winbind
> > group:      files winbind
> >
> > hosts:      files dns
> >
> > bootparams: nisplus [NOTFOUND=return] files
> > ethers:     files
> > netmasks:   files
> > networks:   files
> > protocols:  files winbind
> > rpc:        files
> > services:   files winbind
> > netgroup:   files winbind
> > publickey:  files
> > automount:  files winbind
> > aliases:    files
> >
> > # OUTPUT
> >
> > # net ads join -U Administrator
> > bhataadmin's password:
> > [2006/06/30 09:54:14, 0] libads/ldap.c:ads_add_machine_acct(1368)
> >  ads_add_machine_acct: Host account for ADTEST01 already exists - modifying old account
> > Using short domain name -- CORP
> > Joined 'ADTEST01' to realm 'CORP.OBSCURED.COM'
> > #
> >
> > # kinit Administrator@CORP.OBSCURED.COM
> > Password for Administrator@CORP.OBSCURED.COM:
> > #
> >
> > # wbinfo -u
> > Error looking up domain users
> > # wbinfo -g
> > Error looking up domain groups
> > # wbinfo -t
> > checking the trust secret via RPC calls failed
> > error code was  (0x0)
> > Could not check secret
> > #
> >
> > Thanks very much.
>
>
>
>
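An added example, not from anyone in this thread: a small POSIX sh helper that reads workgroup, winbind separator and winbind use default domain from an smb.conf and prints the login form winbind will expect, for the + separator in the config above, for Samba's default backslash separator, and for the bare-username case. The sample configs and temp-file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: derive the login form winbind expects
# from the smb.conf settings that control it. The sample configs below are
# constructed, not the poster's real files.

# smb_param FILE PARAM: print PARAM's value (first match), or nothing if unset.
smb_param() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# winbind_login_name FILE USER: print the name to type at the login prompt.
winbind_login_name() {
    workgroup=$(smb_param "$1" 'workgroup')
    sep=$(smb_param "$1" 'winbind separator')
    usedefault=$(smb_param "$1" 'winbind use default domain')
    # Samba's compiled-in default separator is a backslash.
    if [ -z "$sep" ]; then sep='\'; fi
    case "$usedefault" in
        [Yy]es|[Tt]rue|1) printf '%s\n' "$2" ;;           # bare username
        *) printf '%s%s%s\n' "$workgroup" "$sep" "$2" ;;  # DOMAIN<sep>user
    esac
}

# Constructed sample configs: the thread's "+" separator, Samba's default
# separator, and "winbind use default domain = yes".
SMB_CONF_PLUS=$(mktemp); SMB_CONF_DEFAULT=$(mktemp); SMB_CONF_BARE=$(mktemp)
trap 'rm -f "$SMB_CONF_PLUS" "$SMB_CONF_DEFAULT" "$SMB_CONF_BARE"' EXIT
cat >"$SMB_CONF_PLUS" <<'EOF'
[global]
   workgroup = CORP
   winbind use default domain = no
   winbind separator = +
EOF
cat >"$SMB_CONF_DEFAULT" <<'EOF'
[global]
   workgroup = CORP
   winbind use default domain = no
EOF
cat >"$SMB_CONF_BARE" <<'EOF'
[global]
   workgroup = CORP
   winbind use default domain = yes
EOF

winbind_login_name "$SMB_CONF_PLUS" zuser      # CORP+zuser
winbind_login_name "$SMB_CONF_DEFAULT" zuser   # CORP\zuser
winbind_login_name "$SMB_CONF_BARE" zuser      # zuser
```

At an interactive shell the backslash form has to be quoted or escaped (for example ssh 'CORP\zuser'@host), which is one reason admins pick a separator such as +.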