[Samba] Re: Samba with AD

Franz Pfoertsch franz.pfoertsch at brose.net
Mon Nov 6 14:45:33 GMT 2006


Have you configured kerberos?

have a look at http://wiki.samba.org/index.php/Samba_%26_Active_Directory

"ads_connect preauthentication failed" means there is something wrong with
authentication or the machine account already exists.

regards
Franz

Pashii B wrote:

> I am stuck with Samba -Active Directory communication. Trying to bring my
> SUSE 10.0 to speak with AD Domain.
> 
> net rpc testjoin - brings a unable to find suitable server message
> 
> net join -  kerberos_kinit_password preauthentication failed and
> ads_connect preauthentication failed
> 
> wbinfo -u works fine
> wbinfo -t works fine
> getent passwd/group works too
> 
> smb is running
> nmb is running
> winbindd is running
> nscd is not running
> 
> Here my smb.conf
> 
> [global]
> workgroup = (netbios name of mydomain)
> realm = mydomain.local
> netbios name = sambaservername
> server string =
> security = ads
> template shell = /bin/bash
> idmap uid = 150000-250000
> idmap gid = 150000-250000
> idmap backend = ldap://192.168.5.15 ldap://10.0.0.210
> winbind use default domain = yes
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw
> map to guest = Bad User
> include = /etc/samba/dhcp.conf
> logon path = \\%L\profiles\.msprofile
> logon home = \\%L\%U\.9xprofile
> logon drive = P:
> add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
> domain logons = no
> domain master = No
> ldap admin dn =
> ldap delete dn = No
> #ldap filter = (uid=%u)
> ldap group suffix =
> ldap idmap suffix =
> ldap machine suffix =
> ldap passwd sync = No
> ldap replication sleep = 1000
> ldap ssl = Start_tls
> ldap suffix =
> ldap timeout = 5
> ldap user suffix =
> passdb backend = ldapsam:ldap://192.168.5.15  ldapsam:ldap://10.0.0.210
> security = user
> debug level = 5
> log level = 5
> 
> 
> my nsswitch.conf
> 
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Legal entries are:
> #
> #       compat                  Use compatibility setup
> #       nisplus                 Use NIS+ (NIS version 3)
> #       nis                     Use NIS (NIS version 2), also called YP
> #       dns                     Use DNS (Domain Name Service)
> #       files                   Use the local files
> #       [NOTFOUND=return]       Stop searching if not found so far
> #
> # For more information, please read the nsswitch.conf.5 manual page.
> #
> 
> # passwd: files nis
> # shadow: files nis
> # group:  files nis
> 
> passwd:       files ldap
> group:        files ldap
> shadow:       files
> 
> hosts:        files dns
> networks:     files dns
> 
> services:     files
> protocols:    files
> rpc:  files
> ethers:       files
> netmasks:     files
> netgroup:     files
> publickey:    files
> 
> bootparams:   files
> automount:    files nis
> aliases:      files
> 
> 
> my krb5.conf
> 
> [libdefaults]
> default_realm = mydomain.local
> clockskew = 300
> 
> [realms]
> mydomain.local = {
> kdc = (FQDN of AD Domain Controller)
> default_domain = mydomain.local
> admin_server = (FQDN of AD Domain Controller)
> }
> 
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
> 
> [domain_realm]
> .mydomain.local = mydomain.local
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> try_first_pass = true
> }
> 
> 
> my pam.d/login
> 
> #%PAM-1.0
> auth     required       pam_securetty.so
> auth     sufficient     pam_winbind.so use_first_pass_use_authtok
> auth     sufficient     pam_unix2.so
> auth   required       pam_stack.so use_first_pass
> auth     required       pam_nologin.so
> auth     required       pam_mail.so
> account  sufficient     pam_winbind.so use_first_pass use_authtok
> account  required       pam_stack.so service=system-auth
> account  sufficient     pam_unix2.so
> password sufficient     pam_winbind.so use_first_pass use_authtok
> password required       pam_pwcheck.so
> password sufficient     pam_unix2.so
> session  required       pam_stack.so service=system-auth
> session  optional       pam_console.so
> session  sufficient     pam_winbind.so use_first_pass use_authtok
> session  required       pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session  sufficient     pam_unix2.so
> session  required       pam_limits.so
> 
> and finally /etc/ldap.conf
> 
> #
> # This is the configuration file for the LDAP nameservice
> # switch library, the LDAP PAM module and the shadow package.
> #
> 
> # Your LDAP server. Must be resolvable without using LDAP.
> host 192.168.5.15 10.0.0.210
> 
> # The distinguished name of the search base.
> base dc=mydomain,dc=local
> 
> # The LDAP version to use (defaults to 3
> # if supported by client library)
> ldap_version 3
> 
> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> rootbinddn (DN of administrator)
> 
> # The credentials to bind with.
> # Optional: default is no credential.
> bindpw secret
> 
> # The distinguished name to bind to the server with
> # if the effective user ID is root. Password is
> # stored in /etc/ldap.secret (mode 600)
> rootbinddn (DN of administrator)
> 
> # The port.
> # Optional: default is 389.
> #port 389
> 
> # The search scope.
> #scope sub
> #scope one
> #scope base
> 
> # Search timelimit
> #timelimit 30
> 
> # Bind timelimit
> #bind_timelimit 30
> 
> # Idle timelimit; client will close connections
> # (nss_ldap only) if the server has not been contacted
> # for the number of seconds specified below.
> #idle_timelimit 3600
> 
> # Filter to AND with uid=%s
> #pam_filter objectclass=account
> 
> # The user ID attribute (defaults to uid)
> #pam_login_attribute uid
> 
> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> #pam_lookup_policy yes
> 
> # Check the 'host' attribute for access control
> # Default is no; if set to yes, and user has no
> # value for the host attribute, and pam_ldap is
> # configured for account management (authorization)
> # then the user will not be allowed to login.
> #pam_check_host_attr yes
> 
> # Group to enforce membership of
> #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
> 
> # Group member attribute
> #pam_member_attribute uniquemember
> 
> # Specify a minium or maximum UID number allowed
> #pam_min_uid 0
> #pam_max_uid 0
> 
> # Template login attribute, default template user
> # (can be overriden by value of former attribute
> # in user's entry)
> #pam_login_attribute userPrincipalName
> #pam_template_login_attribute uid
> #pam_template_login nobody
> 
> # Do not hash the password at all; presume
> # the directory server will do it, if
> # necessary. This is the default.
> #pam_password clear
> 
> # Hash password locally; required for University of
> # Michigan LDAP server, and works with Netscape
> # Directory Server if you're using the UNIX-Crypt
> # hash mechanism and not using the NT Synchronization
> # service.
> pam_password crypt
> 
> # Remove old password first, then update in
> # cleartext. Necessary for use with Novell
> # Directory Services (NDS)
> #pam_password nds
> 
> # Update Active Directory password, by
> # creating Unicode password and updating
> # unicodePwd attribute.
> #pam_password ad
> 
> # Use the OpenLDAP password change
> # extended operation to update the password.
> #pam_password exop
> 
> # Redirect users to a URL or somesuch on password
> # changes.
> #pam_password_prohibit_message Please visit http://internal to change your
> #password.
> 
> # RFC2307bis naming contexts
> # Syntax:
> # nss_base_XXX                base?scope?filter
> # where scope is {base,one,sub}
> # and filter is a filter to be &'d with the
> # default filter.
> # You can omit the suffix eg:
> # nss_base_passwd     ou=People,
> # to append the default base DN but this
> # may incur a small performance impact.
> #nss_base_passwd      ou=People,dc=padl,dc=com?one
> #nss_base_shadow      ou=People,dc=padl,dc=com?one
> #nss_base_group               ou=Group,dc=padl,dc=com?one
> #nss_base_hosts               ou=Hosts,dc=padl,dc=com?one
> #nss_base_services    ou=Services,dc=padl,dc=com?one
> #nss_base_networks    ou=Networks,dc=padl,dc=com?one
> #nss_base_protocols   ou=Protocols,dc=padl,dc=com?one
> #nss_base_rpc         ou=Rpc,dc=padl,dc=com?one
> #nss_base_ethers      ou=Ethers,dc=padl,dc=com?one
> #nss_base_netmasks    ou=Networks,dc=padl,dc=com?ne
> #nss_base_bootparams  ou=Ethers,dc=padl,dc=com?one
> #nss_base_aliases     ou=Aliases,dc=padl,dc=com?one
> #nss_base_netgroup    ou=Netgroup,dc=padl,dc=com?one
> 
> # attribute/objectclass mapping
> # Syntax:
> #nss_map_attribute    rfc2307attribute        mapped_attribute
> #nss_map_objectclass  rfc2307objectclass      mapped_objectclass
> 
> # configure --enable-nds is no longer supported.
> # For NDS now do:
> #nss_map_attribute uniqueMember member
> 
> # configure --enable-mssfu-schema is no longer supported.
> # For MSSFU now do:
> #nss_map_objectclass posixAccount User
> #nss_map_attribute uid msSFUName
> #nss_map_attribute uniqueMember posixMember
> #nss_map_attribute userPassword msSFUPassword
> #nss_map_attribute homeDirectory msSFUHomeDirectory
> #nss_map_objectclass posixGroup Group
> #pam_login_attribute msSFUName
> #pam_filter objectclass=User
> #pam_password ad
> 
> # configure --enable-authpassword is no longer supported
> # For authPassword support, now do:
> #nss_map_attribute userPassword authPassword
> #pam_password nds
> 
> # For IBM SecureWay support, do:
> #nss_map_objectclass posixAccount aixAccount
> #nss_map_attribute uid userName
> #nss_map_attribute gidNumber gid
> #nss_map_attribute uidNumber uid
> #nss_map_attribute userPassword passwordChar
> #nss_map_objectclass posixGroup aixAccessGroup
> #nss_map_attribute cn groupName
> #nss_map_attribute uniqueMember member
> #pam_login_attribute userName
> #pam_filter objectclass=aixAccount
> #pam_password clear
> 
> # Netscape SDK LDAPS
> #ssl on
> 
> # Netscape SDK SSL options
> #sslpath /etc/ssl/certs/cert7.db
> 
> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> ssl start_tls
> #ssl on
> 
> # OpenLDAP SSL options
> # Require and verify server certificate (yes/no)
> # Default is "no"
> #tls_checkpeer yes
> 
> # CA certificates for server certificate verification
> # At least one of these are required if tls_checkpeer is "yes"
> #tls_cacertfile /etc/ssl/ca.cert
> #tls_cacertdir /etc/ssl/certs
> 
> # SSL cipher suite
> # See man ciphers for syntax
> #tls_ciphers TLSv1
> 
> # Client certificate and key
> # Use these, if your server requires client authentication.
> #tls_cert
> #tls_key
> 
> 
> 
> Any Tips what I am missing out on ?????  I am trying to get authentication
> working with SAMBA through to AD
> 
> Regards
> 
> Pashii
> 

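Added example, not part of the original thread: a small pre-flight check for the smb.conf side of a `net ads join`. Samba's own `testparm -s` is the authoritative way to see the effective configuration; this script reproduces the one rule that matters for the symptom above (a parameter repeated inside `[global]` resolves to its LAST value, so a later `security = user` silently overrides an earlier `security = ads`), and adds two Kerberos-related checks: the `realm` must be upper-case because Kerberos realm names are case-sensitive and AD realms are upper-case, and for Samba 3.0 an LDAP idmap backend is written with the module prefix (`idmap backend = ldap:ldap://host`), not as a bare URL. The two smb.conf fragments are constructed for this example and are not the poster's file; the IP addresses are documentation addresses.

```shell
#!/bin/sh
# Pre-flight check of smb.conf for a Samba 3.x 'net ads join'.
# Added example for the thread above; the sample configs below are constructed.

# Print the effective value of parameter $2 in [global] of smb.conf $1.
# Parameter names match case-insensitively; the LAST occurrence wins, as in Samba.
effective_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && tolower($0) ~ ("^[ \t]*" key "[ \t]*=") {
            line = $0
            sub(/^[^=]*=[ \t]*/, "", line)   # drop "name ="
            sub(/[ \t]+$/, "", line)         # drop trailing blanks
            val = line
        }
        END { print val }
    ' "$1"
}

# Count how often parameter $2 is set inside [global] of smb.conf $1.
count_global_key() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && tolower($0) ~ ("^[ \t]*" key "[ \t]*=") { n++ }
        END { print n + 0 }
    ' "$1"
}

# Run the checks, print findings, return 0 only if the file looks join-ready.
check_ads_join_config() {
    conf=$1
    rc=0
    n=$(count_global_key "$conf" security)
    sec=$(effective_global_value "$conf" security)
    if [ "$n" -gt 1 ]; then
        echo "WARN: 'security' set $n times in [global]; Samba uses the last one: '$sec'"
        rc=1
    fi
    if [ "$sec" != "ads" ]; then
        echo "FAIL: effective 'security = $sec'; 'net ads join' needs 'security = ads'"
        rc=1
    fi
    realm=$(effective_global_value "$conf" realm)
    if [ -z "$realm" ]; then
        echo "FAIL: no 'realm' in [global]; required with security = ads"
        rc=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "WARN: realm '$realm' is not upper-case; Kerberos realm names are case-sensitive"
        rc=1
    fi
    idmap=$(effective_global_value "$conf" "idmap backend")
    case "$idmap" in
        ldap://*)
            echo "WARN: 'idmap backend = $idmap' is a bare URL; Samba 3.0 syntax is 'ldap:ldap://host'"
            rc=1 ;;
    esac
    return $rc
}

# Constructed sample: 'ads' set early, overridden by 'user' further down.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
[global]
workgroup = EXAMPLE
realm = example.local
security = ads
idmap backend = ldap://192.0.2.10
passdb backend = ldapsam:ldap://192.0.2.10
security = user
[homes]
security = ads
EOF

# Constructed sample with the settings an ADS member needs.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[global]
workgroup = EXAMPLE
realm = EXAMPLE.LOCAL
security = ads
idmap uid = 150000-250000
idmap gid = 150000-250000
winbind use default domain = yes
EOF
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT

echo "== $BAD_CONF";  check_ads_join_config "$BAD_CONF"  || echo "-> not join-ready"
echo "== $GOOD_CONF"; check_ads_join_config "$GOOD_CONF" && echo "-> looks join-ready"

# Live checks against the DC (network required, not run here):
#   kinit Administrator@EXAMPLE.LOCAL   # preauth failure here points at password, clock skew or realm case
#   klist
#   net ads join -U Administrator
#   net ads testjoin
```

Run it on a real smb.conf by replacing the constructed paths with `/etc/samba/smb.conf`; the `[homes]` line in the bad sample shows that only `[global]` is consulted.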