[Samba] AD Integrated authentication
michaelc at rmt.com.au
Wed Jun 6 00:13:38 GMT 2007
Thanks for your responses. It's now over a week later and I've re-installed to make sure it's not a RedHat magical if-you-don't-install-it-at-install-time-you-don't-get-the-right-config-files-setup issue. It's still not working, but I've found a new wall to bang my head against, and its name is Kerberos.
I may be back :)
From: mikee [mailto:mikee at mikee.ath.cx]
Sent: Wednesday, 6 June 2007 4:13 AM
To: Michael Cleghorn
Subject: Re: [Samba] AD Integrated authentication
On Mon, 28 May 2007, Michael Cleghorn might have said:
> Hello list,
> I'm going to try very hard not to rant here, but I've been trying to get Samba working for 3 days, and it's just not happening. Let me start from the beginning. I'm just a lowly Windows admin, but I've been doing this for 10 years, so I'm pretty sure I know what I'm doing (present situation excepted, clearly). I've got RedHat AS4 and a primarily Windows 2000 domain. I want to be able to transparently browse to the shares on the RH server from a Windows client without having to authenticate again, which is exactly what the AD integrated authentication is for, right?
> If I do "wbinfo -u" I get a list of AD objects, but without the AD domain name prepended, which is my first clue that something isn't right. If I do "wbinfo -a username%password" both plaintext and challenge/response authentication work. If I do "getent passwd" I get only local usernames. Same for "getent group", except I get local groups, obviously. From everything I've read in the man pages and God only knows how many online troubleshooting and/or help docs, this just doesn't happen. Everything that mentions using wbinfo and getent for testing just says "and you can try this and oh, look, it works". I'm paraphrasing slightly.
> I have joined the RH server to the domain. I can get a Kerberos ticket issued if I want one. I have been through smb.conf, nsswitch.conf and /etc/pam.d so often, I no longer remember what my originals looked like. I'm happy to post excerpts from any or all of these if they will help (I'm not going to do it now in case 1 - it's an easy fix, in which case I'm not sure if I'll laugh or cry, and 2 - to keep things relatively short). The logs have been less than ideally helpful, since I already know that authentication isn't working... somewhere.
> Can someone help? Please?
I authenticate my users with OpenLDAP on my Fedora Core box.
The FC box uses samba and samba does authenticate the remote
share access. Below is a snippet of my current configuration.
[global]
   # Posted as a bare snippet; all of these parameters belong in [global].
   # This is a passdb/LDAP setup: Samba authenticates users itself against
   # OpenLDAP (security = USER). It is not an AD domain member using winbind.
   security = USER
   # Client-side behaviour: with these at Yes, this host, when it acts as a
   # client (smbclient, net, etc.), will fall back to plaintext or LANMAN
   # responses if a server asks for them. Set both to No unless you need that.
   client plaintext auth = Yes
   client lanman auth = Yes
   encrypt passwords = Yes
   # Server side: LM responses are refused, NTLMv1 is still accepted.
   lanman auth = No
   ntlm auth = Yes
   password level = 0
   guest account = nobody
   admin users =
   hosts allow = .pointwise.com, 10.1.2., 10.1.3., 192.168.100.
   cups options = raw
   wins support = yes
   name resolve order = wins lmhosts host bcast
   dns proxy = no
   usershare allow guests = yes
   time server = yes
   workgroup = XXXX
   netbios aliases = loghost, mailhost, backuphost, ldaphost
   server string = Samba Server (%h)
   logon drive = L:
   logon home = \\%N\%U
   logon path = \\%N\%U\profile
   logon script = /etc/samba/login.bat
   ldap delete dn = Yes
   ldap suffix = dc=pointwise,dc=com
   ldap admin dn = cn=manager,dc=pointwise,dc=com
   ldap user suffix = ou=people
   ldap group suffix = ou=groups
   ldap machine suffix = ou=machines
   # No TLS on the LDAP connection: the admin DN bind (password stored in
   # secrets.tdb with 'smbpasswd -w') crosses the network in clear unless the
   # directory is on the same host. 'ldap ssl = start tls' or an ldaps:// URL
   # in 'passdb backend' avoids that.
   ldap ssl = off
   # Tells Samba the LDAP entries carry complete POSIX data, so it skips the
   # extra getpwnam() lookups.
   ldapsam:trusted = Yes
   ldap timeout = 15
   utmp directory = /var/run
   wtmp directory = /var/log
   utmp = Yes
   password server = ldaphost.pointwise.com
   passdb backend = ldapsam:ldap://ldaphost.pointwise.com
   # Keep the LDAP userPassword attribute in step with the NT/LM hashes.
   ldap passwd sync = Yes
   #unix password sync = Yes
   #passwd program = /usr/sbin/smbldap-passwd %u
   #passwd chat = "Changing * password*for*\nNew password*" %n\n "*Retype new password*" %n\n"
   #passwd chat debug = Yes
   # Browser election and NT4-style PDC role for workgroup XXXX.
   os level = 66
   preferred master = Yes
   local master = Yes
   domain master = Yes
   domain logons = Yes
   allow trusted domains = Yes
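The symptoms in the original post (wbinfo -u lists names without a domain prefix, wbinfo -a succeeds, getent passwd and getent group return only local entries) come down to a handful of smb.conf and nsswitch.conf settings. The script below is an added example, not code from the thread or from the Samba project: it parses smb.conf and nsswitch.conf text offline and reports the settings that usually explain exactly that state. The two sample configurations are constructed, EXAMPLE and EXAMPLE.LOCAL are hypothetical names, and nothing here talks to winbindd or a domain controller.

```python
"""Added example: offline checklist for a Samba AD-member (winbind) setup.
Constructed sample configs; EXAMPLE / EXAMPLE.LOCAL are hypothetical names."""
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]

# Constructed: an AD member in the state the original poster describes.
SMB_CONF_BROKEN = """\
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   encrypt passwords = yes
   winbind use default domain = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   ; winbind enum users / winbind enum groups left unset
"""
NSSWITCH_BROKEN = "passwd: files\nshadow: files\ngroup: files\nhosts: files dns\n"

# Constructed: the same host after the fixes the checks below ask for.
SMB_CONF_FIXED = """\
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   encrypt passwords = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = no
"""
NSSWITCH_FIXED = "passwd: files winbind\nshadow: files\ngroup: files winbind\nhosts: files dns\n"


def parse_smb_conf(text: str) -> Conf:
    """Minimal smb.conf reader: [section] headers and 'name = value' lines.
    Samba matches parameter names case-insensitively, so names are lowercased
    and inner whitespace collapsed before they are stored."""
    conf: Conf = {}
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" not in line:
            continue                      # not a parameter line
        name, value = line.split("=", 1)
        conf.setdefault(section, {})[" ".join(name.lower().split())] = value.strip()
    return conf


def is_yes(value: str) -> bool:
    """Samba boolean: yes/true/1, case-insensitive."""
    return value.strip().lower() in ("yes", "true", "1")


def nss_sources(text: str, database: str) -> List[str]:
    """Sources listed for one nsswitch.conf database, e.g. ['files', 'winbind']."""
    for raw in text.splitlines():
        db, sep, rest = raw.split("#", 1)[0].partition(":")
        if sep and db.strip() == database:
            return rest.split()
    return []


def check_ad_member(smb_conf_text: str, nsswitch_text: str) -> List[str]:
    """'ERROR: ...' for settings that break domain-user lookups,
    'NOTE: ...' for settings that only change what you see."""
    g = parse_smb_conf(smb_conf_text).get("global", {})
    findings: List[str] = []
    security = g.get("security", "user").lower()
    if security != "ads":
        findings.append(f"ERROR: security = {security}; Kerberos-based AD membership needs 'security = ads'")
    elif "realm" not in g:
        findings.append("ERROR: realm is unset; it is required with 'security = ads'")
    # Without enumeration, getent lists only local entries even though single
    # lookups ('getent passwd DOMAIN\\user') and wbinfo -u still work.
    for param, cmd in (("winbind enum users", "getent passwd"),
                       ("winbind enum groups", "getent group")):
        if not is_yes(g.get(param, "no")):
            findings.append(f"ERROR: {param} is not yes; '{cmd}' will list only local entries")
    # Samba 3.0 style 'idmap uid/gid' or the newer 'idmap config <dom> : range'.
    has_range = ("idmap uid" in g and "idmap gid" in g) or any(
        k.startswith("idmap config") and k.endswith("range") for k in g)
    if not has_range:
        findings.append("ERROR: no idmap range; winbind cannot allocate uids/gids for domain users")
    if is_yes(g.get("winbind use default domain", "no")):
        findings.append("NOTE: winbind use default domain = yes; wbinfo -u omits the DOMAIN\\ prefix by design")
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch_text, db):
            findings.append(f"ERROR: nsswitch.conf '{db}:' line lacks winbind, so glibc never asks winbindd")
    return findings


if __name__ == "__main__":
    for label, smb, nss in (("broken", SMB_CONF_BROKEN, NSSWITCH_BROKEN),
                            ("fixed", SMB_CONF_FIXED, NSSWITCH_FIXED)):
        print(f"--- {label} ---")
        for line in check_ad_member(smb, nss) or ["OK: nothing to report"]:
            print(line)
```

Run it against copies of /etc/samba/smb.conf and /etc/nsswitch.conf from the RH box; the "broken" sample reproduces the posted symptoms (four errors plus the note that the missing domain prefix is what `winbind use default domain = yes` is for), the "fixed" sample reports nothing. The script deliberately leaves Kerberos alone: `kinit`, `klist` and `net ads testjoin` are the right checks there, and the usual culprits are a clock more than five minutes off the domain controllers and a `realm` that does not match the Kerberos realm in /etc/krb5.conf.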