[Samba] CentOS 5 client in W2K3 AD Domain, getent only shows local info

Lemire, David d.lemire at anassoc.com
Tue Feb 19 14:03:20 GMT 2008


> Try comparing what you did to these articles.  They worked very well for 
> me on a W2K AD domain.
> To me, they're more easily understood than the official docs.
> 
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1


They pretty much describe what I'd done to this point, +/- a couple of 
details (which I do realize may be important).  One question they bring 
up for me is this:  In describing krb5.conf, I've seen the 
[domain_realms] section shown two or three different ways:

  [domain_realms]
         .kerberos.server = DOMAIN.NET


  [domain_realms]
         .mydomain.domain = DOMAIN.NET


  [domain_realms]
         .mydomain.domain = DOMAIN.NET
         mydomain.domain = DOMAIN.NET

The example on MIT kerberos site would seem to indicate that the third 
one of those is right (see 
<http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#domain_005frealm>), 
but I've definitely seen both of the others used as example configurations.


The other thing I came across after posting my question to this list was 
an entry in Scott Lowe's blog about problems w/CentOS 5 and Active 
Directory integration 
<http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/>. 
  OTOH, he was having problems getting the machine to join the domain, 
whereas my roadblocks are a step or two beyond that.  Still, it makes me 
wonder if I shouldn't just one or more pieces of this puzzle (starting 
w/samba).


I need to double-check my samba build includes the DOMAIN2HOSTLIST 
component; I can't check at the moment, but IIRC, that might not have 
been in the list when I checked before.  Would missing that account for 
my winbind / getent disparity?

Dave






> 
> Lemire, David wrote:
>> I'm trying to integrate a Linux machine into our
>> Win2K3 ADS-based network.  The machine must
>> primarily serve as a user workstation (i.e., a
>> Samba Client), although it also needs to serve at
>> least one share for backup purposes.  I'd like to
>> emulate the behavior of our WinXP machines in that
>> any user in our small company can login to any
>> computer in the domain based on network
>> username/password.
>>
>> I've been following the information in the
>> "Samba3-By Example" guide (the on-line, PDF
>> version, 28 Jan 2008), section 7.3.4.  I've had
>> success joining the network and accessing a share
>> on a server, but then run into a snag where
>> getent doesn't return equivalent information to
>> wbinfo for users and groups. I've done scads of
>> web searching, reading, tinkering with conf files,
>> and have scanned about six months of this list's
>> archive without finding a resolution, although my
>> problem doesn't seem to be uncommon. 
>> Before I post conf files with specifics I'd like
>> to ask a couple of basic questions:
>>
>> 1) Need I care that getent won't return equivalent
>> results as wbinfo?  The guide describes this is
>> "to validate the full identity resolution is
>> functional as required", so I've been taking it as
>> gospel that I shouldn't tackle PAM until getent
>> works.
>>
>> 2) Active Directory Configuration:  Is it a
>> requirement that I either make configuration
>> changes in AD or install Microsoft Services for
>> UNIX to accomplish what I want?  The By-Example
>> guide seems to indicate that I don't have to (1st
>> page of 7.3.4), but at least one write-up I've
>> found on-line states that AD mods are necessary
>> (<http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-
>> details/>
>> it is from Dec 2005, so could be out-of-date?).
>>
>> 3) My software versions are:
>>
>> *   PDC and BDC are running Active Directory on
>>     Windows Server 2003 SP2
>> *   Linux machine is running CentOS 5 with current updates
>> *   Samba software is 3.0.25b (supplied w/CentOS)
>> *   krb5 software is 1.6.1-17 (supplied w/CentOS)
>> *   nss is 3,11,7 (supplied w/CentOS)
>> *   nss_ldap is 253- 5 (supplied w/CentOS)
>>
>> Do I need to upgrade to newer versions?  I've read
>> of problems with Samba 3.0.23c on Red Hat, but
>> nothing I've seen indicates a problem with
>> 3.0.25b.  If upgrading is recommended, I'd
>> appreciate a pointer to an appropriate source of
>> RPMs, as these are newest version in the CentOS
>> Repositories, and I'm not too comfortable with building
>> from source yet.
>>
>> 4)  If nsswitch.conf is configured for winbind, do
>> I need to worry at all about LDAP configuration?
>>
>> 5)  I've seen mention about letter case being a
>> problem in configuring Kerberos and Samba. On our
>> AD server, the domain appears as "DOMAIN.local",
>> with the letter case as shown, so the FQDN of the
>> server is SERVER.DOMAIN.local.  Is this somehow
>> causing me a problem?  In the krb5.conf  and
>> smb5.conf files, I've identified the realm as
>> DOMAIN.LOCAL.
>>
>> 6)  One oddity:  when I started working on this,
>> after the machine joined the domain, wbinfo showed
>> results as DOMAIN+username but somewhere along the
>> line that change to just the username.  Is that
>> indicative of something I've misconfigured?
>>
>> Thanks for any insight.  My gut tells me I'm not
>> far off, but I've exceeded my "solve it myself"
>> frustration level!
>>
>> Dave Lemire
>>   
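As an added example (not part of this thread, and not code from Samba, MIT Kerberos or the linked articles), the script below parses the three [domain_realm] variants quoted in the reply above and applies the lookup order the MIT krb5 documentation describes: exact hostname first, then each parent domain with a leading dot, then default_realm from [libdefaults]. Note that the section is really named [domain_realm] (singular), as the anchor in the MIT link shows. The hostnames, the realm DOMAIN.NET and the KDC names are constructed. It shows that a dotted entry such as .mydomain.domain matches hosts under the domain but not a host whose name is the bare domain (which AD DNS does use for the domain controllers), which is what the undotted line in the third variant covers; it also shows that with a single realm configured as default_realm, the fallback makes all three variants resolve to the same realm anyway, so a wrong mapping is more likely to bite in multi-realm setups.

```python
"""Resolve hostnames to a Kerberos realm through a krb5.conf [domain_realm] section.

Added example, not from the original thread. The lookup order modelled here
follows the MIT krb5 documentation: exact host entry, then parent domains
with a leading dot, then [libdefaults] default_realm.
"""

# Constructed sample configs: the three [domain_realm] variants from the post.
CONF_TEMPLATE = """
[libdefaults]
    default_realm = DOMAIN.NET

[realms]
    DOMAIN.NET = {
        kdc = dc1.mydomain.domain
        admin_server = dc1.mydomain.domain
    }

[domain_realm]
%s
"""

VARIANT_1 = CONF_TEMPLATE % "    .kerberos.server = DOMAIN.NET"
VARIANT_2 = CONF_TEMPLATE % "    .mydomain.domain = DOMAIN.NET"
VARIANT_3 = CONF_TEMPLATE % (
    "    .mydomain.domain = DOMAIN.NET\n    mydomain.domain = DOMAIN.NET"
)


def parse_krb5_conf(text):
    """Return {section: {tag: value}} for flat 'tag = value' lines.

    Brace-delimited subsections (the per-realm blocks under [realms]) are
    skipped; only the top-level tags of each section are needed here.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):                # entering a nested block
            depth += 1
            continue
        if line == "}":                       # leaving a nested block
            depth -= 1
            continue
        if depth == 0 and current and "=" in line:
            tag, value = (s.strip() for s in line.split("=", 1))
            sections[current][tag] = value
    return sections


def realm_for_host(conf, hostname):
    """Return (realm, matched_tag) for hostname.

    The hostname is folded to lower case before lookup, which is why the
    MIT docs want [domain_realm] keys in lower case. matched_tag tells the
    caller whether a real mapping hit or the default_realm fallback was used.
    """
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:                       # explicit per-host entry
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):           # parent domains, leading dot
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate], candidate
    return conf["libdefaults"]["default_realm"], "default_realm"


def check_variants(hostnames):
    """Map (variant, hostname) -> (realm, matched_tag) for the three forms."""
    results = {}
    for name, text in (("1", VARIANT_1), ("2", VARIANT_2), ("3", VARIANT_3)):
        conf = parse_krb5_conf(text)
        for h in hostnames:
            results[(name, h)] = realm_for_host(conf, h)
    return results


if __name__ == "__main__":
    for key, val in sorted(check_variants(
            ["fs1.mydomain.domain", "mydomain.domain"]).items()):
        print("variant %s  %-22s -> %s via %s" % (key[0], key[1], val[0], val[1]))
```

Run it against your own krb5.conf by reading the file into parse_krb5_conf and calling realm_for_host with the FQDN of a domain controller; a result whose matched tag is default_realm means the [domain_realm] section never matched and the realm came from the fallback alone.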


