[Samba] CentOS 5 client in W2K3 AD Domain, getent only shows local info
Lemire, David
d.lemire at anassoc.com
Tue Feb 19 19:37:56 GMT 2008
One additional detail on my setup. In Chapter 7, Samba3-ByExample lists
Kerberos and Samba features needed for working with AD. Checking my
CentOS 5 installation, I find one gap in each list.
For Kerberos, the guide shows:
root# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
HAVE_KRB5_ENCRYPT_DATA
HAVE_KRB5_FREE_DATA_CONTENTS
(missing) HAVE_KRB5_FREE_KTYPES
HAVE_KRB5_GET_PERMITTED_ENCTYPES
HAVE_KRB5_KEYTAB_ENTRY_KEY
HAVE_KRB5_LOCATE_KDC
HAVE_KRB5_MK_REQ_EXTENDED
HAVE_KRB5_PRINCIPAL2SALT
HAVE_KRB5_PRINC_COMPONENT
HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
HAVE_KRB5_SET_REAL_TIME
HAVE_KRB5_STRING_TO_KEY
HAVE_KRB5_TKT_ENC_PART2
HAVE_KRB5_USE_ENCTYPE
HAVE_LIBGSSAPI_KRB5
HAVE_LIBKRB5
For Samba, the guide shows:
root# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
(missing) HAVE_LDAP_DOMAIN2HOSTLIST
HAVE_LDAP_INIT
HAVE_LDAP_INITIALIZE
HAVE_LDAP_SET_REBIND_PROC
HAVE_LIBLDAP
LDAP_SET_REBIND_PROC_ARGS
I'm not knowledgeable enough to know whether missing either
HAVE_KRB5_FREE_KTYPES or HAVE_LDAP_DOMAIN2HOSTLIST is a showstopper for me.
Dave
Lemire, David wrote:
>> Try comparing what you did to these articles. They worked very well
>> for me on a W2K AD domain.
>> To me, they're more easily understood than the official docs.
>>
>> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
>> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
>>
>
>
> They pretty much describe what I'd done to this point, +/- a couple of
> details (which I do realize may be important). One question they bring
> up for me is this: In describing krb5.conf, I've seen the
> [domain_realms] section shown two or three different ways:
>
> [domain_realms]
> .kerberos.server = DOMAIN.NET
>
>
> [domain_realms]
> .mydomain.domain = DOMAIN.NET
>
>
> [domain_realms]
> .mydomain.domain = DOMAIN.NET
> mydomain.domain = DOMAIN.NET
>
> The example on MIT kerberos site would seem to indicate that the third
> one of those is right (see
> <http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#domain_005frealm>),
> but I've definitely seen both of the others used as example configurations.
>
>
> The other thing I came across after posting my question to this list was
> an entry in Scott Lowe's blog about problems w/CentOS 5 and Active
> Directory integration
> <http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/>.
> OTOH, he was having problems getting the machine to join the domain,
> whereas my roadblocks are a step or two beyond that. Still, it makes me
> wonder if I shouldn't just one or more pieces of this puzzle (starting
> w/samba).
>
>
> I need to double-check my samba build includes the DOMAIN2HOSTLIST
> component; I can't check at the moment, but IIRC, that might not have
> been in the list when I checked before. Would missing that account for
> my winbind / getent disparity?
>
> Dave
>
>>
>> Lemire, David wrote:
>>> I'm trying to integrate a Linux machine into our
>>> Win2K3 ADS-based network. The machine must
>>> primarily serve as a user workstation (i.e., a
>>> Samba Client), although it also needs to serve at
>>> least one share for backup purposes. I'd like to
>>> emulate the behavior of our WinXP machines in that
>>> any user in our small company can login to any
>>> computer in the domain based on network
>>> username/password.
>>>
>>> I've been following the information in the
>>> "Samba3-By Example" guide (the on-line, PDF
>>> version, 28 Jan 2008), section 7.3.4. I've had
>>> success joining the network and accessing a share
>>> on a server, but then run into a snag where
>>> getent doesn't return equivalent information to
>>> wbinfo for users and groups. I've done scads of
>>> web searching, reading, tinkering with conf files,
>>> and have scanned about six months of this list's
>>> archive without finding a resolution, although my
>>> problem doesn't seem to be uncommon. Before I post conf files with
>>> specifics I'd like to ask a couple of basic questions:
>>>
>>> 1) Need I care that getent won't return equivalent
>>> results as wbinfo? The guide describes this is
>>> "to validate the full identity resolution is
>>> functional as required", so I've been taking it as
>>> gospel that I shouldn't tackle PAM until getent
>>> works.
>>>
>>> 2) Active Directory Configuration: Is it a
>>> requirement that I either make configuration
>>> changes in AD or install Microsoft Services for
>>> UNIX to accomplish what I want? The By-Example
>>> guide seems to indicate that I don't have to (1st
>>> page of 7.3.4), but at least one write-up I've
>>> found on-line states that AD mods are necessary
>>> (<http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/>
>>> it is from Dec 2005, so could be out-of-date?).
>>>
>>> 3) My software versions are:
>>>
>>> * PDC and BDC are running Active Directory on Windows Server 2003 SP2
>>> * Linux machine is running CentOS 5 with current updates
>>> * Samba software is 3.0.25b (supplied w/CentOS)
>>> * krb5 software is 1.6.1-17 (supplied w/CentOS)
>>> * nss is 3.11.7 (supplied w/CentOS)
>>> * nss_ldap is 253-5 (supplied w/CentOS)
>>>
>>> Do I need to upgrade to newer versions? I've read
>>> of problems with Samba 3.0.23c on Red Hat, but
>>> nothing I've seen indicates a problem with
>>> 3.0.25b. If upgrading is recommended, I'd
>>> appreciate a pointer to an appropriate source of
>>> RPMs, as these are newest version in the CentOS
>>> Repositories, and I'm not too comfortable with building
>>> from source yet.
>>>
>>> 4) If nsswitch.conf is configured for winbind, do
>>> I need to worry at all about LDAP configuration?
>>>
>>> 5) I've seen mention about letter case being a
>>> problem in configuring Kerberos and Samba. On our
>>> AD server, the domain appears as "DOMAIN.local",
>>> with the letter case as shown, so the FQDN of the
>>> server is SERVER.DOMAIN.local. Is this somehow
>>> causing me a problem? In the krb5.conf and
>>> smb.conf files, I've identified the realm as
>>> DOMAIN.LOCAL.
>>>
>>> 6) One oddity: when I started working on this,
>>> after the machine joined the domain, wbinfo showed
>>> results as DOMAIN+username but somewhere along the
>>> line that changed to just the username. Is that
>>> indicative of something I've misconfigured?
>>>
>>> Thanks for any insight. My gut tells me I'm not
>>> far off, but I've exceeded my "solve it myself"
>>> frustration level!
>>>
>>> Dave Lemire
>>>
>
--
David Lemire
Director of Technology
& Corporate Capabilities
A&N Associates, Inc.
999 Corporate Blvd, Suite 100
Linthicum, Maryland 21090
TEL: 410-859-5449 x111
FAX: 410-859-5292
d.lemire at anassoc.com
www.anassoc.com
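Added example, not part of Dave's message or of the Samba project: a self-checking shell script for the krb5.conf / smb.conf / nsswitch.conf interplay behind questions 1, 4 and 6 above and the three [domain_realm] forms (note that MIT Kerberos names the section [domain_realm]; a [domain_realms] section is simply ignored). All configuration contents, the realm DOMAIN.LOCAL, the DC name, the idmap ranges and the `smbd -b` excerpt are constructed for this example; the `idmap uid`/`idmap gid` syntax is the 3.0-series form. The checks encode three facts a practitioner would verify first when wbinfo works but getent does not: getent goes through NSS, so passwd and group in nsswitch.conf must list winbind; winbind cannot hand out a Unix uid/gid without an idmap range; and an unqualified `getent passwd` lists domain accounts only with `winbind enum users = yes` (likewise groups). `wb_name` shows why wbinfo output flips between DOMAIN+user and plain user: that is `winbind use default domain`, with `winbind separator` defaulting to a backslash.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks on the three files that decide
# whether getent (via NSS) sees the same AD accounts as wbinfo (which asks winbindd
# directly). All configs are CONSTRUCTED for a hypothetical realm DOMAIN.LOCAL.
export LC_ALL=C
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

cat >"$WORK/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = DOMAIN.LOCAL
[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
EOF
# Same file with the misspelt section name that MIT krb5 silently ignores.
sed 's/^\[domain_realm\]/[domain_realms]/' "$WORK/krb5.conf" >"$WORK/krb5-bad.conf"

cat >"$WORK/smb.conf" <<'EOF'
[global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    security = ads
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = +
    winbind use default domain = no
EOF

printf 'passwd:     files winbind\ngroup:      files winbind\n' >"$WORK/nsswitch.conf"
sed 's/ winbind$//' "$WORK/nsswitch.conf" >"$WORK/nsswitch-bad.conf"
# Constructed stand-in for 'smbd -b | grep KRB' on a build lacking one symbol.
printf '   HAVE_KRB5_H\n   HAVE_KRB5\n   HAVE_LIBKRB5\n' >"$WORK/smbd-b.txt"

# section FILE NAME: non-blank body of the INI section [NAME].
section() {
    awk -v want="[$2]" '/^[ \t]*\[/ { insec = ($1 == want); next } insec && NF { print }' "$1"
}
# kv FILE NAME: "key=value" lines from [NAME], key lower-cased and stripped of
# whitespace, because Samba treats "Winbind Enum Users" and "winbindenumusers" alike.
kv() {
    section "$1" "$2" | awk -F= 'NF >= 2 { k = $1; v = $2; gsub(/[ \t]/, "", k)
        sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print tolower(k) "=" v }'
}

# krb5_ok FILE DNSDOMAIN REALM: [domain_realm] must map the bare DNS domain and
# its subdomains (leading dot) to the realm, and the realm must be upper case.
krb5_ok() {
    f=$1; d=$2; r=$3
    case $r in *[a-z]*) echo "realm '$r' is not upper case"; return 1 ;; esac
    section "$f" domain_realms | grep -q . && { echo "[domain_realms] is not a krb5.conf section; use [domain_realm]"; return 1; }
    kv "$f" domain_realm | grep -qxF ".$d=$r" || { echo "missing '.$d = $r'"; return 1; }
    kv "$f" domain_realm | grep -qxF "$d=$r" || { echo "missing '$d = $r'"; return 1; }
}

# smb_ok FILE: [global] settings winbind needs before getent can list AD accounts.
smb_ok() {
    g=$(kv "$1" global)
    echo "$g" | grep -qxF security=ads || { echo "security must be ads"; return 1; }
    echo "$g" | grep -qx 'realm=[A-Z0-9.-]*' || { echo "realm must be set, in upper case"; return 1; }
    for k in idmapuid idmapgid; do   # without a range winbind cannot allocate Unix ids
        echo "$g" | grep -qx "$k=[0-9]*-[0-9]*" || { echo "$k range missing"; return 1; }
    done
    for k in winbindenumusers winbindenumgroups; do   # needed for an unqualified getent
        echo "$g" | grep -qxF "$k=yes" || { echo "$k = yes missing"; return 1; }
    done
}

# nss_ok FILE: getent only consults winbindd if passwd and group list the winbind module.
nss_ok() {
    for db in passwd group; do
        awk -v key="$db:" '$1 == key { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 } END { exit !ok }' "$1" \
            || { echo "nsswitch.conf: '$db' does not list winbind"; return 1; }
    done
}

# wb_name FILE USER: the name winbind hands out for USER. 'winbind use default domain
# = yes' drops the DOMAIN prefix; 'winbind separator' defaults to a backslash.
wb_name() {
    g=$(kv "$1" global); sep=$(echo "$g" | sed -n 's/^winbindseparator=//p'); [ -n "$sep" ] || sep='\'
    if echo "$g" | grep -qxF winbindusedefaultdomain=yes; then printf '%s\n' "$2"
    else printf '%s\n' "$(echo "$g" | sed -n 's/^workgroup=//p')$sep$2"; fi
}

# missing_flags "SYM SYM ..." < smbd-b-output: print each required symbol that is absent.
missing_flags() {
    have=$(awk '{ print $1 }')
    for s in $1; do echo "$have" | grep -qxF "$s" || echo "$s"; done
}

for f in krb5.conf krb5-bad.conf; do
    if krb5_ok "$WORK/$f" domain.local DOMAIN.LOCAL; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
smb_ok "$WORK/smb.conf" && nss_ok "$WORK/nsswitch.conf" && echo "smb.conf and nsswitch.conf: ok"
echo "winbind presents user dave as: $(wb_name "$WORK/smb.conf" dave)"
echo "missing from smbd -b: $(missing_flags 'HAVE_KRB5 HAVE_KRB5_FREE_KTYPES' <"$WORK/smbd-b.txt")"
```

To run the same checks against a live box, point `krb5_ok`, `smb_ok` and `nss_ok` at /etc/krb5.conf, /etc/samba/smb.conf and /etc/nsswitch.conf, and feed `missing_flags` with `smbd -b` output and the symbol list from the guide; the script does not say whether a given missing build symbol matters, only which ones are missing.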