[Samba] CentOS 5 client in W2K3 AD Domain, getent only shows local info

Lemire, David d.lemire at anassoc.com
Tue Feb 19 19:37:56 GMT 2008


One additional detail on my setup.  In Chapter 7, Samba3-ByExample lists 
Kerberos and Samba features needed for working with AD.  Checking my 
CentOS 5 installation, I find one gap in each list.

For Kerberos, the guide shows:

root# smbd -b | grep KRB
      HAVE_KRB5_H
      HAVE_ADDRTYPE_IN_KRB5_ADDRESS
      HAVE_KRB5
      HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
      HAVE_KRB5_ENCRYPT_DATA
      HAVE_KRB5_FREE_DATA_CONTENTS
(missing)     HAVE_KRB5_FREE_KTYPES
      HAVE_KRB5_GET_PERMITTED_ENCTYPES
      HAVE_KRB5_KEYTAB_ENTRY_KEY
      HAVE_KRB5_LOCATE_KDC
      HAVE_KRB5_MK_REQ_EXTENDED
      HAVE_KRB5_PRINCIPAL2SALT
      HAVE_KRB5_PRINC_COMPONENT
      HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
      HAVE_KRB5_SET_REAL_TIME
      HAVE_KRB5_STRING_TO_KEY
      HAVE_KRB5_TKT_ENC_PART2
      HAVE_KRB5_USE_ENCTYPE
      HAVE_LIBGSSAPI_KRB5
      HAVE_LIBKRB5

For Samba, the guide shows:

root # smbd -b | grep LDAP
      HAVE_LDAP_H
      HAVE_LDAP
(missing)     HAVE_LDAP_DOMAIN2HOSTLIST
      HAVE_LDAP_INIT
      HAVE_LDAP_INITIALIZE
      HAVE_LDAP_SET_REBIND_PROC
      HAVE_LIBLDAP
      LDAP_SET_REBIND_PROC_ARGS

I'm not knowledgeable enough to know whether missing either 
HAVE_KRB5_FREE_KTYPES or HAVE_LDAP_DOMAIN2HOSTLIST is a showstopper for me.


	Dave





Lemire, David wrote:
>> Try comparing what you did to these articles.  They worked very well 
>> for me on a W2K AD domain.
>> To me, they're more easily understood than the official docs.
>>
>> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
>> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1 
>>
> 
> 
> They pretty much describe what I'd done to this point, +/- a couple of 
> details (which I do realize may be important).  One question they bring 
> up for me is this:  In describing krb5.conf, I've seen the 
> [domain_realms] section shown two or three different ways:
> 
>  [domain_realms]
>         .kerberos.server = DOMAIN.NET
> 
> 
>  [domain_realms]
>         .mydomain.domain = DOMAIN.NET
> 
> 
>  [domain_realms]
>         .mydomain.domain = DOMAIN.NET
>         mydomain.domain = DOMAIN.NET
> 
> The example on MIT kerberos site would seem to indicate that the third 
> one of those is right (see 
> <http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#domain_005frealm>), 
> but I've definitely seen both of the others used as example configurations.
> 
> 
> The other thing I came across after posting my question to this list was 
> an entry in Scott Lowe's blog about problems w/CentOS 5 and Active 
> Directory integration 
> <http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/>. 
>  OTOH, he was having problems getting the machine to join the domain, 
> whereas my roadblocks are a step or two beyond that.  Still, it makes me 
> wonder if I shouldn't just one or more pieces of this puzzle (starting 
> w/samba).
> 
> 
> I need to double-check that my samba build includes the DOMAIN2HOSTLIST 
> component; I can't check at the moment, but IIRC, that might not have 
> been in the list when I checked before.  Would missing that account for 
> my winbind / getent disparity?
> 
> Dave
> 
> 
> 
> 
> 
> 
>>
>> Lemire, David wrote:
>>> I'm trying to integrate a Linux machine into our
>>> Win2K3 ADS-based network.  The machine must
>>> primarily serve as a user workstation (i.e., a
>>> Samba Client), although it also needs to serve at
>>> least one share for backup purposes.  I'd like to
>>> emulate the behavior of our WinXP machines in that
>>> any user in our small company can login to any
>>> computer in the domain based on network
>>> username/password.
>>>
>>> I've been following the information in the
>>> "Samba3-By Example" guide (the on-line, PDF
>>> version, 28 Jan 2008), section 7.3.4.  I've had
>>> success joining the network and accessing a share
>>> on a server, but then run into a snag where
>>> getent doesn't return equivalent information to
>>> wbinfo for users and groups. I've done scads of
>>> web searching, reading, tinkering with conf files,
>>> and have scanned about six months of this list's
>>> archive without finding a resolution, although my
>>> problem doesn't seem to be uncommon. Before I post conf files with
>>> specifics I'd like to ask a couple of basic questions:
>>>
>>> 1) Need I care that getent won't return equivalent
>>> results to wbinfo?  The guide describes this as
>>> "to validate the full identity resolution is
>>> functional as required", so I've been taking it as
>>> gospel that I shouldn't tackle PAM until getent
>>> works.
>>>
>>> 2) Active Directory Configuration:  Is it a
>>> requirement that I either make configuration
>>> changes in AD or install Microsoft Services for
>>> UNIX to accomplish what I want?  The By-Example
>>> guide seems to indicate that I don't have to (1st
>>> page of 7.3.4), but at least one write-up I've
>>> found on-line states that AD mods are necessary
>>> (<http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/>
>>> it is from Dec 2005, so could be out-of-date?).
>>>
>>> 3) My software versions are:
>>>
>>> *   PDC and BDC are running Active Directory on Windows Server 2003 SP2
>>> *   Linux machine is running CentOS 5 with current updates
>>> *   Samba software is 3.0.25b (supplied w/CentOS)
>>> *   krb5 software is 1.6.1-17 (supplied w/CentOS)
>>> *   nss is 3,11,7 (supplied w/CentOS)
>>> *   nss_ldap is 253-5 (supplied w/CentOS)
>>>
>>> Do I need to upgrade to newer versions?  I've read
>>> of problems with Samba 3.0.23c on Red Hat, but
>>> nothing I've seen indicates a problem with
>>> 3.0.25b.  If upgrading is recommended, I'd
>>> appreciate a pointer to an appropriate source of
>>> RPMs, as these are the newest versions in the CentOS
>>> repositories, and I'm not too comfortable with building
>>> from source yet.
>>>
>>> 4)  If nsswitch.conf is configured for winbind, do
>>> I need to worry at all about LDAP configuration?
>>>
>>> 5)  I've seen mention about letter case being a
>>> problem in configuring Kerberos and Samba. On our
>>> AD server, the domain appears as "DOMAIN.local",
>>> with the letter case as shown, so the FQDN of the
>>> server is SERVER.DOMAIN.local.  Is this somehow
>>> causing me a problem?  In the krb5.conf and
>>> smb.conf files, I've identified the realm as
>>> DOMAIN.LOCAL.
>>>
>>> 6)  One oddity:  when I started working on this,
>>> after the machine joined the domain, wbinfo showed
>>> results as DOMAIN+username but somewhere along the
>>> line that changed to just the username.  Is that
>>> indicative of something I've misconfigured?
>>>
>>> Thanks for any insight.  My gut tells me I'm not
>>> far off, but I've exceeded my "solve it myself"
>>> frustration level!
>>>
>>> Dave Lemire
>>>   
> 

-- 

David Lemire
Director of Technology
   & Corporate Capabilities
A&N Associates, Inc.
999 Corporate Blvd, Suite 100
Linthicum, Maryland 21090

TEL: 410-859-5449 x111
FAX: 410-859-5292
d.lemire at anassoc.com
www.anassoc.com
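The domain-to-realm question raised in the quoted message (MIT's krb5.conf section is spelled [domain_realm]), worked through as an added example that is not part of the thread: a small Python model of how MIT Kerberos maps a host name to a realm, using constructed host and realm names. It shows why the third form (a dotted entry plus an undotted one) covers both hosts under the domain and the bare domain name, and why the realm comes out in upper case even with no entry at all.

```python
# Added example (not from the thread): a minimal model of MIT Kerberos'
# host-to-realm lookup through the [domain_realm] section of krb5.conf.
# Host and realm names below are constructed samples.

# Third form from the thread: dotted entry (hosts under the domain) plus
# undotted entry (the bare domain name itself).
KRB5_CONF_THIRD_FORM = """
[libdefaults]
    default_realm = DOMAIN.LOCAL

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
"""

def parse_domain_realm(text: str) -> dict[str, str]:
    """Collect 'name = REALM' lines under [domain_realm]; names are lower-cased
    because MIT expects host and domain names in this section in lower case."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def realm_for_host(host: str, mapping: dict[str, str]) -> str:
    """Try the exact host name first, then each parent domain with a leading
    dot ('.domain.local', '.local'). With no match, MIT falls back to the
    host's domain portion converted to upper case."""
    labels = host.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + [
        "." + ".".join(labels[i:]) for i in range(1, len(labels))
    ]
    for name in candidates:
        if name in mapping:
            return mapping[name]
    return ".".join(labels[1:]).upper()

if __name__ == "__main__":
    third = parse_domain_realm(KRB5_CONF_THIRD_FORM)
    second = {".domain.local": "DOMAIN.LOCAL"}      # second form: dotted only
    for host in ("SERVER.DOMAIN.local", "domain.local"):
        print(f"{host:20} second form -> {realm_for_host(host, second):13}"
              f" third form -> {realm_for_host(host, third)}")
```

With only the dotted entry, the bare name domain.local falls through to the upper-cased fallback LOCAL, which is the difference between the second and third forms in the thread.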