[Samba] CentOS 5 client in W2K3 AD Domain, getent only shows local info
Lemire, David
d.lemire at anassoc.com
Wed Mar 5 20:18:01 GMT 2008
Well, I've continued to muck with this with no real progress to show. I still have a situation where "wbinfo -u" lists domain users but "getent passwd" only lists local users. Here are my configuration files for Samba, Kerberos, and NSSwitch. Maybe someone can see what's wrong / missing.
Right now I'll be happy to get to the point that a network user can log in on this CentOS machine based only on their network credentials.
Dave
================= smb.conf
[global]
workgroup = MYCOMPANY
realm = MYCOMPANY.LOCAL
server string = Samba Server / LLINDELL01
security = ADS
log file = /var/log/samba/%m.log
max log size = 50
password server = mydc.mycompany.local
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = false
================= smb.conf (end)
================= krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYCOMPANY.LOCAL
[domain_realm]
.mycompany.local = MYCOMPANY.LOCAL
mycompany.local = MYCOMPANY.LOCAL
================= krb5.conf (end)
================= nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
================= nsswitch.conf (end)
-----Original Message-----
From: samba-bounces+d.lemire=anassoc.com at lists.samba.org on behalf of Lemire, David
Sent: Tue 2/19/2008 2:37 PM
To: samba at lists.samba.org
Subject: Re: [Samba] CentOS 5 client in W2K3 AD Domain, getent only shows local info
One additional detail on my setup. In Chapter 7, Samba3-ByExample lists
Kerberos and Samba features needed for working with AD. Checking my
CentOS 5 installation, I find one gap in each list.
For Kerberos, the guide shows:
root# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
HAVE_KRB5_ENCRYPT_DATA
HAVE_KRB5_FREE_DATA_CONTENTS
(missing) HAVE_KRB5_FREE_KTYPES
HAVE_KRB5_GET_PERMITTED_ENCTYPES
HAVE_KRB5_KEYTAB_ENTRY_KEY
HAVE_KRB5_LOCATE_KDC
HAVE_KRB5_MK_REQ_EXTENDED
HAVE_KRB5_PRINCIPAL2SALT
HAVE_KRB5_PRINC_COMPONENT
HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
HAVE_KRB5_SET_REAL_TIME
HAVE_KRB5_STRING_TO_KEY
HAVE_KRB5_TKT_ENC_PART2
HAVE_KRB5_USE_ENCTYPE
HAVE_LIBGSSAPI_KRB5
HAVE_LIBKRB5
For Samba, the guide shows:
root# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
(missing) HAVE_LDAP_DOMAIN2HOSTLIST
HAVE_LDAP_INIT
HAVE_LDAP_INITIALIZE
HAVE_LDAP_SET_REBIND_PROC
HAVE_LIBLDAP
LDAP_SET_REBIND_PROC_ARGS
I'm not knowledgeable enough to know whether missing either of
HAVE_KRB5_FREE_KTYPES or HAVE_LDAP_DOMAIN2HOSTLIST is a showstopper for me.
Dave
Lemire, David wrote:
>> Try comparing what you did to these articles. They worked very well
>> for me on a W2K AD domain.
>> To me, they're more easily understood than the official docs.
>>
>> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
>> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
>>
>
>
> They pretty much describe what I'd done to this point, +/- a couple of
> details (which I do realize may be important). One question they bring
> up for me is this: In describing krb5.conf, I've seen the
> [domain_realms] section shown two or three different ways:
>
> [domain_realms]
> .kerberos.server = DOMAIN.NET
>
>
> [domain_realms]
> .mydomain.domain = DOMAIN.NET
>
>
> [domain_realms]
> .mydomain.domain = DOMAIN.NET
> mydomain.domain = DOMAIN.NET
>
> The example on MIT kerberos site would seem to indicate that the third
> one of those is right (see
> <http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#domain_005frealm>),
> but I've definitely seen both of the others used as example configurations.
>
>
> The other thing I came across after posting my question to this list was
> an entry in Scott Lowe's blog about problems w/CentOS 5 and Active
> Directory integration
> <http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/>.
> OTOH, he was having problems getting the machine to join the domain,
> whereas my roadblocks are a step or two beyond that. Still, it makes me
> wonder if I shouldn't just one or more pieces of this puzzle (starting
> w/samba).
>
>
> I need to double-check that my samba build includes the DOMAIN2HOSTLIST
> component; I can't check at the moment, but IIRC, that might not have
> been in the list when I checked before. Would missing that account for
> my winbind / getent disparity?
>
> Dave
>
>
>
>
>
>
>>
>> Lemire, David wrote:
>>> I'm trying to integrate a Linux machine into our
>>> Win2K3 ADS-based network. The machine must
>>> primarily serve as a user workstation (i.e., a
>>> Samba Client), although it also needs to serve at
>>> least one share for backup purposes. I'd like to
>>> emulate the behavior of our WinXP machines in that
>>> any user in our small company can login to any
>>> computer in the domain based on network
>>> username/password.
>>>
>>> I've been following the information in the
>>> "Samba3-By Example" guide (the on-line, PDF
>>> version, 28 Jan 2008), section 7.3.4. I've had
>>> success joining the network and accessing a share
>>> on a server, but then run into a snag where
>>> getent doesn't return equivalent information to
>>> wbinfo for users and groups. I've done scads of
>>> web searching, reading, tinkering with conf files,
>>> and have scanned about six months of this list's
>>> archive without finding a resolution, although my
>>> problem doesn't seem to be uncommon. Before I post conf files with
>>> specifics I'd like
>>> to ask a couple of basic questions:
>>>
>>> 1) Need I care that getent won't return equivalent
>>> results as wbinfo? The guide describes this is
>>> "to validate the full identity resolution is
>>> functional as required", so I've been taking it as
>>> gospel that I shouldn't tackle PAM until getent
>>> works.
>>>
>>> 2) Active Directory Configuration: Is it a
>>> requirement that I either make configuration
>>> changes in AD or install Microsoft Services for
>>> UNIX to accomplish what I want? The By-Example
>>> guide seems to indicate that I don't have to (1st
>>> page of 7.3.4), but at least one write-up I've
>>> found on-line states that AD mods are necessary
>>> (<http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/>
>>> it is from Dec 2005, so could be out-of-date?).
>>>
>>> 3) My software versions are:
>>>
>>> * PDC and BDC are running Active Directory on Windows Server 2003 SP2
>>> * Linux machine is running CentOS 5 with current updates
>>> * Samba software is 3.0.25b (supplied w/CentOS)
>>> * krb5 software is 1.6.1-17 (supplied w/CentOS)
>>> * nss is 3.11.7 (supplied w/CentOS)
>>> * nss_ldap is 253-5 (supplied w/CentOS)
>>>
>>> Do I need to upgrade to newer versions? I've read
>>> of problems with Samba 3.0.23c on Red Hat, but
>>> nothing I've seen indicates a problem with
>>> 3.0.25b. If upgrading is recommended, I'd
>>> appreciate a pointer to an appropriate source of
>>> RPMs, as these are newest version in the CentOS
>>> Repositories, and I'm not too comfortable with building
>>> from source yet.
>>>
>>> 4) If nsswitch.conf is configured for winbind, do
>>> I need to worry at all about LDAP configuration?
>>>
>>> 5) I've seen mention about letter case being a
>>> problem in configuring Kerberos and Samba. On our
>>> AD server, the domain appears as "DOMAIN.local",
>>> with the letter case as shown, so the FQDN of the
>>> server is SERVER.DOMAIN.local. Is this somehow
>>> causing me a problem? In the krb5.conf and
>>> smb.conf files, I've identified the realm as
>>> DOMAIN.LOCAL.
>>>
>>> 6) One oddity: when I started working on this,
>>> after the machine joined the domain, wbinfo showed
>>> results as DOMAIN+username but somewhere along the
>>> line that change to just the username. Is that
>>> indicative of something I've misconfigured?
>>>
>>> Thanks for any insight. My gut tells me I'm not
>>> far off, but I've exceeded my "solve it myself"
>>> frustration level!
>>>
>>> Dave Lemire
>>>
>
--
David Lemire
Director of Technology
& Corporate Capabilities
A&N Associates, Inc.
999 Corporate Blvd, Suite 100
Linthicum, Maryland 21090
TEL: 410-859-5449 x111
FAX: 410-859-5292
d.lemire at anassoc.com
www.anassoc.com
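Editor's note (added example; this is not part of the thread and not the poster's file). The symptom above, "wbinfo -u" listing domain users while an argument-less "getent passwd" shows only local accounts, is what Samba 3.0.23 and later produce by default: "winbind enum users" and "winbind enum groups" default to "no", so winbind answers the NSS enumeration calls (getpwent/getgrent) with nothing, while single-name lookups such as getent passwd 'MYCOMPANY\username' and PAM logins still resolve through winbind. Two further things in the posted smb.conf matter for the stated goal of domain users logging in: "template shell = /bin/false" (also the default) gives every domain user a non-interactive shell, and with "winbind use default domain = false" names must be given as DOMAIN\user (the separator defaults to "\"; a "+" appears only when "winbind separator = +" is set). The script below lints an smb.conf [global] section for exactly these settings, running it against a constructed copy of the posted [global] section and against an amended copy; the four amended lines are an assumption about what a workstation would need, not anything from the thread.

```sh
#!/bin/sh
# Added example (editor's, not from the thread). Lints the [global] section
# of an smb.conf for the winbind parameters that decide what an argument-less
# "getent passwd" / "getent group" can show and whether domain users get a
# usable login shell. Assumes Samba 3.0.x semantics: "winbind enum users" and
# "winbind enum groups" default to "no" (since 3.0.23) and "template shell"
# defaults to /bin/false.

# smb_param FILE NAME: print NAME's value from [global], or nothing if unset.
# Parameter names are case-insensitive and may contain spaces; like Samba,
# the last occurrence of a parameter wins.
smb_param() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ {
            in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next
        }
        in_global && $0 !~ /^[[:space:]]*[#;]/ && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub(/[[:space:]]+/, " ", key)
            if (tolower(key) == tolower(want)) { found = val; hit = 1 }
        }
        END { if (hit) print found }' "$1"
}

# enum_findings FILE: print one line per problem; exit 0 only if an
# argument-less getent will enumerate domain users and groups.
enum_findings() {
    rc=0
    for p in "winbind enum users" "winbind enum groups"; do
        v=$(smb_param "$1" "$p" | tr 'A-Z' 'a-z')
        case "$v" in
            yes|true|1) ;;
            *) echo "$p = ${v:-<unset, default no>}: getent will not list domain entries"
               rc=1 ;;
        esac
    done
    s=$(smb_param "$1" "template shell")
    case "${s:-/bin/false}" in
        /bin/false|/sbin/nologin)
            echo "template shell = ${s:-<unset, default /bin/false>}: domain users cannot log in interactively" ;;
    esac
    return $rc
}

# Constructed sample: the [global] section posted above, minus logging lines.
POSTED_SMB_CONF=$(mktemp)
cat > "$POSTED_SMB_CONF" <<'EOF'
[global]
   workgroup = MYCOMPANY
   realm = MYCOMPANY.LOCAL
   security = ADS
   password server = mydc.mycompany.local
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = false
EOF

# Constructed amended copy (an assumption, not the poster's file): turn on
# enumeration and give domain users a real shell and home directory
# (%D and %U expand to domain and user name).
FIXED_SMB_CONF=$(mktemp)
cp "$POSTED_SMB_CONF" "$FIXED_SMB_CONF"
cat >> "$FIXED_SMB_CONF" <<'EOF'
   Winbind Enum Users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
EOF
trap 'rm -f "$POSTED_SMB_CONF" "$FIXED_SMB_CONF"' EXIT

# Stand-alone run: report on the posted file, then on the amended one.
for f in "$POSTED_SMB_CONF" "$FIXED_SMB_CONF"; do
    echo "== $f"
    enum_findings "$f" && echo "enumeration settings ok"
done
```

Run against a real box, point it at /etc/samba/smb.conf, or compare with "testparm -s", which prints the effective values including defaults the file leaves unset. Turning enumeration on makes every argument-less getent walk the whole domain through winbind, which is slow on large domains; it is only needed for tools that enumerate, so a common choice is to leave it off and verify identity resolution with getent passwd 'MYCOMPANY\username' and getent group 'MYCOMPANY\Domain Users' instead.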
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba