[Samba] CentOS 5 client in W2K3 AD Domain, getent only shows local info

Lemire, David d.lemire at anassoc.com
Thu Mar 20 20:34:07 GMT 2008


More progress:  by adding the Kerberos lines 

	krb5_auth = yes
	krb5_ccache = FILE

into /etc/security/pam_winbind.conf, the user can now access network
shares without re-entering their password.

Can anyone give me a pointer where to look to solve the lack of network
browsing?

	Dave


 

> -----Original Message-----
> From: samba-bounces+d.lemire=anassoc.com at lists.samba.org 
> [mailto:samba-bounces+d.lemire=anassoc.com at lists.samba.org] 
> On Behalf Of Lemire, David
> Sent: Wednesday, March 19, 2008 3:01 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] CentOS 5 client in W2K3 AD Domain, 
> getent only shows local info
> 
> I decided to start over on my configuration, and this time I 
> used the GUI tools available in CentOS for configuring Samba, 
> Winbind, etc.  As a result I've made considerable progress.  I can:
> 
> - login using network credentials authenticated
>    by the domain controller
> 
> - automatically generate home directories on the
>    machine when new users login
> 
> - link to network shares for which I'm authorized
> 
> - link to a printer and print
> 
> 
> 
> What I don't have right now is:
> 
> - single sign-on -- once I log in, I've got to resubmit my 
> password once to connect to a network share.  Having done so 
> once, I don't need to do it again, but my login isn't sufficient.
> 
> - network browsing -- within Nautilus, if I double-click on 
> Network, I see two SFTP servers on the two Linux machines on 
> the wire, and a "Windows Network" icon.  If I double-click on 
> Windows Network, I get an empty Nautilus window, and none of 
> the network machines ever appear, even though they're part of 
> the domain and a number of them have visible shares.
> 
> I think what's happening is that somehow the network login 
> isn't resulting in a Kerberos ticket, but I'll admit that's a 
> guess.  So I'm hoping someone can help me troubleshoot my 
> configuration files to overcome these last two items.  
> Configs are below.  Thanks much.
> 
> 	DaveL
> 
> 
> ======================== smb.conf =========================
> [global]
>     workgroup = MYCOMPANY
>     realm = MYCOMPANY.LOCAL
>     server string = Samba Server / LLINDELL01
>     security = ADS
>     log file = /var/log/samba/%m.log
>     max log size = 50
>     password server = mailserver.mycompany.local
>     idmap uid = 16777216-33554431
>     idmap gid = 16777216-33554431
>     template shell = /bin/bash
>     winbind use default domain = true
>     winbind enum users = true
>     winbind enum groups = true
>     template homedir = /home/%D/%U
> ============================ (end) smb.conf ================
> 
> 
> ========================= krb5.conf ========================
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>   default_realm = MYCOMPANY.LOCAL
> 
> 
> [domain_realm]
>   .mycompany.local = MYCOMPANY.LOCAL
>   mycompany.local = MYCOMPANY.LOCAL
> 
> # added to try and achieve SSO (2008-03-11)
> [appdefaults]
> pam = {
>     debug = false
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
> }
> ===================== (end) krb5.conf =======================
> 
> 
> ====================== nsswitch.conf ========================
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
> 
> hosts:      files dns
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> 
> netgroup:   files
> 
> publickey:  nisplus
> 
> automount:  files
> aliases:    files nisplus
> ======================(end) nsswitch.conf ===================
> 
> ========================== /etc/pam.d/system-auth ===========
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so likeauth nullok
> auth        sufficient    pam_winbind.so use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so
> account     sufficient    pam_winbind.so use_first_pass
> 
> password    required      pam_cracklib.so retry=3 type=
> # above line is complete, should end w/the equals sign
> password    sufficient    pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    pam_winbind.so use_first_pass
> password    required      pam_deny.so
> 
> session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
> session     required      pam_limits.so
> session     sufficient    pam_unix.so
> session     sufficient    pam_winbind.so use_first_pass
> ==================== (end) /etc/pam.d/system-auth ===========
> 
> 
> 
> 
> 
> 
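
A small check for the change described in this message, added here as an example and not part of the original post or of Samba: it merges the `[global]` settings of pam_winbind.conf with the arguments on each `auth ... pam_winbind.so` line and reports whether a Kerberos ticket is requested at login. The sample file contents are constructed from the thread, and the function names and the `[global]` section in the samples are assumptions.

```python
import configparser
import re

# Constructed samples modelled on the files quoted in the thread.
CONF_BEFORE = "[global]\n"
CONF_AFTER = "[global]\nkrb5_auth = yes\nkrb5_ccache = FILE\n"
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
session     sufficient    pam_winbind.so use_first_pass
"""

# type, control (simple or bracketed), module path, remaining arguments
PAM_LINE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def file_settings(conf_text):
    """Return the [global] section of pam_winbind.conf as a dict."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    return dict(parser["global"]) if parser.has_section("global") else {}


def winbind_auth_options(conf_text, pam_text):
    """Effective options for each 'auth ... pam_winbind.so' line."""
    results = []
    for raw in pam_text.splitlines():
        match = PAM_LINE.match(raw.split("#", 1)[0])
        if not match or match.group(1).lstrip("-") != "auth":
            continue
        if not match.group(3).endswith("pam_winbind.so"):
            continue
        opts = file_settings(conf_text)
        for arg in match.group(4).split():
            key, _, value = arg.partition("=")
            opts[key] = value or "yes"  # bare flag on the PAM line
        results.append({
            # Assumed truthy spellings: anything starting with y, t or 1.
            "krb5_auth": opts.get("krb5_auth", "no")[:1].lower() in ("y", "t", "1"),
            # The thread writes krb5_ccache; pam_winbind.conf(5) documents
            # krb5_ccache_type. Report whichever is present.
            "ccache": opts.get("krb5_ccache_type") or opts.get("krb5_ccache"),
        })
    return results


def ticket_at_login(conf_text, pam_text):
    """True if any auth pam_winbind line asks for a Kerberos ticket."""
    return any(o["krb5_auth"] for o in winbind_auth_options(conf_text, pam_text))
```

Running `klist` as the logged-in user afterwards shows whether a ticket cache was actually created.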

