[Samba] CentOS 5 client in W2K3 AD Domain, getent only shows local info
Lemire, David
d.lemire at anassoc.com
Thu Mar 20 20:34:07 GMT 2008
More progress: by adding the Kerberos lines

    krb5_auth = yes
    krb5_ccache = FILE

into /etc/security/pam_winbind.conf, the user can now access network
shares without re-entering their password.
Can anyone give me a pointer where to look to solve the lack of network
browsing?
Dave
> -----Original Message-----
> From: samba-bounces+d.lemire=anassoc.com at lists.samba.org
> [mailto:samba-bounces+d.lemire=anassoc.com at lists.samba.org]
> On Behalf Of Lemire, David
> Sent: Wednesday, March 19, 2008 3:01 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] CentOS 5 client in W2K3 AD Domain,
> getent only showslocalinfo
>
> I decided to start over on my configuration, and this time I
> used the GUI tools available in CentOS for configuring Samba,
> Winbind, etc. As a result I've made considerable progress. I can:
>
> - login using network credentials authenticated
> by the domain controller
>
> - automatically generate home directories on the
> machine when new users login
>
> - link to network shares for which I'm authorized
>
> - link to a printer and print
>
>
>
> What I don't have right now is:
>
> - single sign-on -- once I login, I've got to resubmit my
> password once to connect to a network share. Having done so
> once, I don't need to do it again, but my login isn't sufficient.
>
> - network browsing -- within Nautilus, if I double-click on
> Network, I see two SFTP servers on the two Linux machines on
> the wire, and a "Windows Network" icon. If I double-click on
> Windows Network, I get an empty Nautilus window, and none of
> the network machines ever appear, even though they're part of
> the domain and a number of them have visible shares.
>
> I think what's happening is that somehow the network login
> isn't resulting in a Kerberos ticket, but I'll admit that's a
> guess. So I'm hoping someone can help me trouble-shoot my
> configuration files to overcome these last two items.
> Configs are below. Thanks much.
>
> DaveL
>
>
> ======================== smb.conf =========================
> [global]
> workgroup = MYCOMPANY
> realm = MYCOMPANY.LOCAL
> server string = Samba Server / LLINDELL01
> security = ADS
> log file = /var/log/samba/%m.log
> max log size = 50
> password server = mailserver.mycompany.local
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/bash
> winbind use default domain = true
> winbind enum users = true
> winbind enum groups = true
> template homedir = /home/%D/%U
> ============================ (end) smb.conf ================
>
>
> ========================= krb5.conf ========================
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MYCOMPANY.LOCAL
>
>
> [domain_realm]
> .mycompany.local = MYCOMPANY.LOCAL
> mycompany.local = MYCOMPANY.LOCAL
>
> # added to try and achieve SSO (2008-03-11)
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
> ===================== (end) krb5.conf =======================
>
>
> ====================== nsswitch.conf ========================
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> hosts: files dns
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: files
>
> publickey: nisplus
>
> automount: files
> aliases: files nisplus
> ======================(end) nsswitch.conf ===================
>
> ========================== /etc/pam.d/system-auth ===========
> auth required pam_env.so
> auth sufficient pam_unix.so likeauth nullok
> auth sufficient pam_winbind.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_winbind.so use_first_pass
>
> password required pam_cracklib.so retry=3 type=
> # above line is complete, should end w/the equals sign
> password sufficient pam_unix.so nullok use_authtok md5 shadow
> password sufficient pam_winbind.so use_first_pass
> password required pam_deny.so
>
> session required pam_mkhomedir.so skel=/etc/skel umask=0077
> session required pam_limits.so
> session sufficient pam_unix.so
> session sufficient pam_winbind.so use_first_pass
> ==================== (end) /etc/pam.d/system-auth ===========
>
>
>
>
>
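The guess in the quoted message, that the network login was not producing a Kerberos ticket, can be checked by inspecting the credential cache the login session points at. The script below is an added example, not part of the original post; it assumes the MIT Kerberos convention that `KRB5CCNAME` holds `FILE:/path`, and the function name `check_ccache` is hypothetical.

```python
import os
import stat


def check_ccache(ccname, uid):
    """Return a list of problems with a FILE-type Kerberos credential cache.

    ccname is the value of KRB5CCNAME (or None), uid the expected owner.
    An empty list means the cache exists, is private to the user and is non-empty.
    """
    if not ccname:
        return ["KRB5CCNAME is not set: the login left no ticket cache"]
    # "TYPE:residual"; a bare path with no prefix is treated as FILE.
    ctype, sep, path = ccname.partition(":")
    if not sep:
        ctype, path = "FILE", ccname
    if ctype != "FILE":
        return ["cache type is %s, not FILE" % ctype]
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted in /tmp
    except FileNotFoundError:
        return ["%s does not exist" % path]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    if st.st_uid != uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, uid))
    if st.st_mode & 0o077:
        # A ticket cache readable by others lets them act as the user.
        problems.append("mode %o allows group/other access" % (st.st_mode & 0o777))
    if st.st_size == 0:
        problems.append("cache file is empty (no ticket stored)")
    return problems


if __name__ == "__main__":
    # Run inside the freshly logged-in session of the domain user.
    found = check_ccache(os.environ.get("KRB5CCNAME"), os.getuid())
    print("\n".join(found) if found else "ticket cache looks sane")
```

The script checks only that the cache file is present and private; `klist` shows which tickets it holds and when they expire.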