[Samba] setting default domain

Elijah Buck elijah at uchicago.edu
Mon Oct 5 15:36:13 MDT 2009


I'm attempting to use samba winbind for ssh authentication for users  
in Active Directory. Things are mostly working, but I'm looking for  
two things:

1.) I currently have to authenticate as ADLOCAL+elijah at concordia.uchicago.edu 
. I would like to authenticate as elijah at concordia.uchicago.edu

2.) I would like the uid of the elijah user to be pulled from an  
existing entry in /etc/passwd (or eventually ldap) instead of being  
generated by winbind.

====Active Directory Structure====
Groups, Computers, and administrative users are stored in the AD.UCHICAGO.EDU 
  domain. Users are stored in the AD.LOCAL domain. There is a  
transitive trust between the two domains. I have an administrative  
account in AD.UCHICAGO.EDU, and a normal user account in AD.LOCAL. The  
samba server is joined to AD.UCHICAGO.EDU and cannot be joined  
directly to AD.LOCAL.

Samba is running on Red Hat Enterprise Linux 5.4. Samba is version  
3.0.33-3.14 as packaged by redhat.

         workgroup = AD
         server string = Samba Server Version %v
         netbios name = concordia
         security = domain
         encrypt passwords = yes
         dns proxy = yes
         password server = ad1.ad.uchicago.edu
         winbind separator = +
         ;username map = /etc/samba/smbusers
         ;idmap uid = 15000-200000
         ;idmap gid = 15000-200000
         ;winbind enum users = yes
         ;winbind enum groups = yes
         template homedir = /home-ads/%U
         template shell = /bin/bash
         winbind use default domain = yes

         comment = Home Directories
         browseable = no
         writable = yes

  default_realm = AD.UCHICAGO.EDU
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

   admin_server = ad1.ad.uchicago.edu
   kdc = ad1.ad.uchicago.edu
  AD.LOCAL = {
   admin_server = alfalfa.ad.local
   kdc = alfalfa.ad.local

  .ad.uchicago.edu = AD.UCHICAGO.EDU
  .ad.local = AD.LOCAL

auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so nullok use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     sufficient    pam_winbind.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass  
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in  
crond quiet use_uid
session     required      pam_unix.so

I joined the domain by:  net rpc join -S ad1.ad.uchicago.edu -U _elijah

As I said, I can ssh in as ADLOCAL+elijah at concordia. I can also ssh in  
as _elijah at concordia (_elijah is the administrative account in AD.UCHICAGO.EDU 
). If I create a local account (e.g. in /etc/passwd) named ADLOCAL 
+elijah, I get that uid as the uid when I ssh in (instead of a uid  
that I believe was generated by idmap before I commented the idmap  
stuff out of smb.conf).

I've tried changing the workgroup to ADLOCAL in smb.conf, but that  
doesn't work (I assume because the computer account is in AD).

Any idea how I can get users in ADLOCAL to login without the prefix  
and inherit a uid from passwd? I'm not concerned about username  
collisions between ADLOCAL and AD.UCHICAGO.EDU



More information about the samba mailing list