[Samba] help with AD integration
Gaiseric Vandal
gaiseric.vandal at gmail.com
Mon Oct 4 11:19:30 MDT 2010
Presumably Ben is able to ssh / telnet in for NON-Samba accounts
FYI- I did need to update my /etc/pam.conf on Solaris 10 clients when I
moved to LDAP backend for unix accounts. I had to add an entry to allow
ldap authentication. (I don't think I had to do this for Solaris 9.)
I don't use samba for ssh login authentication. But it makes sense-
since "root" can access "shadow" info in /etc files (or NIS) but not in
LDAP.
At some point I had tried out allowing ssh logins using samba
credentials- but I think this was on Solaris 9. At least with ldap
logins, Solaris 10 requires more configuration than Solaris 9.
My /etc/pam.conf includes the following ....
----------------------------------------------------------------------------------------------------------------
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
...
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
----------------------------------------------------------------------------------------------------------------
I would guess a similar entry with pam_smb (?) might do the trick.
I think that even if pam.conf is not configured correctly you can still
try the following -
ssh in as a local user (e.g. ben)
su to the samba user (e.g. "su - benvin" or "su benvin") - it
should prompt you for a password but ssh and telnet are not involved.
If this works then you know that the problem is probably a pam+ssh or
pam+telnet issue.
PS- You shouldn't use telnet anyway. It sends passwords in the clear.
...
On 10/04/2010 12:35 PM, Max León wrote:
> You need to ensure that pam is allowing ssh or telnet access, not sure
> in Solaris but in RedHat based systems it is inside /etc/pam.d
>
> You will have to allow access through pam only for enabled accounts since
> usually the access is restricted to shadow by default.
>
> On 10/4/10 7:11 AM, Gaiseric Vandal wrote:
>> According to your page
>>
>> "getent passwd" is showing the domain users.
>>
>>
>> If you try to ssh into your linux machine as "ben", with the way
>> nsswitch.conf is configured, it will try to authenticate you as the
>> "ben" in /etc/passwd not the one in the AD domain.
>>
>> I suggest you try the following
>> comment out "ben" from /etc/passwd and /etc/shadow.
>>
>> Make sure that the /export/Home/ben directory is owned by the SRE+ben
>> user. See if you can ssh into linux as "ben." (I think you can
>> specify "ben" and not "SRE+ben" for the ssh user.) Keep an eye on
>> the log files e.g in /var/samba/log or /var/log/samba.
>>
>> You have still not clarified why nsswitch.conf has entries for ldap.
>>
>>
>>
>>
>> On 10/04/2010 05:17 AM, Ben George wrote:
>>>
>>> please check this link
>>>
>>> http://bentgeorge.com/samba/
>>> all are mentioned here
>>>
>>>
>>> Thanks
>>> Ben.T.George
>>>
>>>
>>>
>>> On Thu, Sep 30, 2010 at 10:16 PM, Gaiseric Vandal
>>> <gaiseric.vandal at gmail.com <mailto:gaiseric.vandal at gmail.com>> wrote:
>>>
>>> Hi
>>>
>>> Please clarify the following
>>> - Did you run "truss getent passwd" command and look for lines
>>> with nss_winbind- just in case it is looking for a file with a
>>> different version.
>>> - Why does nsswitch.conf have ldap references- are you using
>>> ldap?
>>>
>>>
>>> You should also look through the samba logs- it may provide some
>>> information.
>>>
>>>
>>>
>>> On 09/30/2010 12:14 PM, Ben George wrote:
>>>>
>>>>
>>>>
>>>> yes client has Solaris and a windows xp machine under the AD
>>>> domain
>>>>
>>>> yes i exported the paths to the newly installed
>>>> /usr/local/samba/lib
>>>>
>>>> i am using the new packages and disabled the default packages
>>>>
>>>>
>>>> On Thu, Sep 30, 2010 at 6:16 PM, Gaiseric Vandal
>>>> <gaiseric.vandal at gmail.com <mailto:gaiseric.vandal at gmail.com>> wrote:
>>>>
>>>> So to clarify the customer has a Sun Solaris 10 UNIX machine
>>>> and a Linux workstation?
>>>>
>>>> FOR SOLARIS
>>>>
>>>> I had problems with getting nsswitch+winbind working with the
>>>> samba from sunfreeware- I had to recompile from scratch
>>>> (major headache.) In hindsight this may not have been
>>>> necessary for winbind- although I had to recompile anyway
>>>> for ZFS support.
>>>>
>>>> On solaris, you should have a file called
>>>> /usr/lib/nss_winbind.so.1 - which is the nsswitch winbind
>>>> library provided by the samba that sun bundles with solaris
>>>> 10 (but this is samba 3.0.x and too old to be much use.)
>>>>
>>>> In /usr/local/samba/lib - do you see an nss_winbind.so.1
>>>> file? How is your PATH and LD_LIBRARY_PATH set- you want
>>>> to make sure you are using the /usr/local/samba/bin and
>>>> /usr/local/samba/lib first.
>>>>
>>>> If you run "truss getent passwd | tee log1.txt" you should
>>>> see it looking for nss_winbind.so.1 - ideally it will look
>>>> in /usr/local/samba/lib before /usr/lib. If it uses
>>>> /usr/lib/nss_winbind.so.1 that will probably NOT work. You
>>>> may want to rename that file just to make sure.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 09/30/2010 10:57 AM, Ben George wrote:
>>>>>
>>>>> Sun Solaris 10 (under SPARC)
>>>>>
>>>>> local users in /etc/passwd
>>>>>
>>>>> samba 3.4.2 from sunfreeware.com <http://sunfreeware.com>
>>>>>
>>>>>
>>>>> getent passwd
>>>>>
>>>>> ramana:x:100:1::/export/home/ramana:/bin/sh
>>>>> teju:x:101:1::/export/home/teju:/bin/sh
>>>>> user1:x:102:1::/export/home/user1:/bin/sh
>>>>> ben:x:103:1::/home/ben:/bin/sh
>>>>>
>>>>> like this
>>>>>
>>>>> Thanks
>>>>> Ben.T.George
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal
>>>>> <gaiseric.vandal at gmail.com
>>>>> <mailto:gaiseric.vandal at gmail.com>> wrote:
>>>>>
>>>>> Then it sounds like you need the AD integration. If the
>>>>> users also log in to the linux workstation directly (or
>>>>> via ssh) then you will need to configure winbind and
>>>>> nsswitch to support unix logins.
>>>>>
>>>>> Why does nsswitch.conf include ldap? Is this the only
>>>>> linux/unix machine? Are local users in ldap or
>>>>> /etc/passwd?
>>>>>
>>>>> What version of samba? What version of linux?
>>>>>
>>>>> Ideally "getent passwd" would show something like
>>>>>
>>>>> ben:*:10001:10001:Ben George:/export/Home/SRE/ben/:/bin/tcsh
>>>>>
>>>>> or
>>>>>
>>>>> SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> I don't think you need a huge amount of AD experience to
>>>>> make this work but I think you have to have general
>>>>> understanding of what Windows domains are about.
>>>>>
>>>>> You should also review the smb.conf man page for the
>>>>> section on idmap_ad.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 09/30/2010 09:24 AM, Ben George wrote:
>>>>>>
>>>>>>
>>>>>> Thanks for your reply..
>>>>>>
>>>>>> yes my client told me like this that's why..and the
>>>>>> manager gave that work to newly joined me.. :(
>>>>>>
>>>>>> i don't have any AD and core unix experience..i have
>>>>>> only experience in linux, not much
>>>>>>
>>>>>> maybe this project will affect my job.. :(
>>>>>>
>>>>>> my nsswitch.conf
>>>>>>
>>>>>> passwd: files ldap winbind
>>>>>> group: files ldap winbind
>>>>>> hosts: dns files
>>>>>> ipnodes: dns files
>>>>>>
>>>>>>
>>>>>> "nsswitch+winbind (which I do) or the smb pam
>>>>>> module"..? :(
>>>>>>
>>>>>> i don't know..my client's need is he has a linux
>>>>>> machine..also an ADS..from the unix machine, he wants to
>>>>>> share secure folders to the AD users..so each user
>>>>>> can only access that particular shared folder..when the
>>>>>> password of a user is changed in AD, that will affect the
>>>>>> smbpassword...means without changing that particular
>>>>>> user's smb password in the unix machine..
>>>>>>
>>>>>> for this need which method is useful..from your
>>>>>> experience
>>>>>>
>>>>>> "Does "getent passwd" show the windows users?"
>>>>>>
>>>>>> please check the output ..i think getent passwd only
>>>>>> shows unix system passwords
>>>>>>
>>>>>> bash-3.00# getent passwd
>>>>>> root:x:0:0:Super-User:/:/sbin/sh
>>>>>> daemon:x:1:1::/:
>>>>>> bin:x:2:2::/usr/bin:
>>>>>> sys:x:3:3::/:
>>>>>> adm:x:4:4:Admin:/var/adm:
>>>>>> lp:x:71:8:Line Printer Admin:/usr/spool/lp:
>>>>>> uucp:x:5:5:uucp Admin:/usr/lib/uucp:
>>>>>> nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
>>>>>> smmsp:x:25:25:SendMail Message Submission Program:/:
>>>>>> listen:x:37:4:Network Admin:/usr/net/nls:
>>>>>> gdm:x:50:50:GDM Reserved UID:/:
>>>>>> webservd:x:80:80:WebServer Reserved UID:/:
>>>>>> postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
>>>>>> svctag:x:95:12:Service Tag UID:/:
>>>>>> nobody:x:60001:60001:NFS Anonymous Access User:/:
>>>>>> noaccess:x:60002:60002:No Access User:/:
>>>>>> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
>>>>>> ramana:x:100:1::/export/home/ramana:/bin/sh
>>>>>> teju:x:101:1::/export/home/teju:/bin/sh
>>>>>> user1:x:102:1::/export/home/user1:/bin/sh
>>>>>> ben:x:103:1::/home/ben:/bin/sh
>>>>>>
>>>>>>
>>>>>> "you already have a "unix" ben and a "ADS" ben defined?"
>>>>>>
>>>>>> Yes i defined the ben user in Unix and ADS...because i
>>>>>> don't have much knowledge about that sorry
>>>>>>
>>>>>> Hope you will help me
>>>>>> Thanks
>>>>>> Ben.T.George
>>>>>>
>>>>>>
>>>>>> On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal
>>>>>> <gaiseric.vandal at gmail.com
>>>>>> <mailto:gaiseric.vandal at gmail.com>> wrote:
>>>>>>
>>>>>>
>>>>>> disclaimer: I don't use Samba as an ADS member
>>>>>> server. I use samba as PDC with trusts to an ADS
>>>>>> domain. So my observations may not be valid.
>>>>>>
>>>>>> Did you try updating nsswitch.conf
>>>>>>
>>>>>>
>>>>>> passwd: files winbind
>>>>>> group: files winbind
>>>>>>
>>>>>>
>>>>>> If you are using a Windows domain and have a user
>>>>>> defined in the domain, you generally don't want to
>>>>>> add the user as a local user. Since the
>>>>>> underlying unix OS needs to know about the domain
>>>>>> users you need to either use nsswitch+winbind
>>>>>> (which I do) or the smb pam module (which I don't
>>>>>> use, and not sure if it really is the correct
>>>>>> approach.)
>>>>>>
>>>>>> If you use nsswitch.conf+winbind you can then also
>>>>>> OPTIONALLY allow "windows" users "unix" access like
>>>>>> ssh. My samba server is a PDC- I have a domain
>>>>>> trust with windows domains BUT the default shell
>>>>>> is "/bin/false." (It is still a little flaky...)
>>>>>>
>>>>>> Does "getent passwd" show the windows users? It
>>>>>> should show something like
>>>>>>
>>>>>> ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>>>>>>
>>>>>> or
>>>>>>
>>>>>> SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>>>>>>
>>>>>>
>>>>>>
>>>>>> It looks like you already have a "unix" ben and a
>>>>>> "ADS" ben defined?
>>>>>>
>>>>>> "wbinfo -s" and "wbinfo -n" are also useful for
>>>>>> making sure that the name-to-sid and sid-to-name
>>>>>> mappings are correct for domain users.
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
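Added example, not code from the thread or from Samba: a small Python checker for the two things the thread keeps circling around. With "passwd: files ldap winbind" in nsswitch.conf, a local "ben" in /etc/passwd answers before the AD "ben" that winbind would return, so an ssh login as "ben" is checked against local shadow and never reaches the domain; and a service whose pam.conf auth stack contains no pam_ldap/pam_winbind style module cannot verify a domain password at all, even when nsswitch resolves the name. The config fragments, uids, the "sshd" service name (Solaris' sshd may register under a different PAM service name) and the DOMAIN_AUTH_MODULES prefix list are assumptions; "winbind use default domain = yes" is the smb.conf option that makes winbind return names without the "SRE+" prefix, which is what lets them collide with local names.

```python
"""Added example, not code from the thread: emulate the nsswitch.conf passwd
lookup order, list local accounts that shadow winbind (AD) accounts, and check
whether a Solaris-style pam.conf auth stack holds a domain-aware module."""

NSSWITCH_CONF = """\
passwd:  files ldap [NOTFOUND=continue] winbind
group:   files ldap winbind
"""

# The "files" source (constructed local /etc/passwd).
LOCAL_PASSWD = """\
ramana:x:100:1::/export/home/ramana:/bin/sh
teju:x:101:1::/export/home/teju:/bin/sh
ben:x:103:1::/home/ben:/bin/sh
"""

# The "winbind" source with "winbind use default domain = yes": names come
# back without the "SRE+" prefix, so they can collide (uids are assumed).
WINBIND_PASSWD = """\
ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash
teju:*:10002:10001:Teju:/export/Home/SRE/teju:/bin/bash
adavid:*:10003:10001:A David:/export/Home/SRE/adavid:/bin/bash
"""

# Solaris pam.conf layout: "service facility control module [options]".
# "sshd" as a service name is an assumption; check what your sshd asks PAM for.
PAM_CONF = """\
login   auth requisite  pam_authtok_get.so.1
login   auth binding    pam_unix_auth.so.1 server_policy
login   auth required   pam_ldap.so.1
# used by every service with no entries of its own
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_unix_auth.so.1
"""

# Module-name prefixes that check the domain password (assumed list).
DOMAIN_AUTH_MODULES = ("pam_winbind", "pam_ldap", "pam_smb_auth")


def nss_sources(conf, database):
    """Ordered sources for one database; [STATUS=action] tokens are dropped
    since under the default actions the first source that knows the name answers."""
    for line in conf.splitlines():
        db, _, rest = line.split("#", 1)[0].partition(":")
        if db.strip() == database:
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def parse_passwd(text):
    """passwd(4)-style lines -> {name: the seven fields}."""
    return {f[0]: f for f in (line.split(":") for line in text.splitlines()
                             if line and not line.startswith("#"))}


def resolve(name, sources, tables):
    """First listed source that knows the name wins. A source with no table
    (e.g. ldap listed but not set up) is skipped, like one returning UNAVAIL."""
    for src in sources:
        if name in tables.get(src, {}):
            return src, tables[src][name]
    return None, None


def shadowed_accounts(sources, tables):
    """{name: (winning source, [hidden sources])} for names in >1 source."""
    names = {n for src in sources for n in tables.get(src, {})}
    out = {}
    for name in sorted(names):
        holders = [s for s in sources if name in tables.get(s, {})]
        if len(holders) > 1:
            out[name] = (holders[0], holders[1:])
    return out


def pam_stack(conf, service, facility):
    """(control, module, options) entries for service/facility, falling back
    to 'other' as Solaris pam.conf does when the service has none of its own."""
    stacks = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 4:
            stacks.setdefault(tuple(parts[:2]), []).append(
                (parts[2], parts[3], parts[4:]))
    return stacks.get((service, facility)) or stacks.get(("other", facility), [])


def domain_auth_modules(stack):
    """Basenames of stack modules that can verify a domain password."""
    names = [module.rsplit("/", 1)[-1] for _, module, _ in stack]
    return [n for n in names if n.startswith(DOMAIN_AUTH_MODULES)]


def check_login(name, service):
    """What happens when `name` authenticates through `service`."""
    sources = nss_sources(NSSWITCH_CONF, "passwd")
    tables = {"files": parse_passwd(LOCAL_PASSWD),
              "winbind": parse_passwd(WINBIND_PASSWD)}
    src, entry = resolve(name, sources, tables)
    return {"answered_by": src, "home": entry[5] if entry else None,
            "shadowed": shadowed_accounts(sources, tables),
            "domain_auth": domain_auth_modules(pam_stack(PAM_CONF, service, "auth"))}


if __name__ == "__main__":
    for user, svc in (("ben", "login"), ("ben", "sshd"), ("adavid", "sshd")):
        print(user, svc, check_login(user, svc))
```

Run against the constructed data, "ben" via "sshd" is answered by "files" with home /home/ben and an auth stack with no domain module, which is exactly the symptom described earlier in the thread; "adavid" resolves through winbind because no local account hides it. Removing the local "ben" (or listing winbind before files) changes the winner, and adding a pam_ldap/pam_winbind line for the real sshd service name gives the stack something that can check the domain password.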