[Samba] Active Directory member server

James Osbourn james.osbourn at citrix.com
Thu Jun 16 06:13:21 MDT 2011


Hi Steven,

Thanks for the feedback.  I made some changes based on your config files and was still able to add the client to the domain using a local domain admin account.  However, I am still unable to connect to the server from a Windows machine and authenticate using an account from either domain.  `wbinfo -u` does not seem to list users from our authentication domain, which may be the cause of the problem.

Just to update I am running Debian (Lenny) for the server.

Thanks

James

> -----Original Message-----
> From: Steven Schlegel [mailto:steven.schlegel1988 at googlemail.com]
> Sent: 14 June 2011 17:37
> To: James Osbourn
> Subject: Re: [Samba] Active Directory member server
> 
> Hi James,
> 
> maybe the following configuration (examples) helps you out.
> 
> I have the following packages installed:
> rpm -qa | grep -e samba -e krb5* | sort
> =>
> output:
>   krb5-auth-dialog-0.7-1
>   krb5-devel-1.6.1-36.el5
>   krb5-libs-1.6.1-36.el5
>   krb5-libs-1.6.1-36.el5
>   krb5-workstation-1.6.1-36.el5
>   ldb-tools-3.4.9-42.el5
>   libwbclient0-3.4.9-42.el5
>   libwbclient-devel-3.4.9-42.el5
>   libsmbclient0-3.4.9-42.el5
>   libsmbclient-devel-3.4.9-42.el5
>   pam_krb5-2.2.14-10
>   pam_krb5-2.2.14-10
>   samba3-3.4.9-42.el5
>   samba-cifsmount-3.4.9-42.el5
>   samba3-client-3.4.9-42.el5
>   samba3-doc-3.4.9-42.el5
>   samba3-utils-3.4.9-42.el5
>   samba3-winbind-3.4.9-42.el5
> 
> 
> My krb5.conf looks like this:
> 
> [logging]
>  default = FILE:/var/log/kerberos/krb5libs.log
>  kdc = FILE:/var/log/kerberos/krb5kdc.log
>  admin_server = FILE:/var/log/kerberos/kadmind.log
> 
> [libdefaults]
>  default_realm = WIREDBRAIN.LCL
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 600
>  forwardable = true
>  proxiable = true
>  default_keytab_name = FILE:/etc/krb5.keytab
> 
> [realms]
>  WIREDBRAIN.LCL = {
>   kdc = dchh01.wiredbrain.lcl
>   master_kdc = dchh01.wiredbrain.lcl
>   admin_server = dchh01.wiredbrain.lcl
>   #default_domain = WIREDBRAIN.LCL
> }
>  TRIPEDBRAIN.LCL = {
>   kdc = rootdc01.tripedbrain.lcl
> }
> 
> [domain_realm]
>  .wiredbrain.lcl = WIREDBRAIN.LCL
>  wiredbrain.lcl = WIREDBRAIN.LCL
>  .tripedbrain.lcl = TRIPEDBRAIN.LCL
>  tripedbrain.lcl = TRIPEDBRAIN.LCL
> 
> [login]
>  krb4_convert = true
>  krb4_get_tickets = true
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = true
>  }
> 
> And my smb.conf looks like this:
> 
> [global]
>   workgroup = WIREDBRAIN
>   realm = WIREDBRAIN.LCL
>   password server = *
>   preferred master = no
>   server string = Linux AD Member-Server
>   security = ads
>   encrypt passwords = yes
>   local master = no
>   log level = 1
>   log file = /var/log/samba/%m
>   max log size = 50
>   #printcap name = cups
>   #printcap = cups
>   winbind enum users = Yes
>   winbind enum groups = Yes
>   winbind use default domain = Yes
>   winbind nested groups = Yes
>   winbind separator = "\""\"
>   winbind refresh tickets = yes
>   winbind offline logon = true
>   winbind trusted domains only = no
>   map untrusted to domain = Yes
>   allow trusted domains = yes
>   obey pam restrictions = no
>   idmap backend = tdb
>   idmap uid = 10000-600000
>   idmap gid = 10000-600000
>   passdb backend = tdbsam
>   ;template primary group = "domain users"
>   template shell = /bin/bash
>   winbind nss info = rfc2307
>   client use spnego = yes
>   client ntlmv2 auth = yes
>   restrict anonymous = 2
> 
> As you can see I have two domains in my environment, named as
> WIREDBRAIN.LCL and TRIPEDBRAIN.LCL.
> Between those domains, an interdomain-trust has been created.
> 
> After your configurations you need to initiate the net ads join command:
> net ads join -U Administrator
> 
> and if this was successful you need to create a Kerberos keytab:
> net ads keytab create
> 
> Now you can test your setup with the following commands:
> wbinfo -u -> should give you a list of all users in your domains
> wbinfo -g -> same as wbinfo -u (for groups)
> 
> ----
> For my environment, I also need to edit the nsswitch.conf:
> passwd: files winbind
> shadow: files winbind
> group: files winbind
> ----
> 
> Try kinit and smbclient to see if Kerberos works, and of course with Samba.
> 
> Best regards,
> 
> Steven
> 
> 
> 2011/6/14 James Osbourn <james.osbourn at citrix.com>:
> > I am trying to set up Samba as a Windows front end to a CUPS print
> > server.  We seem to be having some problems getting the server registered
> > in the domain and for users to be able to connect to the server.  Our
> > problems seem to stem from the fact that we add our machines to one
> > domain which has a one way trust to a different domain which is where all of
> > the user accounts reside and authentication is handled.  I was able to get the
> > net ads join command to work by using the primary domain administrator
> > credentials.
> >
> > Any help on getting the correct runes into my smb.conf and krb5.conf
> > files greatly appreciated.  My krb5.conf file is as follows
> >
> > [libdefaults]
> >        default_realm = X.NET
> >        dns_lookup_realm = false
> >        dns_lookup_kdc = false
> >        ticket_lifetime = 24h
> >        forwardable = yes
> >
> > [realms]
> > A.X.NET = {
> >        kdc = dc01.a.x.net
> >        kdc = dc02.a.x.net
> >        admin_server = dc02.a.x.net
> > }
> >
> > [domain_realm]
> >        .a.x.net = A.X.NET
> >
> > My smb.conf file is as follows
> >
> > [global]
> >   workgroup = A
> >   realm = a.x.net
> >   security = ADS
> >   encrypt passwords = yes
> >
> > Many Thanks
> >
> > James

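The checks below are an added example, not code from either poster: they lint an smb.conf and krb5.conf against the settings Steven's reply relies on for a member server that must authenticate users from a second, trusted domain (ADS security, upper-case realm, an idmap range, a matching default_realm, and domain_realm entries for both the dotted and bare domain names). The sample configs are constructed to resemble James's originals, and the check wording is my own.

```python
import configparser
import re

# Constructed sample modelled on James's original configs (expected to fail).
SMB_CONF = "[global]\n  workgroup = A\n  realm = a.x.net\n  security = ADS\n"
KRB5_CONF = ("[libdefaults]\n  default_realm = X.NET\n[realms]\n  A.X.NET = {\n"
             "    kdc = dc01.a.x.net\n  }\n[domain_realm]\n  .a.x.net = A.X.NET\n")

def parse_smb(text):
    """smb.conf is INI-like; disable interpolation so '%m' log names survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("\n".join(l.strip() for l in text.splitlines()))
    return {k: v.strip() for k, v in cp["global"].items()}  # keys lower-cased

def parse_krb5(text):
    """Minimal krb5.conf reader: libdefaults keys, realm names, domain_realm map."""
    out, section = {"libdefaults": {}, "realms": set(), "domain_realm": {}}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"\[(\w+)\]", line):
            section = m.group(1)
        elif section == "realms" and line.endswith("{"):
            out["realms"].add(line.split("=")[0].strip())   # "REALM = {"
        elif section in out and section != "realms" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            out[section][k] = v
    return out

def check_member_server(smb_text, krb5_text):
    """Return the settings that would break logons from the trusted user domain."""
    smb, krb, findings = parse_smb(smb_text), parse_krb5(krb5_text), []
    realm = smb.get("realm", "")
    if smb.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' for an AD member server")
    if realm != realm.upper():
        findings.append("realm should be the upper-case Kerberos realm name")
    if smb.get("allow trusted domains", "yes").lower() == "no":
        findings.append("allow trusted domains = no hides users of the trusted domain")
    if not any(k.startswith("idmap") for k in smb):
        findings.append("no idmap range: winbind cannot map domain users to uids")
    if krb["libdefaults"].get("default_realm") != realm.upper():
        findings.append("krb5 default_realm does not match the smb.conf realm")
    for r in sorted(krb["realms"]):          # both forms, as in Steven's config
        for name in (r.lower(), "." + r.lower()):
            if krb["domain_realm"].get(name) != r:
                findings.append(f"domain_realm lacks {name} = {r}")
    return findings

if __name__ == "__main__":
    for finding in check_member_server(SMB_CONF, KRB5_CONF):
        print("FAIL:", finding)
```

Feed it the real files with `open(...).read()`; an empty result means the static settings match Steven's working layout, after which `net ads join`, `net ads keytab create` and `wbinfo -u` remain the live tests.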