[Samba] CentOS Samba as Domain Member
Bjoern.Becker at easycash.de
Fri Feb 14 09:47:19 MST 2014
Uhhh, it's solved. I had to clear the winbind cache for sure:
/etc/init.d/winbind stop
rm /var/lib/samba/winbindd_*tdb
/etc/init.d/winbind start
Best regards
Björn
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Becker, Björn
Sent: Friday, 14 February 2014 16:36
To: rowlandpenny at googlemail.com; samba at lists.samba.org
Subject: Re: [Samba] CentOS Samba as Domain Member
> You are welcome, but be aware that without the RFC2307 attributes you could have different id numbers on different samba servers.
Thanks! These configurations are for workstations only, I guess this will not become a problem there... hopefully :).
I now run into the next problem while trying to log in with a domain user against sshd. I receive these error messages:
Feb 14 16:27:33 PC3370CO sshd[18555]: Invalid user bb from
Feb 14 16:27:33 PC3370CO sshd[18556]: input_userauth_request: invalid user bb
Feb 14 16:27:37 PC3370CO sshd[18555]: pam_unix(sshd:auth): check pass; user unknown
Feb 14 16:27:37 PC3370CO sshd[18555]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3214ub
Feb 14 16:27:38 PC3370CO sshd[18555]: pam_succeed_if(sshd:auth): error retrieving information about user bb
Feb 14 16:27:40 PC3370CO sshd[18555]: Failed password for invalid user bb port 39674 ssh2
My nsswitch.conf:
passwd: files winbind
shadow: files
group: files winbind
And this is my pam config:
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
I don't understand why the domain user is invalid. With getent passwd I can see my user.
Best regards
Björn
-----Original Message-----
From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Sent: Friday, 14 February 2014 15:03
To: Becker, Björn; samba at lists.samba.org
Subject: Re: AW: AW: [Samba] CentOS Samba as Domain Member
On 14/02/14 13:41, Bjoern.Becker at easycash.de wrote:
> On 14/02/14 12:38, Bjoern.Becker at easycash.de wrote:
>> Hi,
>>
>> yes, I installed it via yum. But the links under /lib were not available:
>>
>> rpm -qa | grep samba
>> samba-winbind-clients-3.6.9-167.el6_5.x86_64
>> samba-3.6.9-167.el6_5.x86_64
>> samba4-libs-4.0.0-60.el6_5.rc4.x86_64
>> samba-client-3.6.9-167.el6_5.x86_64
>> samba-winbind-3.6.9-167.el6_5.x86_64
>> samba-common-3.6.9-167.el6_5.x86_64
>>
>> Wondering a bit about samba4-libs....
>>> Did samba4-libs get installed automatically ?
> I would like to say yes, but I can't reproduce it. I had a really clean install and just installed some basic packages. Puppet ensured that "samba" is present.
> I uninstalled everything and cleaned it up to reinstall it through puppet again, and now the samba4-libs aren't installed....
Strange, but you don't need samba4-libs anyway.
>
>> I am connecting against an Active Directory.
>>
>> # smb.conf
>> #======================= Global Settings =====================================
>>
>> [global]
>>
>> workgroup = DOM_RAT
>> server string = Samba Server Version %M
>> security = ADS
>> realm = DOM.DE
>> workgroup = DOM_RAT
>> winbind separator = +
>> winbind enum users = yes
>> winbind enum groups = yes
>> template homedir = /home/%D/%U
>> template shell = /bin/bash
>> client use spnego = yes
>> client ntlmv2 auth = yes
>> encrypt passwords = yes
>> winbind use default domain = yes
>> restrict anonymous = 2
>> domain master = no
>> local master = no
>> preferred master = no
>> os level = 0
>> winbind offline logon = no
>>> OK, you need to add something like this:
>>> kerberos method = secrets and keytab
>>> winbind expand groups = 4
>>> winbind nss info = rfc2307
>>> winbind refresh tickets = Yes
>>> winbind normalize names = Yes
>>> idmap config DOM_RAT:schema_mode = rfc2307
>>> idmap config DOM_RAT:range = 500-40000
>>> idmap config DOM_RAT:backend = ad
>>> idmap config *:range = 70001-80000
>>> idmap config *:backend = tdb
>>> Then restart samba, this will rely on the RFC2307 uidNumber & gidNumber attributes being available in AD, if not change 'idmap config DOM_RAT:backend = ad' to 'idmap config DOM_RAT:backend = rid'
> Yay! That's it. With backend = rid it works finally!
>
> Thank you very much!
You are welcome, but be aware that without the RFC2307 attributes you could have different id numbers on different samba servers.
Rowland
>
>>> Also have you added 'winbind' to the passwd & group lines in /etc/nsswitch.conf ?
> Yes.
>
> Rowland
>
>> Best regards Björn
>>
>>
>> -----Original Message-----
>> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
>> Sent: Friday, 14 February 2014 13:34
>> To: Becker, Björn; samba at lists.samba.org
>> Subject: Re: [Samba] CentOS Samba as Domain Member
>>
>> On 14/02/14 11:54, Bjoern.Becker at easycash.de wrote:
>>> Hello,
>>>
>>> I use CentOS 6.5 and smbd 3.6.9-167.el6_5.
>>>
>>> I can successfully execute wbinfo -u and wbinfo -g, but getent passwd doesn't work.
>>>
>>> nsswitch.conf
>>> passwd: files winbind
>>> shadow: files
>>> group: files winbind
>>>
>>> I read in the Samba manual that I have to link libnss_winbind.so to /lib. I did that, but it doesn't work anyway:
>>>
>>> ls -ltr /lib/lib*
>>> lrwxrwxrwx. 1 root root 28 14. Feb 12:34 /lib/libnss_winbind.so -> /usr/lib64/libnss_winbind.so
>>> lrwxrwxrwx. 1 root root 26 14. Feb 12:38 /lib/libnss_files.so -> /usr/lib64/libnss_files.so
>>> lrwxrwxrwx. 1 root root 26 14. Feb 12:40 /lib/libnss_winbind.so.2 -> /lib64/libnss_winbind.so.2
>>>
>>> Can anyone help me out?
>>>
>>> Thanks!
>>>
>>> Best regards Björn
>>>
>>>
>> I take it that you are running the machine as a client and installed
>> samba 3.6.9 via yum? If so then you shouldn't have to create the
>> links, yum should have done it for you.
>>
>> What is the client connecting to ? and could you please post the
>> smb.conf from this client.
>>
>> Rowland
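
Added example, not part of the original thread and not Samba's own code: with backend = rid the Unix id is computed from the account's RID and the configured range, so the 500-40000 range from the thread can be checked against other idmap domains and against local accounts, which the posted PAM stack also treats as starting at uid 500. The RID 1105 used in the checks and the local account list are constructed sample values.

```python
import re

# Constructed sample: the idmap lines suggested in the thread, with backend = rid.
SMB_CONF = """
idmap config DOM_RAT:range = 500-40000
idmap config DOM_RAT:backend = rid
idmap config *:range = 70001-80000
idmap config *:backend = tdb
"""

# Constructed local accounts (name, uid); CentOS 6 hands out local uids from 500 up.
LOCAL_USERS = [("root", 0), ("alice", 500), ("svc_backup", 1605)]


def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    pat = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
    for line in conf.splitlines():
        m = pat.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            entry["range"] = tuple(int(x) for x in val.split("-"))
        else:
            entry[key] = val
    return domains


def rid_to_id(rid, id_range, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID; None if out of range."""
    low, high = id_range
    mapped = rid - base_rid + low
    return mapped if low <= mapped <= high else None


def overlapping(domains):
    """Pairs of idmap domains whose ranges intersect."""
    items = sorted((d, c["range"]) for d, c in domains.items() if "range" in c)
    return [(a, b) for i, (a, ra) in enumerate(items) for b, rb in items[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]


def local_collisions(id_range, local_users):
    """Local accounts whose uid falls inside a domain's idmap range."""
    low, high = id_range
    return [name for name, uid in local_users if low <= uid <= high]
```

A domain member configured with a different low range value maps the same RID to a different number, and a RID that maps above the high end of the range gets no id at all.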