ldap and active directory configuration
Malcolm Bodger
M.Bodger at westminster.ac.uk
Thu Jul 15 02:29:36 MDT 2010
Hi Scott,
Yes, I configured kerberos, but running 'getent passwd' only lists the local users.
The /etc/krb5.conf:
[libdefaults]
    default_realm = INTRANET.WMIN.AC.UK
    # The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented. In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    ticket_lifetime = 24000
    default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    # The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    MEDIA-LAB.MIT.EDU = {
        kdc = kerberos.media.mit.edu
        admin_server = kerberos.media.mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    MOOF.MIT.EDU = {
        kdc = three-headed-dogcow.mit.edu:88
        kdc = three-headed-dogcow-1.mit.edu:88
        admin_server = three-headed-dogcow.mit.edu
    }
    CSAIL.MIT.EDU = {
        kdc = kerberos-1.csail.mit.edu
        kdc = kerberos-2.csail.mit.edu
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
        krb524_server = krb524.csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    GNU.ORG = {
        kdc = kerberos.gnu.org
        kdc = kerberos-2.gnu.org
        kdc = kerberos-3.gnu.org
        admin_server = kerberos.gnu.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    GRATUITOUS.ORG = {
        kdc = kerberos.gratuitous.org
        admin_server = kerberos.gratuitous.org
    }
    DOOMCOM.ORG = {
        kdc = kerberos.doomcom.org
        admin_server = kerberos.doomcom.org
    }
    ANDREW.CMU.EDU = {
        kdc = vice28.fs.andrew.cmu.edu
        kdc = vice2.fs.andrew.cmu.edu
        kdc = vice11.fs.andrew.cmu.edu
        kdc = vice12.fs.andrew.cmu.edu
        admin_server = vice28.fs.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementia.org
        kdc = kerberos2.dementia.org
        admin_server = kerberos.dementia.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    INTRANET.WMIN.AC.UK = {
        kdc = ISLS-INT-DC-6.WMIN.AC.UK
        admin_server = ISLS-INT-DC-6.WMIN.AC.UK
        default_domain = INTRANET.WMIN.AC.UK
    }
[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .intranet.wmin.ac.uk = INTRANET.WMIN.AC.UK
    intranet.wmin.ac.uk = INTRANET.WMIN.AC.UK
[login]
    krb4_convert = true
    krb4_get_tickets = false
The /etc/nsswitch.conf:
passwd: files winbind
group: files winbind
shadow: files
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
The wbinfo -u and -g options do return the users and groups.
Thanks,
Malcolm.
This e-mail and its attachments are intended for the above named only and may be confidential. If they have come to you in error you must not copy or show them to anyone, nor should you take any action based on them, other than to notify the error by replying to the sender.
________________________________
From: Scott Grizzard [mailto:scott at scottgrizzard.com]
Sent: Thu 15/07/2010 08:49
To: Malcolm Bodger
Cc: samba-technical at lists.samba.org
Subject: Re: RE: ldap and active directory configuration
Did you configure Kerberos for that server? What does your krb5.conf look like?
How about your nsswitch.conf file? When you run 'getent passwd', do your AD users show up?
On Jul 15, 2010 3:22 AM, "Malcolm Bodger" <M.Bodger at westminster.ac.uk> wrote:
Hi Scott,
I'm hoping yourself, or someone on this list, might be able to help me with this ongoing problem.
I've now moved on from ldap and have configured my server to authenticate to active directory. I can ssh to the box and login using AD and local accounts, but I get errors when trying to access my shared drive. On my PC the error contains the message: 'No process is on the other end of the pipe.' I'm not creating any samba users, but I've configured samba to create local home areas, which it does for any new users.
My smb.conf, it's been a bit mangled in attempt to get it to work:
[global]
realm = INTRANET.WMIN.AC.UK
workgroup = INTRANET
netbios name = isls-fs1
netbios aliases = isls-fs1
server string = %h server (Samba, Ubuntu)
map to guest = Never
obey pam restrictions = no
password server = isls-int-dc-6
passdb backend = tdbsam
security = ADS
pam password change = no
passwd program =
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = no
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
local master = No
domain master = No
dns proxy = No
wins server = isls-int-dc-6
#ldap ssl = yes
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
invalid users = root
idmap uid = 500-1000000
idmap gid = 500-1000000
#winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
template homedir = /home/%D/%U
template shell = /bin/bash
#nt pipe support = no
#name resolve order = wins host bcast
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[PSI]
comment = psi shared area
path = /PSI
# public = No
# valid users = @"INTRANET+Domain Users"
#valid users = %S
read only = No
browseable = No
wide links = No
guest ok = yes
[homes]
comment = Unix homes
path = /home
# valid users = %S
read only = no
browseable = yes
It used to work when configured for local users, but now I'm not able to access the drive for local, nor AD users.
Thanks,
Malcolm.
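As an added example (not part of the thread, and not Samba project code), the script below lints trimmed copies of the three files quoted in this thread: the krb5.conf and nsswitch.conf from the reply above, and the smb.conf from the message just quoted. It flags the settings a defender would want to question before putting the share on the network: single-DES and RC4 enctypes left in the Kerberos enctype lists, an idmap range that starts below the local UID_MIN of 1000 and can therefore collide with local accounts, ldap ssl = no, and guest ok = yes on a share. It also confirms that winbind is listed for passwd and group in nsswitch.conf, which is the first thing to check when wbinfo -u works but getent passwd shows only local users. The sample texts, the UID_MIN threshold and the "weak enctype" policy are assumptions made for the example.

```python
"""Lint quoted Samba/Kerberos/NSS config fragments for risky settings (added example)."""
import re

# Constructed sample: trimmed copy of the krb5.conf quoted in the thread.
KRB5_CONF = """\
[libdefaults]
default_realm = INTRANET.WMIN.AC.UK
default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
[realms]
INTRANET.WMIN.AC.UK = {
    kdc = ISLS-INT-DC-6.WMIN.AC.UK
}
"""

# Constructed sample: trimmed copy of the smb.conf quoted in the thread.
SMB_CONF = """\
[global]
security = ADS
map to guest = Never
ldap ssl = no
idmap uid = 500-1000000
idmap gid = 500-1000000
[PSI]
path = /PSI
guest ok = yes
[homes]
path = /home
read only = no
"""

# Constructed sample: the nsswitch.conf lines that decide what getent returns.
NSSWITCH_CONF = """\
passwd: files winbind
group: files winbind
shadow: files
"""

# Policy assumption for this example: single DES and RC4-HMAC are the enctypes to flag.
WEAK_ENCTYPE = re.compile(r"^(des-|arcfour)")


def parse_sections(text):
    """Parse '[section]' / 'key = value' files such as smb.conf and krb5.conf.
    Brace-nested blocks (krb5 [realms] entries, v4_name_convert) are skipped
    because the checks below only need the flat keys of each section."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        depth_before = depth
        depth += line.count("{") - line.count("}")
        if depth_before > 0 or "{" in line:
            continue  # inside, opening or closing a nested block
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_krb5(sections):
    """Report enctype lists that still permit single DES or RC4-HMAC."""
    findings, lib = [], sections.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in lib.get(key, "").split() if WEAK_ENCTYPE.match(e)]
        if weak:
            findings.append(f"krb5 {key}: weak enctypes enabled: {' '.join(weak)}")
    return findings


def check_smb(sections, uid_min=1000):
    """Report idmap ranges overlapping local ids, plaintext LDAP and guest shares."""
    findings, g = [], sections.get("global", {})
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", g.get(key, ""))
        if m and int(m.group(1)) < uid_min:
            findings.append(f"smb {key}: range starts at {m.group(1)}, below local "
                            f"UID_MIN {uid_min}; winbind ids can collide with local accounts")
    if g.get("ldap ssl", "").lower() == "no":
        findings.append("smb ldap ssl = no: LDAP traffic to the DC is not TLS-protected")
    for name, share in sections.items():
        if name != "global" and share.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append(f"smb [{name}]: guest ok = yes permits guest access to the share")
    return findings


def check_nss(text, source="winbind"):
    """Report passwd/group databases that do not consult winbind (getent shows only local users)."""
    findings, dbs = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, _, sources = line.partition(":")
            dbs[db.strip()] = sources.split()
    for db in ("passwd", "group"):
        if source not in dbs.get(db, []):
            findings.append(f"nsswitch {db}: '{source}' missing; getent {db} lists local entries only")
    return findings


if __name__ == "__main__":
    report = (check_krb5(parse_sections(KRB5_CONF)) + check_smb(parse_sections(SMB_CONF))
              + check_nss(NSSWITCH_CONF))
    print("\n".join(report) or "no findings")
```

Run as-is it prints the findings for the quoted fragments; point the three constants at the real files (or read them from /etc) to lint a live host. The nsswitch check passes for the posted file, which is why winbind itself, not NSS ordering, is where the getent problem has to be looked for next.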
________________________________
From: Malcolm Bodger
Sent: Fri 02/07/2010 14:42
To: Scott Grizzard; Malcolm Bodger
Cc: samba-technical at lists.samba.org
Subject: RE: ldap and active directory configuration
Hi Scott,
Thanks for this very useful information and it's giving me an insight into Samba. Our eD...
--
The University of Westminster is a charity and a company limited by
guarantee. Registration number: 977818 England. Registered Office:
309 Regent Street, London W1B 2UW, UK.