Gentoo Forums
How to integrate Samba into Active Directory (UPDATED).
Forum: Documentation, Tips & Tricks
MartinSt (n00b)
Joined: 09 May 2002
Posts: 13
Location: Ceske Budejovice, Czech Rep.
Posted: Thu Apr 01, 2004 7:30 am

Hi, I have spent more than two weeks finding out the main bells and whistles of deploying a Linux machine as a Samba server in an MS W2K3 AD environment, so I would like to share my experience here. I suppose this could help add some important details to the previous postings in this thread and summarize the whole process. As I am not an expert in this area, I still do not thoroughly understand many relevant things, so please be tolerant.

Installation goals:
* use Kerberos for user authentication to the system and for access to the samba shared directories
* use encrypted access to the LDAP interface of the MS Active Directory

Useful debugging tools:
Ethereal - **THIS IS A MUST-HAVE TOOL HERE** - for tracing communication between your Linux machine and the AD server
http://www.ethereal.com/

LDAP browser - for accessing the AD through LDAP and viewing the information stored there (you can see the same information in the MS ADSI Editor, too). You can use it to check the directory structure and to read/edit the information stored there. I am using the Java LDAP browser from this page:
http://www.iit.edu/~gawojar/ldap/
Unfortunately, this browser doesn't play well with the blackdown-jdk, but works fine with the sun-jdk.

strace (dev-util/strace) - a debugging utility which intercepts and records the system calls made by a process and the signals received by it. For example, to find out which files are opened during execution of the getent passwd command, you can use this command:

Code:

strace -e open getent passwd


Windows Software
Microsoft Services For Unix, or SFU (current version is 3.5). You can download this software (approx. 350MB) on this site:

http://www.microsoft.com/windows/sfu/downloads/default.asp

(You have to be registered with the MS .NET Passport before downloading.) In previous posts the AD4UNIX software was recommended, but it seems to be abandoned now, while the MS SFU is free now and still being developed.

During the installation of the MS SFU choose only the "Server for NIS" option. This will extend the AD schema and install the MMC snap-in (similar to the AD4UNIX one). Verify that you are able to create users with UNIX attributes and inspect those users from the LDAP side. When the installation is finished and the server is restarted, you can test the functionality of the SFU MMC snap-in and verify the SFU attributes in the LDAP browser. As the NIS server will not be needed, stop the Server for NIS service and change its startup type to Manual.

Note: The Server for NIS service, among other things, performs password synchronization between Kerberos and the LDAP msSFU30Password attribute. Synchronized passwords are however truncated to 8 characters and they aren't well encrypted - that's another reason to stop the Server for NIS service.


Needed packages to emerge:
samba - make sure that it's the 3.x version
openssl - needed for SSL
openldap - we will need this for client LDAP searches
cyrus-sasl - Simple Authentication and Security Layer - for basic encryption of LDAP binds and searches
ntp - we will use the ntp-client for time synchronization (for proper Kerberos functioning)
mit-krb5 - the MIT Kerberos
pam - the Pluggable Authentication Module base
pam_krb5 - Kerberos PAM module (note that the pam_ldap module will not be needed). There are some problems emerging the 1.0 version, see other posts on these forums. It seems to have problems with password change, too.
nss_ldap - LDAP module for the name switch system (enables redirection of searches for users, groups, etc. to LDAP)
Note: Make sure that nss_ldap is compiled with the --enable-schema-mapping parameter enabled, otherwise it will be of no use here.


Let's assume the following initial configuration:

    MS Windows Server:
    Servername: SFUSRV
    AD Domain: DC=SFU,DC=ACME,DC=COM
    DNS Name: sfusrv.sfu.acme.com
    Server's IP address: 192.168.1.20

    Configuration details:
    * Windows 2003 Server
    * Active Directory (Directory Master)
    * DNS&DHCP integrated into AD
    * WINS service
    * Local clock synced to a ntp server
    * If you plan to use SSL, also Enterprise Certification Authority would be handy (to issue certificates for SSL).

    Sample users:
    First Name: Tom
    Last Name: Sawyer
    User logon name: toms@sfu.acme.com
    Password: PASSword.
    LDAP distinguished name: cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com

    First Name: Huck
    Last Name: Finn
    User logon name: huckf@sfu.acme.com
    Password: PASSword.
    LDAP distinguished name: cn=Huck Finn,cn=Users,dc=sfu,dc=acme,dc=com

    Gentoo Linux:
    Hostname: Gent
    DNS Name: gent.sfu.acme.com
    IP address: 192.168.1.28
    Configuration details:
    * USE settings: kerberos ldap samba sasl ssl (set them in /etc/make.conf; I recommend using the ufed tool for this)
    * ACCEPT_KEYWORDS="~x86" (set it in /etc/make.conf, too) - in this way, the latest available packages for the Intel platform will be installed.


Kerberos configuration
Before Kerberos is configured, make sure that you have synchronized the local clock with the NTP server. You can do it using the ntp-client module. Its configuration file is /etc/conf.d/ntp-client.

Code:

# /etc/conf.d/ntp-client
# Copyright 1999-2002 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
# $Header: /home/cvsroot/gentoo-x86/net-misc/ntp/files/ntp-client.confd,v 1.2 2003/09/19 17:50:37 vapier Exp $

# Command to run to set the clock initially
NTPCLIENT_CMD="ntpdate"

# Options to pass to the above command
NTPCLIENT_OPTS="-b tik.cesnet.cz"


To configure the Kerberos client side, we need to make needed settings in the /etc/krb5.conf file:

Code:

# /etc/krb5.conf
[libdefaults]
#       renew_lifetime = 18000
        default_realm = SFU.ACME.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
        dns_lookup_realm = true
        dns_lookup_kdc = true
        clockskew = 120

[realms]
        SFU.ACME.COM = {
        kdc = sfusrv.sfu.acme.com:88
        admin_server = sfusrv.sfu.acme.com:464
        }

[domain_realm]
        .sfu.acme.com = SFU.ACME.COM
        sfu.acme.com = SFU.ACME.COM

[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

[appdefaults]
        pam = {
        debug = false
        forwardable = true
        krb4_convert = false
        }


You can test the functionality of Kerberos by requesting an initial ticket for a Windows user from the Kerberos server - using the kinit command:

Code:

gent root # kinit toms
Password for toms@SFU.ACME.COM:
gent root # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: toms@SFU.ACME.COM

Valid starting     Expires            Service principal
03/25/04 14:46:58  03/26/04 00:47:02  krbtgt/SFU.ACME.COM@SFU.ACME.COM
        renew until 03/26/04 14:46:58


Once you have a working Kerberos client configuation, you'll probably want to be able to log into your system using your Kerberos password. Since we don't have LDAP working yet, you should add a local entry for your username to the passwd and shadow files, but set your crypted password in /etc/shadow to *K*, the community standard to indicate that the password comes from Kerberos.

Code:

#/etc/passwd
.
.
huckf:x:10004:10004:Local AD user:/home/huckf:/bin/bash



Code:

#/etc/shadow
.
.
huckf:*K*:10004:0:::::


Kerberos principal and Kerberos keytab
Now we need to create a Kerberos principal and the corresponding keytab file for our Linux workstation on the Windows server. Let's choose one of the Windows user accounts for this. The Kerberos Service Principal attribute for the Linux computer will be added to this user account.

BEWARE: It is not tolerable to create a Kerberos Service Principal with the same name in more than one user account. In such a case, Kerberos would not be able to authenticate it correctly.

The following command has to be performed for each Linux computer on a different user account:

Code:

C:> ktpass -princ nssldap/gent@SFU.ACME.COM -pass PASSword. -mapuser toms@SFU.ACME.COM -out gent_keytab

Targeting domain controller: sfusrv.sfu.acme.com
Successfully mapped nssldap/linux to toms.
Key created.
Output keytab to gent_keytab:
Keytab version: 0x502
keysize 49 nssldap/linux@SFU.ACME.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xd34c57321fd334b5)
Account toms has been set for DES-only encryption.


The keytab file (in this case gent_keytab) resulting from this command must be securely transferred into the Linux computer. As the next step, it should be merged into the existing local keytab file:

Code:

gent root # ktutil
ktutil:  rkt gent_keytab
ktutil:  list
slot KVNO Principal
---- ---- -------------------------------------------------------
   1    3                    nssldap/gent@SFU.ACME.COM
ktutil:  wkt /etc/krb5.keytab
ktutil:  q


Automatic updating of the Kerberos ticket
Let's now create a script for automatic updating of the Kerberos ticket for LDAP. After the command executes, root's Kerberos ticket cache (/tmp/krb5cc_0) will be updated.

/sbin/kerbinit.sh
Code:

#!/bin/sh
kinit -k -S ldap/sfusrv.sfu.acme.com nssldap/gent
chmod 600 /tmp/krb5cc_0


Check the results of this script. You can use the klist command to check the tickets in the Kerberos cache file. Note that the default location of this file is /tmp/krb5cc_[uid] (here, for the user root, it is the file /tmp/krb5cc_0).

Code:

gent root # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nssldap/gent@SFU.ACME.COM

Valid starting     Expires            Service principal
03/25/04 16:10:27  03/26/04 02:10:26  ldap/sfusrv.sfu.acme.com@SFU.ACME.COM
        renew until 03/26/04 16:10:27




You should add this script to root's crontab file (/var/spool/cron/crontabs/root). The following example will call kerbinit.sh every 2 hours:

Code:

# /var/spool/cron/crontabs/root
.
.
# minute 0 of every second hour (a '*' in the minute field would run it every minute)
0 */2 * * *      sh /sbin/kerbinit.sh


Furthermore, it is necessary to run kerbinit.sh at boot of the computer. In this way, the Linux computer will have a valid Kerberos ticket for access to LDAP. So let's add it to the /etc/conf.d/local.start file:

Code:

.
.
# This is a good place to load any misc.
# programs on startup ( 1>&2 )
sh /sbin/kerbinit.sh


LDAP configuration
Another important step is to make the correct settings in the LDAP config file. In Gentoo Linux there are actually two LDAP config files - /etc/ldap.conf and /etc/openldap/ldap.conf. If you want to use only one file for the LDAP configuration (there is nothing wrong with that in this case), you can make a symbolic link between them, for example:

Code:

ln -s /etc/ldap.conf /etc/openldap/ldap.conf


You can also try to set a system variable to determine, which file will be used for the LDAP configuration (by adding relevant line to the /etc/env.d/00basic file)

Code:

LDAPCONF="/etc/ldap.conf"


Following is an example of the /etc/ldap.conf file:

Code:

host sfusrv.sfu.acme.com
base dc=sfu,dc=acme,dc=com

# scope one
scope sub

# binddn cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com
# bindpw PASSword.
# rootbinddn cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com
# rootbind password is in the /etc/ldap.secret

# nss_map_objectclass shadowAccount user
# nss_map_attribute userPassword msSFU30Password

nss_map_objectclass posixAccount user
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute uid msSFU30Name
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos msSFU30Gecos

nss_map_objectclass posixGroup group
nss_map_attribute gid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
# nss_map_attribute uniqueMember member
# nss_map_attribute memberUid msSFU30MemberUid

pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad

nss_base_passwd cn=Users,dc=sfu,dc=acme,dc=com
# nss_base_passwd dc=sfu,dc=acme,dc=com

nss_base_shadow dc=sfu,dc=acme,dc=com

nss_base_group cn=Users,dc=sfu,dc=acme,dc=com
# nss_base_group dc=sfu,dc=acme,dc=com

nss_base_hosts cn=Computers,dc=sfu,dc=acme,dc=com

use_sasl on
sasl start_tls
# ssl on
# tls_cacertfile /etc/ssl/certs/cacert.cer
# sslpath /etc/ssl/certs/
# krb5_ccname FILE:/etc/.ldapcache


In the ldap.conf file you can see lines beginning with "nss_map_attribute", which are used to map the internal Unix attributes of users, groups, etc. to the attributes available in the Active Directory after the expansion of its schema by the MS Services for UNIX.

The lines beginning with "nss_base_passwd" and "nss_base_group" determine the bases (or contexts in the LDAP tree) from which searches for users and groups are made. You can enter more than one base here. By proper setting of the search bases, we can make LDAP searches more effective. Note that if nss_ldap was not compiled using the --enable-schema-mapping parameter, attribute mapping will not take place and the LDAP searches will be performed for the original Unix parameters.

The lines containing binddn, bindpw and rootbinddn (credentials for authentication to the LDAP directory) are commented out here, as Kerberos authentication will be used.

The line beginning with scope determines whether the child parts of the LDAP contexts should be searched, too (sub - search in all sub-contexts, one - search only the current context).
The ending part of the ldap.conf file contains settings for SASL authentication (Simple Authentication and Security Layer) and basic TLS encryption (Transport Layer Security).

To set up SSL encryption, you have to make the Linux computer trust the SSL certificate of the LDAP server, otherwise you will find the Unknown CA error message in the captured SSL handshake packets (use Ethereal for this).

I am not sure what the proper procedure is for making Linux trust the SSL certificate. One of the promising solutions could be to copy the files named *.db from the working profile directory of the Mozilla browser to the /etc/ssl/certs directory. But first, you have to point Mozilla to the secure LDAP port of the server and accept its certificate permanently.

Testing LDAP access
You can test different modes of access to the LDAP directory using the ldapsearch command. The output of this command should be a list of LDAP objects (and their attributes) which are matched by the LDAP request (in the following example it is objectclass=user). In the beginning, try to enter most of the parameters explicitly on the command line - in this way the /etc/ldap.conf settings are bypassed. For debugging, you can also add the parameter -d N, where N is the debug level (for example -d 5).

Code:

gent root # ldapsearch -x -s one -b "dc=sfu,dc=acme,dc=com" -D "cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com" \
> -w PASSword. objectclass=user


If your configuration file is correct, you can perform the same search without entering most of the parameters. Moreover, you can pipe its output to the grep command to write out only the lines containing, for example, the string msSFU30Name. In this way, the result will contain only the lines containing the login names of the matched users:

Code:

gent root # ldapsearch objectclass=user |grep msSFU30Name


The communication between the Linux computer and the LDAP server can be traced using Ethereal. I am assuming that Ethereal is run on the Windows server, so there is no need to install xfree on the Linux computer. It is convenient to filter the captured packets in Ethereal using the input filter - to capture only packets containing the IP address of the Linux computer:

Code:

ip host gent


You should investigate those packets to be sure that there is no unencrypted data relating to the LDAP information in the packets. You can also check if the LDAP bind is using Kerberos authentication - by looking at the packet containing the bind request. Expand its part named Lightweight Directory Access Protocol, Bind Request. If Kerberos authentication was used, the following sub-sections should be present there:


    GSS-API Token
    GSS-API
    krb5_blob
    Kerberos
    Ticket

In the Ticket section, you can also check parameters of the Kerberos ticket (Realm, Service Name, Name)

The Name Switch System

Now it is necessary to configure the Linux system to look for the user and group information in the LDAP directory, too. This should be done in the /etc/nsswitch.conf file by adding the keyword ldap to the lines for passwd and group.

Code:

# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $
passwd:      files ldap
shadow:      files
group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files


Note: The searches are made sequentially. The order of the searched databases is determined by their position (from the left) on the line of the /etc/nsswitch.conf file. For example, if you put "passwd: files ldap" there, at first the /etc/passwd file is parsed and then a search is performed in the LDAP directory. The results of the search are reported in the same order.

You can test the functionality of the NSS by using for example the getent or id command:

Code:

gent root # getent passwd
root:x:0:0:root:/root:/bin/bash
.
.
toms:x:10003:10002:Tom Sawyer:/home/toms:/bin/sh

gent root # id toms
uid=10003(toms) gid=10002(tstgroup) groups=10002(tstgroup)


The getent passwd command should print the list of users extracted from the /etc/passwd file, followed by the list of users acquired from the LDAP directory.


The PAM configuration

To be able to authenticate users via Kerberos, you have to add the Kerberos authentication module to the PAM configuration files. There are several configuration files; their names correspond to the names of the programs which perform the user authentication. I am listing here the most common PAM configuration files. These files are located in the /etc/pam.d directory. So you should append the lines referring to the pam_krb5.so module.
Note: The sufficient control token defines that for a successful authentication it is sufficient to be authenticated by the specified PAM module (even in a case when authentication made by previous "required" modules failed). The try_first_pass parameter instructs the PAM module that the password supplied to the previous PAM module should be tried first. In this way, another prompt for the password will not be invoked. To debug the PAM modules, you can also add the debug parameter, which will cause logging of the debug messages into the log file (/var/log/auth.log).

/etc/pam.d/login
Code:

#%PAM-1.0

auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_krb5.so try_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so

account    sufficient   /lib/security/pam_krb5.so
account    required     /lib/security/pam_stack.so service=system-auth

password   sufficient   /lib/security/pam_krb5.so
password   required     /lib/security/pam_stack.so service=system-auth

session    sufficient   /lib/security/pam_krb5.so
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so


/etc/pam.d/sshd
Code:

#%PAM-1.0
auth       sufficient   /lib/security/pam_krb5.so debug
auth       required     /lib/security/pam_stack.so service=system-auth

account    required     /lib/security/pam_stack.so service=system-auth

password   sufficient   /lib/security/pam_krb5.so debug
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_stack.so service=system-auth

session    sufficient   /lib/security/pam_krb5.so
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so


/etc/pam.d/system-auth
Code:

#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_krb5.so try_first_pass
auth       sufficient   /lib/security/pam_unix.so try_first_pass likeauth nullok
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_krb5.so debug
account    required     /lib/security/pam_unix.so

password   required     /lib/security/pam_krb5.so debug
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    sufficient   /lib/security/pam_krb5.so



The samba configuration
The Samba configuration is located in the main configuration file /etc/samba/smb.conf. The following is an example smb.conf for the example MS network and the SFUSRV Windows 2K3 server.

/etc/samba/smb.conf
Code:

# Separate domain and username with '+', like DOMAIN+username
[global]
        netbios name = GENT
        server string = %h server (Samba %v)
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind use default domain = yes
        template shell = /bin/bash
        template homedir = /home/%D/%U
        workgroup = SFU
        os level = 10
        socket address = 192.168.1.28
        preferred master = no
        winbind separator = +
        max log size = 512
        log file = /var/log/samba3/log.%m
        dns proxy = no
        realm = SFU.ACME.COM
        security = ADS
        encrypt passwords = yes
        password server = sfusrv.sfu.acme.com
        wins server = 192.168.1.20
        wins proxy = no

# Shares section
[SharedDir]
        comment = Shared directory
        writeable = yes
        path = /home/share
        force user = huckf


Before you can use Samba, you have to add your Linux computer to the Windows domain. This is done with the net ads join command.

Code:

gent root # net ads join -U Administrator
Administrator password:
Using short domain name -- SFU
Joined 'GENT' to realm 'SFU.ACME.COM'


After the successful execution of this command, you can check if the Linux computer is present in the list of domain computers in the MMC (Active Directory Users and Computers) on the Windows 2003 server.

Final configuration

In the end, the needed services and daemons should be added to the list of services launched at startup on the Linux computer. You should add these:

    * ntp-client - for time synchronization
    * samba - for sharing files via the SMB protocol
    * nscd (Name Service Cache Daemon) - for alleviating the communication with the LDAP server and for speeding up the LDAP searches


Use the rc-update command to accomplish this:

Code:

rc-update add ntp-client default
rc-update add samba default
rc-update add nscd default
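As an added illustration (my own code, not from MartinSt's post), the following Python script shows what the nss_map_* lines in /etc/ldap.conf above do: it parses a constructed ldap.conf modelled on the one in the post, builds the search that nss_ldap issues for `getent passwd toms` with and without schema mapping, and turns a constructed AD entry carrying the msSFU30 attributes into the passwd line seen in the getent output. The config text and the LDAP entry are sample data; no directory server is contacted.

```python
import re

# Constructed sample, modelled on the post's /etc/ldap.conf (not the live file).
LDAP_CONF = """\
host sfusrv.sfu.acme.com
base dc=sfu,dc=acme,dc=com
scope sub
nss_map_objectclass posixAccount user
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute uid msSFU30Name
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos msSFU30Gecos
nss_base_passwd cn=Users,dc=sfu,dc=acme,dc=com
"""

# Constructed AD entry for the sample user, as a schema-extended DC would return it.
TOMS_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "cn": ["Tom Sawyer"],
    "msSFU30Name": ["toms"],
    "msSFU30UidNumber": ["10003"],
    "msSFU30GidNumber": ["10002"],
    "msSFU30Gecos": ["Tom Sawyer"],
    "msSFU30HomeDirectory": ["/home/toms"],
    "msSFU30LoginShell": ["/bin/sh"],
}

# POSIX attributes of a passwd entry, in /etc/passwd column order (minus the 'x').
PASSWD_ATTRS = ("uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell")


def parse_ldap_conf(text):
    """Collect base, nss_base_* and nss_map_* settings from ldap.conf text."""
    conf = {"objectclass": {}, "attribute": {}, "base": {}}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "nss_map_objectclass" and len(parts) == 3:
            conf["objectclass"][parts[1]] = parts[2]
        elif parts[0] == "nss_map_attribute" and len(parts) == 3:
            conf["attribute"][parts[1]] = parts[2]
        elif parts[0].startswith("nss_base_") and len(parts) == 2:
            conf["base"][parts[0][len("nss_base_"):]] = parts[1]
        elif parts[0] == "base" and len(parts) == 2:
            conf["base"]["default"] = parts[1]
    return conf


def mapped(conf, kind, name, schema_mapping):
    """AD name for a POSIX objectclass/attribute; identity without schema mapping."""
    return conf[kind].get(name, name) if schema_mapping else name


def escape_filter(value):
    """RFC 4515 escaping for a value placed into a filter (blocks filter injection)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def passwd_filter(conf, login, schema_mapping=True):
    """(search base, filter) that nss_ldap issues for `getent passwd <login>`.

    Without --enable-schema-mapping the nss_map_* lines are ignored, so the
    search asks AD for posixAccount/uid, which the SFU schema does not use.
    """
    oc = mapped(conf, "objectclass", "posixAccount", schema_mapping)
    uid_attr = mapped(conf, "attribute", "uid", schema_mapping)
    base = conf["base"].get("passwd") or conf["base"].get("default")
    return base, "(&(objectClass=%s)(%s=%s))" % (oc, uid_attr, escape_filter(login))


def entry_to_passwd(conf, entry, schema_mapping=True):
    """passwd(5) line nss_ldap builds from an AD entry, or None if it cannot."""
    oc = mapped(conf, "objectclass", "posixAccount", schema_mapping)
    if oc not in entry.get("objectClass", []):
        return None
    fields = []
    for posix_attr in PASSWD_ATTRS:
        values = entry.get(mapped(conf, "attribute", posix_attr, schema_mapping))
        if not values:
            return None          # a required attribute is missing: no passwd entry
        fields.append(values[0])
    login, uid, gid, gecos, home, shell = fields
    return "%s:x:%s:%s:%s:%s:%s" % (login, uid, gid, gecos, home, shell)


if __name__ == "__main__":
    conf = parse_ldap_conf(LDAP_CONF)
    for mapping in (True, False):
        print("schema mapping %s:" % ("on" if mapping else "off"))
        print("  search:", passwd_filter(conf, "toms", mapping))
        print("  passwd:", entry_to_passwd(conf, TOMS_ENTRY, mapping))
```

With mapping off, the search and the entry conversion both come up empty, which is the same symptom as an nss_ldap built without --enable-schema-mapping: `getent passwd` lists only local users.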

MartinSt (n00b)
Joined: 09 May 2002
Posts: 13
Location: Ceske Budejovice, Czech Rep.
Posted: Wed Apr 07, 2004 7:26 am    Post subject: Creating home directories for AD users

I have found one more useful tip to add to my previous post. It was presented at the Novell Brainshare conference last week.

To automatically create home directories for the AD users at the time of their first login, you can add the following line to the /etc/pam.d/system-auth file (most pam.d configuration files point back to the system-auth file):

Code:

session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022


You should have the skeleton /etc/skel directory, of course ;-)
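As an added illustration (my own code, not from this thread), the following Python evaluator applies Linux-PAM's documented rules for the required, requisite, sufficient and optional control flags used in the pam.d files of the first post, over constructed stacks modelled on the /etc/pam.d/login auth section and the system-auth session section with the pam_mkhomedir line added here. Module results are simulated, so it runs without PAM.

```python
# Constructed stacks modelled on the thread's pam.d files (not copied from a live system).
LOGIN_AUTH = """\
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_krb5.so try_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
"""

SYSTEM_AUTH_SESSION = """\
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    sufficient   /lib/security/pam_krb5.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
"""


def parse_stack(text, mgmt_type):
    """Return [(control, module_name, args)] for one management type (auth, session...)."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] != mgmt_type:
            continue
        if len(parts) < 3:
            raise ValueError("malformed pam.d line: %r" % line)
        control, module = parts[1].lower(), parts[2].rsplit("/", 1)[-1]
        stack.append((control, module, parts[3:]))
    return stack


def run_stack(stack, outcomes):
    """Evaluate a stack with Linux-PAM's simple control semantics.

    outcomes maps module name -> True (success) / False (failure); a module
    missing from the map is treated as failing. Returns (result, modules_called)
    so the caller can see exactly where the stack stopped.
    """
    called = []
    required_failed = False
    if not stack:
        return False, called                 # an empty stack denies access
    for control, module, _args in stack:
        ok = outcomes.get(module, False)
        called.append(module)
        if control == "requisite":
            if not ok:
                return False, called         # fail immediately
        elif control == "required":
            if not ok:
                required_failed = True       # remember the failure, keep running
        elif control == "sufficient":
            if ok and not required_failed:
                return True, called          # success short-circuits the rest
            # a failed sufficient module is ignored
        elif control == "optional":
            if len(stack) == 1:
                return ok, called            # only decisive when it is the sole module
        else:
            raise ValueError("unsupported control flag: %s" % control)
    return (not required_failed), called


if __name__ == "__main__":
    auth = parse_stack(LOGIN_AUTH, "auth")
    print("Kerberos password accepted:",
          run_stack(auth, {"pam_securetty.so": True, "pam_krb5.so": True}))
    print("insecure tty, Kerberos ok:",
          run_stack(auth, {"pam_securetty.so": False, "pam_krb5.so": True,
                           "pam_stack.so": True, "pam_nologin.so": True}))
    session = parse_stack(SYSTEM_AUTH_SESSION, "session")
    print("session for Kerberos user:",
          run_stack(session, {"pam_limits.so": True, "pam_unix.so": True,
                              "pam_krb5.so": True, "pam_mkhomedir.so": True}))
```

Because a successful sufficient module ends the stack, a pam_mkhomedir line appended after session sufficient pam_krb5.so is never reached for a Kerberos user; put it before the sufficient entry (or make the pam_krb5 session line required) if home directories must be created.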

KsE (Apprentice)
Joined: 18 Mar 2003
Posts: 269
Location: St. Cloud, MN
Posted: Tue Apr 13, 2004 5:59 pm

I've been following the posts here, and getting info from www.samba.org and I can't get it to work.

All I need is for users logging in to a linux box to be authenticated via an active directory server.

I can connect with kerberos and I can join the domain, but I get an error when I do this:

Code:

# wbinfo -u
Error looking up domain users


I can't figure out what's going on here. Can someone please help me? I can post any config files that are needed.

-KsE

maalth (n00b)
Joined: 06 Jun 2003
Posts: 56
Location: Can't tell you...
Posted: Tue Apr 13, 2004 9:57 pm    Post subject: Wbinfo troubles....

Some questions first:

Did you remember to start samba and winbindd? Winbindd is the tool that handles the authentication. Without it, it won't work.

Do you have a file called system-auth-winbind in the directory /etc/pam.d?
It should have been installed when you emerged samba.

Did you edit /etc/nsswitch.conf?

I can't think of any other questions at the moment, but you can contact me. I will be home all night.


KsE wrote:
I've been following the posts here, and getting info from www.samba.org and I can't get it to work.

All I need is for users logging in to a linux box to be authenticated via an active directory server.

I can connect with kerberos and I can join the domain, but I get an error when I do this:

Code:

# wbinfo -u
Error looking up domain users


I can't figure out what's going on here. Can someone please help me? I can post any config files that are needed.

-KsE


jcummins (n00b)
Joined: 17 Jun 2003
Posts: 15
Location: Springfield, Mo
Posted: Tue Apr 13, 2004 11:12 pm

With this method, can permissions be placed on shares via Windows?

KsE (Apprentice)
Joined: 18 Mar 2003
Posts: 269
Location: St. Cloud, MN
Posted: Wed Apr 14, 2004 1:17 am

Yes, I started samba and winbind and they both start just fine. I have system-auth-winbind in /etc/pam.d and I also copied those contents to system-auth. I added this to /etc/nsswitch.conf

Code:

passwd:      compat winbind
shadow:      compat
group:       compat winbind


I can auth with kerberos and I can join the domain. Doing wbinfo -u doesn't work though.

maalth (n00b)
Joined: 06 Jun 2003
Posts: 56
Location: Can't tell you...
Posted: Thu Apr 15, 2004 2:47 am    Post subject: Windows permissions and shares....

jcummins wrote:
With this method, can permissions be placed on shares via Windows?


To be honest, I'm not sure. I never thought to use it that way. I did it so that I can listen to my mp3 collection from either my laptop or desktop. I don't see why it won't work. Obviously you can't see unix accounts from windows, but I don't see why setting up shares wouldn't work. I can test it next week. I can't this week because I'm leaving for NYC in two days to fill out paperwork for the NYPD and won't be home until Monday.

maalth (n00b)
Joined: 06 Jun 2003
Posts: 56
Location: Can't tell you...
Posted: Thu Apr 15, 2004 2:56 am    Post subject: Winbind...

KsE wrote:
Yes, I started samba and winbind and they both start just fine. I have system-auth-winbind in /etc/pam.d and I also copied those contents to system-auth. I added this to /etc/nsswitch.conf

Code:

passwd:      compat winbind
shadow:      compat
group:       compat winbind


I can auth with kerberos and I can join the domain. Doing wbinfo -u doesn't work though.

One more question, by chance are you running nscd? If you are, you need to stop and disable it. Winbind will not work if nscd is running. If not please PM me your config files... the files I would like to see are:
/etc/krb5
/etc/smb.conf

KsE (Apprentice)
Joined: 18 Mar 2003
Posts: 269
Location: St. Cloud, MN
Posted: Thu Apr 15, 2004 6:31 pm

krb5.conf:

Code:

[libdefaults]
        #ticket_lifetime = 600
        ticket_lifetime = 24000
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
        EXAMPLE.COM = {
        kdc = ads.example.com:88
        admin_server = ads.example.com:749
        #kdc = kerberos.example.com:88
        #kdc = kerberos2.example.com:88
        #admin_server = kerberos.example.com:749
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

[appdefaults]
        pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        }


smb.conf:

Code:

[global]
   workgroup = EXAMPLE
   server string = Samba Server %v
   log file = /var/log/samba3/log.%m
   max log size = 50
   hosts allow = 102.168.1.
   map to guest = bad user
   security = ads
   password server = *
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind separator = +
   winbind use default domain = yes
   realm = EXAMPLE.COM
   template homedir = /home/%D/%U
   obey pam restrictions = yes
   template shell = /bin/bash
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   dns proxy = no
[homes]
   comment = Home Directories
   browseable = no
   writable = yes


I replaced my PDC name with EXAMPLE. I got the smb.conf with "cat smb.conf | grep -v '#' | grep -v ';'".

I don't believe I'm using nscd. I didn't see it using "ps auxf". It's there, just not started.

Diezel (l33t)
Joined: 04 Feb 2003
Posts: 600
Location: Karjaa, Finland
Posted: Sun Jun 13, 2004 6:05 pm

KsE wrote:
I've been following the posts here, and getting info from www.samba.org and I can't get it to work.

All I need is for users logging in to a linux box to be authenticated via an active directory server.

I can connect with kerberos and I can join the domain, but I get an error when I do this:

Code:

# wbinfo -u
Error looking up domain users


I can't figure out what's going on here. Can someone please help me? I can post any config files that are needed.

-KsE


Did you find a solution to this? I'm having the same problem.
_________________
A bus station is where a bus stops, a train station is where a train stops. On
my desk I have a work station..
Nixadmins.net
FLUG member 473
Diezel
l33t


Joined: 04 Feb 2003
Posts: 600
Location: Karjaa, Finland

PostPosted: Sun Jun 13, 2004 11:00 pm    Post subject:

This is REALLY weird. I got tired of trying so I shut down the computer. Tried to sleep but this kept bothering me, came back, booted up and now it works. Don't have a clue why.
Anyway thanks.

//Diezel
_________________
A bus station is where a bus stops, a train station is where a train stops. On
my desk I have a work station..
Nixadmins.net
FLUG member 473
Frozensun
Tux's lil' helper


Joined: 16 Oct 2003
Posts: 82

PostPosted: Fri Jun 25, 2004 4:14 pm    Post subject:

Code:
[/]> wbinfo -u
Error looking up domain users


EDIT: This is a win2003 domain controller

still doesn't work for me :-(

/etc/krb5.conf
Code:
[libdefaults]
   default_realm = SPARKS.CITY
 
   [realms]
   SPARKS.CITY = {
        kdc = CityNT1.SPARKS.CITY
   }


/etc/samba/smb.conf
Code:
# Separate domain and username with '+', like DOMAIN+username
[global]
        netbios name = cwit2
 # I recommend the same name as the server.
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
   # Tweak this to get the best speed out of your connection
        idmap uid = 10000-20000
    # This is for mapping uids between linux server and AD
        winbind enum users = yes
   # This allows you to bind users.
        winbind gid = 10000-20000
   # This is for mapping gids between linux server and AD
        workgroup = LANGROUP
   # Change to match the NETBIOS name of the AD domain.
        os level = 20
   # This is for the master browser priority.
        winbind enum groups = yes
   # This allows you to use the Active Directory groups
   #        socket address = 1.2.3.4
   # Change this to match the IP address or remove it to listen to all addresses.
        password server = *
   # I recommend this if you have more than one server; I do in my case.
        preferred master = no
   # You do NOT want to be a master browser.
        winbind separator = +
   # See the first line comment.
        max log size = 50
   # In K
        log file = /var/log/samba3/log.%m
   # This allows logging activities for each machine.
        encrypt passwords = yes
   # Active directory does NOT accept plaintext passwords.
        dns proxy = no
   # You don't want anything to do with DNS.
        realm = SPARKS.CITY
    # This is for kerberos.
        security = ADS
   # Active directory server provides security for the shared resources.
        #wins server = 1.2.3.4
   # Change to IP address of your installed WINS server
        wins proxy = no
   # You don't want to proxy WINS either.

# Shares section
[downloads]  # Name of the share.
        comment = downloads
   # A comment...
        writeable = yes
   # If you want users to update the directory
        path = /home/jason/Downloads
   # Where is the share on the linux server
        force user = jason
   # Should be the name of the user who is responsible for the share.


:-(
arkane
l33t


Joined: 30 Apr 2002
Posts: 918
Location: Phoenix, AZ

PostPosted: Sat Jun 26, 2004 4:41 pm    Post subject:

Shame samba 3.x can't be an AD server on its own :(
kiko555
n00b


Joined: 13 Sep 2003
Posts: 6

PostPosted: Mon Jun 28, 2004 10:20 am    Post subject:

When I follow the steps and run this command: kinit Administrator@mail.hcp.com
I got this:
Quote:
kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials


Did I do anything wrong??
I had modified /etc/krb5.conf as below:
Quote:
[libdefaults]
ticket_lifetime = 600
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
EXAMPLE.COM = {
kdc = mail.hcp.com:88
admin_server = mail.hcp.com:749
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[kdc]
profile = /etc/krb5kdc/kdc.conf

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
rinacabj
Tux's lil' helper


Joined: 26 Dec 2003
Posts: 82
Location: Richmond, VA

PostPosted: Thu Jul 01, 2004 7:24 pm    Post subject:

I'm having an error when I do
Code:
ldapsearch -D "o=<top level of active directory>" -W "uid=Administrator" -h <IP address of the Active Directory server>


after I enter the correct password, I get
Code:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece
ElCondor
Guru


Joined: 10 Apr 2002
Posts: 520
Location: Vienna, Austria, Europe

PostPosted: Sun Jul 04, 2004 9:36 am    Post subject:

I'm stuck at Step 3 (testing whether krb5 works) with the following error:
Code:
backup1 samba # kinit Administrator@MYCOMPANY.COM
kinit(v5): KRB5 error code 68 while getting initial credentials

Does anyone know how I can solve this? I googled around but found no solution that works here :(

* ElCondor pasa *
_________________
Here I am the victim of my own choices and I'm just starting!
Martz
n00b


Joined: 04 Mar 2004
Posts: 72

PostPosted: Tue Jul 06, 2004 1:13 pm    Post subject:

I had problems getting this working too.

However, I changed in smb.conf:
password server = *

to

password server = CHOICE2K

(CHOICE2K being the NETBIOS name of the Windows 2000 domain controller). Also make sure you have a DNS entry in your /etc/hosts file.

I set mine to pa55w0rd (thinking that this entry was a PASSWORD for accessing the server.. or something.. obviously not :))

So yesterday I installed Gentoo from a stage 1, and today I have got Samba working using winbind against our existing Windows 2000 domain :)
ElCondor
Guru


Joined: 10 Apr 2002
Posts: 520
Location: Vienna, Austria, Europe

PostPosted: Tue Jul 06, 2004 1:22 pm    Post subject:

Thanks for the hint, but the error happens with kinit, so it's not (yet) a samba problem; something with kerberos seems to be wrong. As far as I found on Google, it has something to do with the "principals", but I have no idea what I should enter there.

* ElCondor pasa *
_________________
Here I am the victim of my own choices and I'm just starting!
GenTimJS
Guru


Joined: 03 May 2003
Posts: 406
Location: NH, USA

PostPosted: Wed Jul 07, 2004 6:41 pm    Post subject:

I followed the directions as best I could in the original post.

I successfully created a share, which is accessible via active directory.
I have admin access on the linux box, the AD servers, and the AD clients.

However, on the linux box running samba, the winbindd stuff doesn't seem to work, and doesn't generate any errors.

Furthermore, no winbindd script was created in /etc/init.d/

??
_________________
-Tim Smith
bdraw
n00b


Joined: 24 Nov 2003
Posts: 21
Location: Tampa

PostPosted: Mon Jul 12, 2004 9:04 pm    Post subject:

ElCondor wrote:
I'm stuck at Step 3 (trying if krb5 works) with the following error:
Code:
backup1 samba # kinit Administrator@MYCOMPANY.COM
kinit(v5): KRB5 error code 68 while getting initial credentials

Does anyone know how I can solve this? I googled around but found no solution that works here :(


I am getting the same error, the funny thing is that mine was working but now it's not.

Ben
_________________
If it's too easy it's boring.
Ben
bdraw
n00b


Joined: 24 Nov 2003
Posts: 21
Location: Tampa

PostPosted: Mon Jul 12, 2004 9:21 pm    Post subject:

bdraw wrote:
ElCondor wrote:
I'm stuck at Step 3 (trying if krb5 works) with the following error:
Code:
backup1 samba # kinit Administrator@MYCOMPANY.COM
kinit(v5): KRB5 error code 68 while getting initial credentials

Does anyone know how I can solve this? I googled around but found no solution that works here :(


I am getting the same error, the funny thing is that mine was working but now it's not.

Ben


I had the wrong domain name duh! Now it works
_________________
If it's too easy it's boring.
Ben
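Both kinit failures reported above (kiko555's "Cannot resolve network address for KDC in requested realm" and ElCondor's "KRB5 error code 68", which bdraw traced to a wrong domain name) come down to the realm in the principal not matching a [realms] stanza in krb5.conf. The following check is an added example, not code from any post in this thread: it parses krb5.conf text with POSIX sh and awk and reports whether the principal's realm has a KDC configured, using a constructed sample config with hypothetical realm and host names.

```shell
#!/bin/sh
# Added example (not from any post in this thread). Constructed krb5.conf
# sample modelled on the one posted above; realm and KDC names are hypothetical.
KRB5_SAMPLE='[libdefaults]
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
kdc = mail.hcp.com:88
admin_server = mail.hcp.com:749
}'

# Read krb5.conf text on stdin and print each "kdc = host[:port]" value from
# the [realms] stanza for realm $1, one per line; print nothing when that realm
# has no stanza. Realm names compare case-sensitively, as the krb5 library does.
kdcs_for_realm() {
    want=$1
    awk -v want="$want" '
        /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        insect && $1 == want && $2 == "="   { inrealm = 1; next }
        inrealm && /^[[:space:]]*}/         { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" { print $3 }
    '
}

# Check the principal you would hand to kinit ($1) against krb5.conf text ($2).
# Exit 0 and print the KDC list when the principal's realm has a kdc line;
# exit 1 when no stanza exists (kinit then cannot locate a KDC for the realm);
# exit 2 when a stanza exists only under the upper-cased spelling of the realm.
check_principal_realm() {
    principal=$1
    conf=$2
    realm=${principal##*@}
    if [ "$realm" = "$principal" ]; then
        # no @REALM given: kinit falls back to default_realm
        realm=$(printf '%s\n' "$conf" | awk '$1 == "default_realm" { print $3 }')
    fi
    kdcs=$(printf '%s\n' "$conf" | kdcs_for_realm "$realm")
    if [ -n "$kdcs" ]; then
        printf '%s\n' "$kdcs"
        return 0
    fi
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$upper" != "$realm" ] && [ -n "$(printf '%s\n' "$conf" | kdcs_for_realm "$upper")" ]; then
        return 2
    fi
    return 1
}
```

Run it against your real file with `check_principal_realm Administrator@YOUR.REALM "$(cat /etc/krb5.conf)"`; a non-zero status means kinit will fail before it ever talks to a domain controller.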
ElForesto
n00b


Joined: 26 Feb 2004
Posts: 26
Location: Salt Lake City, UT USA

PostPosted: Wed Jul 14, 2004 11:11 pm    Post subject: Don't make this emerge world mistake!

I found this out the hard way.

If you didn't edit your make.conf to add ldap and kerberos and you run an emerge world, expect things to break. FAST. Just finished rebuilding it after I couldn't figure out what I did.
Martz
n00b


Joined: 04 Mar 2004
Posts: 72

PostPosted: Thu Jul 22, 2004 11:24 am    Post subject:

GenTimJS wrote:

Furthermore, no winbindd script was created in /etc/init.d/

??


What is the best way to get winbind to start up with samba? I have to run prompt# winbindd from the shell each time after boot :(

Looking in /etc/conf.d/samba it has the following lines:

Code:

smbd_start_options="-D"
smbd_start="start-stop-daemon --start --quiet --exec /usr/sbin/smbd -- ${smbd_start_options}"
smbd_stop="start-stop-daemon --stop --quiet --pidfile /var/run/samba/smbd.pid"
smbd_reload="killall -HUP smbd"

nmbd_start_options="-D"
nmbd_start="start-stop-daemon --start --quiet --exec /usr/sbin/nmbd -- ${nmbd_start_options}"
nmbd_stop="start-stop-daemon --stop --quiet --pidfile /var/run/samba/nmbd.pid"
nmbd_reload="killall -HUP nmbd"

winbind_start_options=""
winbind_start="start-stop-daemon --start --quiet --exec /usr/sbin/winbindd -- ${winbind_start_options}"
winbind_stop="start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/winbindd"
winbind_reload="killall -HUP winbindd"


Is there anything I can tweak to make winbindd start from this script?
Martz
n00b


Joined: 04 Mar 2004
Posts: 72

PostPosted: Thu Jul 22, 2004 11:30 am    Post subject:

OMG I'm an idiot..

winbind can be started automagically by looking at the second line of /etc/conf.d/samba

Change:
Code:
daemon_list="smbd nmbd"

To:
Code:
daemon_list="smbd nmbd winbind"

And that's it, it works! :)
theonlymcc
Apprentice


Joined: 16 Sep 2003
Posts: 274
Location: NC

PostPosted: Fri Jul 23, 2004 1:57 pm    Post subject:

Ok. I set this up according to the nice setup guide at the beginning of this thread. I have joined the domain. Now, what is the point of it? I mean, can I map drives now? What is the advantage of setting this whole thing up? Sorry for the n00b question.