MartinSt n00b
Joined: 09 May 2002 Posts: 13 Location: Ceske Budejovice, Czech Rep.
Posted: Thu Apr 01, 2004 7:30 am
Hi, I have spent more than two weeks finding out the main bells and whistles of deploying a Linux machine as a Samba server in an MS W2K3 AD environment, so I would like to share my experience here. I suppose this could help add some important details to the previous postings in this thread and summarize the whole process. As I am not an expert in this area, I still do not thoroughly understand many relevant things, so please be tolerant.
Installation goals:
* use Kerberos for user authentication to the system and for access to the samba shared directories
* use encrypted access to the LDAP interface of the MS Active Directory
Useful debugging tools:
Ethereal - ** THIS IS A MUST-HAVE TOOL HERE ** - for tracing communication between your Linux machine and the AD server
http://www.ethereal.com/
LDAP browser - for accessing the AD through LDAP and viewing the information stored there (you can see the same information in the MS ADSI Editor, too). You can use it to check the directory structure and to read/edit the information stored there. I am using the Java LDAP browser from this page:
http://www.iit.edu/~gawojar/ldap/
Unfortunately, this browser doesn't play well with the blackdown-jdk, but works fine with the sun-jdk.
strace (dev-util/strace) - debugging utility which intercepts and records the system calls made by a process and the signals it receives. For example, to find out which files are opened during execution of the getent passwd command, you can use this command:
Code: |
strace -e open getent passwd
|
Windows Software
Microsoft Services for Unix, or SFU (current version is 3.5). You can download this software (approx. 350 MB) from this site:
http://www.microsoft.com/windows/sfu/downloads/default.asp
(You have to be registered with MS .NET Passport before downloading.) In previous posts the AD4UNIX software was recommended, but it seems to be abandoned now, while MS SFU is free now and still developing.
During the installation of MS SFU choose only the "Server for NIS" option. This will extend the AD schema and install the MMC snap-in (similar to the AD4UNIX one). Verify that you are able to create users with UNIX attributes and inspect those users from the LDAP side. When the installation is finished and the server is restarted, you can test the functionality of the SFU MMC snap-in and verify the SFU attributes in the LDAP browser. As the NIS server will not be needed, stop the Server for NIS service and change its startup type to Manual.
Note: The Server for NIS service, among other things, performs password synchronization between Kerberos and the LDAP msSFU30Password attribute. Synchronized passwords are however truncated to 8 characters and they aren't well encrypted - that's another reason to stop the Server for NIS service.
Needed packages to emerge:
samba - make sure that it's the 3.x version
openssl - needed for SSL
openldap - we will need this for client LDAP searches
cyrus-sasl - Simple Authentication and Security Layer - for basic encryption of LDAP binds and searches
ntp - We will use the ntp-client for time synchronization (for proper Kerberos functioning)
mit-krb5 - the MIT Kerberos
pam - the Pluggable Authentication Module base
pam_krb5 - Kerberos PAM module (note that the pam_ldap module will not be needed). There are some problems emerging the 1.0 version, see other posts on these forums. It seems to have problems with password change, too.
nss_ldap - LDAP module for the name service switch (enables redirection of searches for users, groups, etc. to LDAP)
Note: Make sure that nss_ldap is compiled with the --enable-schema-mapping parameter enabled, otherwise it will be of no use here.
Let's assume the following initial configuration:
MS Windows Server:
Servername: SFUSRV
AD Domain: DC=SFU,DC=ACME,DC=COM
DNS Name: sfusrv.sfu.acme.com
Server's IP address: 192.168.1.20
Configuration details:
* Windows 2003 Server
* Active Directory (Directory Master)
* DNS&DHCP integrated into AD
* WINS service
* Local clock synced to a ntp server
* If you plan to use SSL, also Enterprise Certification Authority would be handy (to issue certificates for SSL).
Sample users:
First Name: Tom
Last Name: Sawyer
User logon name: toms@sfu.acme.com
Password: PASSword.
LDAP distinguished name: cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com
First Name: Huck
Last Name: Finn
User logon name: huckf@sfu.acme.com
Password: PASSword.
LDAP distinguished name: cn=Huck Finn,cn=Users,dc=sfu,dc=acme,dc=com
Gentoo Linux:
Hostname: Gent
DNS Name: gent.sfu.acme.com
IP address: 192.168.1.28
Configuration details:
* USE settings: kerberos ldap samba sasl ssl (set them in the /etc/make.conf; I recommend to use the ufed tool for this)
* ACCEPT_KEYWORDS="~x86" (set them in the /etc/make.conf, too) - in this way, the latest available packages for the intel platform will be installed.
Kerberos configuration
Before Kerberos is configured, make sure that you have synchronized the local clock with the NTP server. You can do it using the ntp-client module. Its configuration file is /etc/conf.d/ntp-client.
Code: |
# /etc/conf.d/ntp-client
# Copyright 1999-2002 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
# $Header: /home/cvsroot/gentoo-x86/net-misc/ntp/files/ntp-client.confd,v 1.2 2003/09/19 17:50:37 vapier Exp $
# Command to run to set the clock initially
NTPCLIENT_CMD="ntpdate"
# Options to pass to the above command
NTPCLIENT_OPTS="-b tik.cesnet.cz"
|
To configure the Kerberos client side, we need to make needed settings in the /etc/krb5.conf file:
Code: |
# etc/krb5.conf
[libdefaults]
# renew_lifetime = 18000
default_realm = SFU.ACME.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
clockskew = 120
[realms]
SFU.ACME.COM = {
kdc = sfusrv.sfu.acme.com:88
admin_server = sfusrv.sfu.acme.com:464
}
[domain_realm]
.sfu.acme.com = SFU.ACME.COM
sfu.acme.com = SFU.ACME.COM
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[appdefaults]
pam = {
debug = false
forwardable = true
krb4_convert = false
}
|
You can test the functionality of Kerberos by requesting an initial ticket for a Windows user from the Kerberos server, using the kinit command:
Code: |
gent root # kinit toms
Password for toms@SFU.ACME.COM:
gent root # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: toms@SFU.ACME.COM
Valid starting Expires Service principal
03/25/04 14:46:58 03/26/04 00:47:02 krbtgt/SFU.ACME.COM@SFU.ACME.COM
renew until 03/26/04 14:46:58
|
Once you have a working Kerberos client configuration, you'll probably want to be able to log into your system using your Kerberos password. Since we don't have LDAP working yet, you should add a local entry for your username to the passwd and shadow files, but set your crypted password in /etc/shadow to *K*, the community standard to indicate that the password comes from Kerberos.
Code: |
#/etc/passwd
.
.
huckf:x:10004:10004:Local AD user:/home/huckf:/bin/bash
|
Code: |
#/etc/shadow
.
.
huckf:*K*:10004:0:::::
|
Kerberos principal and Kerberos keytab
Now we need to create a Kerberos principal and the corresponding keytab file for our Linux workstation on the Windows server. Let's choose one of the Windows user accounts for this. The Kerberos Service Principal attribute for the Linux computer will be added to this user account.
BEWARE: It is not tolerable to create a Kerberos Service Principal with the same name in more than one user account. In such a case, Kerberos would not be able to authenticate it correctly.
The following command has to be performed for each Linux computer, each on a different user account:
Code: |
C:> ktpass -princ nssldap/gent@SFU.ACME.COM -pass PASSword.
-mapuser toms@SFU.ACME.COM -out gent_keytab
Targeting domain controller: sfusrv.sfu.acme.com
Successfully mapped nssldap/linux to toms.
Key created.
Output keytab to gent_keytab:
Keytab version: 0x502
keysize 49 nssldap/linux@SFU.ACME.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xd34c57321fd334b5)
Account toms has been set for DES-only encryption.
|
The keytab file (in this case gent_keytab) resulting from this command must be securely transferred into the Linux computer. As the next step, it should be merged into the existing local keytab file:
Code: |
gent root # ktutil
ktutil: rkt gent_keytab
ktutil: list
slot KVNO Principal
---- ---- -------------------------------------------------------
1 3 nssldap/gent@SFU.ACME.COM
ktutil: wkt /etc/krb5.keytab
ktutil: q
|
Automatic updating of the Kerberos ticket
Let's now create a script for automatic renewal of the Kerberos ticket for LDAP. After the command executes, root's Kerberos ticket cache (/tmp/krb5cc_0) will be updated.
/sbin/kerbinit.sh
Code: |
#!/bin/sh
kinit -k -S ldap/sfusrv.sfu.acme.com nssldap/gent
chmod 600 /tmp/krb5cc_0
|
Check the results of this script. You can use the klist command to check the tickets in the Kerberos cache file. Note that the default location of this file is /tmp/krb5cc_[uid] (here, for the user root, it is the file /tmp/krb5cc_0)
Code: |
gent root # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nssldap/gent@SFU.ACME.COM
Valid starting Expires Service principal
03/25/04 16:10:27 03/26/04 02:10:26 ldap/sfusrv.sfu.acme.com@SFU.ACME.COM
renew until 03/26/04 16:10:27
|
You should add this script to root's crontab file (/var/spool/cron/crontabs/root). The following example will call kerbinit.sh every 2 hours:
Code: |
# /var/spool/cron/crontabs/root
.
.
# minute 0 of every second hour (a "*" in the minute field would fire every minute of those hours)
0 */2 * * * sh /sbin/kerbinit.sh
|
Furthermore, it is necessary to run kerbinit.sh at boot. In this way the Linux computer will have a valid Kerberos ticket for access to LDAP. So let's add it to the /etc/conf.d/local.start file:
Code: |
.
.
# This is a good place to load any misc.
# programs on startup ( 1>&2 )
sh /sbin/kerbinit.sh
|
LDAP configuration
Another important step is to make the correct settings in the LDAP config file. In Gentoo Linux there are actually two LDAP config files, /etc/ldap.conf and /etc/openldap/ldap.conf. If you want to use only one file for the LDAP configuration (there is nothing wrong with that), you can make a symbolic link between them, for example:
Code: |
ln -s /etc/ldap.conf /etc/openldap/ldap.conf
|
You can also try to set an environment variable to determine which file will be used for the LDAP configuration (by adding the relevant line to the /etc/env.d/00basic file)
Code: |
LDAPCONF="/etc/ldap.conf"
|
Following is an example of the /etc/ldap.conf file:
Code: |
host sfusrv.sfu.acme.com
base dc=sfu,dc=acme,dc=com
# scope one
scope sub
# binddn cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com
# bindpw PASSword.
# rootbinddn cn= Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com
# rootbind password is in the /etc/ldap.secret
# nss_map_objectclass shadowAccount user
# nss_map_attribute userPassword msSFU30Password
nss_map_objectclass posixAccount user
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute uid msSFU30Name
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos msSFU30Gecos
nss_map_objectclass posixGroup group
nss_map_attribute gid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
# nss_map_attribute uniqueMember member
# nss_map_attribute memberUid msSFU30MemberUid
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
nss_base_passwd cn=Users,dc=sfu,dc=acme,dc=com
# nss_base_passwd dc=sfu,dc=acme,dc=com
nss_base_shadow dc=sfu,dc=acme,dc=com
nss_base_group cn=Users,dc=sfu,dc=acme,dc=com
# nss_base_group dc=sfu,dc=acme,dc=com
nss_base_hosts cn=Computers,dc=sfu,dc=acme,dc=com
use_sasl on
sasl start_tls
# ssl on
# tls_cacertfile /etc/ssl/certs/cacert.cer
# sslpath /etc/ssl/certs/
# krb5_ccname FILE:/etc/.ldapcache
|
In the ldap.conf file you can see lines beginning with "nss_map_attribute", which map the internal Unix attributes of users, groups, etc. to the attributes available in Active Directory after its schema has been extended by MS Services for UNIX.
The lines beginning with "nss_base_passwd" and "nss_base_group" determine the bases (or contexts in the LDAP tree) from which searches for users and groups are made. You can enter more than one base here. By setting the search bases properly, we can make LDAP searches more efficient. Note that if nss_ldap was not compiled with the --enable-schema-mapping parameter, attribute mapping will not take place and the LDAP searches will be performed for the original Unix attributes.
The lines containing binddn, bindpw and rootbinddn (credentials for authentication to the LDAP directory) are commented out here, as Kerberos authentication will be used.
The line beginning with scope determines whether the child parts of the LDAP contexts should be searched too (sub - search in all sub-contexts, one - search only the current context).
The ending part of the ldap.conf file contains the settings for SASL authentication (Simple Authentication and Security Layer) and basic TLS encryption (Transport Layer Security).
To set up SSL encryption, you have to make the Linux computer trust the SSL certificate of the LDAP server; otherwise you can find the Unknown CA error message in the captured SSL handshake packets (use Ethereal for it).
I am not sure what the proper procedure is for making Linux trust the SSL certificate. One promising solution could be to copy the files named *.db from the working profile directory of the Mozilla browser to the /etc/ssl/certs directory. But first, you have to point Mozilla to the secure LDAP port of the server and accept its certificate permanently.
Testing LDAP access
You can test different modes of access to the LDAP directory using the ldapsearch command. The output of this command should be a list of LDAP objects (and their attributes) matched by the LDAP request (in the following example it is objectclass=user). In the beginning, try to enter most of the parameters explicitly on the command line; in this way the /etc/ldap.conf settings are bypassed. For debugging, you can also add the parameter -d N, where N is the debug level (for example -d 5)
Code: |
gent root # ldapsearch -x -s one -b "dc=sfu,dc=acme,dc=com" -D "cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com" \
> -w PASSword. objectclass=user
|
If your configuration file is correct, you can perform the same search without entering most of the parameters. Moreover, you can pipe its output to the grep command to write out only the lines containing, for example, the string msSFU30Name. In this way the result will contain only the lines with the login names of the matched users:
Code: |
gent root # ldapsearch objectclass=user |grep msSFU30Name
|
The communication between the Linux computer and the LDAP server can be traced using Ethereal. I am assuming that Ethereal is run on the Windows server, as otherwise there is no need to install xfree on the Linux computer. It is convenient to filter the captured packets in Ethereal using the capture filter, to capture only packets containing the IP address of the Linux computer:
You should investigate those packets to be sure that there is no unencrypted LDAP data in the packets. You can also check whether the LDAP bind is using Kerberos authentication by looking at the packet containing the bind request. Expand its part named Lightweight Directory Access Protocol, Bind Request. If Kerberos authentication was used, the following sub-sections should be present there:
GSS-API Token
GSS-API
krb5_blob
Kerberos
Ticket
In the Ticket section, you can also check parameters of the Kerberos ticket (Realm, Service Name, Name)
The Name Service Switch
Now it is necessary to configure the Linux system to look for user and group information in the LDAP directory, too. This should be done in the /etc/nsswitch.conf file by adding the keyword ldap to the lines for passwd and group.
Code: |
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $
passwd: files ldap
shadow: files
group: files ldap
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
|
Note: The searches are made sequentially. The order of the searched databases is determined by their position (from the left) on the line of the /etc/nsswitch.conf file. For example, if you put "passwd: files ldap" there, at first the /etc/passwd file is parsed and then a search is performed in the LDAP directory. The results of the search are reported in the same order.
You can test the functionality of the NSS by using for example the getent or id command:
Code: |
gent root # getent passwd
root:x:0:0:root:/root:/bin/bash
.
.
toms:x:10003:10002:Tom Sawyer:/home/toms:/bin/sh
gent root # id toms
uid=10003(toms) gid=10002(tstgroup) groups=10002(tstgroup)
|
The getent passwd command should print the list of users extracted from the /etc/passwd file, followed by the list of users acquired from the LDAP directory.
The PAM configuration
To be able to authenticate users via Kerberos, you have to add the Kerberos authentication module to the PAM configuration files. There are several configuration files; their names correspond to the names of the programs which perform the user authentication. I am listing here the most common PAM configuration files. These files are located in the /etc/pam.d directory. So you should append the lines referring to the pam_krb5.so module.
Note: The sufficient control token defines that for a successful authentication it is sufficient to be authenticated by the specified PAM module (even in a case when authentication made by previous "required" modules failed). The try_first_pass parameter instructs the PAM module that the password supplied to the previous PAM module should be tried first. In this way, another prompt for the password will not be invoked. To debug the PAM modules, you can also add the debug parameter, which will cause logging of debug messages into the log file (/var/log/auth.log).
/etc/pam.d/login
Code: |
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_krb5.so try_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_krb5.so
account required /lib/security/pam_stack.so service=system-auth
password sufficient /lib/security/pam_krb5.so
password required /lib/security/pam_stack.so service=system-auth
session sufficient /lib/security/pam_krb5.so
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
|
/etc/pam.d/sshd
Code: |
#%PAM-1.0
auth sufficient /lib/security/pam_krb5.so debug
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password sufficient /lib/security/pam_krb5.so debug
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_stack.so service=system-auth
session sufficient /lib/security/pam_krb5.so
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
|
/etc/pam.d/system-auth
Code: |
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_krb5.so try_first_pass
auth sufficient /lib/security/pam_unix.so try_first_pass likeauth nullok
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_krb5.so debug
account required /lib/security/pam_unix.so
password required /lib/security/pam_krb5.so debug
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session sufficient /lib/security/pam_krb5.so
|
The samba configuration
The Samba configuration is located in the main configuration file /etc/samba/smb.conf. The following is an example smb.conf for the example MS network and the SFUSRV Windows 2K3 server.
/etc/samba/smb.conf
Code: |
# Separate domain and username with '+', like DOMAIN+username
[global]
netbios name = GENT
server string = %h server (Samba %v)
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/%D/%U
workgroup = SFU
os level = 10
socket address = 192.168.1.28
preferred master = no
winbind separator = +
max log size = 512
log file = /var/log/samba3/log.%m
dns proxy = no
realm = SFU.ACME.COM
security = ADS
encrypt passwords = yes
password server = sfusrv.sfu.acme.com
wins server = 192.168.1.20
wins proxy = no
# Shares section
[SharedDir]
comment = Shared directory
writeable = yes
path = /home/share
force user = huckf
|
Before you can use Samba, you have to add your Linux computer to the Windows domain. It should be done with the net ads join command.
Code: |
gent root # net ads join -U Administrator
Administrator password:
Using short domain name -- SFU
Joined 'GENT' to realm 'SFU.ACME.COM'
|
After the successful execution of this command, you can check whether the Linux computer is present in the list of domain computers in the MMC (Active Directory Users and Computers) on the Windows 2003 server.
Final configuration
In the end, the needed services and daemons should be added to the list of services launched at startup on the Linux computer. You should add these:
* ntp-client - for the time synchronization
* samba - for sharing files via the SMB protocol
* nscd (Name Service Cache Daemon) - for alleviating the communication with the LDAP server and for speeding up the LDAP searches
Use the rc-update command to accomplish this:
Code: |
rc-update add ntp-client default
rc-update add samba default
rc-update add nscd default
|
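The ktpass/ktutil step above ends with a keytab whose only key is single DES (ktpass itself reports "DES-only encryption"). The following is an added example, not code from the post: a Python parser for the MIT keytab layout that ktpass writes and ktutil reads (file format version 0x502, the "Keytab version: 0x502" in the ktpass output), which lists each entry's principal, kvno and enctype and flags single-DES keys as weak. The sample keytab is built inline by build_keytab() with dummy key bytes; the principal names follow the post, while the AES entry and the WEAK/LEGACY/OK labels are this example's own choices.

```python
"""Parse an MIT Kerberos keytab (file format version 0x502) and flag weak enctypes.

Added example, not code from the post. The sample keytab is constructed inline
by build_keytab() with dummy key bytes; it is not the poster's gent_keytab.
"""
import struct

# Enctype numbers as assigned in RFC 3961 and used by MIT and Windows KDCs.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3}        # single DES: 56-bit key
LEGACY_ENCTYPES = {16, 23}       # 3DES and RC4-HMAC: still seen, not preferred


def _counted(data, pos):
    """Read a counted_octet_string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per entry: principal, name_type, timestamp, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno, needed once kvno exceeds 255
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def _cnt(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples in the same layout (test data only)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cnt(realm.encode())
        body += b"".join(_cnt(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">H", enctype) + _cnt(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def audit_keytab(data):
    """Return [(principal, enctype name, 'WEAK'|'LEGACY'|'OK')] for every entry."""
    report = []
    for e in parse_keytab(data):
        verdict = ("WEAK" if e["enctype"] in WEAK_ENCTYPES else
                   "LEGACY" if e["enctype"] in LEGACY_ENCTYPES else "OK")
        report.append((e["principal"], ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])), verdict))
    return report


# Constructed sample: a single-DES entry like the one ktpass produced in the post
# (key bytes are dummies) next to an AES-256 host key for comparison.
SAMPLE_KEYTAB = build_keytab([
    ("nssldap/gent@SFU.ACME.COM", 3, 3, bytes.fromhex("0123456789abcdef")),
    ("host/gent.sfu.acme.com@SFU.ACME.COM", 5, 18, bytes(range(32))),
])

if __name__ == "__main__":
    for principal, enctype, verdict in audit_keytab(SAMPLE_KEYTAB):
        print(f"{verdict:6} {enctype:24} {principal}")
```

To audit a real file, pass open("/etc/krb5.keytab", "rb").read() to audit_keytab(); the report tells you which entries still depend on a 56-bit DES key before a KDC or client that refuses DES makes the service principal stop working.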
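The Ethereal check described above (open the Bind Request and look for the GSS-API token) can also be done on the bytes directly. As an added example, not code from the post: a minimal BER decoder for the LDAP BindRequest (RFC 4511) that reports whether a bind is a simple bind carrying the password on the wire, as the ldapsearch -x -D ... -w test does, or a SASL bind with its mechanism name, as nss_ldap does with use_sasl on. The two sample messages are constructed inline by build_bind() and are not captured traffic; the GSSAPI token bytes are a placeholder, not a real ticket.

```python
"""Classify an LDAP BindRequest as simple (password on the wire) or SASL.

Added example, not code from the post. Sample messages are constructed inline
with build_bind(); they are not captured packets.
"""

# BER tags used by an LDAP BindRequest (RFC 4511, section 4.2)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # [0] primitive: the password itself
TAG_AUTH_SASL = 0xA3      # [3] constructed: SaslCredentials { mechanism, credentials }


def _encode_len(n):
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _encode_len(len(payload)) + payload


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def build_bind(msg_id, dn, simple_pw=None, sasl_mech=None, sasl_token=b""):
    """Serialize an LDAPMessage carrying a BindRequest (constructed test data)."""
    if simple_pw is not None:
        auth = _tlv(TAG_AUTH_SIMPLE, simple_pw)
    else:
        creds = _tlv(TAG_OCTET_STRING, sasl_mech) + _tlv(TAG_OCTET_STRING, sasl_token)
        auth = _tlv(TAG_AUTH_SASL, creds)
    bind = _tlv(TAG_BIND_REQUEST, _tlv(TAG_INTEGER, b"\x03") + _tlv(TAG_OCTET_STRING, dn) + auth)
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([msg_id])) + bind)


def classify_bind(msg):
    """Describe the bind in msg, or return None if msg is not a BindRequest."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        return None
    _, msg_id, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != TAG_BIND_REQUEST:
        return None
    _, version, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    result = {"message_id": int.from_bytes(msg_id, "big"),
              "version": version[0], "dn": dn.decode()}
    if auth_tag == TAG_AUTH_SIMPLE:
        # Simple bind: the password travels as-is; only TLS underneath protects it.
        result.update(kind="simple", password_on_wire=len(auth) > 0)
    elif auth_tag == TAG_AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)
        result.update(kind="sasl", mechanism=mech.decode(), password_on_wire=False)
    else:
        result.update(kind="unknown", password_on_wire=False)
    return result


# Constructed samples: the ldapsearch -x -D ... -w test from the post (simple bind)
# and a SASL GSSAPI bind as nss_ldap sends with use_sasl on (token is a placeholder).
SIMPLE_BIND = build_bind(1, b"cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com", simple_pw=b"PASSword.")
GSSAPI_BIND = build_bind(2, b"", sasl_mech=b"GSSAPI", sasl_token=b"\x60\x82" + bytes(300))

if __name__ == "__main__":
    for m in (SIMPLE_BIND, GSSAPI_BIND):
        print(classify_bind(m))
```

Fed the payload of the first TCP segment to port 389 (for example from a pcap), this gives the same answer as expanding the Bind Request in Ethereal: "simple" with password_on_wire=True is exactly the cleartext case the post tells you to look for, and a GSSAPI bind is what the Kerberos setup should produce.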
MartinSt n00b
Joined: 09 May 2002 Posts: 13 Location: Ceske Budejovice, Czech Rep.
Posted: Wed Apr 07, 2004 7:26 am Post subject: Creating home directories for AD users
I have found one more useful tip to add to my previous post. It was presented at the Novell Brainshare conference last week.
To automatically create home directories for AD users at the time of their first login, you can add the following line to the /etc/pam.d/system-auth file (most pam.d configuration files point back to the system-auth file):
Code: |
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
|
You should have the skeleton /etc/skel directory, of course.
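The pam.d files quoted in these posts mix required and sufficient entries, and which module actually decides the outcome depends on how Linux-PAM walks the stack. The following is an added example, not code from the posts: a small model of the control keywords as documented in pam.conf(5) (required, requisite, sufficient, optional), run over the auth lines of the system-auth and login files quoted above. It shows which modules are consulted and in particular that a sufficient module's success ends the stack only when no earlier required module has failed. Module outcomes are constructed per scenario (pam_env, pam_stack and pam_nologin succeed, pam_deny always fails); no real module is called.

```python
"""Model of Linux-PAM control keywords walking an auth stack.

Added example, not code from the posts. Control semantics follow pam.conf(5)
for the simple keywords required / requisite / sufficient / optional.
Module outcomes are constructed per scenario, not real module calls.
"""
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# Auth lines as posted for /etc/pam.d/system-auth and /etc/pam.d/login.
SYSTEM_AUTH = """
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_krb5.so try_first_pass
auth sufficient /lib/security/pam_unix.so try_first_pass likeauth nullok
auth required /lib/security/pam_deny.so
"""
LOGIN_AUTH = """
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_krb5.so try_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
"""


def parse_pam_auth(text):
    """Return the auth section as [(control, module basename)], ignoring module arguments."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack


def run_stack(stack, outcomes):
    """Walk the stack; outcomes maps module -> SUCCESS/FAIL/IGNORE.

    Returns (final result, modules actually consulted).
    """
    consulted = []
    required_failed = required_succeeded = False
    optional_last = None
    for control, module in stack:
        result = outcomes[module]
        consulted.append(module)
        if result == IGNORE:
            continue
        if control == "requisite":
            if result == FAIL:
                return FAIL, consulted           # fails the whole stack at once
            required_succeeded = True
        elif control == "required":
            if result == FAIL:
                required_failed = True           # remembered; the walk continues
            else:
                required_succeeded = True
        elif control == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS, consulted        # short-circuit: later modules are not run
            # a failing sufficient module does not affect the outcome
        elif control == "optional":
            optional_last = result               # only counts if nothing else decided
    if required_failed:
        return FAIL, consulted
    if required_succeeded:
        return SUCCESS, consulted
    if optional_last is not None:
        return optional_last, consulted
    return FAIL, consulted                       # nothing in the stack vouched for the user


def scenario(krb5, unix, securetty=SUCCESS):
    """Constructed outcomes: pam_env/pam_stack/pam_nologin succeed, pam_deny always fails."""
    return {"pam_env.so": SUCCESS, "pam_krb5.so": krb5, "pam_unix.so": unix,
            "pam_deny.so": FAIL, "pam_securetty.so": securetty,
            "pam_stack.so": SUCCESS, "pam_nologin.so": SUCCESS}


if __name__ == "__main__":
    sa = parse_pam_auth(SYSTEM_AUTH)
    print("AD user, good password  :", run_stack(sa, scenario(SUCCESS, FAIL)))
    print("local user, good password:", run_stack(sa, scenario(FAIL, SUCCESS)))
    print("bad password             :", run_stack(sa, scenario(FAIL, FAIL)))
    lg = parse_pam_auth(LOGIN_AUTH)
    print("login, securetty denies  :", run_stack(lg, scenario(SUCCESS, FAIL, securetty=FAIL)))
```

The last scenario is the one worth keeping in mind when editing these files: with pam_securetty listed as required before the sufficient pam_krb5 entry, a valid Kerberos password does not get root past a non-secure tty, because the earlier required failure is remembered and the sufficient success is ignored.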
KsE Apprentice
Joined: 18 Mar 2003 Posts: 269 Location: St. Cloud, MN
Posted: Tue Apr 13, 2004 5:59 pm
I've been following the posts here, and getting info from www.samba.org and I can't get it to work.
All I need is for users logging in to a linux box to be authenticated via an active directory server.
I can connect with kerberos and I can join the domain, but I get an error when I do this:
Code: |
# wbinfo -u
Error looking up domain users
|
I can't figure out what's going on here. Can someone please help me? I can post any config files that are needed.
-KsE
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Tue Apr 13, 2004 9:57 pm Post subject: Wbinfo troubles....
Some questions first:
Did you remember to start samba and winbindd? Winbindd is the tool that handles the authentication. Without it, it won't work.
Do you have a file called system-auth-winbind in the directory /etc/pam.d?
It should have been installed when you emerged samba.
Did you edit /etc/nsswitch.conf?
I can't think of any other questions at the moment, but you can contact me. I will be home all night.
KsE wrote: | I've been following the posts here, and getting info from www.samba.org and I can't get it to work.
All I need is for users logging in to a linux box to be authenticated via an active directory server.
I can connect with kerberos and I can join the domain, but I get an error when I do this:
Code: |
# wbinfo -u
Error looking up domain users
|
I can't figure out what's going on here. Can someone please help me? I can post any config files that are needed.
-KsE
_________________ Screw you guys, I'm going home...
jcummins n00b
Joined: 17 Jun 2003 Posts: 15 Location: Springfield, Mo
Posted: Tue Apr 13, 2004 11:12 pm
With this method, can permissions be placed on shares via Windows?
KsE Apprentice
Joined: 18 Mar 2003 Posts: 269 Location: St. Cloud, MN
Posted: Wed Apr 14, 2004 1:17 am
Yes, I started samba and winbind and they both start just fine. I have system-auth-winbind in /etc/pam.d and I also copied those contents to system-auth. I added this to /etc/nsswitch.conf
Code: |
passwd: compat winbind
shadow: compat
group: compat winbind
|
I can auth with kerberos and I can join the domain. Doing wbinfo -u doesn't work though.
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Thu Apr 15, 2004 2:47 am Post subject: Windows permissions and shares....
jcummins wrote: | With this method, can permissions be placed on shares via Windows? |
To be honest, I'm not sure. I never thought to use it that way. I did it so that I can listen to my mp3 collection from either my laptop or desktop. I don't see why it won't work. Obviously you can't see unix accounts from windows, but I don't see why setting up shares wouldn't work. I can test it next week. I can't this week because I'm leaving for NYC in two days to fill out paperwork for the NYPD and won't be home until Monday.
_________________ Screw you guys, I'm going home...
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Thu Apr 15, 2004 2:56 am Post subject: Winbind...
KsE wrote: | Yes, I started samba and winbind and they both start just fine. I have system-auth-winbind in /etc/pam.d and I also copied those contents to system-auth. I added this to /etc/nsswitch.conf
Code: |
passwd: compat winbind
shadow: compat
group: compat winbind
|
I can auth with kerberos and I can join the domain. Doing wbinfo -u doesn't work though. |
One more question, by chance are you running nscd? If you are, you need to stop and disable it. Winbind will not work if nscd is running. If not please PM me your config files... the files I would like to see are:
/etc/krb5
/etc/smb.conf
_________________ Screw you guys, I'm going home...
KsE Apprentice
Joined: 18 Mar 2003 Posts: 269 Location: St. Cloud, MN
Posted: Thu Apr 15, 2004 6:31 pm
krb5.conf:
Code: |
[libdefaults]
#ticket_lifetime = 600
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
EXAMPLE.COM = {
kdc = ads.example.com:88
admin_server = ads.example.com:749
#kdc = kerberos.example.com:88
#kdc = kerberos2.example.com:88
#admin_server = kerberos.example.com:749
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
|
smb.conf:
Code: |
[global]
workgroup = EXAMPLE
server string = Samba Server %v
log file = /var/log/samba3/log.%m
max log size = 50
hosts allow = 102.168.1.
map to guest = bad user
security = ads
password server = *
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind use default domain = yes
realm = EXAMPLE.COM
template homedir = /home/%D/%U
obey pam restrictions = yes
template shell = /bin/bash
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
[homes]
comment = Home Directories
browseable = no
writable = yes
|
I replaced my PDC with EXAMPLE. I got the smb.conf by "cat smb.conf | grep -v '#' | grep -v ';'"
I don't believe I'm using nscd. I didn't see it using "ps auxf". It's there, just not started.
Diezel l33t
Joined: 04 Feb 2003 Posts: 600 Location: Karjaa, Finland
Posted: Sun Jun 13, 2004 6:05 pm
KsE wrote: | I've been following the posts here, and getting info from www.samba.org and I can't get it to work.
All I need is for users logging in to a linux box to be authenticated via an active directory server.
I can connect with kerberos and I can join the domain, but I get an error when I do this:
Code: |
# wbinfo -u
Error looking up domain users
|
I can't figure out what's going on here. Can someone please help me? I can post any config files that are needed.
-KsE
Did you find a solution to this? I'm having the same problem.
_________________ A bus station is where a bus stops, a train station is where a train stops. On my desk I have a work station..
Nixadmins.net
FLUG member 473
Diezel l33t
Joined: 04 Feb 2003 Posts: 600 Location: Karjaa, Finland
Posted: Sun Jun 13, 2004 11:00 pm
This is REALLY weird. I got tired of trying so I shut down the computer. Tried to sleep but this kept bothering me, came back, booted up and now it works. Don't have a clue why.
Anyway thanks.
//Diezel
_________________ A bus station is where a bus stops, a train station is where a train stops. On my desk I have a work station..
Nixadmins.net
FLUG member 473
Frozensun Tux's lil' helper
Joined: 16 Oct 2003 Posts: 82
Posted: Fri Jun 25, 2004 4:14 pm
Code: | [/]> wbinfo -u
Error looking up domain users
|
EDIT: This is a Win2003 domain controller.
Still doesn't work for me.
/etc/krb5.conf
Code: | [libdefaults]
default_realm = SPARKS.CITY
[realms]
SPARKS.CITY = {
kdc = CityNT1.SPARKS.CITY
} |
/etc/samba/smb.conf
Code: |
[global]
   # Separate domain and username with '+', like DOMAIN+username.
   winbind separator = +
   netbios name = cwit2
   # I recommend the same name as the server.
   workgroup = LANGROUP
   # Change to match the NetBIOS name of the AD domain.
   realm = SPARKS.CITY
   # The Kerberos realm: the AD DNS domain name in upper case.
   security = ADS
   # Authenticate against Active Directory; the domain controllers own the accounts.
   encrypt passwords = yes
   # Active Directory does NOT accept plaintext passwords.
   password server = *
   # Let Samba locate a domain controller itself; I recommend this if you have more than one, as I do.
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   # Ranges used to map AD users and groups to local uids and gids
   # ('winbind gid' is the old spelling of 'idmap gid').
   winbind enum users = yes
   winbind enum groups = yes
   # Let getent passwd / getent group enumerate AD users and groups through winbind.
   socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
   # Tweak this to get the best speed out of your connection.
   # socket address = 1.2.3.4
   # Set this to the IP address to bind to, or leave it commented out to listen on all addresses.
   os level = 20
   # Master browser priority.
   preferred master = no
   # You do NOT want to be a master browser.
   dns proxy = no
   # Don't let nmbd resolve NetBIOS names through DNS.
   #wins server = 1.2.3.4
   # Change to the IP address of your WINS server, if you have one.
   wins proxy = no
   # You don't want to proxy WINS either.
   log file = /var/log/samba3/log.%m
   # One log file per client machine.
   max log size = 50
   # In KB.

# Shares section
[downloads]
   # The section name is the name of the share.
   comment = downloads
   path = /home/jason/Downloads
   # Where the share lives on the Linux server.
   writeable = yes
   # If you want users to update the directory.
   force user = jason
   # All access to the share runs as this user, who is responsible for it.
|
arkane l33t
Joined: 30 Apr 2002 Posts: 918 Location: Phoenix, AZ
Posted: Sat Jun 26, 2004 4:41 pm Post subject:
Shame Samba 3.x can't be an AD server on its own.
kiko555 n00b
Joined: 13 Sep 2003 Posts: 6
Posted: Mon Jun 28, 2004 10:20 am Post subject:
When I follow the steps and run this command: kinit Administrator@mail.hcp.com
I get this:
Quote: | kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials |
Am I doing anything wrong?
I modified /etc/krb5.conf as below:
Code: |
[libdefaults]
    ticket_lifetime = 600
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = mail.hcp.com:88
        admin_server = mail.hcp.com:749
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[kdc]
    profile = /etc/krb5kdc/kdc.conf

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
|
Back to top |
|
|
rinacabj Tux's lil' helper
Joined: 26 Dec 2003 Posts: 82 Location: Richmond, VA
Posted: Thu Jul 01, 2004 7:24 pm Post subject:
I'm having an error when I do
Code: |
ldapsearch -D "o=<top level of active directory>" -W "uid=Administrator" -h <IP address of the Active Directory server>
|
After I enter the correct password, I get
Code: |
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece
|
Back to top |
|
|
ElCondor Guru
Joined: 10 Apr 2002 Posts: 520 Location: Vienna, Austria, Europe
Posted: Sun Jul 04, 2004 9:36 am Post subject:
I'm stuck at Step 3 (testing whether krb5 works) with the following error:
Code: |
backup1 samba # kinit Administrator@MYCOMPANY.COM
kinit(v5): KRB5 error code 68 while getting initial credentials
|
Does anyone know how I can solve this? I googled around but found no solution that works here.
* ElCondor pasa * _________________ Here I am the victim of my own choices and I'm just starting!
Back to top |
|
|
Martz n00b
Joined: 04 Mar 2004 Posts: 72
Posted: Tue Jul 06, 2004 1:13 pm Post subject:
I had problems getting this working too.
However, I changed in smb.conf:
Code: |
password server = *
|
to
Code: |
password server = CHOICE2K
|
(CHOICE2K being the NetBIOS name of the Windows 2000 domain controller). Also make sure you have a DNS entry in your /etc/hosts file.
I had set mine to pa55w0rd (thinking that this entry was a PASSWORD for accessing the server, or something; obviously not).
So yesterday I installed Gentoo from a stage 1, and today I have got Samba working using winbind against our existing Windows 2000 domain.
Back to top |
|
|
ElCondor Guru
Joined: 10 Apr 2002 Posts: 520 Location: Vienna, Austria, Europe
Posted: Tue Jul 06, 2004 1:22 pm Post subject:
Thanks for the hint, but the error happens with kinit, so it's not (yet) a Samba problem; something with Kerberos seems to be wrong. As far as I found on Google, it is something with the "principals", but I have no idea what I should enter there.
* ElCondor pasa * _________________ Here I am the victim of my own choices and I'm just starting!
Back to top |
|
|
GenTimJS Guru
Joined: 03 May 2003 Posts: 406 Location: NH, USA
Posted: Wed Jul 07, 2004 6:41 pm Post subject:
I followed the directions as best I could in the original post.
I successfully created a share, which is accessible via Active Directory.
I have admin access on the Linux box, the AD servers, and the AD clients.
However, on the Linux box running Samba, the winbindd stuff doesn't seem to work, and doesn't generate any errors.
Furthermore, no winbindd script was created in /etc/init.d/
?? _________________ -Tim Smith
Back to top |
|
|
bdraw n00b
Joined: 24 Nov 2003 Posts: 21 Location: Tampa
Posted: Mon Jul 12, 2004 9:04 pm Post subject:
ElCondor wrote: |
I'm stuck at Step 3 (testing whether krb5 works) with the following error:
Code: |
backup1 samba # kinit Administrator@MYCOMPANY.COM
kinit(v5): KRB5 error code 68 while getting initial credentials
|
Does anyone know how I can solve this? I googled around but found no solution that works here.
|
I am getting the same error; the funny thing is that mine was working but now it's not.
Ben _________________ If it's too easy it's boring.
Ben
Back to top |
|
|
bdraw n00b
Joined: 24 Nov 2003 Posts: 21 Location: Tampa
Posted: Mon Jul 12, 2004 9:21 pm Post subject:
bdraw wrote: |
ElCondor wrote: |
I'm stuck at Step 3 (testing whether krb5 works) with the following error:
Code: |
backup1 samba # kinit Administrator@MYCOMPANY.COM
kinit(v5): KRB5 error code 68 while getting initial credentials
|
Does anyone know how I can solve this? I googled around but found no solution that works here.
|
I am getting the same error; the funny thing is that mine was working but now it's not.
Ben
|
I had the wrong domain name, duh! Now it works. _________________ If it's too easy it's boring.
Ben
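Editor's note on the two kinit failures above. kiko555's "Cannot resolve network address for KDC in requested realm" and ElCondor's "KRB5 error code 68" (KDC_ERR_WRONG_REALM, the code a domain controller returns when asked for a realm it does not serve, which is consistent with bdraw's "wrong domain name") both come down to the realm in the principal not matching the realm krb5.conf and the DC actually know about: in kiko555's config the principal names the realm mail.hcp.com while [realms] only defines EXAMPLE.COM, and realm names are case-sensitive. The checker below is an added example, not code from the thread or from MIT Kerberos; it parses a krb5.conf, compares it with the principal you would hand to kinit, and reports the mismatches before any network traffic happens. SAMPLE_KRB5_CONF is a constructed file modelled on the post above, and the assumption that a DC lives inside its own domain's DNS zone is a heuristic, not a rule.

```python
"""Check a krb5.conf against the principal handed to kinit.

Added example, not code from the thread. SAMPLE_KRB5_CONF is a constructed
file modelled on the posts above; the realm and host names are illustrative.
"""
import re

SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = mail.hcp.com:88
        admin_server = mail.hcp.com:749
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser returning {section: {key: value}}.

    A `NAME = { ... }` block becomes a nested dict, the only nesting [realms]
    needs. Repeated keys (several kdc lines) are collected into a list.
    """
    sections = {}
    stack = []                      # stack[-1] is the dict we are filling
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue                # a key before any section header: ignore
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = {}
            stack[-1][m.group(1)] = block
            stack.append(block)
            continue
        m = re.match(r"^(\S+)\s*=\s*(.+)$", line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            seen = stack[-1].get(key)
            if seen is None:
                stack[-1][key] = val
            elif isinstance(seen, list):
                seen.append(val)
            else:
                stack[-1][key] = [seen, val]
    return sections


def check_principal(conf, principal):
    """Return the problems kinit would hit for `principal` under `conf`.

    An empty list means the realm is configured consistently.
    """
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    if "@" in principal:
        realm = principal.rsplit("@", 1)[1]
    else:
        realm = libdefaults.get("default_realm", "")
        if not realm:
            return ["principal has no realm and libdefaults has no default_realm"]

    # Realm names are case-sensitive. An AD realm is the DNS domain name in
    # upper case, so a lower-case realm never matches a [realms] entry.
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper case; AD realms look like {realm.upper()!r}")

    if realm not in realms:
        problems.append(
            f"no [realms] entry for {realm!r}: kinit must find a KDC through "
            f"_kerberos._udp.{realm.lower()} SRV records and fails with "
            "'Cannot resolve network address for KDC in requested realm' when it cannot")
        return problems

    kdcs = realms[realm].get("kdc")
    if not kdcs:
        problems.append(f"[realms] entry {realm} has no kdc line")
        return problems
    for kdc in kdcs if isinstance(kdcs, list) else [kdcs]:
        host = kdc.split(":", 1)[0].lower()
        # Heuristic (assumption): a DC normally sits inside its own domain's DNS zone.
        if "." in host and not host.endswith("." + realm.lower()):
            guess = host.split(".", 1)[1].upper()
            problems.append(
                f"kdc {host} is not inside the DNS domain of realm {realm}; the AD realm is "
                f"probably {guess}. A realm the DC does not serve is answered with "
                "KRB5 error code 68 (KDC_ERR_WRONG_REALM)")
    return problems


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for who in ("Administrator@mail.hcp.com", "Administrator@EXAMPLE.COM"):
        print(who)
        for p in check_principal(conf, who) or ["ok"]:
            print("  -", p)
```

Run it against your real /etc/krb5.conf by replacing SAMPLE_KRB5_CONF with the file's contents; the same principal string you give kinit is what goes into check_principal. The check is deliberately offline: it only tells you whether the realm you are asking for is one the file can route to a KDC, which is the question both posts above were stuck on.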
ElForesto n00b
Joined: 26 Feb 2004 Posts: 26 Location: Salt Lake City, UT USA
Posted: Wed Jul 14, 2004 11:11 pm Post subject: Don't make this emerge world mistake!
I found this out the hard way.
If you didn't edit your make.conf to add ldap and kerberos and you run an emerge world, expect things to break. FAST. Just finished rebuilding it after I couldn't figure out what I did.
Martz n00b
Joined: 04 Mar 2004 Posts: 72
Posted: Thu Jul 22, 2004 11:24 am Post subject:
GenTimJS wrote: |
Furthermore, no winbindd script was created in /etc/init.d/
??
|
What is the best way to get winbind to start up with Samba? I have to run winbindd from the shell every time after boot.
Looking in /etc/conf.d/samba, it has the following lines:
Code: |
smbd_start_options="-D"
smbd_start="start-stop-daemon --start --quiet --exec /usr/sbin/smbd -- ${smbd_start_options}"
smbd_stop="start-stop-daemon --stop --quiet --pidfile /var/run/samba/smbd.pid"
smbd_reload="killall -HUP smbd"

nmbd_start_options="-D"
nmbd_start="start-stop-daemon --start --quiet --exec /usr/sbin/nmbd -- ${nmbd_start_options}"
nmbd_stop="start-stop-daemon --stop --quiet --pidfile /var/run/samba/nmbd.pid"
nmbd_reload="killall -HUP nmbd"

winbind_start_options=""
winbind_start="start-stop-daemon --start --quiet --exec /usr/sbin/winbindd -- ${winbind_start_options}"
winbind_stop="start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/winbindd"
winbind_reload="killall -HUP winbindd"
|
Is there anything I can tweak to make winbindd start from this script?
Back to top |
|
|
Martz n00b
Joined: 04 Mar 2004 Posts: 72
Posted: Thu Jul 22, 2004 11:30 am Post subject:
OMG, I'm an idiot..
winbind can be started automagically by looking at the second line of /etc/conf.d/samba.
Change:
Code: |
daemon_list="smbd nmbd"
|
To:
Code: |
daemon_list="smbd nmbd winbind"
|
And that's it, it works!
Back to top |
|
|
theonlymcc Apprentice
Joined: 16 Sep 2003 Posts: 274 Location: NC
Posted: Fri Jul 23, 2004 1:57 pm Post subject:
OK. I set this up according to the nice setup guide at the beginning of this thread. I have joined the domain. Now, what is the point of it? I mean, can I map drives now? What is the advantage of setting this whole thing up? Sorry for the n00b question.
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|