Martz n00b
Joined: 04 Mar 2004 Posts: 72
Posted: Sat Jul 24, 2004 10:53 am Post subject:
theonlymcc wrote:
Ok. I set this up according to the nice setup guide at the beginning of this thread. I have joined the domain. Now, what is the point of it? I mean can I map drives now? What is the advantage of setting this whole thing up? Sorry for the n00b question.
The advantage is that your Gentoo machine now is a pretend Windows NT/2000 server which can let all of your domain's users save their files etc. You do not have to create a Linux username and password which is identical to the one in the domain - authentication is passed through the Gentoo Samba server to your existing Windows Active Directory server. 1 centralised place for authentication, 1 set of users/passwords.
So the more people in your organisation, the greater the benefit. You also do not require a licence for each user connecting to the Samba server afaik.
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Mon Jul 26, 2004 3:22 am Post subject:
Martz wrote:
OMG I'm an idiot..
winbind can be started automagically by looking at the second line of /etc/conf.d/samba
Change:
Code:
daemon_list="smbd nmbd"
To:
Code:
daemon_list="smbd nmbd winbind"
And that's it, it works!
You can have winbind start automagically by typing this simple command....
/etc/init.d/winbind add default
Much much simpler.
_________________
Screw you guys, I'm going home...
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Mon Jul 26, 2004 3:27 am Post subject:
Martz wrote:
theonlymcc wrote:
Ok. I set this up according to the nice setup guide at the beginning of this thread. I have joined the domain. Now, what is the point of it? I mean can I map drives now? What is the advantage of setting this whole thing up? Sorry for the n00b question.
The advantage is that your Gentoo machine now is a pretend Windows NT/2000 server which can let all of your domain's users save their files etc. You do not have to create a Linux username and password which is identical to the one in the domain - authentication is passed through the Gentoo Samba server to your existing Windows Active Directory server. 1 centralised place for authentication, 1 set of users/passwords.
So the more people in your organisation, the greater the benefit. You also do not require a licence for each user connecting to the Samba server afaik.
Couldn't have said it better myself.
_________________
Screw you guys, I'm going home...
Martz n00b
Joined: 04 Mar 2004 Posts: 72
Posted: Mon Jul 26, 2004 7:46 pm Post subject:
maalth wrote:
You can have winbind start automagically by typing this simple command....
/etc/init.d/winbind add default
Much much simpler.
Hrm, for some reason I cannot add it through rc-update. On my home machine I can, but for some reason on my work Gentoo box I can't (which is why I spent so much time figuring out the workaround!)
Code:
jupiter root # rc-update add winbind default
* /sbin/rc-update: /etc/init.d/winbind not found; aborting.
jupiter root # ls /etc/init.d/w* -lha
-rwxr-xr-x 1 root root 859 Jul 19 11:04 /etc/init.d/webmi
Code:
jupiter root # rc-update -s
apache2 | default
bootmisc | boot
bootsplash |
checkfs | boot
checkroot | boot
clock | boot
consolefont | boot
crypto-loop |
cupsd |
dansguardian | default
domainname | boot default
hdparm |
hostname | boot
hotplug | default
iptables | default
keymaps | boot
local | default nonetwork
localmount | boot
mit-krb5kadmind |
mit-krb5kdc |
modules | boot
mysql | default
nagios |
net.eth0 | default
net.lo | boot
netmount | default
nrpe |
nsca |
nscd |
ntp-client |
ntpd | default
numlock | default
rmnologin | boot
rsyncd | default
samba | default
serial | boot
slapd |
slurpd |
snmpd |
squid | default
sshd | default
syslog-ng | default
urandom | boot
vixie-cron | default
webmin | default
Smilez:) n00b
Joined: 23 Jan 2004 Posts: 58 Location: Edmonton
Posted: Wed Jul 28, 2004 4:01 pm Post subject:
I have a problem. I followed the guide and got most computers mapping the samba shares using ADS. However, only win2k and prior work; my winxp pro machines don't authenticate. I get
Failed to verify incoming ticket!
in the log for the machine.
I've checked everything over 3 times and I can't see anything wrong. Is there something I have to do differently for the winxp pro machines to work?
SMilez:)
lord_ph Tux's lil' helper
Joined: 18 Nov 2003 Posts: 97 Location: Portland,OR
Posted: Fri Aug 13, 2004 3:51 pm Post subject:
I'm getting this error, what can I be doing wrong?
kinit(v5): KDC reply did not match expectations while getting initial credentials
Any ideas?
Thanks
GenTimJS Guru
Joined: 03 May 2003 Posts: 406 Location: NH, USA
Posted: Mon Aug 16, 2004 3:16 pm Post subject:
Everything configured exactly as described. kinit works, samba is up.
bash-2.05b$ sudo net ads join -U Administrator
Administrator's password:
[2004/08/16 11:13:06, 0] libads/kerberos.c:ads_kinit_password(136)
kerberos_kinit_password Administrator@DOMAIN.NET failed: KDC has no support for encryption type
? any tips?
_________________
-Tim Smith
annunaki2k2 Tux's lil' helper
Joined: 14 Oct 2003 Posts: 119 Location: Streatham, London, UK
Posted: Tue Aug 17, 2004 8:38 pm Post subject:
Hi,
I've followed these instructions to the word, and haven't had a single error related to the process. I can list users and groups in the directory and have no errors returned using kinit. I can even map network drives.
But I can't browse them. Using gnome I get an error "The attempt to log in failed", and from the prompt you just get permission denied, regardless of what user you try to access them with.
Is there anything I am doing wrong?
Thanx in advance
_________________
The great thing about standards is there are so many to choose from.....
lord_ph Tux's lil' helper
Joined: 18 Nov 2003 Posts: 97 Location: Portland,OR
Posted: Wed Aug 18, 2004 7:07 pm Post subject:
I found out the answer to my own question... and to anybody else who is getting the error I had:
Quote:
kinit(v5): KDC reply did not match expectations while getting initial credentials
The solution is really simple... so simple that you'll hit yourself on the head. When doing your kinit, make sure you do the realm in UPPER CASE.
Code:
kinit lord_ph@EXAMPLE.COM
I hope this helps more people than me.
thisboyiscrazy n00b
Joined: 06 Feb 2004 Posts: 9
Posted: Fri Aug 27, 2004 8:16 pm Post subject: DNS Name
Does anyone know how I can get samba to set the DNS Name property in AD to the FQDN instead of just the hostname when I do a "net join"?
Thanks
m4chine Apprentice
Joined: 12 Mar 2003 Posts: 271 Location: Ventura, CA, USA
Posted: Thu Sep 02, 2004 4:56 pm Post subject:
I thought I'd document that I got this error because the time difference between my samba server and domain server was greater than 5min.
Code:
kinit(v5): Clock skew too great while getting initial credentials
Hope it helps someone.
_________________
never trust a man who can count to 1023 on his fingers.
-m4chine
zurd Apprentice
Joined: 17 Dec 2003 Posts: 228 Location: Canada, Montreal
Posted: Fri Sep 24, 2004 2:48 am Post subject: What to update next in the How-to
In the middle of setting up a Gentoo box with Samba/ldap/kerberos/winbind with a Windows 2000 Server acting as a PDC. Followed the guide and here's what I think should be updated in the How-to:
Step 2
In /etc/krb5.conf, the How-to doesn't say what to do about the [domain_realm] section.
Step 4
In /etc/samba/smb.conf the "socket address" field says "to match the IP address" but doesn't tell which IP address we're talking about. More clarification would be much appreciated about this option.
Step 6
After running the "net ads join -U Administrator" command, it took us 15 minutes here to see our samba server in the Active Directory Server; it would be nice to say in the How-to that it might take some time to see it.
I also found the reason: "If your network has backup domain controllers, it will take up to 15 minutes for the new computer account to propagate to the BDCs." at this URL http://us3.samba.org/samba/docs/using_samba/ch09.html
Step 8
If "rc-update add winbind default" fails saying:
"/sbin/rc-update: /etc/init.d/winbind not found; aborting" just change /etc/conf.d/samba to show: daemon_list="smbd nmbd winbind"
I'm still struggling to make it all work, I just want 1 share where only 1 specific group from the Windows 2000 Active Directory can access, so maybe I'll find more updates. But overall, great how-to, I love it
zurd Apprentice
Joined: 17 Dec 2003 Posts: 228 Location: Canada, Montreal
Posted: Fri Sep 24, 2004 8:52 pm Post subject: Windows keeps asking for a password with a group [SOLVED]
So, everything has been set up properly (I think so).
I can set in /etc/samba/smb.conf in the Share section the "valid users = " option to give access to the share to only 1 user and this has worked just fine.
But I want to give access to the share to groups, not a user.
So I have set "valid users = TEST+My Group" in the Share section. But, in Windows XP when trying to access the share, even though I am in the group it keeps asking for a password. Since I am in the group, it shouldn't ask for a password, right? Because there is no password for groups, only for users!
Any help?
[EDIT]
Ok found the solution, if you want to give access to a group, use this syntax:
valid users = @WORKGROUP+"Your group here"
You have to use the "" after the + sign!
And do not forget the @ sign!
That would also be great to include in the How-to!
Last edited by zurd on Tue Feb 01, 2005 8:15 pm; edited 2 times in total
magnesium Apprentice
Joined: 28 Oct 2003 Posts: 280 Location: Toronto, Canada
Posted: Fri Oct 08, 2004 4:25 pm Post subject:
I used this guide as my main information as to how to share a directory on my linux box to AD users, but I've hit several issues. Here's what I'd appreciate clarification on.
1) Is the PAM stuff listed out in other people's posts vital to getting this to work, or is this just another way of getting this to work?
2) How do I get this box to register with the AD DNS so that I can find this server through FQDN requests?
3) In my syslogs I see winbindd output the following which I think may be why this guide is not working for me:
Quote:
Ignoring unknown parameter "encrypt password"
4) In my syslogs I also see the following which makes me think that stuff is wrong:
Quote:
Unable to open new log file /var/log/samba3/log.winbindd: No such file or directory
winbindd: idmap gid range missing or invalid
nsswitch/winbindd_util.c:winbindd_param_init(567)
winbindd: cannot continue, exiting.
5) Does the MP3 user in this example exist in AD or local to the linux box? Do I even need a local account to manage the share? Does the "shared" directory need a certain chmod group set?
6) When I try to map a drive to the server using a windows machine, I get prompted for username and password continuously, even though the information I provide is correct. Does this mean that access is denied, or does this mean that my linux box is not handling the authentication properly?
Help with these 6 questions would greatly be appreciated.
_________________
Adopt an unanswered post
zurd Apprentice
Joined: 17 Dec 2003 Posts: 228 Location: Canada, Montreal
Posted: Fri Oct 08, 2004 5:24 pm Post subject: A few solutions
I'm not an expert yet with all of this Samba+AD, but here's what I would try if I were you:
1) I guess you have to modify PAM, I didn't try if it would work if you don't modify it, but it would be a good thing to include the kerberos modules in some of the PAM files.
2) No idea on what FQDN is ... sorry
3) There is a password server string or encrypt password string in /etc/samba/smb.conf, make sure the syntax is right. In any case you have "encrypt password" written somewhere and causing this bug.
4) do a "touch /var/log/samba3/log.winbindd"
Also in /etc/samba/smb.conf you have options about GID and UID, are you sure you got them right in the configuration file, because it says missing or invalid range.
5) If the user is called "mp3" then it is hosted on the Linux box. But if it is "WORKGROUP+mp3" then you can be sure it is hosted on the Windows PDC machine. As shown by wbinfo -g and wbinfo -u which are all the users and groups from the Windows PDC.
And yes for now do a chmod 777 on your directory, after it is working, you just chmod something else more secure.
6) Might be anything, of course the password being wrong would be the first answer if the username/password box just keeps popping up. But yes it also means that your linux box is not handling the authentication right, maybe you just need to modify the PAM file to include the kerberos module since Windows is using kerberos.
Hope it helps...
magnesium Apprentice
Joined: 28 Oct 2003 Posts: 280 Location: Toronto, Canada
Posted: Fri Oct 08, 2004 6:36 pm Post subject:
Thanks for the response zurd.
Basically my issues were that I screwed up following the guide. I had "encrypt password" instead of "encrypt passwords", I was missing the lines
Code:
winbind enum users = yes
winbind gid = 10000-20000
and I had samba3 instead of samba in my log file path (the guide said samba3 but I should have checked before posting).
I included minimal PAM support and the above changes and now users can authenticate by mapping to \\netbiosname\sharename but still can't get there by \\server.full.domain.name\sharename because this server is not registering in AD DNS. This form of binding is said to use FQDN (a.k.a. fully qualified domain names).
I also noticed that I was unable to authenticate to the samba share until my samba box became a local master browser.
Thanks all
_________________
Adopt an unanswered post
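As an added example (not code from the thread or from Samba), here is a small sh pre-flight script that checks copies of the three files for the mistakes reported in the posts above: winbind missing from daemon_list in /etc/conf.d/samba, a lower-case realm in /etc/krb5.conf, and the "encrypt password" typo or missing winbind/idmap gid range in smb.conf. The sample file contents it writes are constructed, not real configs.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the config
# mistakes reported above. Each check returns 0 (ok) or 1 (problem) and
# takes the file path as an argument so it can be run on copies.

# /etc/conf.d/samba: winbind is only started with smbd/nmbd if it is in
# daemon_list (the rc-update workaround from earlier in the thread).
check_winbind_listed() {
    grep -E '^daemon_list=".*winbind' "$1" >/dev/null 2>&1
}

# /etc/krb5.conf: Kerberos realms are case-sensitive; a lower-case realm
# gives "KDC reply did not match expectations" at kinit time.
check_realm_uppercase() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# /etc/samba/smb.conf: the parameter is "encrypt passwords" (plural);
# winbindd also refuses to start without a numeric gid range.
check_smb_conf() {
    if grep -E '^[[:space:]]*encrypt password[[:space:]]*=' "$1" >/dev/null 2>&1; then
        return 1   # typo: winbindd logs 'Ignoring unknown parameter "encrypt password"'
    fi
    grep -E '^[[:space:]]*(winbind|idmap) gid[[:space:]]*=[[:space:]]*[0-9]+[[:space:]]*-[[:space:]]*[0-9]+' "$1" >/dev/null 2>&1
}

# Constructed sample files (not real configs) so the checks can be tried offline.
write_samples() {
    printf 'daemon_list="smbd nmbd"\n' > "$1/samba.bad"
    printf 'daemon_list="smbd nmbd winbind"\n' > "$1/samba.good"
    printf '[libdefaults]\n\tdefault_realm = example.com\n' > "$1/krb5.bad"
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n' > "$1/krb5.good"
    printf '[global]\n   encrypt password = yes\n' > "$1/smb.bad"
    printf '[global]\n   encrypt passwords = yes\n   winbind gid = 10000-20000\n' > "$1/smb.good"
}

# Run every check; print what is wrong and return 1 if anything failed.
run_checks() {
    rc=0
    check_winbind_listed "$1" || { echo "$1: winbind missing from daemon_list"; rc=1; }
    check_realm_uppercase "$2" || { echo "$2: default_realm missing or not UPPER CASE"; rc=1; }
    check_smb_conf "$3" || { echo "$3: 'encrypt password' typo or no gid range"; rc=1; }
    return $rc
}

# On a live box: run_checks /etc/conf.d/samba /etc/krb5.conf /etc/samba/smb.conf
```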
zurd Apprentice
Joined: 17 Dec 2003 Posts: 228 Location: Canada, Montreal
Posted: Fri Oct 08, 2004 7:31 pm Post subject: ping
Let's say the name of your PDC is test.
Can you do "ping test" instead of "ping 192.168.x.x" to ping it?
If not, modify /etc/hosts to make it work; seems like it is the issue here.
magnesium Apprentice
Joined: 28 Oct 2003 Posts: 280 Location: Toronto, Canada
Posted: Fri Oct 08, 2004 8:46 pm Post subject:
What I want to accomplish is to register my linux box into an AD DNS. I've been doing some reading and was hoping that adding a line dhcpcd_eth0="-h myhostname" to the /etc/conf.d/net file would register my box in the AD DNS, but no dice.
I want other computers to be able to ping my linux box by using
Code:
ping mylinuxhostname.my.dnsdomain.name
I've got the domain name I want to register into in my /etc/dnsdomainname and I am a member server now in the domain. I don't know what else to do to register this server and was hoping someone else here would know (or perhaps it's a samba configuration that I don't know about).
_________________
Adopt an unanswered post
CopterGuy85 n00b
Joined: 15 Aug 2003 Posts: 27
Posted: Fri Oct 08, 2004 10:54 pm Post subject:
I'm still trying to go through MartinSt's guide to setting things up, so I can't report personal success/failure just yet.
But magnesium, I've set up a couple of Samba boxes to work with AD, and the only way I was able to get the FQDN to work is to manually set them up in the server's DNS. Just go to Administrative Tools->DNS->$yourdnsserver->Forward Lookup Zones->$yourdomain and you should see a list of current entries in DNS (you should have at least 1 entry, the domain controller itself). Right click either on the domain name in the tree view or in the background behind the host list, select "New Host (A)...", and fill in the short name of your box (it lists the FQDN right below so you can check that) and the IP address (probably a good idea to use a static IP on your Samba box, because if your IP changes you have to update it in the DNS settings again), and when you're all done click "Add Host."
EDIT: IIRC, my domain controller would sometimes take 15-20 minutes before the DNS service would reflect the changes, so it may take a bit before you'll be able to ping it, or have it show up in the Windows network browser.
Let me know how it turns out
erratic n00b
Joined: 12 Dec 2004 Posts: 3
Posted: Sun Dec 12, 2004 1:23 pm Post subject:
It might be worth pointing out that winbind is not built by default these days, and you need to add 'winbind' to your USE list to get it.
The build does mention that winbind is not enabled by default, which is fine, but as I was using it, and was just updating samba, I expected that the in-place upgrade would work fine. I didn't expect the winbind binaries going AWOL.
Maybe a message stating that you should add the USE entry and a beepy pause drawing your attention and giving you the time to cancel would save you having fileserver downtime?... ;-/
cuban Guru
Joined: 23 Aug 2003 Posts: 448 Location: Houston, TX
Posted: Tue Dec 28, 2004 7:30 pm Post subject:
Worked on the first try!
_________________
Tell your ISP to support SPF/SASL AUTH (http://spf.pobox.com) today!
cuban Guru
Joined: 23 Aug 2003 Posts: 448 Location: Houston, TX
Posted: Tue Dec 28, 2004 10:26 pm Post subject:
Well it almost worked on my first try. When any users try to access the server by doing a \\server_name from their PC, they get a username/pw prompt.
Any idea why?
EDIT: This appears to be only from a Windows 2000 machine. From Win2k3 and XP it works great!
_________________
Tell your ISP to support SPF/SASL AUTH (http://spf.pobox.com) today!
Deathscythe n00b
Joined: 04 May 2004 Posts: 65
Posted: Tue Jan 04, 2005 10:31 pm Post subject:
I still can't get any windows machine to browse the Samba server. I have already logged into the domain; every time I try to access the Samba server, it asks for the username and password. No matter what username and password I try, it still does not authorise it.
Quote:
We can get a username from both the local linux server and the Active Directory server by typing in this command:
This is supposed to print out a list of usernames from both the linux server and AD. For some reason, it only prints out usernames from the linux server.
_________________
Deathscythe
http://www.revster.com
unix l33t
Joined: 06 Jul 2003 Posts: 615 Location: Dürnten ZH Switzerland
Posted: Thu Jan 06, 2005 1:16 pm Post subject:
Hi,
Nice documentation THX. But I had no winbind. The new Samba needs winbind as a USE flag
Code:
USE="kerberos ldap winbind" emerge samba
regards,
UNIX
_________________
Neue Funktionen in Portage 2.0.51 || BBCode Guide
Linux User #379064
lhurgoyf n00b
Joined: 11 Jun 2003 Posts: 34
Posted: Fri Jan 07, 2005 12:11 pm Post subject:
GenTimJS wrote:
Everything configured exactly as described. kinit works, samba is up.
bash-2.05b$ sudo net ads join -U Administrator
Administrator's password:
[2004/08/16 11:13:06, 0] libads/kerberos.c:ads_kinit_password(136)
kerberos_kinit_password Administrator@DOMAIN.NET failed: KDC has no support for encryption type
? any tips?
I got this too, but after using another account which is also an administrator in the AD it worked
_________________
Nederlands linux forum? Flash @ http://www.nedlinux.nl