Gentoo Forums
How to integrate Samba into Active Directory (UPDATED).

maalth
Tux's lil' helper


Joined: 06 Jun 2003
Posts: 76
Location: Can't tell you...

PostPosted: Sat Dec 13, 2003 11:54 pm    Post subject: How to integrate Samba into Active Directory (UPDATED).

How to integrate Samba (file sharing) using Active Directory for authentication (basic stuff). Updated 13 Apr 2004.

Alright, I'll have to go on my notes, I did this on Thanksgiving Day, so I may not remember everything I did. Anyway, here goes:

  • Active Directory should already be implemented and working. If you need help, there's plenty of help on the net.
  • Your Windows system should be secured and patched.
  • You have Gentoo Linux installed, of course.
  • With the config files, you need to change example.com to match your domain.

Okay, now the basics are done, let's begin the install process.

Step 1: Emerge openldap. No configuration is necessary. However, AD support will not be compiled into samba without it.
Step 2: Emerge mit-krb5. Configure the file /etc/krb5.conf as follows:
Code:
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = adserver.example.com
    }


Add this line to /etc/hosts:
Code:
1.2.3.4    adserver.example.com   adserver


You need this to make sure you can connect to the AD server, even when DNS is down.

Notes about this config file: do NOT change the case of EXAMPLE.COM, because you will get the following error message: "Cannot find KDC for requested realm while getting initial credentials". Also, do NOT put comments in the config file, because the kerberos client will not read the config file correctly.

Step 3: We will stop here and test kerberos to ensure you can see the AD domain. Type in this command:
Code:
kinit Administrator@EXAMPLE.COM

It will ask for the password; if you type it in correctly, you will be returned to the prompt, which means it worked. Pat yourself on the back. You've done the easy part!

Step 4:
We are now going to emerge samba. You can do this one of two ways:

  1. Add kerberos and ldap to the USE flags in your make.conf file. Emerge samba using the following command:
    Code:
    emerge samba
    OR

  2. Type in the following command:
    Code:
    USE="kerberos ldap" emerge samba


IMPORTANT: kerberos and ldap MUST be included, winbind will NOT work without those flags!

Use the command
Code:
emerge -pv samba

The resulting line should look similar to this (this is on my system):
Code:
[ebuild   R   ] net-fs/samba-3.0.2a -acl +cups +kerberos +ldap +mysql -oav +pam +python +readline +xml  127 kb

Simply put, pick option 1 or 2; samba takes a little time to compile and install. Once samba is installed, you need to configure it. You can use this example samba file:
Code:
# Separate domain and username with '+', like DOMAIN+username
[global]
        # I recommend the same name as the server.
        netbios name = SERVERNAME
        # Tweak this to get the best speed out of your connection
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        # This is for mapping uids between linux server and AD
        idmap uid = 10000-20000
        # This allows you to bind users.
        winbind enum users = yes
        # This is for mapping gids between linux server and AD
        winbind gid = 10000-20000
        # Change to match the NETBIOS name of the AD domain.
        workgroup = WORKGROUP
        # This is for the master browser priority.
        os level = 20
        # This allows you to use the Active Directory groups
        winbind enum groups = yes
        # Change this to match the IP address or remove it to listen to all addresses.
        socket address = 1.2.3.4
        # I recommend this if you have more than one server; I do in my case.
        password server = *
        # You do NOT want to be a master browser.
        preferred master = no
        # See the first line comment.
        winbind separator = +
        # In K
        max log size = 50
        # This allows logging activities for each machine.
        log file = /var/log/samba3/log.%m
        # Active directory does NOT accept plaintext passwords.
        encrypt passwords = yes
        # You don't want anything to do with DNS.
        dns proxy = no
        # This is for kerberos.
        realm = EXAMPLE.COM
        # Active directory server provides security for the shared resources.
        security = ADS
        # Change to IP address of your installed WINS server
        wins server = 1.2.3.4
        # You don't want to proxy WINS either.
        wins proxy = no

# Shares section
# Name of the share.
[mp3]
        # A comment...
        comment = MP3 Repository
        # If you want users to update the directory
        writeable = yes
        # Where is the share on the linux server
        path = /home/mp3
        # Should be the name of the user who is responsible for the share.
        force user = mp3


Step 5: Fire up samba; check to make sure it's running.
Code:
 /etc/init.d/samba start


Step 6: Join your samba server to your domain by typing in this command:
Code:
net ads join -U Administrator

It will ask you for a password, type your password in. If you typed it in correctly, you will see the message that says: Joined 'SERVERNAME' to realm 'EXAMPLE.COM.' If you check your AD server, the machine account for your system will appear under computers.

Step 7: We are going to test winbind to ensure windows authentication does indeed work. Winbind allows you to use Active Directory for user authentication (see link 2 for more info). The steps for using and testing winbind are gleaned from link 2.

You need to edit the file /etc/nsswitch.conf. You need to change two lines to look like this (other lines removed to keep this post as short as possible):
Code:
passwd:      compat winbind
shadow:      compat
group:       compat winbind

Let's test the winbindd daemon before we make it permanent. Fire up winbindd by typing
Code:
winbindd
You can also make winbindd run as two processes (which is faster; but for these purposes, let's run it as one). Winbindd runs in dual daemon mode by default.

Since there is no visual confirmation whether or not it's running, you can check with ps to ensure it is indeed running.
Code:
ps -ae | grep winbindd

The results should be something similar to this:
13324 ?        00:04:23 winbindd
13325 ?        00:00:00 winbindd

If you get an error message instead of the above, then you didn't compile kerberos and ldap support in and need to do that before anything will work.

Let's make sure we can see the contents of Active Directory. Type in this command:
Code:
wbinfo -u

These are the results from my system (changed for integrity); yours should be similar.
Code:
EXAMPLE+test <- test account on AD
EXAMPLE+test2 <- test account on AD
EXAMPLE+Administrator
EXAMPLE+Guest
EXAMPLE+TsInternetUser
EXAMPLE+krbtgt
EXAMPLE+MACHINE1$ <- test machine 1
EXAMPLE+MACHINE2$ <- test machine 2
EXAMPLE+MACHINE3$ <- test machine 3
EXAMPLE+HOST/servername <- samba machine
EXAMPLE+DOMAINCONTROLLER$

To see the groups, use this command:
Code:
wbinfo -g

You should see a result similar to this:
Code:
EXAMPLE+Domain Computers
EXAMPLE+Domain Controllers
EXAMPLE+Schema Admins
EXAMPLE+Enterprise Admins
EXAMPLE+Cert Publishers
EXAMPLE+Domain Admins
EXAMPLE+Domain Users
EXAMPLE+Domain Guests
EXAMPLE+Group Policy Creator Owners
EXAMPLE+DnsUpdateProxy

We can get a username from both the local linux server and the Active Directory server by typing in this command:
Code:
getent passwd

I will not post the results of this command for security reasons, but you should see a list of local users with the Active Directory users appended.

For groups, type in getent group
I will not post the results of this command for security reasons, but you should see a list of local groups with the Active Directory groups appended.

I would suggest reading the info in link 2 for more things you can do with other authentication with AD.

If everything has worked as above, pat yourself on the back! Good job!

Step 8: If you didn't configure a share yet, do so now. You need to restart samba if you created a share.

You should join any machine you want to access the samba resources to your Active Directory Domain. Use a machine that's joined to the AD domain to see if your share appears via network neighborhood.

If you want samba and winbind to run on startup, type in the following commands:
Code:
rc-update add samba default
rc-update add winbind default


That's it for now, any problems, something is unclear, or questions, let me know and I will do my best to help you.

Resources:

The samba/ADS howto: http://us1.samba.org/samba/docs/man/domain-member.html#ads-member
Helpful info for winbind: http://us1.samba.org/samba/docs/man/winbind.html
_________________
Screw you guys, I'm going home...


Last edited by maalth on Tue Apr 13, 2004 4:58 pm; edited 5 times in total
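A consistency check for the smb.conf and krb5.conf pair described in the post above, added here as an example for this thread (it is not from maalth's post and not Samba's own tooling). It parses both files with small purpose-built parsers and reports the mistakes the post warns about: a realm that is not upper-case or differs between the two files, `security` not set to ADS, `encrypt passwords` off, and a missing `[realms]` entry for the default realm. Two checks go beyond the post: an idmap range that starts inside the local system-account range, and a `[domain_realm]` mapping whose realm name is lower-case. The sample configs embedded in the block are constructed from the post's files with the inline `<-` annotations removed; the "bad" pair is constructed to trigger the checks.

```python
"""Consistency checks for an AD member server's smb.conf/krb5.conf pair.
Added example for this thread (not from the post, not Samba tooling); the
sample configs are constructed after the post's files, '<-' notes removed."""
import re

SECTION = re.compile(r'^\[(.+)\]$')
BLOCK_OPEN = re.compile(r'^(\S+)\s*=\s*\{$')
ID_RANGE = re.compile(r'^(\d+)\s*-\s*(\d+)$')

GOOD_SMB = """\
[global]
        netbios name = SERVERNAME
        workgroup = WORKGROUP
        realm = EXAMPLE.COM
        security = ADS
        encrypt passwords = yes
        idmap uid = 10000-20000
        winbind gid = 10000-20000
"""
GOOD_KRB5 = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = adserver.example.com
    }
"""
# constructed mistakes: lower-case realm, security != ADS, idmap range that
# overlaps local ids, and a lower-case [domain_realm] target
BAD_SMB = """\
[global]
        realm = example.com
        security = user
        idmap uid = 500-20000
"""
BAD_KRB5 = GOOD_KRB5 + "[domain_realm]\n    .example.com = example.com\n"


def parse_smb_conf(text):
    """smb.conf -> {section: {parameter: value}}, keys lower-cased; only
    whole-line '#'/';' comments are skipped, as smbd itself does."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if SECTION.match(line):
            cur = SECTION.match(line).group(1).strip().lower()
            sections[cur] = {}
        elif '=' in line and cur is not None:
            key, value = line.split('=', 1)
            sections[cur][key.strip().lower()] = value.strip()
    return sections


def parse_krb5_conf(text):
    """krb5.conf -> {section: {key: value}}; 'NAME = { ... }' nests a dict
    and a repeated key (several kdc lines) collects into a list."""
    sections, cur, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if SECTION.match(line):
            cur, block = SECTION.match(line).group(1).strip(), None
            sections[cur] = {}
        elif cur is None:
            continue
        elif line == '}':
            block = None
        elif BLOCK_OPEN.match(line):
            block = BLOCK_OPEN.match(line).group(1)
            sections[cur][block] = {}
        elif '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            target = sections[cur][block] if block else sections[cur]
            old = target.get(key)
            target[key] = value if old is None else [*old, value] if isinstance(old, list) else [old, value]
    return sections


def check_ad_member(smb_text, krb5_text, local_id_max=999):
    """Return findings as strings; an empty list means the pair is consistent."""
    g = parse_smb_conf(smb_text).get('global', {})
    krb = parse_krb5_conf(krb5_text)
    realm = g.get('realm', '')
    default_realm = krb.get('libdefaults', {}).get('default_realm', '')
    out = []
    if g.get('security', '').lower() != 'ads':
        out.append("security must be ADS for an Active Directory member")
    if g.get('encrypt passwords', 'yes').lower() not in ('yes', 'true', '1'):
        out.append("encrypt passwords must be yes; AD rejects plaintext")
    if realm != realm.upper():
        out.append(f"realm '{realm}' is not upper-case; realm names are case-sensitive")
    if realm != default_realm:
        out.append(f"smb.conf realm '{realm}' differs from krb5 default_realm '{default_realm}'")
    if default_realm not in krb.get('realms', {}):
        out.append(f"no [realms] entry for '{default_realm}': kinit cannot find a KDC")
    out += [f"[domain_realm] maps {d} to lower-case '{r}'"
            for d, r in krb.get('domain_realm', {}).items() if r != r.upper()]
    for key in [k for k in ('idmap uid', 'idmap gid', 'winbind uid', 'winbind gid') if k in g]:
        m = ID_RANGE.match(g[key])
        if not m or int(m.group(1)) >= int(m.group(2)):
            out.append(f"{key} '{g[key]}' is not a LOW-HIGH range")
        elif int(m.group(1)) <= local_id_max:
            out.append(f"{key} starts at {m.group(1)}, inside the local account range (<= {local_id_max})")
    return out
```

Run it as `python3 check_ad_member.py` after adding a call such as `print(check_ad_member(open('/etc/samba/smb.conf').read(), open('/etc/krb5.conf').read()))`; an empty list means the two files agree on the realm and the post's required settings are present. The realm comparison is deliberately case-sensitive, which is the error the post describes ("Cannot find KDC for requested realm").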
PoLiPiE
n00b


Joined: 25 May 2003
Posts: 15
Location: www.pckliniek.be

PostPosted: Sun Dec 14, 2003 12:11 am    Post subject:

and the rest????
_________________
www.pckliniek.be
floam
Veteran


Joined: 27 Oct 2002
Posts: 1067
Location: Vancouver, WA USA

PostPosted: Sun Dec 14, 2003 12:51 am    Post subject:

Nice.
_________________
Think about your breathing.
http://floam.sh.nu


Last edited by floam on Sun Dec 14, 2003 1:50 am; edited 1 time in total
maalth
Tux's lil' helper


Joined: 06 Jun 2003
Posts: 76
Location: Can't tell you...

PostPosted: Sun Dec 14, 2003 1:21 am    Post subject:

Sorry, I was finishing up the doc. I had to move from the Windoze machine to my linux machine because my config files were there.
_________________
Screw you guys, I'm going home...
maalth
Tux's lil' helper


Joined: 06 Jun 2003
Posts: 76
Location: Can't tell you...

PostPosted: Sun Dec 14, 2003 1:21 am    Post subject:

PoLiPiE wrote:
and the rest????


It's done.
_________________
Screw you guys, I'm going home...
Tom.Fischer
n00b


Joined: 10 Dec 2003
Posts: 31
Location: Cologne, Germany

PostPosted: Mon Dec 15, 2003 4:21 pm    Post subject: User authentication against the AD

Okay, now it's ready :oops:

Hi,

Complementary to the original poster, here is my solution for authenticating users against the Active Directory. First you need the ad4unix kit. You can download it from http://www.padl.com/download/MKSADPlugins.msi. Install it on your AD schema server and everywhere you add new users. Make sure that you have the rights to update the schema on the AD server. Here is a short description of how to enable schema updates:
Code:

regsvr32 c:\winnt\system32\schmmgmt.dll
Open a new mmc and add Active Directory Schema
Right-click on it and go to Operations Master
Activate the checkbox "The Schema may be modified on this Domain Controller"


Note: you have to install the extensions only on the Schema Master, the one that owns the FSMO role "Schema Master". The snap-in you have to install on all computers where you want to add new users.

You must add a user for every host which should authenticate in your AD and run this command to get a keytab file:

Code:
ktpass -princ nssldap/<hostname> -pass password -mapuser <account> -out <host>_keytab

Copy the keytab in a secure way to your Linux host.

On the Linux side do the following, assuming that you followed the hints in the first post (if not, install kerberos and openldap with the USE flags mentioned above. NOTE: you don't need Samba for the authentication to work):

Code:

emerge pam
emerge nss_ldap
emerge pam_ldap

If you want sasl (for cyrus imapd for example) also emerge cyrus-sasl.
Code:

USE="ldap kerberos pam" emerge cyrus-sasl


Edit /etc/krb5.conf to the following and change things to your needs 8) :
Code:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = dc.example.com:88
  admin_server = dc.example.com:464
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


Now you should be able to obtain a ticket from the AD server. Test it with
Code:
kinit user
klist

You should get back something like this:
Code:

 Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM:

Valid starting     Expires            Service principal
07/16/02 13:01:03  07/16/02 23:01:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

If this works, we install the keytab file created earlier on the AD server.
Code:

ktutil
  rkt <host>_keytab
  list
  wkt /etc/krb5.keytab
  q


Place this line in crontab:
Code:

0       */2     *       *       *       /usr/bin/kinit -k -c /etc/.ldapcache -S ldap/dc.example.com nssldap/host && chmod a+r /etc/.ldapcache


Edit /etc/nsswitch.conf to look something like this:
Code:

# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:     ldap files
group:      ldap files
shadow:     ldap files


Now edit /etc/ldap.conf:
Code:

host dc.example.com
base dc=example,dc=com
binddn cn=host,ou=OrganistaionUnit,dc=example,dc=com
scope one
#use_sasl on

# SASL authorization ID
sasl_auth_id nssldap/proxysrv

nss_base_passwd ou=OrganistaionUnit,dc=example,dc=com?one
nss_base_shadow ou=OrganistaionUnit,dc=example,dc=com?one
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad

I have an Organisation Unit in AD for my users, so I'm not using the Users OU. Change this to your needs. Notice that I have disabled SASL here because I had problems with local logins and SASL; maybe I will have a deeper look at this later, but saslauthd -a pam works without it! :D

Last but not least, copy the necessary pam.d configurations from /usr/share/doc/pam_ldap/pam.d to your /etc/pam.d and gunzip them.

Note: I'm still not able to log in over ssh. I don't know why; sshd always returns
Failed password for user from xxx.xxx.xxx.xxx port 44732 ssh2

login and imap work for me. Maybe later I will have a closer look, but I don't need it this time.

Have fun.

Most of this stuff is from: http://www.hut.fi/cc/docs/kerberos/nss_ldap.html
maalth
Tux's lil' helper


Joined: 06 Jun 2003
Posts: 76
Location: Can't tell you...

PostPosted: Wed Dec 17, 2003 11:01 pm    Post subject: Your solution

While your solution is a good one, what I was writing was a doc to set up file sharing on a linux server, but using Active Directory to authenticate. I apologize if what I wrote is misleading.
_________________
Screw you guys, I'm going home...
Tom.Fischer
n00b


Joined: 10 Dec 2003
Posts: 31
Location: Cologne, Germany

PostPosted: Wed Dec 17, 2003 11:13 pm    Post subject:

Thx, i saw it as an addition to yours.
karwoski
n00b


Joined: 30 Jun 2002
Posts: 16
Location: Columbia, MO

PostPosted: Tue Dec 23, 2003 8:18 pm    Post subject:

Thanks for the guide. I made it through all the steps and the gentoo machine shows up on my network now but when I try to view the shares on it I get prompted for login credentials. Is there another step or something I've missed?
maalth
Tux's lil' helper


Joined: 06 Jun 2003
Posts: 76
Location: Can't tell you...

PostPosted: Sun Dec 28, 2003 10:14 pm    Post subject:

Actually, if you don't log on to the domain, it won't ask for credentials. I'll double check to be sure.

** Update **
Yes, I am correct... you do have to log on to the domain for the credentials to be "pass through". You can always map a drive letter to the share and permanently remember the password, as long as group policy doesn't stop you from doing it.
_________________
Screw you guys, I'm going home...
karwoski
n00b


Joined: 30 Jun 2002
Posts: 16
Location: Columbia, MO

PostPosted: Wed Dec 31, 2003 6:44 pm    Post subject:

I'm not sure I follow you. Here's what I'm trying to do: My workstation is joined to an Active Directory domain and I've got a Linux box that I joined to the domain following the above instructions. When I browse from my Windows 2000 workstation to \\linuxbox\, I get prompted for a username and password. Regardless of what username/pass I give it (domain\username and pass; username and pass) I can't view the shares on the linux box.
maalth
Tux's lil' helper


Joined: 06 Jun 2003
Posts: 76
Location: Can't tell you...

PostPosted: Thu Jan 01, 2004 1:19 am    Post subject:

Are you logged into the domain? Did you create a username/password on the AD server? Try that, it may help.
_________________
Screw you guys, I'm going home...
karwoski
n00b


Joined: 30 Jun 2002
Posts: 16
Location: Columbia, MO

PostPosted: Thu Jan 01, 2004 3:23 am    Post subject:

Yeah, I'm logged into the domain. What type of environment are you using this setup in, anything similar to my previous post or is it a bit different?
maalth
Tux's lil' helper


Joined: 06 Jun 2003
Posts: 76
Location: Can't tell you...

PostPosted: Fri Jan 02, 2004 12:47 am    Post subject:

My AD server is a vmware machine. It shouldn't make a difference though. As long as all the machines on the network can see it, you should be fine. In addition, the machine should be joined to the AD directory. Something definitely strange is going on.
_________________
Screw you guys, I'm going home...
karwoski
n00b


Joined: 30 Jun 2002
Posts: 16
Location: Columbia, MO

PostPosted: Fri Jan 02, 2004 1:21 am    Post subject:

OK. I'll keep playing with it as I have time and if I get it figured out I'll post what I find. Thanks.
TheZog
n00b


Joined: 17 Aug 2002
Posts: 57
Location: Sunny Seattle

PostPosted: Fri Jan 09, 2004 7:06 am    Post subject:

I'm attempting to convert an office from mostly Win2k to mostly Linux, however the servers have to be Win2k. So I'm trying to use the Active Directory to authenticate all users regardless of OS.
I've been all through Google looking for an up-to-date step-by-step or at least some instructions; so far this is one of the best I've seen.
Is the ad4unix.msi really necessary? I'm loath to make changes to our schema. Are there issues with using the default one?
I must say that although I've been using Linux as both workstation and server for the past 4 years, I am unfamiliar with LDAP and modifying PAM or using NIS.

Oh, and I can't find the file "ktpass" even though I have mit-krb5 installed.

Any help would be great!
Lightspeed
n00b


Joined: 21 Feb 2003
Posts: 57
Location: UK

PostPosted: Sat Jan 10, 2004 10:50 pm    Post subject:

TheZog: the "ktpass" command is something to be executed on the windows server, not on the linux box, hence the reason you can't find it on the linux machine.

I'm trying to work my way through setting up AD authentication for linux clients as well but getting errors referring to:

"/lib/libnss_ldap.so.2: undefined symbol: __db185_open"

I thought I had gone through all the steps above, but this error appears all over the place now :(
TheZog
n00b


Joined: 17 Aug 2002
Posts: 57
Location: Sunny Seattle

PostPosted: Sun Jan 11, 2004 5:54 am    Post subject:

Ok thanks, I see that ktpass thing now that I've reread the doc a few times.
However I'm still confused on some issues.
In the line:
ktpass -princ nssldap/<hostname> -pass password -mapuser <account> -out <host>_keytab

What exactly do the variables <hostname> <host> <account> stand for? The workstation's hostname? If so is that FQDN? I'm a bit lost.
I have kinda the same question in regards to the crontab section:
0 */2 * * * /usr/bin/kinit -k -c /etc/.ldapcache -S ldap/dc.example.com nssldap/host && chmod a+r /etc/.ldapcache

Should nssldap/host = nssldap/wkstn01 or whatever my workstation's hostname is?

Why do we need to create a USER account on the AD server for the workstation? Can't we just add it to the domain with Samba3?

Also I had to add "TLS_REQCERT allow" to my ldap.conf file because the SSL enabled ldapsearches would fail with a Could not find/connect to server error. I'm not sure if that's due to my not having the keytab file installed or not, probably...

I really do appreciate the help. I have a limited amount of time to demo a working MS replacement desktop using Linux before the boss decides just to spend several tens of $k on MS licenses instead. Most of my tests are going ok except for
1) An easy way to map a user's homedir to their previous //win2kserver/userdata/{userid} share.
2) Getting an ODBC connection to a MS-SQL server to work for a Wine app.

It's gonna be a long weekend....
backjackII
n00b


Joined: 19 Sep 2002
Posts: 44
Location: California, USA

PostPosted: Thu Mar 04, 2004 8:57 am    Post subject: Error while trying to test whether password is accepted

I get the following error while trying to test whether the password is accepted by the domain KDC:
Code:

mojo:/etc # kinit Administrator
Administrator@mydomainname.com's Password:
kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP


Here is my configuration. I have, of course, changed mydomainname.com to my actual name.

Code:

[libdefaults]
        default_realm = MYDOMAINNAME.COM
        #clockskew = 300

[realms]
        MYDOMAINNAME.COM = {
                kdc = ad.mydomainname.com
          }

[domain_realm]
        .mydomainname.com = mydomainname.com
        #mydomainname.com = mydomainname.com

[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                debug = false
        }
ritjobbie
n00b


Joined: 04 Mar 2004
Posts: 10
Location: Rochester, NY

PostPosted: Thu Mar 04, 2004 6:11 pm    Post subject: What did I forget?

I followed the above tutorial. However, I still have problems... I have successfully joined the Linux box to the domain. I now am trying to create a share on the Linux box that can be accessed by users of our Win2k AD environment. When you try to map the share, it just keeps asking for the username and password over and over. kinit works fine on the Linux box. I can connect to a Windows share in the domain from the Linux box with transparent passthrough via smbclient, but what I really need to happen is in the opposite direction. I have no idea what the errors in my samba log mean (below).

Am I making a n00b mistake? Does Coyboyneal own me?

Below is my smb.conf, krb5.conf, and the output of /var/log/samba3/log.blah:

smb.conf
Code:
# Separate domain and username with '+', like DOMAIN+username
[global]
netbios name = PHASERTEST
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = MAIN
os level = 20
winbind enum groups = yes
password server = *
preferred master = no
winbind separator = +
max log size = 512
log file = /var/log/samba3/log.%m
encrypt passwords = yes
dns proxy = no
realm = MAIN.AD.SOMEDOMAIN.EDU
security = ADS
wins server = ?.?.3.95
wins proxy = no
winbind use default domain = no
 
[pub]
        comment = pub test
        writeable = yes
        path = /pub



krb5.conf
Code:

[libdefaults]
        default_realm = MAIN.AD.SOMEDOMAIN.EDU
 
[realms]
        MAIN.AD.SOMEDOMAIN.EDU = {
                kdc = svits03.SOMEDOMAIN.edu
                kdc = svits04.SOMEDOMAIN.edu
                kdc = svits15.SOMEDOMAIN.edu
        }


/var/log/samba3/log.?.?.13.196 (these same messages repeat about 40 times a second for a few seconds). svits13 is the Windows machine that I was trying to map a share on. The share is shared from \\phasertest\pub. cosdss is my username (domain admin on AD).
Code:
[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:23:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:23:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system


This was in /var/log/samba3/log.svits13 (again, svits13 is the WINS name of a windows box)
Code:
[2004/03/04 09:25:56, 0] auth/auth_util.c:make_server_info_info3(1100)
  make_server_info_info3: pdb_init_sam failed!


Again, I just want Windows users to be able to get to a share on this Linux box. Help?

~Jay
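A small triage script for smbd log excerpts like the one quoted above, added here as an example (it is not from ritjobbie's post and not part of Samba). It pairs each `[timestamp, level] file:function(line)` header with the message line that follows it, counts the `Username ... is invalid on this system` failures per account and per attempt (one timestamp per client attempt), and separates machine accounts (trailing `$`) from user accounts. In Samba 3's `reply_spnego_kerberos` that message is logged only after the Kerberos ticket has been verified, so a burst like this is a principal-to-Unix-account mapping problem (winbindd, nsswitch.conf, PAM) rather than a wrong password, which is what the fix in the following post turned out to be. The sample lines are constructed after the excerpt in the post.

```python
"""Triage of smbd session-setup failures from a Samba 3 log excerpt.
Added example (not from the post, not from Samba): pairs the two-line smbd
log records, summarises 'Username ... is invalid on this system' failures
per account and per attempt, and singles out machine accounts.
SAMPLE_LOG is constructed after the excerpt quoted in the post."""
import re
from collections import Counter, defaultdict

HEADER = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] '
    r'(?P<src>[^:\s]+):(?P<func>\w+)\((?P<lineno>\d+)\)$')
INVALID_USER = re.compile(r'^Username (?P<name>\S+) is invalid on this system$')

SAMPLE_LOG = """\
[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:23:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:23:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:25:56, 0] auth/auth_util.c:make_server_info_info3(1100)
  make_server_info_info3: pdb_init_sam failed!
"""


def parse_smbd_log(text):
    """Return (timestamp, function, message) per record. smbd writes the
    header and the message on separate lines, so they are paired here."""
    records, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            header = m
        elif header is not None:
            records.append((header.group('ts'), header.group('func'), line))
            header = None
    return records


def triage_invalid_users(text):
    """Summarise invalid-username failures: count per account, number of
    distinct attempts (timestamps), machine accounts, and unrelated records."""
    per_account, stamps, other = Counter(), defaultdict(set), 0
    for ts, func, msg in parse_smbd_log(text):
        m = INVALID_USER.match(msg) if func == 'reply_spnego_kerberos' else None
        if not m:
            other += 1
            continue
        per_account[m.group('name')] += 1
        stamps[m.group('name')].add(ts)
    attempts = set().union(*stamps.values()) if stamps else set()
    hint = ''
    if per_account:
        # the ticket was already verified when smbd logged this, so the
        # failure is in mapping the principal to a Unix account
        hint = ('Kerberos ticket verified but the principal could not be mapped '
                'to a Unix account: check winbindd, nsswitch.conf and /etc/pam.d/samba')
    return {
        'accounts': dict(per_account),
        'attempts': len(attempts),
        'machine_accounts': sorted(n for n in per_account if n.endswith('$')),
        'other': other,
        'hint': hint,
    }


if __name__ == '__main__':
    for key, value in triage_invalid_users(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Feed it a real file with `triage_invalid_users(open('/var/log/samba3/log.CLIENT').read())`; a machine account and a user account failing in lock-step at the same timestamps, as in the excerpt, is the signature of a client that authenticated fine to the KDC but whose names the file server cannot resolve.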
ritjobbie
n00b


Joined: 04 Mar 2004
Posts: 10
Location: Rochester, NY

PostPosted: Thu Mar 04, 2004 8:57 pm    Post subject:

WORD UP! I got it working. I had to add winbind to the /etc/pam.d/samba config file, duh.

*whew*
xavior2180
n00b


Joined: 12 Apr 2003
Posts: 35
Location: dallas, tx

PostPosted: Sun Mar 14, 2004 1:54 am    Post subject:

ritjobbie: how did you configure your /etc/pam.d/samba file?

i've edited mine so now i have the following:

Code:

auth       required     /lib/security/pam_winbind.so nodelay
account    required     /lib/security/pam_winbind.so service=system-auth
session    required     /lib/security/pam_winbind.so service=system-auth
password   required     /lib/security/pam_winbind.so nodelay smbconf=/etc/samba/smb.conf


I basically just changed where it had smbpass.so or pam_stack.so to pam_winbind.so, but I have the same problem as you had initially, where it wouldn't accept a username from the windows domain. I don't think this is what I'm supposed to have in there exactly, and I couldn't find any documentation for what to put exactly, even in the samba manual.
ritjobbie
n00b


Joined: 04 Mar 2004
Posts: 10
Location: Rochester, NY

PostPosted: Sun Mar 14, 2004 3:29 pm    Post subject:

Code:
#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth       required     pam_smbpass.so nodelay
auth       sufficient   /lib/security/pam_winbind.so try_first_pass
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf


I still can't get /etc/pam.d/login right so that users can log in to a console. I haven't tried playing with /etc/pam.d/ssh yet. Also, for me it takes about 2 or 3 minutes before someone can access a samba share after winbind starts up. I restarted winbind and thought that I had broken something, but it just takes forever to do its business with AD or something...

~Jay
xavior2180
n00b


Joined: 12 Apr 2003
Posts: 35
Location: dallas, tx

PostPosted: Mon Mar 15, 2004 8:40 pm    Post subject:

ritjobbie wrote:
Code:
#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth       required     pam_smbpass.so nodelay
auth       sufficient   /lib/security/pam_winbind.so try_first_pass
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf


I still can't get /etc/pam.d/login right so that users can log in to a console. I haven't tried playing with /etc/pam.d/ssh yet. Also, for me it takes about 2 or 3 minutes before someone can access a samba share after winbind starts up. I restarted winbind and thought that I had broken something, but it just takes forever to do its business with AD or something...

~Jay


THANKS! it works like a charm now :)

I wasn't really concerned about the other services as I was about the samba server, though. I don't get the delay that you're talking about, but if I set permissions on the AD server on a shared folder, it does seem to take a little while for the permissions to propagate.
ritjobbie
n00b


Joined: 04 Mar 2004
Posts: 10
Location: Rochester, NY

PostPosted: Mon Mar 15, 2004 8:54 pm    Post subject: winbind for login

If anyone does have a working /etc/pam.d/login that allows console logins, please let me know (or just post here). I have been trying to get it working for a while now, but I suck. This thread was a ton of help, but I am just missing something, I think...

I'm going to try netatalk next. =)
~Jay