maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Sat Dec 13, 2003 11:54 pm Post subject: How to integrate Samba into Active Directory (UPDATED).
How to integrate Samba (file sharing) using Active Directory for authentication (basic stuff). Updated 13 Apr 2004.
Alright, I'll have to go on my notes, I did this on Thanksgiving Day, so I may not remember everything I did. Anyway, here goes:
- Active Directory should already be implemented and working. If you need help, there's plenty of help on the net.
- Your Windows system should be secured and patched.
- You have Gentoo Linux installed of course
- With the config files, you need to change example.com to match your domain.
Okay, now the basics are done, let's begin the install process.
Step 1: Emerge openldap. No configuration is necessary. However, AD support will not be compiled into samba without it.
Step 2: Emerge mit-krb5. Configure the file /etc/krb5.conf as follows:
Code: | [libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = adserver.example.com
} |
Add this line to /etc/hosts:
Code: | 1.2.3.4 adserver.example.com adserver |
You need this to make sure you can connect to the AD server, even when DNS is down.
Notes about this config file, do NOT change the case of EXAMPLE.COM because you will get the following error message: "Cannot find KDC for requested realm while getting initial credentials". Also, do NOT comment the config file because the kerberos client will not read the config file correctly.
Step 3: We will stop here and test kerberos to ensure you can see the AD domain type in this command:
Code: | kinit Administrator@EXAMPLE.COM |
It will ask for the password; if you type it in correctly, you will be returned to the prompt, which means it worked. Pat yourself on the back. You've done the easy part!
Step 4: We are now going to emerge samba. You can do this one of two ways:
- Add kerberos and ldap to the USE flags in your make.conf file. Emerge samba using the following command:
OR
Type in the following command: Code: | USE="kerberos ldap" emerge samba |
IMPORTANT: kerberos and ldap MUST be included, winbind will NOT work without those flags!
Use the command Code: | emerge -pv samba |
The resulting line should look similar to this (this is on my system):
Code: | [ebuild R ] net-fs/samba-3.0.2a -acl +cups +kerberos +ldap +mysql -oav +pam +python +readline +xml 127 kb |
Simply put, pick option 1 or 2; samba takes a little time to compile and install. Once samba is installed, you need to configure it. You can use this example samba file:
Code: | # Separate domain and username with '+', like DOMAIN+username
[global]
netbios name = SERVERNAME <- I recommend the same name as the server.
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 <- Tweak this to get the best speed out of your connection
idmap uid = 10000-20000 <- This is for mapping uids between linux server and AD
winbind enum users = yes <- This allows you to bind users.
winbind gid = 10000-20000 <- This is for mapping gids between linux server and AD
workgroup = WORKGROUP <- Change to match the NETBIOS name of the AD domain.
os level = 20 <- This is for the master browser priority.
winbind enum groups = yes <- This allows you to use the Active Directory groups
socket address = 1.2.3.4 <- Change this to match the IP address or remove it to listen to all addresses.
password server = * <- I recommend this if you have more than one server; I do in my case.
preferred master = no <- You do NOT want to be a master browser.
winbind separator = + <- See the first line comment.
max log size = 50 <- In K
log file = /var/log/samba3/log.%m <- This allows logging activities for each machine.
encrypt passwords = yes <- Active directory does NOT accept plaintext passwords.
dns proxy = no <- You don't want anything to do with DNS.
realm = EXAMPLE.COM <- This is for kerberos.
security = ADS <- Active directory server provides security for the shared resources.
wins server = 1.2.3.4 <- Change to IP address of your installed WINS server
wins proxy = no <- You don't want to proxy WINS either.
# Shares section
[mp3] <- Name of the share.
comment = MP3 Repository <- A comment...
writeable = yes <- If you want users to update the directory
path = /home/mp3 <- Where is the share on the linux server
force user = mp3 <- Should be the name of the user who is responsible for the share.
|
Step 5: Fire up samba; check to make sure it's running.
Code: | /etc/init.d/samba start |
Step 6: Join your samba server to your domain by typing in this command:
Code: | net ads join -U Administrator |
It will ask you for a password, type your password in. If you typed it in correctly, you will see the message that says: Joined 'SERVERNAME' to realm 'EXAMPLE.COM.' If you check your AD server, the machine account for your system will appear under computers.
Step 7: We are going to test winbind to ensure windows authentication does indeed work. Winbind allows you to use Active Directory for user authentication (see link 2 for more info). The steps for using and testing winbind are gleaned from link 2.
You need to edit the file /etc/nsswitch.conf. You need to change two lines to look like this (other lines removed to keep this post as short as possible):
Code: | passwd: compat winbind
shadow: compat
group: compat winbind |
Let's test the winbindd daemon before we make it permanent. Fire up winbindd by typing
You can also make winbindd run as two processes (which is faster; but for these purposes, let's run it as one). Winbindd runs in dual daemon mode by default.
Since there is no visual confirmation whether or not it's running, you can check with ps to ensure it is indeed running.
Code: | ps -ae | grep winbindd
The results should be something similar to this:
13324 ? 00:04:23 winbindd
13325 ? 00:00:00 winbindd |
If you get an error message instead of the above, then you didn't compile kerberos and ldap support in and need to do that before anything will work.
Let's make sure we can see the contents of Active Directory. Type in this command:
These are the results from my system (changed for integrity); yours should be similar.
Code: | EXAMPLE+test <- test account on AD
EXAMPLE+test2 <- test account on AD
EXAMPLE+Administrator
EXAMPLE+Guest
EXAMPLE+TsInternetUser
EXAMPLE+krbtgt
EXAMPLE+MACHINE1$ <- test machine 1
EXAMPLE+MACHINE2$ <- test machine 2
EXAMPLE+MACHINE3$ <- test machine 3
EXAMPLE+HOST/servername <- samba machine
EXAMPLE+DOMAINCONTROLLER$ |
To see the groups, use this command:
You should see a result similar to this:
Code: | EXAMPLE+Domain Computers
EXAMPLE+Domain Controllers
EXAMPLE+Schema Admins
EXAMPLE+Enterprise Admins
EXAMPLE+Cert Publishers
EXAMPLE+Domain Admins
EXAMPLE+Domain Users
EXAMPLE+Domain Guests
EXAMPLE+Group Policy Creator Owners
EXAMPLE+DnsUpdateProxy |
We can get a username from both the local linux server and the Active Directory server by typing in this command:
I will not post the results of this command for security reasons, but you should see a list of local users with the Active Directory users appended.
For groups, type in getent group
I will not post the results of this command for security reasons, but you should see a list of local groups with the Active Directory groups appended.
I would suggest reading the info in link 2 for more things you can do with other authentication with AD.
If everything has worked as above, pat yourself on the back! Good job!
Step 8: If you didn't configure a share yet, do so now. You need to restart samba if you created a share.
You should join any machine you want to access the samba resources to your Active Directory Domain. Use a machine that's joined to the AD domain to see if your share appears via network neighborhood.
If you want samba and winbind to run on startup, type in the following commands:
Code: | rc-update add samba default
rc-update add winbind default |
That's it for now. If you have any problems or questions, or something is unclear, let me know and I will do my best to help you.
Resources:
The samba/ADS howto: http://us1.samba.org/samba/docs/man/domain-member.html#ads-member
Helpful info for winbind: http://us1.samba.org/samba/docs/man/winbind.html _________________ Screw you guys, I'm going home...
Last edited by maalth on Tue Apr 13, 2004 4:58 pm; edited 5 times in total |
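As an added example (not part of maalth's post, and not a Samba or Gentoo tool): an offline preflight that parses smb.conf, krb5.conf and nsswitch.conf the way the steps above set them up and reports the mistakes the post warns about (a lower-case realm, security not set to ADS, no idmap range, winbind missing from nsswitch.conf). The three sample configs are constructed for the example, and the function and finding names are assumptions of mine.

```python
"""Offline preflight check for the Samba AD member setup described in the
thread. The configs below are constructed samples (not from any real host);
to check a real machine, read /etc/samba/smb.conf, /etc/krb5.conf and
/etc/nsswitch.conf into the same functions."""
import re

SAMPLE_SMB_CONF = """\
# constructed sample, same structure as the smb.conf in the post
[global]
netbios name = SERVERNAME
workgroup = WORKGROUP
realm = EXAMPLE.COM
security = ADS
encrypt passwords = yes
idmap uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
[mp3]
path = /home/mp3
"""

SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = adserver.example.com
}
"""

SAMPLE_NSSWITCH = "passwd: compat winbind\nshadow: compat\ngroup: compat winbind\n"


def parse_ini(text):
    """Parse smb.conf-style [section] / key = value text (keys lower-cased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif '=' in line and current is not None:
            key, value = (p.strip() for p in line.split('=', 1))
            current[key.lower()] = value
    return sections


def parse_krb5(text):
    """Parse krb5.conf, including the REALM = { ... } brace groups."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == '}' and stack:
            stack.pop()
        elif line.endswith('{') and stack:
            key = line[:-1].split('=', 1)[0].strip()
            stack.append(stack[-1].setdefault(key, {}))
        elif '=' in line and stack:
            key, value = (p.strip() for p in line.split('=', 1))
            stack[-1][key] = value
    return sections


def check_member_setup(smb, krb5, nsswitch):
    """Return a list of findings; an empty list means the preflight passed."""
    findings = []
    g = smb.get('global', {})
    if g.get('security', '').upper() != 'ADS':
        findings.append("smb.conf: security must be ADS to authenticate against AD")
    if g.get('encrypt passwords', 'yes').lower() != 'yes':
        findings.append("smb.conf: AD does not accept plaintext passwords; set encrypt passwords = yes")
    realm = g.get('realm', '')
    if not realm:
        findings.append("smb.conf: realm is missing")
    elif realm != realm.upper():
        findings.append("smb.conf: realm %r should be upper case" % realm)
    # the post mixes the older 'winbind uid/gid' and newer 'idmap uid/gid' names; accept either
    for kind in ('uid', 'gid'):
        if not any(k in g for k in ('idmap ' + kind, 'winbind ' + kind)):
            findings.append("smb.conf: no idmap %s range; domain accounts cannot be mapped" % kind)
    default_realm = krb5.get('libdefaults', {}).get('default_realm', '')
    if not default_realm:
        findings.append("krb5.conf: default_realm is missing")
    elif default_realm != default_realm.upper():
        # the symptom the post describes: 'Cannot find KDC for requested realm'
        findings.append("krb5.conf: default_realm %r must be upper case" % default_realm)
    if realm and default_realm and realm != default_realm:
        findings.append("realm in smb.conf and default_realm in krb5.conf differ")
    if default_realm and 'kdc' not in krb5.get('realms', {}).get(default_realm, {}):
        findings.append("krb5.conf: no kdc entry for realm %s" % default_realm)
    for db in ('passwd', 'group'):
        m = re.search(r'^%s:\s*(.*)$' % db, nsswitch, re.M)
        if not m or 'winbind' not in m.group(1).split():
            findings.append("nsswitch.conf: the %s line does not list winbind" % db)
    return findings


def run_sample_checks():
    """Run the preflight over the constructed samples (returns [] when clean)."""
    return check_member_setup(parse_ini(SAMPLE_SMB_CONF), parse_krb5(SAMPLE_KRB5_CONF), SAMPLE_NSSWITCH)


if __name__ == '__main__':
    for problem in run_sample_checks() or ['preflight passed']:
        print(problem)
```

The checks are deliberately static: they only read files, so they can run before winbindd is started and before the machine is joined, which is when the realm-case and nsswitch mistakes are cheapest to catch.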
PoLiPiE n00b
Joined: 25 May 2003 Posts: 15 Location: www.pckliniek.be
Posted: Sun Dec 14, 2003 12:11 am
and the rest???? _________________ www.pckliniek.be |
floam Veteran
Joined: 27 Oct 2002 Posts: 1067 Location: Vancouver, WA USA
Posted: Sun Dec 14, 2003 12:51 am
Nice. _________________ Think about your breathing.
http://floam.sh.nu
Last edited by floam on Sun Dec 14, 2003 1:50 am; edited 1 time in total |
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Sun Dec 14, 2003 1:21 am
Sorry, I was finishing up the doc. I had to move from the Windoze machine to my linux machine because my config files were there. _________________ Screw you guys, I'm going home... |
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Sun Dec 14, 2003 1:21 am
PoLiPiE wrote: | and the rest???? |
It's done. _________________ Screw you guys, I'm going home... |
Tom.Fischer n00b
Joined: 10 Dec 2003 Posts: 31 Location: Cologne, Germany
Posted: Mon Dec 15, 2003 4:21 pm Post subject: User authentication against the AD
Okay, now it's ready
Hi,
Complementary to the original poster, here is my solution for authenticating users against the Active Directory. First you need the ad4unix kit. You can download it from http://www.padl.com/download/MKSADPlugins.msi. Install it on your AD schema server and everywhere you add new users. Make sure that you have the rights to update the schema on the AD server. Here is a short description of how to enable schema updates:
Code: |
regsvr32 c:\winnt\system32\schmmgmt.dll
Open a new mmc and add Active Directory Schema
right-click on it and go to Operations Master
Activate the checkbox The Schema may be modified on this Domain Controller
|
Note: you have to install the extensions only on the Schema Master, the one that owns the FSMO role "Schema Master". The snap-in you have to install on all computers where you want to add new users.
You must add a user for every host that should authenticate against your AD, and run this command to get a keytab file:
Code: | ktpass -princ nssldap/<hostname> -pass password -mapuser <account> -out <host>_keytab |
Copy the keytab in a secure way to your Linux host.
On the Linux side do the following, assuming that you followed the hints in the first post (if not, install kerberos and openldap with the USE flags mentioned above. NOTE: you don't need Samba for the authentication to work):
Code: |
emerge pam
emerge nss_ldap
emerge pam_ldap
|
If you want sasl (for cyrus imapd for example) also emerge cyrus-sasl.
Code: |
USE="ldap kerberos pam" emerge cyrus-sasl
|
Edit /etc/krb5.conf to the following and change things to your need :
Code: |
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.COM = {
kdc = dc.example.com:88
admin_server = dc.example.com:464
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
|
Now you should be able to obtain a ticket from the AD server. Test it with
Code: | kinit user
klist
|
You should get back something like this:
Code: |
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM:
Valid starting Expires Service principal
07/16/02 13:01:03 07/16/02 23:01:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
|
If this works, we install the keytab file created earlier on the AD server.
Code: |
ktutil
rkt <host>_keytab
list
wkt /etc/krb5.keytab
q
|
Place this line in crontab:
Code: |
0 */2 * * * /usr/bin/kinit -k -c /etc/.ldapcache -S ldap/dc.example.com nssldap/host && chmod a+r /etc/.ldapcache
|
Edit /etc/nsswitch.conf to look something like this:
Code: |
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $
passwd: ldap files
group: ldap files
shadow: ldap files
|
Now edit /etc/ldap.conf:
Code: |
host dc.example.com
base dc=example,dc=com
binddn cn=host,ou=OrganistaionUnit,dc=example,dc=com
scope one
#use_sasl on
# SASL authorization ID
sasl_auth_id nssldap/proxysrv
nss_base_passwd ou=OrganistaionUnit,dc=example,dc=com?one
nss_base_shadow ou=OrganistaionUnit,dc=example,dc=com?one
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
|
I have an Organisation Unit in AD for my users, so I'm not using the Users OU. Change this to your needs. Notice that I have disabled SASL here because I had problems with local logins and SASL; maybe I will have a deeper look at this later, but saslauthd -a pam works without it!
Last but not least, copy the necessary pam.d configurations from /usr/share/doc/pam_ldap/pam.d to your /etc/pam.d and gunzip them.
Note: I'm still not able to log in over ssh. I don't know why; sshd always returns
Failed password for user from xxx.xxx.xxx.xxx port 44732 ssh2
login and imap work for me. Maybe later I will have a closer look, but I don't need it this time.
Have fun.
Most of this stuff is from: http://www.hut.fi/cc/docs/kerberos/nss_ldap.html |
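An added illustration of what the nss_map_attribute and nss_map_objectclass lines in the ldap.conf above do (this is not part of Tom.Fischer's post and not nss_ldap's own code): nss_ldap still asks for the posixAccount attributes by their POSIX names, but the map directives tell it which AD attribute and object class to read for each. The AD entry below is constructed, and the attribute names uidNumber, gidNumber, loginShell and gecos are assumptions about what the Unix-attribute schema extension stores; the function names are mine.

```python
"""What the nss_map_* lines in ldap.conf do, shown offline: the POSIX
attribute names are looked up through the AD names the directives map them
to. Everything here is constructed for the example (no real directory entry,
and not nss_ldap's own code)."""

# Map directives copied from the ldap.conf shown in the post.
SAMPLE_LDAP_CONF = """\
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
"""

# Constructed AD user entry: the unmapped attribute names (uidNumber, gidNumber,
# loginShell, gecos) are assumptions about the Unix-attribute schema extension.
SAMPLE_AD_USER = {
    'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
    'sAMAccountName': ['jdoe'],
    'msSFUHomeDirectory': ['/home/jdoe'],
    'uidNumber': ['10001'],
    'gidNumber': ['10000'],
    'loginShell': ['/bin/bash'],
    'gecos': ['Jane Doe'],
}

POSIX_ACCOUNT_ATTRS = ('uid', 'uidNumber', 'gidNumber', 'gecos', 'homeDirectory', 'loginShell')
REQUIRED_ATTRS = ('uid', 'uidNumber', 'gidNumber', 'homeDirectory')


def parse_maps(text):
    """Collect nss_map_attribute / nss_map_objectclass directives."""
    attrs, classes = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        if parts[0] == 'nss_map_attribute':
            attrs[parts[1]] = parts[2]
        elif parts[0] == 'nss_map_objectclass':
            classes[parts[1]] = parts[2]
    return attrs, classes


def lookup(entry, posix_attr, attrs):
    """Read a POSIX attribute through its AD name (unmapped names are used as-is)."""
    values = entry.get(attrs.get(posix_attr, posix_attr), [])
    return values[0] if values else None


def has_class(entry, posix_class, classes):
    """True if the entry carries the AD object class mapped to posix_class."""
    wanted = classes.get(posix_class, posix_class).lower()
    return wanted in (c.lower() for c in entry.get('objectClass', []))


def to_passwd_line(entry, attrs, classes):
    """Render the entry as a passwd(5) line, or None if it is not an account.

    Raises ValueError when a required field is missing, which is how an entry
    without Unix attributes looks to NSS: the user simply does not resolve."""
    if not has_class(entry, 'posixAccount', classes):
        return None
    fields = {a: lookup(entry, a, attrs) for a in POSIX_ACCOUNT_ATTRS}
    missing = [a for a in REQUIRED_ATTRS if fields[a] is None]
    if missing:
        raise ValueError('entry lacks %s (read via %s)' % (
            ', '.join(missing), ', '.join(attrs.get(a, a) for a in missing)))
    return '%s:x:%s:%s:%s:%s:%s' % (
        fields['uid'], fields['uidNumber'], fields['gidNumber'],
        fields['gecos'] or '', fields['homeDirectory'], fields['loginShell'] or '/bin/sh')


def render_sample():
    """Apply the post's map directives to the constructed entry."""
    return to_passwd_line(SAMPLE_AD_USER, *parse_maps(SAMPLE_LDAP_CONF))


if __name__ == '__main__':
    print(render_sample())
```

The ValueError path is the one to keep in mind when getent passwd shows nothing for a domain user: the directory object exists, but the attribute the map points at (here msSFUHomeDirectory) was never populated for that account.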
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Wed Dec 17, 2003 11:01 pm Post subject: Your solution
While your solution is a good one, what I was writing was a doc to set up file sharing on a Linux server, but using Active Directory to authenticate. I apologize if what I wrote is misleading. _________________ Screw you guys, I'm going home...
Tom.Fischer n00b
Joined: 10 Dec 2003 Posts: 31 Location: Cologne, Germany
Posted: Wed Dec 17, 2003 11:13 pm
Thanks, I saw it as an addition to yours.
karwoski n00b
Joined: 30 Jun 2002 Posts: 16 Location: Columbia, MO
Posted: Tue Dec 23, 2003 8:18 pm
Thanks for the guide. I made it through all the steps and the gentoo machine shows up on my network now but when I try to view the shares on it I get prompted for login credentials. Is there another step or something I've missed? |
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Sun Dec 28, 2003 10:14 pm
Actually, if you don't log on to the domain, it won't ask for credentials. I'll double check to be sure.
** Update **
Yes, I am correct... you do have to log on to the domain for the credentials to be "pass through". You can always map a drive letter to the share and permanently remember the password, as long as group policy doesn't stop you from doing it. _________________ Screw you guys, I'm going home...
karwoski n00b
Joined: 30 Jun 2002 Posts: 16 Location: Columbia, MO
Posted: Wed Dec 31, 2003 6:44 pm
I'm not sure I follow you. Here's what I'm trying to do: My workstation is joined to an Active Directory domain and I've got a Linux box that I joined to the domain following the above instructions. When I browse from my Windows 2000 workstation to \\linuxbox\, I get prompted for a username and password. Regardless of what username/pass I give it (domain\username and pass; username and pass) I can't view the shares on the linux box. |
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Thu Jan 01, 2004 1:19 am
Are you logged into the domain? Did you create a username/password on the AD server? Try that, it may help. _________________ Screw you guys, I'm going home... |
karwoski n00b
Joined: 30 Jun 2002 Posts: 16 Location: Columbia, MO
Posted: Thu Jan 01, 2004 3:23 am
Yeah, I'm logged into the domain. What type of environment are you using this setup in, anything similar to my previous post or is it a bit different?
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Fri Jan 02, 2004 12:47 am
My AD server is a vmware machine. It shouldn't make a difference though. As long as all the machines on the network can see it, you should be fine. In addition, the machine should be joined to the AD directory. Something definitely strange is going on. _________________ Screw you guys, I'm going home... |
karwoski n00b
Joined: 30 Jun 2002 Posts: 16 Location: Columbia, MO
Posted: Fri Jan 02, 2004 1:21 am
OK. I'll keep playing with it as I have time and if I get it figured out I'll post what I find. Thanks. |
TheZog n00b
Joined: 17 Aug 2002 Posts: 57 Location: Sunny Seattle
Posted: Fri Jan 09, 2004 7:06 am
I'm attempting to convert an office from mostly Win2k to mostly Linux; however, the servers have to stay Win2k. So I'm trying to use the Active Directory to authenticate all users regardless of OS.
I've been all through Google looking for an up-to-date step-by-step or at least some instructions; so far this is one of the best I've seen.
Is the ad4unix.msi really necessary? I'm loath to make changes to our schema. Are there issues with using the default one?
I must say that although I've been using Linux as both workstation and server for the past 4 years, I am unfamiliar with LDAP and modifying PAM or using NIS.
Oh, and I can't find the file "ktpass" even though I have mit-krb5 installed.
Any help would be great! |
Lightspeed n00b
Joined: 21 Feb 2003 Posts: 57 Location: UK
Posted: Sat Jan 10, 2004 10:50 pm
TheZog: the "ktpass" command is something to be executed on the windows server, not on the linux box, hence the reason you can't find it on the linux machine.
I'm trying to work my way through setting up AD authentication for linux clients as well but getting errors referring to:
"/lib/libnss_ldap.so.2: undefined symbol: __db185_open"
I thought I had gone through all the steps above, but this error appears all over the place now.
TheZog n00b
Joined: 17 Aug 2002 Posts: 57 Location: Sunny Seattle
Posted: Sun Jan 11, 2004 5:54 am
Ok thanks, I see that ktpass thing now that I've reread the doc a few times.
However I'm still confused on some issues.
In the line:
ktpass -princ nssldap/<hostname> -pass password -mapuser <account> -out <host>_keytab
What exactly do the variables <hostname> <host> <account> stand for? The workstation's hostname? If so is that FQDN? I'm a bit lost.
I have kinda the same question in regards to the crontab section:
0 */2 * * * /usr/bin/kinit -k -c /etc/.ldapcache -S ldap/dc.example.com nssldap/host && chmod a+r /etc/.ldapcache
Should nssldap/host = nssldap/wkstn01 or whatever my workstation's hostname is?
Why do we need to create a USER account on the AD server for the workstation? Can't we just add it to the domain with Samba3?
Also I had to add "TLS_REQCERT allow" to my ldap.conf file because the SSL enabled ldapsearches would fail with a Could not find/connect to server error. I'm not sure if that's due to my not having the keytab file installed or not, probably...
I really do appreciate the help. I have a limited amount of time to demo a working MS replacement desktop using Linux before the boss decides just to spend several tens of $k on MS licenses instead. Most of my tests are going ok except for
1) An easy way to map a user's homedir to their previous //win2kserver/userdata/{userid} share.
2) Getting an ODBC connection to a MS-SQL server to work for a Wine app.
It's gonna be a long weekend.... |
backjackII n00b
Joined: 19 Sep 2002 Posts: 44 Location: California, USA
Posted: Thu Mar 04, 2004 8:57 am Post subject: Error while trying to test whether password is accepted
I get the following error while trying to test whether the password is accepted by the domain KDC:
Code: |
mojo:/etc # kinit Administrator
Administrator@mydomainname.com's Password:
kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP
|
Here is my configuration. I have, of course, changed mydomainname.com to my actual name.
Code: |
[libdefaults]
default_realm = MYDOMAINNAME.COM
#clockskew = 300
[realms]
MYDOMAINNAME.COM = {
kdc = ad.mydomainname.com
}
[domain_realm]
.mydomainname.com = mydomainname.com
#mydomainname.com = mydomainname.com
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
|
ritjobbie n00b
Joined: 04 Mar 2004 Posts: 10 Location: Rochester, NY
Posted: Thu Mar 04, 2004 6:11 pm Post subject: What did I forget?
I followed the above tutorial. However, I still have problems... I have successfully joined the Linux box to the domain. I now am trying to create a share on the Linux box that can be accessed by users of our Win2k AD environment. When you try to map the share, it just keeps asking for the username and password over and over. kinit works fine on the Linux box. I can connect to a Windows share in the domain from the Linux box with transparent passthrough via smbclient, but what I really need to happen is in the opposite direction. I have no idea what the errors in my samba log mean (below).
Am I making a n00b mistake? Does Coyboyneal own me?
Below are my smb.conf, krb5.conf, and the output of /var/log/samba3/log.blah:
smb.conf
Code: | # Separate domain and username with '+', like DOMAIN+username
[global]
netbios name = PHASERTEST
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = MAIN
os level = 20
winbind enum groups = yes
password server = *
preferred master = no
winbind separator = +
max log size = 512
log file = /var/log/samba3/log.%m
encrypt passwords = yes
dns proxy = no
realm = MAIN.AD.SOMEDOMAIN.EDU
security = ADS
wins server = ?.?.3.95
wins proxy = no
winbind use default domain = no
[pub]
comment = pub test
writeable = yes
path = /pub
|
krb5.conf
Code: |
[libdefaults]
default_realm = MAIN.AD.SOMEDOMAIN.EDU
[realms]
MAIN.AD.SOMEDOMAIN.EDU = {
kdc = svits03.SOMEDOMAIN.edu
kdc = svits04.SOMEDOMAIN.edu
kdc = svits15.SOMEDOMAIN.edu
}
|
/var/log/samba3/log.?.?.13.196 (these same messages repeat about 40 times a second for a few seconds). svits13 is the Windows machine that I was trying to map a share on. The share is shared from \\phasertest\pub. cosdss is my username (domain admin on AD).
Code: | [2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:23:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:23:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
|
This was in /var/log/samba3/log.svits13 (again, svits13 is the WINS name of a windows box)
Code: | [2004/03/04 09:25:56, 0] auth/auth_util.c:make_server_info_info3(1100)
make_server_info_info3: pdb_init_sam failed!
|
Again, I just want Windows users to be able to get to a share on this Linux box. Help?
~Jay |
ritjobbie n00b
Joined: 04 Mar 2004 Posts: 10 Location: Rochester, NY
Posted: Thu Mar 04, 2004 8:57 pm
WORD UP! I got it working. I had to add winbind to the /etc/pam.d/samba config file, duh.
*whew* |
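As an added example (not part of ritjobbie's posts and not a Samba tool): a small triage script for the smbd log pattern in the post above, where the Kerberos (SPNEGO) session setup yields a domain account name that smbd then reports as "invalid on this system", followed by pdb_init_sam failures. It parses the two-line Samba 3 log format (header line, then message), counts the affected user and machine accounts separately, and states the identity-mapping cause that the fix in this thread (winbind in /etc/pam.d/samba, winbind in nsswitch.conf, winbindd running) addresses. The log lines are constructed in the same format as the posted ones; the function names are mine.

```python
"""Triage of the smbd log entries posted in the thread: a session setup
that produces a domain account name which smbd cannot map to a local user.
The log below is constructed in the same two-line format (header line,
then message); it is not ritjobbie's log."""
import re
from collections import Counter

SAMPLE_LOG = """\
[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username EXAMPLE.COM-WKSTN01$ is invalid on this system
[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username EXAMPLE.COM-jdoe is invalid on this system
[2004/03/04 09:23:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username EXAMPLE.COM-jdoe is invalid on this system
[2004/03/04 09:25:56, 0] auth/auth_util.c:make_server_info_info3(1100)
  make_server_info_info3: pdb_init_sam failed!
[2004/03/04 09:26:10, 2] smbd/service.c:make_connection_snum(648)
  wkstn01 (192.0.2.10) closed connection to service pub
"""

# Samba 3 log header: [YYYY/MM/DD HH:MM:SS, level] file:function(line)
HEADER = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$')
INVALID_USER = re.compile(r'^Username (\S+) is invalid on this system$')


def parse_entries(text):
    """Yield (timestamp, level, location, message) tuples from Samba 3 log text."""
    header = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            header = (m.group(1), int(m.group(2)), m.group(3))
        elif header and raw.strip():
            yield header + (raw.strip(),)
            header = None


def triage(text):
    """Count the unmapped accounts and say what the pattern means."""
    users, machines = Counter(), Counter()
    pdb_failures = other = 0
    for _ts, _level, _where, msg in parse_entries(text):
        m = INVALID_USER.match(msg)
        if m:
            account = m.group(1)
            # machine accounts end in '$'; they show up when the client host itself connects
            (machines if account.endswith('$') else users)[account] += 1
        elif 'pdb_init_sam failed' in msg:
            pdb_failures += 1
        else:
            other += 1
    verdict = 'no identity-mapping failures seen'
    if users or machines or pdb_failures:
        verdict = ('the session setup produced a domain account name, but smbd could not '
                   'resolve it to a local user: check that winbindd is running, that the '
                   'passwd and group lines in nsswitch.conf list winbind, and that '
                   '/etc/pam.d/samba uses pam_winbind (the fix reported in this thread)')
    return {'unmapped_users': users, 'unmapped_machines': machines,
            'pdb_init_sam_failures': pdb_failures, 'other': other, 'verdict': verdict}


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print('%s: %s' % (key, dict(value) if isinstance(value, Counter) else value))
```

Feed it a real /var/log/samba3/log.<client> file and the counters tell you whether the failures are all for one account (an account without Unix attributes or outside the idmap range) or for every account (winbind or PAM not wired in at all).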
xavior2180 n00b
Joined: 12 Apr 2003 Posts: 35 Location: dallas, tx
Posted: Sun Mar 14, 2004 1:54 am
ritjobbie: how did you configure your /etc/pam.d/samba file?
I've edited mine so now I have the following:
Code: |
auth required /lib/security/pam_winbind.so nodelay
account required /lib/security/pam_winbind.so service=system-auth
session required /lib/security/pam_winbind.so service=system-auth
password required /lib/security/pam_winbind.so nodelay smbconf=/etc/samba/smb.conf
|
I basically just changed where it had smbpass.so or pam_stack.so to pam_winbind.so, but I have the same problem as you had initially, where it wouldn't accept a username from the Windows domain. I don't think this is what I'm supposed to have in there exactly, and I couldn't find any documentation for what to put exactly, even in the samba manual.
ritjobbie n00b
Joined: 04 Mar 2004 Posts: 10 Location: Rochester, NY
Posted: Sun Mar 14, 2004 3:29 pm
Code: | #%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth required pam_smbpass.so nodelay
auth sufficient /lib/security/pam_winbind.so try_first_pass
account required /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
|
I still can't get /etc/pam.d/login right so that users can log in to a console. I haven't tried playing with /etc/pam.d/ssh yet. Also, for me it takes about 2 or 3 minutes before someone can access a samba share after winbind starts up. I restarted winbind and thought that I had broken something, but it just takes forever to do its business with AD or something...
~Jay |
xavior2180 n00b
Joined: 12 Apr 2003 Posts: 35 Location: dallas, tx
Posted: Mon Mar 15, 2004 8:40 pm
ritjobbie wrote: | Code: | #%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth required pam_smbpass.so nodelay
auth sufficient /lib/security/pam_winbind.so try_first_pass
account required /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
|
I still can't get /etc/pam.d/login right so that users can log in to a console. I haven't tried playing with /etc/pam.d/ssh yet. Also, for me it takes about 2 or 3 minutes before someone can access a samba share after winbind starts up. I restarted winbind and thought that I had broken something, but it just takes forever to do its business with AD or something...
~Jay |
THANKS! It works like a charm now.
I wasn't really concerned about the other services as I was about the samba server though. I don't get the delay that you're talking about, but if I set permissions on the AD server on a shared folder, it does seem to take a little while for the permissions to propagate.
ritjobbie n00b
Joined: 04 Mar 2004 Posts: 10 Location: Rochester, NY
Posted: Mon Mar 15, 2004 8:54 pm Post subject: winbind for login
If anyone does have a working /etc/pam.d/login that allows console logins, please let me know (or just post here). I have been trying to get it working for a while now, but I suck. This thread was a ton of help, but I am just missing something, I think...
I'm going to try netatalk next. =)
~Jay |