Mark A. Holm
2005-Jun-08 08:05 UTC
[Samba] Problems with Samba and Windows 2003 Active Domain Server
Can somebody with experience making a RedHat Fedora Core 3 server with Samba installed work in a Windows 2003 Active Domain please give me some pointers?

I have a small installation with one Windows 2003 Server running as a domain controller for about 10 Windows XP machines. This is working just fine. I decided that I wanted to add a RedHat Fedora Core 3 server as a Mail server, running Cyrus IMAP and Open Group Ware. The first thing that I wanted to do was get the Fedora machine working as a member of the domain and authenticating users from the domain for local login for mail and SSH access.

I found several different tutorials on the web, including the one in the documentation on the samba.org site, about doing this and followed their instructions as closely as I could. For the file samples included below, I have started with the files as supplied by RedHat and for the most part stripped out the comments for brevity here. Also changed some names to protect the innocent.

My smb.conf file looks like the following:

Smb.conf

[global]
    log file = /var/log/samba/%m.log
    load printers = yes
    idmap gid = 16777216-33554431
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    winbind trusted domains only = yes
    realm = PORTLAND-INT.CLIENT.COM
    winbind use default domain = yes
    template primary group = "Staff"
    template homedir = /home/%U
    template shell = /bin/bash
    dns proxy = no
    netbios name = mail
    cups options = raw
    server string = Mail Linux Samba Server
    winbind enum users = yes
    winbind enum groups = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    password server = server.portland-int.client.com
    workgroup = SKYLINE
    os level = 20
    os level = 20
    printcap name = /etc/printcap
    security = ads
    preferred master = no
    max log size = 50

[homes]
    comment = Home Directories
    browseable = no
    writeable = yes

; [netlogon]
;   comment = Network Logon Service
;   path = /home/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no

;[Profiles]
;   path = /home/profiles
;   browseable = no
;   guest ok = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    printable = yes

;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

[public]
    comment = Public Stuff
    path = /home/samba
    public = yes
    read only = no
;   write list = @staff
EOF

The KRB5.conf file contains:

Krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = PORTLAND-INT.CLIENT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 PORTLAND-INT.CLIENT.COM = {
  kdc = server.portland-int.client.com:88
  admin_server = server.portland-int.client.com:749
  default_domain = portland-int.client.com
 }

[domain_realm]
 .portland-int.client.com = PORTLAND-INT.CLIENT.COM
 portland-int.client.com = PORTLAND-INT.CLIENT.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
EOF

After doing "/etc/init.d/smb restart; /etc/init.d/winbind restart", I was able to issue a "net ads -U administrator join CLIENT" command and received the Welcome to the CLIENT domain message.

At this point I can do either of:

  wbinfo -a "CLIENT\\markh%MYPASSWD"
  wbinfo -a "markh%MYPASSWD"

And receive the response:

  plaintext password authentication succeeded
  challenge/response password authentication succeeded

The next steps I tried were to do a wbinfo -u and a wbinfo -g. These looked close to the examples given, but lacked the Domain specifier for the users that the other examples gave. Example output given below:

Wbinfo -u:

  taaron
  pfraser
  DEBRA-DESKTOP$
  markh
  SALES-MGR$
  ROGER-PC$
  WAREHOUSE2$
  kaycee
  WAREHOUSE$
  seanj
  seane
  amy
  mail$

Wbinfo -g:

  BUILTIN#System Operators
  BUILTIN#Replicators
  BUILTIN#Guests
  BUILTIN#Power Users
  BUILTIN#Print Operators
  BUILTIN#Administrators
  BUILTIN#Account Operators
  BUILTIN#Backup Operators
  BUILTIN#Users
  Domain Admins
  Domain Users
  Domain Guests
  Sales
  QuickBooks Users
  Act Users
  QuoteWerks Users
  Domain Computers
  Domain Controllers
  Schema Admins
  Enterprise Admins
  Group Policy Creator Owners

The next step it said to do was to issue a "getent passwd" and a "getent group". The passwd version only shows what is on the local Linux server, while the group version shows the local groups and the BUILTIN groups from the Active Directory. None of the Active Directory users or local groups are shown. Example output below:

Getent passwd:

  root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:/sbin/nologin
  daemon:x:2:2:daemon:/sbin:/sbin/nologin
  adm:x:3:4:adm:/var/adm:/sbin/nologin
  lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
  sync:x:5:0:sync:/sbin:/bin/sync
  shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
  halt:x:7:0:halt:/sbin:/sbin/halt
  mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
  news:x:9:13:news:/etc/news:
  uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
  operator:x:11:0:operator:/root:/sbin/nologin
  games:x:12:100:games:/usr/games:/sbin/nologin
  gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
  ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
  nobody:x:99:99:Nobody:/:/sbin/nologin
  dbus:x:81:81:System message bus:/:/sbin/nologin
  vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
  nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
  rpm:x:37:37::/var/lib/rpm:/sbin/nologin
  haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
  netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
  sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
  rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
  rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
  nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
  mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
  smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
  pcap:x:77:77::/var/arpwatch:/sbin/nologin
  apache:x:48:48:Apache:/var/www:/sbin/nologin
  squid:x:23:23::/var/spool/squid:/sbin/nologin
  webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
  xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
  ntp:x:38:38::/etc/ntp:/sbin/nologin
  gdm:x:42:42::/var/gdm:/sbin/nologin
  named:x:25:25:Named:/var/named:/sbin/nologin
  cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
  mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
  mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
  marktest:x:500:500:Mark Test Login:/home/marktest:/bin/bash
  clamav:x:501:501:CLAM AV User:/home/clamav:/bin/bash
  dspam:x:502:502:DSPAM User:/home/dspam:/bin/bash

Getent group:

  root:x:0:root
  bin:x:1:root,bin,daemon
  daemon:x:2:root,bin,daemon
  sys:x:3:root,bin,adm
  adm:x:4:root,adm,daemon
  tty:x:5:
  disk:x:6:root
  lp:x:7:daemon,lp
  mem:x:8:
  kmem:x:9:
  wheel:x:10:root
  mail:x:12:mail
  news:x:13:news
  uucp:x:14:uucp
  man:x:15:
  games:x:20:
  gopher:x:30:
  dip:x:40:
  ftp:x:50:
  lock:x:54:
  nobody:x:99:
  users:x:100:
  dbus:x:81:
  floppy:x:19:
  vcsa:x:69:
  nscd:x:28:
  rpm:x:37:
  haldaemon:x:68:
  utmp:x:22:
  netdump:x:34:
  slocate:x:21:
  sshd:x:74:
  rpc:x:32:
  rpcuser:x:29:
  nfsnobody:x:65534:
  mailnull:x:47:
  smmsp:x:51:
  pcap:x:77:
  apache:x:48:
  squid:x:23:
  webalizer:x:67:
  xfs:x:43:
  ntp:x:38:
  gdm:x:42:
  named:x:25:
  mailman:x:41:
  mysql:x:27:
  marktest:x:500:
  clamav:x:501:
  dspam:x:502:
  BUILTIN#System Operators:x:16777216:
  BUILTIN#Replicators:x:16777217:
  BUILTIN#Guests:x:16777218:
  BUILTIN#Power Users:x:16777219:
  BUILTIN#Print Operators:x:16777220:
  BUILTIN#Administrators:x:16777221:
  BUILTIN#Account Operators:x:16777222:
  BUILTIN#Backup Operators:x:16777223:
  BUILTIN#Users:x:16777224:

Until I can get past that last step and see more than the BUILTIN groups and actually see users from the domain, I know that I cannot get authorization to work. Can somebody point out what I missed or help walk me through what is needed to make this work?

The one thing I have noted is that the profile file defined for the kdc in krb5.conf doesn't exist. Should it, and if so, what should it contain?

Any and all help greatly appreciated. It shouldn't be this hard to make Windows and Linux work together. sigh!

markh

===================================================
Mark A. Holm
President
InfoArch, Inc.
7456 SW Baseline, PMB#123.
Hillsboro, OR 97123
Phone: (503) 750-9741
Fax: (503) 591-8584
http://www.infoarch.com <mailto:markh@infoarch.com>
Michael Andrewjeski
2005-Jun-08 20:36 UTC
[Samba] Problems with Samba and Windows 2003 Active Domain Server
Need more info.. What version of samba and kerberos are you running? What does your /etc/nsswitch.conf look like? How about your /etc/pam.d/login, did you modify it? Have you tried kinit? klist? If so, what was the output?

-----Original Message-----
From: samba-bounces+mandrewjeski=zonelabs.com@lists.samba.org [mailto:samba-bounces+mandrewjeski=zonelabs.com@lists.samba.org] On Behalf Of Mark A. Holm
Sent: Wednesday, June 08, 2005 1:05 AM
To: samba@lists.samba.org
Subject: [Samba] Problems with Samba and Windows 2003 Active Domain Server
M Maki
2005-Jun-09 17:09 UTC
[Samba] Re: Problems with Samba and Windows 2003 Active Domain Server
> Any and all help greatly appreciated. It shouldn't be this hard to make
> Windows and Linux work together. sigh!
>
> markh

Mark,

This is how I do it for a WIN2K3 Active Directory domain. I only have rights to add computers to our domain and this has worked great for me. Took me a few days to get it right. It's not Fedora, maybe it will convert you to Debian! I have this documented internally. I should post it somewhere public.

Samba Install on Debian Sarge (now Stable!) from Net Install
http://www.debian.org/CD/netinst/

Install Debian. Don't add any packages during install.

Run command:

  apt-get install sudo libkrb5-dev krb5-user libldap2-dev acl libacl1-dev quota quotatool rdate

I use sudo, that's why it is included. I guess you can do it all as root. You don't need the quota packages if you're not using quotas. I use rdate to keep my clocks in sync.

Run the commands:

  wget http://us2.samba.org/samba/ftp/samba-latest.tar.gz
  tar xvzf samba-latest.tar.gz
  cd samba-3.0.14a/source
  ./configure --with-winbind --with-ads --with-quotas --with-acl-support --with-mandir=/usr/share/man
  make && sudo make install
  cp samba-3.0.14a/source/nsswitch/libnss_winbind.so /lib
  ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
  touch /etc/ld.so.conf
  /sbin/ldconfig -v | grep winbind

My /usr/local/samba/lib/smb.conf

[global]
  workgroup = PWR
  realm = PWR.INT.XYZ.COM
  security = ADS
  password server = pwroakdc1.pwr.int.xyz.com
  log file = /usr/local/samba/var/%m.log
  preferred master = No
  local master = No
  domain master = No
  wins server = 192.168.1.22
  idmap uid = 10000-40000
  idmap gid = 10000-40000
  # winbind use default domain = Yes
  winbind enum users = No
  winbind enum groups = No
  winbind nested groups = Yes
  # both options on one line: when a parameter is repeated only the last value takes effect
  socket options = TCP_NODELAY SO_RCVBUF=8192

[users]
  path = /home/users
  read only = No
  admin users = "PWR\mmaki"

I don't use winbind enum users because we have over 20K users in our domain.

ONLY changes to my /etc/nsswitch.conf

  passwd: files compat winbind
  group:  files compat winbind
  shadow: compat

My COMPLETE /etc/krb5.conf

[libdefaults]
  # realm names are case-sensitive; this must match [realms] and [domain_realm] below
  default_realm = PWR.INT.XYZ.COM

[realms]
  PWR.INT.XYZ.COM = {
    kdc = pwroakdc1.pwr.int.xyz.com
    kdc = inppwrodc.pwr.int.xyz.com
  }

[domain_realm]
  .pwr.int.xyz.com = PWR.INT.XYZ.COM

My /etc/fstab for using quotas:

  /dev/sda1 /home/users ext3 defaults,acl,usrquota,grpquota 0 2

My hosts (/etc/hosts): add

  192.168.1.12 sambaserver.pwr.int.xyz.com sambaserver

and remove sambaserver from localhost.

My /etc/init.d/samba (not the best but it works):

#!/bin/sh
#
# Start the Samba daemons (nmbd and smbd).
#
/usr/local/samba/sbin/nmbd -D
/usr/local/samba/sbin/smbd -D
/usr/local/samba/sbin/winbindd -B

Run the commands:

  ln -s /etc/init.d/samba /etc/rc2.d/S80samba
  chmod go+x /etc/init.d/samba

Run command:

  /usr/local/samba/bin/net ads join -U adminuser@PWR.INT.XYZ.COM

If successfully joined you should be on your way!

Good Luck,
Mike
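Two small checks that follow from this thread, added here and not written by any of the posters: the first reports which of the passwd/group databases in an nsswitch.conf lack the winbind source (what Michael asked about and what Mike's nsswitch.conf shows; without it getent cannot see what wbinfo sees), the second lists parameters set more than once in an smb.conf, as idmap gid and os level are in the original post. The sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the symptom discussed:
# wbinfo -u lists domain users while getent passwd shows only local accounts.
#  nss_missing_winbind FILE  prints each of passwd/group whose nsswitch.conf
#                            line lacks the winbind source
#  smbconf_duplicates FILE   prints smb.conf parameters set more than once
#                            (only the last value of a repeated key applies)

nss_missing_winbind() {
    for db in passwd group; do
        # strip comments, select the "passwd:" / "group:" line, look for winbind
        if ! sed 's/#.*//' "$1" | grep -E "^[[:space:]]*${db}:" | grep -qw winbind; then
            echo "$db"
        fi
    done
}

smbconf_duplicates() {
    # drop comments (# or ;), blank lines and [section] headers, then reduce
    # each line to its lowercased key with single spaces, and report repeats
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' -e '/^[[:space:]]*\[/d' "$1" \
      | sed -e 's/=.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/[[:space:]]\{1,\}/ /g' \
      | tr 'A-Z' 'a-z' | sort | uniq -d
}

# constructed samples modelled on the configurations posted in the thread
tmp=$(mktemp -d)
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:     files
shadow:     files
group:      files winbind
EOF
cat > "$tmp/smb.conf" <<'EOF'
[global]
   idmap gid = 16777216-33554431
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   os level = 20
   os level = 20
   security = ads
;  write list = @staff
[homes]
   browseable = no
EOF

echo "databases without winbind:"; nss_missing_winbind "$tmp/nsswitch.conf"
echo "parameters set more than once:"; smbconf_duplicates "$tmp/smb.conf"
rm -rf "$tmp"
```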