Milton Calnek
2008-Jan-31 20:51 UTC
[CentOS] Help with authenticating against Active Directory.
Hello all,
I'm trying to authenticate shell logins against an MS-ADS. I don't
have admin access to the ADS, but I can talk to the admins.
I have gotten as far as getting authentication working, but the uids
depend on the order of login, i.e. the first guy to login gets 10000,
the next gets 10001, etc. The problem I have with this is that I want
to share the home directories via nfs, which means everyone has to have
the same id.
Is anyone else doing this?
My smb.conf and nsswitch.conf files are below.
TIA
--
Milton Calnek BSc, A/Slt(Ret.)
milton at calnek.com
306-717-8737
smb.conf
[global]
workgroup = example_com
realm = example.COM
server string = %h server (Samba %v)
security = ADS
map to guest = Bad Password
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
log level = 2 winbind:10
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
wins server = ldap
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap backend = ldap:ldap://ldap.example.com:3268
ldap admin dn = cn=Manager,dc=example,dc=COM
ldap idmap suffix = ou=Idmap
ldap suffix = dc=example,dc=COM
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
winbind nested groups = Yes
invalid users = root
nsswitch.conf
passwd: files compat winbind
shadow: files compat
group: files compat winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
Michael Semcheski
2008-Jan-31 21:22 UTC
[CentOS] Help with authenticating against Active Directory.
What I did was create the users in /etc/passwd with the same username as you would find in the AD. Then, it's just a matter of enabling Kerberos authentication, and using the Domain Controllers as KDCs. Maybe not what you're looking for, but it's simple and effective. No samba involved.

On Jan 31, 2008 3:51 PM, Milton Calnek <milton at calnek.com> wrote:
> Hello all,
>
> I'm trying to authenticate shell logins against an MS-ADS. I don't
> have admin access to the ADS, but I can talk to the admins.
>
> I have gotten as far as getting authentication working, but the uids
> depend on the order of login, i.e. the first guy to login gets 10000,
> the next gets 10001, etc. The problem I have with this is that I want
> to share the home directories via nfs, which means everyone has to have
> the same id.
>
> Is anyone else doing this?
>
> My smb.conf and nsswitch.conf files are below.
>
> TIA
>
> [snip]
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
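The setup Michael describes (local accounts, Kerberos against the domain controllers, no Samba), written out as an added configuration example; it is not from his post. The realm, host names and keytab principal are assumptions. The one thing to insist on is `validate = true`: pam_krb5 then checks the TGT it obtained against the host key in /etc/krb5.keytab, so a machine that merely answers as "the KDC" cannot log a user in. That needs a host principal created on the AD side (ktpass), which is something to ask the AD admins for.

```conf
# /etc/krb5.conf (added example; EXAMPLE.COM and dc1/dc2 are assumptions)
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false      # pin the KDCs rather than trusting SRV records
    dns_lookup_realm = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        kdc = dc2.example.com:88
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[appdefaults]
    pam = {
        # Verify the TGT with host/<fqdn>@EXAMPLE.COM from /etc/krb5.keytab.
        # Without this, anyone who can answer on port 88 can log anyone in.
        validate = true
        debug = false
    }

# /etc/pam.d/system-auth, auth and account stanzas (what authconfig
# --enablekrb5 writes on CentOS 5, minus nullok on pam_unix)
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
```

Create the local accounts with plain `useradd` and never set a local password for them (the shadow entry stays `!!`), otherwise pam_unix, which runs first, would accept a stale local hash instead of the domain password. `klist -k` shows whether the host principal is in the keytab, and `kinit someuser` followed by `klist` is the quickest way to confirm the DCs are reachable as KDCs before touching PAM.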
Jeff Larsen
2008-Feb-01 02:29 UTC
[CentOS] Help with authenticating against Active Directory.
On Jan 31, 2008 2:51 PM, Milton Calnek <milton at calnek.com> wrote:
> Hello all,
>
> I'm trying to authenticate shell logins against an MS-ADS. I don't
> have admin access to the ADS, but I can talk to the admins.
>
> I have gotten as far as getting authentication working, but the uids
> depend on the order of login, i.e. the first guy to login gets 10000,
> the next gets 10001, etc. The problem I have with this is that I want
> to share the home directories via nfs, which means everyone has to have
> the same id.

Don't use Samba. Microsoft Services For UNIX or 2003R2 support UNIX attributes in Active Directory. It adds a new tab in the user account properties where you can specify login shell, home directory, uid, gid. On the CentOS side use nss_ldap. This is a true single sign-on configuration with no /etc/passwd monkey business. We use it for database application auth and limited shell access. It just works, failures are rare. Configuration details are left as an exercise for the OP as I have had a long day and a couple of glasses of wine....

--
Jeff
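Jeff leaves the nss_ldap side as an exercise; here is an added /etc/ldap.conf for nss_ldap on CentOS 5 against an AD that carries the Windows 2003 R2 UNIX attributes. It is not from his post, and the host names, base DN and the read-only bind account are assumptions. The uid comes from the directory (`uidNumber`), so every NFS client that reads the same attribute sees the same number, which is the property the original question is after.

```conf
# /etc/ldap.conf for nss_ldap/pam_ldap (added example; names are assumptions)
uri ldaps://dc1.example.com/ ldaps://dc2.example.com/
base dc=example,dc=com
ssl on
tls_cacertfile /etc/openldap/cacerts/example-root-ca.pem
tls_checkpeer yes
referrals no                 # AD hands out referrals that only slow lookups down
bind_policy soft
timelimit 30
bind_timelimit 30

# AD does not allow anonymous reads of user attributes. nss_ldap runs inside
# every process, so this file has to stay world-readable: the bind account
# must be a read-only user with no other rights, and the password here is a
# placeholder.
binddn cn=nss-reader,ou=Service Accounts,dc=example,dc=com
bindpw nss-reader-password

# Only return entries that actually carry a Unix id. Accounts the AD admins
# have not given a uidNumber stay invisible to getent and login.
nss_base_passwd dc=example,dc=com?sub?(&(objectClass=user)(uidNumber=*))
nss_base_shadow dc=example,dc=com?sub?(&(objectClass=user)(uidNumber=*))
nss_base_group  dc=example,dc=com?sub?(&(objectClass=group)(gidNumber=*))

# 2003 R2 schema: RFC 2307 names except the home directory
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
# Pre-R2 Services for UNIX 3.x stores them as msSFU30UidNumber,
# msSFU30GidNumber, msSFU30HomeDirectory and msSFU30LoginShell instead;
# map those with nss_map_attribute in the same way.
nss_initgroups_ignoreusers root,ldap

pam_login_attribute sAMAccountName
pam_filter objectClass=user
pam_password ad
```

`getent passwd someuser` should then print the line assembled from the directory attributes, and `id someuser` the groups that have a gidNumber. Because the bind password is readable by every local user, keep nss_ldap for identity only and let Kerberos (pam_krb5 against the DCs) do the authentication; pam_ldap would also work, but then each login is a simple bind with the user's password, which is only acceptable over LDAPS with `tls_checkpeer yes`.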
Toby Bluhm
2008-Feb-01 18:02 UTC
[CentOS] Help with authenticating against Active Directory.
Milton Calnek wrote:
> Hello all,
>
> I'm trying to authenticate shell logins against an MS-ADS. I don't
> have admin access to the ADS, but I can talk to the admins.
>
> I have gotten as far as getting authentication working, but the uids
> depend on the order of login, i.e. the first guy to login gets 10000,
> the next gets 10001, etc. The problem I have with this is that I want
> to share the home directories via nfs, which means everyone has to
> have the same id.
>
> Is anyone else doing this?
>
> My smb.conf and nsswitch.conf files are below.
>
> TIA
>

You can get samba to be a single sign on using MS AD & issue predictable uids in linux. The smb.conf option:

idmap backend = idmap_rid:DOMAIN=100000-3000000

will take the users' RID in AD, add 100000 to it, use that for the uid in Linux. This smb.conf worked for me a couple of years ago at my former employer, on RH4 type machines. Note I did not have an ldap server defined. This is the entire global section I used in all linux boxes that I joined to the domain.

[global]
workgroup = DOMAIN
realm = DOMAIN.EXAMPLE.COM
server string = Samba Server
security = ads
# log level = 0 vfs:2
log file = /var/log/samba/ALL.log
max log size = 500
socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
load printers = No
preferred master = No
domain master = No
dns proxy = No
wins server = 192.168.1.1
netbios name = LINUX999
netbios aliases = host999
ldap ssl = no
idmap uid = 10000-3000000
idmap gid = 10000-3000000
template homedir = /users/%U
template shell = /bin/bash
winbind enum users = No
winbind enum groups = No
idmap backend = idmap_rid:DOMAIN=100000-3000000
allow trusted domains = no
username map = /etc/samba/smbusers
name resolve order = wins bcast
cups options = raw
disable spoolss = Yes
show add printer wizard = No
os level = 1
winbind use default domain = yes
host msdfs = Yes
admin users = DOMAIN\admin20 DOMAIN\admin22

--
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100 Solon Ohio 44139 440-424-2240
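The idmap_rid arithmetic Toby describes, reproduced as an added example (not code from the thread or from Samba) so the uid a host will hand out can be predicted, and compared across NFS clients, without anyone logging in first. It assumes the `idmap backend = idmap_rid:DOMAIN=100000-3000000` line from the post above and a constructed domain SID; for a real check replace DOMAIN_SID with the output of `wbinfo -D DOMAIN` (or `net ads info`). It also shows the failure mode behind the original question: the mapping is only stable if every host uses the same range.

```python
"""idmap_rid mapping: unix id = RID + low end of the configured range.

Added example, not Samba's code.  DOMAIN_SID is constructed; the range is
the one from Toby's smb.conf (idmap_rid:DOMAIN=100000-3000000).
"""
from typing import Dict, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
IDMAP_LOW, IDMAP_HIGH = 100000, 3000000                    # from the post


def parse_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_id(sid: str, domain_sid: str = DOMAIN_SID,
              low: int = IDMAP_LOW, high: int = IDMAP_HIGH) -> Optional[int]:
    """The uid (or gid) idmap_rid assigns to `sid`, or None where it would
    refuse: a SID from another domain or a well-known authority (BUILTIN,
    with 'allow trusted domains = no' there is no second range), or a RID so
    large that RID + low leaves the range."""
    dom, rid = parse_sid(sid)
    if dom != domain_sid:
        return None
    unix_id = rid + low
    if unix_id > high:
        return None
    return unix_id


def ids_agree(sid: str, host_ranges: Dict[str, Tuple[int, int]]) -> bool:
    """True when every NFS client, each configured with its own idmap_rid
    range, maps `sid` to the same number and none of them refuses."""
    ids = {host: rid_to_id(sid, low=lo, high=hi)
           for host, (lo, hi) in host_ranges.items()}
    values = set(ids.values())
    return len(values) == 1 and None not in values


if __name__ == "__main__":
    user = DOMAIN_SID + "-1105"              # constructed user RID
    print("uid for RID 1105:", rid_to_id(user))
    same = {"nfs1": (100000, 3000000), "nfs2": (100000, 3000000)}
    mixed = {"nfs1": (100000, 3000000), "nfs2": (10000, 20000)}
    print("identical ranges agree:", ids_agree(user, same))
    print("mismatched ranges agree:", ids_agree(user, mixed))
```

`wbinfo -n DOMAIN+user` gives the SID a domain user actually has, and `wbinfo --sid-to-uid <SID>` (or `getent passwd user`) what winbind hands out, so the function can be checked against the live box. The arithmetic also makes the range sizing explicit: RIDs are allocated upwards from about 1000 and the well-known ones (500 for Administrator, 513 for Domain Users) land at 100500 and 100513, so the range must be identical in every smb.conf and must not overlap the local /etc/passwd and /etc/group numbers.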