Milton Calnek
2008-Jan-31 20:51 UTC
[CentOS] Help with authenticating against Active Directory.
Hello all,

I'm trying to authenticate shell logins against an MS-ADS. I don't have admin access to the ADS, but I can talk to the admins.

I have gotten as far as getting authentication working, but the uids depend on the order of login, i.e. the first guy to log in gets 10000, the next gets 10001, etc. The problem I have with this is that I want to share the home directories via NFS, which means everyone has to have the same id.

Is anyone else doing this?

My smb.conf and nsswitch.conf files are below.

TIA

-- 
Milton Calnek BSc, A/Slt(Ret.)
milton at calnek.com
306-717-8737

smb.conf
[global]
        workgroup = example_com
        realm = example.COM
        server string = %h server (Samba %v)
        security = ADS
        map to guest = Bad Password
        passdb backend = tdbsam
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        log level = 2 winbind:10
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        wins server = ldap
        ldap ssl = no
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        idmap backend = ldap:ldap://ldap.example.com:3268
        ldap admin dn = cn=Manager,dc=example,dc=COM
        ldap idmap suffix = ou=Idmap
        ldap suffix = dc=example,dc=COM
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        winbind nested groups = Yes
        invalid users = root

nsswitch.conf
passwd:     files compat winbind
shadow:     files compat
group:      files compat winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:  nisplus [NOTFOUND=return] files
#networks:  nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc:       nisplus [NOTFOUND=return] files
#ethers:    nisplus [NOTFOUND=return] files
#netmasks:  nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Michael Semcheski
2008-Jan-31 21:22 UTC
[CentOS] Help with authenticating against Active Directory.
What I did was create the users in /etc/passwd with the same username as you would find in the AD. Then it's just a matter of enabling Kerberos authentication and using the Domain Controllers as KDCs. Maybe not what you're looking for, but it's simple and effective. No Samba involved.

On Jan 31, 2008 3:51 PM, Milton Calnek <milton at calnek.com> wrote:
> Hello all,
>
> I'm trying to authenticate shell logins against an MS-ADS. I don't
> have admin access to the ADS, but I can talk to the admins.
>
> I have gotten as far as getting authentication working, but the uids
> depend on the order of login, i.e. the first guy to log in gets 10000,
> the next gets 10001, etc. The problem I have with this is that I want
> to share the home directories via NFS, which means everyone has to have
> the same id.
>
> Is anyone else doing this?
>
> My smb.conf and nsswitch.conf files are below.
>
> TIA
>
> [snip]
Jeff Larsen
2008-Feb-01 02:29 UTC
[CentOS] Help with authenticating against Active Directory.
On Jan 31, 2008 2:51 PM, Milton Calnek <milton at calnek.com> wrote:
> Hello all,
>
> I'm trying to authenticate shell logins against an MS-ADS. I don't
> have admin access to the ADS, but I can talk to the admins.
>
> I have gotten as far as getting authentication working, but the uids
> depend on the order of login, i.e. the first guy to log in gets 10000,
> the next gets 10001, etc. The problem I have with this is that I want
> to share the home directories via NFS, which means everyone has to have
> the same id.

Don't use Samba. Microsoft Services For UNIX or 2003R2 support UNIX attributes in Active Directory. It adds a new tab in the user account properties where you can specify login shell, home directory, uid, gid. On the CentOS side use nss_ldap. This is a true single sign-on configuration with no /etc/passwd monkey business. We use it for database application auth and limited shell access. It just works; failures are rare.

Configuration details are left as an exercise for the OP, as I have had a long day and a couple of glasses of wine....

-- 
Jeff
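What nss_ldap does with the UNIX attributes Jeff describes, as an added example that is not part of the thread or of nss_ldap itself: it reads AD user entries that carry uidNumber/gidNumber (2003 R2 schema) or the older msSFU30* attributes (SFU 3.x) and turns them into passwd(5) lines, so every NFS client that reads the directory computes the same uid. The attribute names are given from memory and should be confirmed with ldapsearch against your own DC; the LDIF, DNs, domain and the 1000 floor are constructed for the example.

```python
"""Build passwd(5) lines from AD user entries that carry UNIX attributes.

Added example, not code from the thread or from nss_ldap. Two attribute
sets are handled: the RFC 2307 names used by the Windows 2003 R2 schema
and the older msSFU30* names from Services for UNIX 3.x (assumed from
memory; confirm against your own DC). The LDIF below is constructed.
"""

# passwd field -> AD attribute, for each schema variant (assumed names).
SCHEMAS = {
    "rfc2307": {"uid": "uidNumber", "gid": "gidNumber", "gecos": "gecos",
                "home": "unixHomeDirectory", "shell": "loginShell"},
    "sfu30": {"uid": "msSFU30UidNumber", "gid": "msSFU30GidNumber",
              "gecos": "msSFU30Gecos", "home": "msSFU30HomeDirectory",
              "shell": "msSFU30LoginShell"},
}

MIN_ID = 1000  # assumption: anything below this is a local system account


def parse_ldif(text):
    """Tiny LDIF reader: entries separated by blank lines, folded lines
    (leading space) joined, attribute names lower-cased, values as lists.
    Base64 ('::') values are not handled; none occur in the sample."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:  # folded continuation
            cur[last][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        last = name.strip().lower()
        cur.setdefault(last, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def passwd_line(entry, schema="rfc2307"):
    """Return 'login:x:uid:gid:gecos:home:shell' or raise if the entry is
    unusable. nss_ldap maps its 'uid' attribute to sAMAccountName for the
    login name; here sAMAccountName is read directly."""
    attrs = SCHEMAS[schema]

    def first(name, default=None):
        vals = entry.get(name.lower())
        if vals:
            return vals[0]
        if default is None:
            raise KeyError(f"{entry.get('samaccountname', ['?'])[0]}: no {name}")
        return default

    login = first("sAMAccountName")
    uid, gid = int(first(attrs["uid"])), int(first(attrs["gid"]))
    # Whoever can write uidNumber on an AD object decides who is root on
    # every client that trusts it; refuse to map into the system range.
    if uid < MIN_ID or gid < MIN_ID:
        raise ValueError(f"{login}: uid/gid {uid}/{gid} below {MIN_ID}")
    return ":".join([login, "x", str(uid), str(gid),
                     first(attrs["gecos"], login),
                     first(attrs["home"], f"/home/{login}"),
                     first(attrs["shell"], "/bin/bash")])


# Constructed sample entries (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10105
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash
gecos: Alice Example

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
sAMAccountName: bob
msSFU30UidNumber: 10106
msSFU30GidNumber: 10000
msSFU30HomeDirectory: /home/bob
msSFU30LoginShell: /bin/bash

dn: CN=Mallory Example,OU=Staff,DC=example,DC=com
sAMAccountName: mallory
uidNumber: 0
gidNumber: 0
unixHomeDirectory: /root
loginShell: /bin/bash
"""


def build_passwd(ldif_text, schema="rfc2307"):
    """Map every entry; return (accepted_lines, rejected_reasons)."""
    ok, rejected = [], []
    for entry in parse_ldif(ldif_text):
        try:
            ok.append(passwd_line(entry, schema))
        except (KeyError, ValueError) as exc:
            rejected.append(str(exc))
    return ok, rejected


if __name__ == "__main__":
    lines, bad = build_passwd(SAMPLE_LDIF)
    print("\n".join(lines))
    print("rejected:", bad)
```

The rejection of the uid 0 entry is the check worth carrying over to a real deployment: with this approach the uid is whatever the directory says, so ask the AD admins who has write access to those attributes, since a writable uidNumber is root on every client that trusts it.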
Toby Bluhm
2008-Feb-01 18:02 UTC
[CentOS] Help with authenticating against Active Directory.
Milton Calnek wrote:
> Hello all,
>
> I'm trying to authenticate shell logins against an MS-ADS. I don't
> have admin access to the ADS, but I can talk to the admins.
>
> I have gotten as far as getting authentication working, but the uids
> depend on the order of login, i.e. the first guy to log in gets 10000,
> the next gets 10001, etc. The problem I have with this is that I want
> to share the home directories via NFS, which means everyone has to
> have the same id.
>
> Is anyone else doing this?
>
> My smb.conf and nsswitch.conf files are below.
>
> TIA
>

You can get Samba to be a single sign-on using MS AD and issue predictable uids in Linux. The smb.conf option:

        idmap backend = idmap_rid:DOMAIN=100000-3000000

will take the user's RID in AD, add 100000 to it, and use that for the uid in Linux.

This smb.conf worked for me a couple of years ago at my former employer, on RH4-type machines. Note I did not have an LDAP server defined. This is the entire global section I used in all Linux boxes that I joined to the domain.

[global]
        workgroup = DOMAIN
        realm = DOMAIN.EXAMPLE.COM
        server string = Samba Server
        security = ads
#       log level = 0 vfs:2
        log file = /var/log/samba/ALL.log
        max log size = 500
        socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
        load printers = No
        preferred master = No
        domain master = No
        dns proxy = No
        wins server = 192.168.1.1
        netbios name = LINUX999
        netbios aliases = host999
        ldap ssl = no
        idmap uid = 10000-3000000
        idmap gid = 10000-3000000
        template homedir = /users/%U
        template shell = /bin/bash
        winbind enum users = No
        winbind enum groups = No
        idmap backend = idmap_rid:DOMAIN=100000-3000000
        allow trusted domains = no
        username map = /etc/samba/smbusers
        name resolve order = wins bcast
        cups options = raw
        disable spoolss = Yes
        show add printer wizard = No
        os level = 1
        winbind use default domain = yes
        host msdfs = Yes
        admin users = DOMAIN\admin20 DOMAIN\admin22

-- 
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240
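The two idmap behaviours discussed in this thread side by side, as an added example that is not part of the thread or of Samba's own code: Milton's allocate-on-first-login mapping (the first user seen gets 10000, the next 10001) modelled on two NFS clients that see users in different order, against the RID arithmetic behind Toby's idmap_rid line (uid = RID + 100000, rejected outside the configured range). The domain SIDs, the user names and the login orders are constructed; the SID layout S-1-5-21-<dom>-<dom>-<dom>-<RID> and the uid = RID + base formula are the real ones.

```python
"""Deterministic UID mapping from an AD SID, the way idmap_rid does it.

Added example, not code from the thread or from Samba. It contrasts an
allocate-on-first-sight idmap (what Milton observed) with RID-based
mapping, which gives the same uid on every host. Sample SIDs and login
orders are constructed.
"""
import re

# Domain SID: S-1-5-21-<three sub-authorities>-<RID>
_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid):
    """Return the relative identifier (last sub-authority) of a domain SID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain user/group SID: {sid}")
    return int(m.group(1))


def rid_to_uid(sid, base=100000, upper=3000000):
    """idmap_rid: uid = RID + base, rejected if outside the configured range.

    Mirrors 'idmap backend = idmap_rid:DOMAIN=100000-3000000' from the
    thread: base is the low end of the range, upper the high end.
    """
    uid = rid_of(sid) + base
    if not base <= uid <= upper:
        raise ValueError(f"uid {uid} for {sid} outside range {base}-{upper}")
    return uid


class AllocatingIdmap:
    """Model of an allocating idmap: hand out the next free id in login order.

    Each host keeps its own table, so two hosts only agree if every user
    first appears on both in exactly the same order.
    """

    def __init__(self, low=10000, high=20000):
        self.low, self.high = low, high
        self.table = {}  # sid -> uid, per host

    def lookup(self, sid):
        if sid not in self.table:
            nxt = self.low + len(self.table)
            if nxt > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = nxt
        return self.table[sid]


# Constructed sample SIDs: three users in one domain.
ALICE = "S-1-5-21-1111-2222-3333-1105"
BOB = "S-1-5-21-1111-2222-3333-1106"
CAROL = "S-1-5-21-1111-2222-3333-1107"


def compare_hosts(order_a, order_b):
    """Return ({sid: (uid_on_a, uid_on_b)} for the allocating backend,
    the same for idmap_rid). order_a and order_b are the login orders
    seen on two NFS clients and must contain the same users."""
    host_a, host_b = AllocatingIdmap(), AllocatingIdmap()
    for s in order_a:
        host_a.lookup(s)
    for s in order_b:
        host_b.lookup(s)
    alloc = {s: (host_a.lookup(s), host_b.lookup(s)) for s in order_a}
    rid = {s: (rid_to_uid(s), rid_to_uid(s)) for s in order_a}
    return alloc, rid


def mismatches(mapping):
    """SIDs whose uid differs between the two hosts (the NFS problem)."""
    return sorted(s for s, (a, b) in mapping.items() if a != b)


if __name__ == "__main__":
    alloc, rid = compare_hosts([ALICE, BOB, CAROL], [CAROL, ALICE, BOB])
    print("allocating idmap mismatches:", mismatches(alloc))
    print("idmap_rid mismatches:", mismatches(rid))
```

On a joined box the corresponding check is to compare `wbinfo -i DOMAIN+user` (or `id user`) on two clients of the same export; with idmap_rid the numbers agree without any shared idmap store, which is also why Toby's config needs no LDAP server.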