Sorry about the lengthy post - I'm putting as much in here as I can in 
hopes that someone can help me ferret out the problem.  If anyone has 
an answer to any of this, I'd greatly appreciate it - we're a K-12 
district and can't afford to pay a consultant, and we need to try to 
get this implemented before state-mandated online testing begins 
mid-November.
Basic problem is that domain users can't successfully log into the 
linux box.  I'm trying to set this box up as an ltsp server 
authenticating against our existing AD (although this is actually in a 
test lab - I didn't really want to trash anything real just yet).  The 
test lab is configured as follows to duplicate the basic layout of our 
network:
	LTSP-DC1:	Win2k server ("more equal" than LTSP-DC2) running AD, DNS, DHCP, etc.
	LTSP-DC2:	Win2k server ("less equal" than LTSP-DC1) configured same as DC1
	LTSP-FS1:	Win2k server serving a share called "Staff" with all the staff OU members' home directories
	LTSP-STU:	Win2k server serving a group of shares with the different student OU members' home directories
	LTSPSRV:	SuSE 8.2 box with Samba 3.0, ultimately intended to be a terminal services box
Compiling Samba 3.0 went fine on LTSPSRV, passing the following flags 
to the configure script:
--with-ads=yes --with-krb5=/usr/local/ --with-automount=yes 
--with-smbmount=yes --with-winbind=yes --with-pam=yes
Here's my smb.conf:
	[global]
	realm = LTSP.FOO.BAR
	workgroup = LTSP
	security = ADS
	encrypt passwords = yes
	winbind separator = +
	idmap uid = 10000-20000
	winbind gid = 10000-20000
	winbind enum users = yes
	winbind enum groups = yes
	template homedir = /home/%D/%U
	template shell = /bin/bash
	local master = no
(Note: the FOO.BAR isn't what's actually in there.  It has a good FQDN)
Kerberos is the current version from MIT.  Here's the krb5.conf
	[libdefaults]
	        default_realm = LTSP.FOO.BAR
	        dns_lookup_realm = false
	        dns_lookup_kdc = true
	[realms]
	        LTSP.FOO.BAR = {
	                kdc = ltsp-dc1
	                kdc = ltsp-dc2
	                default_domain = ltsp.foo.bar
	        }
	[domain_realm]
	.ltsp.foo.bar = LTSP.FOO.BAR
	ltsp.foo.bar = LTSP.FOO.BAR
I can successfully join the domain using "net ads join -U username" 
and all that.  Net ads info looks right, and smbd, nmbd, and winbindd 
start up successfully at boot (although winbindd shows up twice when I 
do "ps -ae | grep winbindd").
kinit administrator@LTSP.FOO.BAR works as it should, I think.  I get 
prompted for a password, and then klist shows the ticket, although the 
following also shows up with klist
	Kerberos 4 ticket cache: /tmp/tkt0
	klist: You have no tickets cached
wbinfo -u shows all my top-level users, and wbinfo shows all my 
top-level groups - anyone in a secondary OU is not visible to wbinfo - 
problem 1.
Now, as root, I can change users to any domain user I want to without 
entering a password, using, for example:
	su LTSP+fred
and "whoami" returns the correct value.  However, if I log in as a 
local non-root account and try the same thing, or if I attempt to 
connect remotely using "ssh -l LTSP+fred" I get a failed password error 
even though I'm using a known-good password for that account.  BIG 
problem #2.
I'm sure there's something simple that needs to be changed and all will 
suddenly Just Work.  Once that happens, perhaps someone could answer 
this: how do I automatically map the home directory of a domain user to 
their AD-defined home directory (//ltsp-fs1/staff/fred <--> 
/home/LTSP/fred, for example)?  I want to have no local storage for 
domain users on the linux box.
Thanks for reading this far, and I look forward to hearing an answer.
Regards,
Mike Ely
---
[This E-mail scanned for viruses by Declude Virus]
Mike Ely wrote:
| Basic problem is that domain users can't successfully log
| into the linux box.  I'm trying to set this box up as
| an ltsp server authenticating against our existing AD
...
|     [libdefaults]
|             default_realm = LTSP.FOO.BAR
|             dns_lookup_realm = false
|             dns_lookup_kdc = true
Did you enable the DNS lookup during compile?  If so then you can get
rid of the [realms] section below.
|
|     [realms]
|             LTSP.FOO.BAR = {
...
| I can successfully join the domain using "net ads join -U username" and
| all that.  Net ads info looks right, and smbd, nmbd, and winbindd start
| up successfully at boot (although winbindd shows up twice when I do
| "ps -ae | grep winbindd").
winbindd should show up twice by default (in 3.0).
| kinit administrator@LTSP.FOO.BAR works as it should, I think.  I get
| prompted for a password, and then klist shows the ticket, although the
| following also shows up with klist
|
|     Kerberos 4 ticket cache: /tmp/tkt0
|     klist: You have no tickets cached
That's fine as well.
| wbinfo -u shows all my top-level users, and wbinfo shows all my
| top-level groups - anyone in a secondary OU is not visible to wbinfo -
| problem 1.
How are the users/groups laid out in AD?
| Now, as root, I can change users to any domain user I want to without
| entering a password, using, for example:
|     su LTSP+fred
| and "whoami" returns the correct value.  However, if I log in as a local
| non-root account and try the same thing, or if I attempt to connect
| remotely using "ssh -l LTSP+fred" I get a failed password error even
| though I'm using a known-good password for that account.  BIG problem #2.
Have you set up pam_winbind.so?
| I'm sure there's something simple that needs to be changed and all will
| suddenly Just Work.  Once that happens, perhaps someone could answer
| this: how do I automatically map the home directory of a domain user to
| their AD-defined home directory (//ltsp-fs1/staff/fred <-->
| /home/LTSP/fred, for example)?  I want to have no local storage for
| domain users on the linux box.
See pam_mount.so and smbfs (or patches for the newer cifsvfs).
cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there."
                           --John Cusack - "Grosse Point Blank" (1997)
> Mike Ely wrote:
> | Ping!
>
> pong!
>
> Are you asking for something?

Yeah.  Sorry.  Basically, I can see the winbind users on the linux box, 
but get a "login failed" error when I try to log in as them.  Here's a 
paste of the current state of my hopelessness:

***************Paste Begins Here***************

> On Oct 31, 2003, at 9:59 AM, Gerald (Jerry) Carter wrote:
>
>> Mike Ely wrote:
>>
>> | Basic problem is that domain users can't successfully log
>> | into the linux box.  I'm trying to set this box up as
>> | an ltsp server authenticating against our existing AD
>>
>> ...
>>
>> |     [libdefaults]
>> |             default_realm = LTSP.FOO.BAR
>> |             dns_lookup_realm = false
>> |             dns_lookup_kdc = true
>>
>> Did you enable the DNS lookup during compile?  If so then you can get
>> rid of the [realms] section below.
>
> Unfortunately, no.  So I'll have to keep the realms section below I
> guess.
>
>> |
>> |     [realms]
>> |             LTSP.FOO.BAR = {
>> ...
>
> ...
>
>> How are the users/groups laid out in AD?
>
> Well, that problem seems to have gone away - I reboot the machine and
> see all my domain users in the KDM login window.  wbinfo -u confirms
> this.
>
>> | Now, as root, I can change users to any domain user I want to without
>> | entering a password, using, for example:
>> |     su LTSP+fred
>> | and "whoami" returns the correct value.  However, if I log in as a local
>> | non-root account and try the same thing, or if I attempt to connect
>> | remotely using "ssh -l LTSP+fred" I get a failed password error even
>> | though I'm using a known-good password for that account.  BIG problem #2.
>>
>> Have you set up pam_winbind.so?
>
> I have it copied to /lib/security/ where all the pam modules are.  Is
> there more to setting it up than that?
>
>> | I'm sure there's something simple that needs to be changed and all will
>> | suddenly Just Work.  Once that happens, perhaps someone could answer
>> | this: how do I automatically map the home directory of a domain user to
>> | their AD-defined home directory (//ltsp-fs1/staff/fred <-->
>> | /home/LTSP/fred, for example)?  I want to have no local storage for
>> | domain users on the linux box.
>>
>> See pam_mount.so and smbfs (or patches for the newer cifsvfs).
>
> Thanks, I'll look that up.
>
> Mike
> ---
> [This E-mail scanned for viruses by Declude Virus]
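The exchange above ends on "Is there more to setting it up than that?", so here is an added example (not from either poster) showing the two places a winbind login actually has to be wired in: NSS for resolving the user and the PAM auth/account stacks for checking the password. The nsswitch.conf and PAM service file contents are constructed samples, and the checks run over those strings rather than the live system.

```shell
#!/bin/sh
# Added example, not from the thread.  Why "su LTSP+fred" works as root
# while "ssh -l LTSP+fred" fails: root's su skips PAM authentication, so
# it only needs NSS (nsswitch.conf -> winbind) to resolve the account.
# ssh and a non-root su run the PAM "auth" stack, which must list
# pam_winbind.so; copying the module into /lib/security alone does nothing.

# Constructed nsswitch.conf fragments, without and with winbind as a source
NSS_BEFORE='passwd: files
group:  files'
NSS_AFTER='passwd: files winbind
group:  files winbind'

# Constructed PAM service file (e.g. /etc/pam.d/sshd), without and with winbind
PAM_BEFORE='auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_unix.so'
PAM_AFTER='auth     sufficient pam_winbind.so
auth     required   pam_unix.so use_first_pass
account  sufficient pam_winbind.so
account  required   pam_unix.so
session  required   pam_unix.so'

# nss_uses_winbind CONTENTS DB -> succeeds if DB (passwd/group) lists winbind
nss_uses_winbind() {
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)"
}

# pam_uses_winbind CONTENTS TYPE -> succeeds if the TYPE stack (auth/account)
# has an active, uncommented pam_winbind.so entry
pam_uses_winbind() {
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]+[a-z]+[[:space:]]+pam_winbind\.so"
}

# winbind_login_ok NSS PAM -> succeeds only when both NSS resolution and
# PAM authentication/authorization go through winbind (the ssh case above)
winbind_login_ok() {
  nss_uses_winbind "$1" passwd && nss_uses_winbind "$1" group \
    && pam_uses_winbind "$2" auth && pam_uses_winbind "$2" account
}

if winbind_login_ok "$NSS_AFTER" "$PAM_AFTER"; then
  echo "NSS and PAM both route through winbind"
fi
```

To audit a real box, feed `$(cat /etc/nsswitch.conf)` and `$(cat /etc/pam.d/sshd)` to `winbind_login_ok` instead of the constructed strings.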