Melfi.Marcello@hydro.qc.ca
2004-Oct-18 21:22 UTC
[Samba] Issues/Questions about Samba 3.x.x versus its Working Status
Hi,

I have been trying to set up Samba with ADS for a while now without success. I compiled Samba 3.0.7, along with MIT Kerberos 1.3.5 and OpenLDAP 2.2.17. I did not compile PAM since I do not need to have Windows users log on to the Unix box. Although not necessary, I set up the krb5.conf file. I was able to do a "net join ads" after performing a "kinit" with the Win2K3 server's Administrator's username and password. With "klist", I validated that tickets were issued, therefore the Kerberos installation seems to work correctly, at least without Samba.

My success ends there. When trying to make this work with Samba, it doesn't. It looks like NTLM is used as a fallback... What am I missing here?

Here are some questions I have which could shed some light on the overall problem:

1. I once asked if it was possible not to use winbindd and just use the "username map" parameter/file. I never got any answer to that... Is that a tough question?

2. When using winbindd, can I still use the "username map" parameter/file so that I link Windows accounts to the same Unix one? Right now, this does not seem to work... Are there some issues with this? What is the exact syntax?

3. Is PAM absolutely required? I do not think so, but, hey, you never know...

4. I saw in a few mails on Google that the command "wbinfo --set-auth-user DOMAINNAME\\Administrator%password" is sometimes required? Is it true? What is it all about?

5. I saw also in a lot of mails on Google and the Samba list that it was required to copy the libnss_winbind.so (from the nsswitch directory in the samba source) to the /lib directory. However, the target filename is sometimes nss_winbind.so, sometimes libnss_winbind.so, sometimes ending with .so.1 or .so.2, etc. What is it all about? What is really required? Is this system specific?

6. Does the Samba server (aka the Unix box) need to be in the same domain as the Win2K3 server? Same question for the client workstations?

7. I saw in some other mails/documents (too many read in a short period) that it may be required to change the Windows account's password? Is this true? If so, when is it required and with what typical configuration?

I really need some help to make this work. Maybe I am doing (or have done) something wrong. If asked for, I can provide all the various config files I am using.

Regards,
Marcello Melfi
Gerald (Jerry) Carter
2004-Oct-19 14:01 UTC
[Samba] Issues/Questions about Samba 3.x.x versus its Working Status
Melfi.Marcello@hydro.qc.ca wrote:

| 1. I once asked if it was possible not to use winbindd
| and just use the "username map" parameter/file. I never got
| any answer to that... Is that a tough question?

Yes.

| 2. When using winbindd, can I still use the "username
| map" parameter/file so that I link Windows accounts to the
| same Unix one? Right now, this does not seem to work... Are
| there some issues with this? What is the exact syntax?

See my post about this earlier today.

| 3. Is PAM absolutely required? I do not think so, but,
| hey, you never know...

No. Not required.

| 4. I saw in a few mails on Google that the
| command "wbinfo --set-auth-user DOMAINNAME\\Administrator%password"
| is sometimes required? Is it true? What is it all about?

No. Not required nor needed in the latest Samba releases (especially when using security = ads).

| 5. I saw also in a lot of mails on Google and the Samba list
| that it was required to copy the libnss_winbind.so (from
| the nsswitch directory in the samba source) to the /lib
| directory. However, the target filename is sometimes nss_winbind.so,
| sometimes libnss_winbind.so, sometimes ending with
| .so.1 or .so.2, etc. What is it all about? What is really
| required? Is this system specific?

nss_winbind.so is the NSS library used to export domain users and groups to the underlying UNIX OS. It is required when you run winbindd, and the name is OS specific.

| 6. Does the Samba server (aka the Unix box) need to be in the
| same domain as the Win2K3 server? Same question for
| the client workstations?

Yes and no. Suggest you re-read the documentation on security = [domain|ads]

| 7. I saw in some other mails/documents (too many read in
| a short period) that it may be required to change the
| Windows account's password? Is this true? If so, when
| is it required and with what typical configuration?

Normally this is handled automatically for you by smbd (if appropriate) once you are joined to a domain.

cheers, jerry

---------------------------------------------------------------------
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)