Edward Wissner wrote:
> I have similar issues, but am not using an ldap server, rather a W2k
> Active Directory domain controller.
Yes, so am I. The ldap server listed in ldap.conf is named w2000
> And am not interested in logging into the linux server with AD.
> Domain users and groups list without the domain ID for me as well. I
> don't know if that is proper as I have never seen a working setup.
No...it should be DOMAIN_NAME/user1 DOMAIN_NAME/group1 etc. The "/" is
specified in smb.conf as winbind separator.
> I see my shares on the samba server from a w2k client, but am prompted
> again for usr/passwd when attempting to open a shared directory.
> That's when I get a failure.
Try mapping a drive by \\ip-addy\share....bet it works.
>
> I'm ready to toss it and start over, migrating completely away
> from w2k AD and setting up an ldap directory instead.
I can't unfortunately.
> Samba works great if I create my users locally.
It works pretty well as an NT style PDC, yes, but this project requires
a samba server become a member server in ADS.
> ed
>
> -----Original Message-----
> *From:* Tom Skeren [mailto:tms3@fsklaw.net]
> *Sent:* Wednesday, December 08, 2004 10:32 AM
> *To:* Edward Wissner; samba
> *Subject:* Re: [Samba] ADS Authentication
>
> Edward Wissner wrote:
>
>>What did you change in your smb.conf file?
>>
>>
> Well, I managed to get samba to authenticate, however, continued
> winbindd problems make the setup worthless. Group searches fail,
> or are incomplete. Domain users and groups list without domain
> id. net groupmap fails. Attempts to re-join via "net ads join"
> fail.
>
> If you're interested, I have copied all the relevant config files here:
>
> _*smb.conf:*_
>
> workgroup = FSK
> realm = FSKLAW.NET
> server string = SSERVER
> netbios name = SSERVER
> security = ADS
> client schannel = Yes
> server schannel = Yes
> passdb backend = ldapsam:ldap://w2000.fsklaw.net
> socket options = TCP_NODELAY
> dns proxy = No
> ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
> ldap suffix = DC=fsklaw,DC=net
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind separator = /
> winbind enum users = No
> winbind enum groups = No
> winbind use default domain = Yes
> dos filemode = Yes
> acl compatibility = win2k
> inherit acls = yes
> inherit permissions = yes
>
> [FSK]
> path = /home/FSK
> public = yes
> only guest = no
> browseable = yes
> writeable = yes
> printable = no
> create mask = 0777
> force create mode = 0777
> force directory mode = 0777
> directory security mask = 0777
>
> _*ldap.conf:*_
> host w2000.fsklaw.net
> base dc=fsklaw,dc=net
> ldap_version 3
> URI ldaps://w2000.fsklaw.net
> scope sub
> pam_login_attribute Administrator
> pam_password md5
> idle_timelimit 3600
> nss_base_passwd cn=Users,dc=fsklaw,dc=net?one
> nss_base_group cn=Users,dc=fsklaw,dc=net?one
> ssl on
> TLS_CACERT /etc/CA/fsk.pem
> tls_ciphers TLSv1
> sasl_secprops maxssf=0
> krb5_ccname FILE:/tmp/krb5cc_0
>
> _*nsswitch.conf:*_
> passwd: files winbind
> shadow: files winbind
> group: files winbind
> hosts: dns winbind ldap files nis
> automount: files winbind ldap nisplus
> aliases: files winbind ldap nisplus
>
> _*krb5.conf:*_
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = FSKLAW.NET
> dns_lookup_realm = false
> dns_lookup_kdc = false
> default_etypes = des-cbc-crc des-cbc-md5
> default_etypes_des = des-cbc-crc des-cbc-md5
> default_keytab_name = FILE:/etc/krb5.keytab
> [realms]
>
> FSKLAW.NET = {
> kdc = KERBEROS.FSKLAW.NET
> admin_server = w2000.fsklaw.net
> default_domain = fsklaw.net
> }
>
> [domain_realm]
> .fsklaw.net = FSKLAW.NET
> fsklaw.net = FSKLAW.NET
> .FSKLAW.NET = FSKLAW.NET
> .kerberos.server = KERBEROS.FSKLAW.NET
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [pam]
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
>
> _*pam.d/login:*_
> #
> # $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
> #
> # PAM configuration for the "login" service
> #
>
> # auth
> auth required pam_nologin.so no_warn
> auth sufficient pam_self.so no_warn
> auth include system
> auth sufficient /usr/local/lib/pam_winbind.so
> # account
> account requisite pam_securetty.so
> account include system
> account sufficient /usr/local/lib/pam_winbind.so
>
> # session
> session include system
>
> # password
> password include system
>
>>-----Original Message-----
>>From: Tom Skeren [mailto:tms3@fsklaw.net]
>>Sent: Tuesday, December 07, 2004 4:04 PM
>>To: Jeremy Allison
>>Cc: samba
>>Subject: Re: [Samba] ADS Authentication
>>
>>
>>Jeremy Allison wrote:
>>
> >>It was an smb.conf issue. Authentication against ADS is now
> >>functioning. Now it's time to wrestle with ACLs. Thanks for the help.
> >>
> >>TMS III
> >>
> >>>On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:
> >>>
> >>>>I'm about ready to smash my head through a wall...I could use a few
> >>>>answers.
> >>>>
> >>>>1. When using security = ads, and completing net ads join, it was my
> >>>>understanding that samba authenticated username/pword against ads, and
> >>>>local posix accounts were no longer needed, is this true?
> >>>>
> >>>Yes, so long as you have nsswitch and pam set up correctly. It sounds
> >>>like you don't.
> >>>
> >>>Jeremy.
> >>
>
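[Editor's note, added to this thread and not written by any of its participants or by the Samba project: a small Python checker that reads the smb.conf, krb5.conf and ldap.conf fragments Tom posted (embedded below as constructed samples, reduced to the lines it inspects) and flags the settings that explain the symptoms discussed: "winbind use default domain = Yes" strips the domain prefix from the server's own domain, so users and groups listing "without domain id" is the configured behaviour rather than a fault; "winbind enum users/groups = No" makes wbinfo -u/-g and getent enumeration come back empty even though lookups by name work; the ldap.conf URI lacks "//"; "default_keytab-name" is not a krb5 libdefaults key; the kdc host named in krb5.conf is not the DC used everywhere else, which matters with dns_lookup_kdc = false; and only single-DES enctypes are enabled. The finding codes, the lint() and winbind_name() helpers, and the default values assumed for absent keys are this example's own.]

```python
import re

# Constructed sample input: the smb.conf, krb5.conf and ldap.conf lines as
# posted in the thread, reduced to the settings the checks below look at.
SMB_CONF = """\
[global]
workgroup = FSK
realm = FSKLAW.NET
security = ADS
passdb backend = ldapsam:ldap://w2000.fsklaw.net
winbind separator = /
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
"""

KRB5_CONF = """\
[libdefaults]
default_realm = FSKLAW.NET
dns_lookup_kdc = false
default_etypes = des-cbc-crc des-cbc-md5
default_keytab-name = FILE:/etc/krb5.keytab
[realms]
FSKLAW.NET = {
kdc = KERBEROS.FSKLAW.NET
admin_server = w2000.fsklaw.net
}
"""

LDAP_CONF = """\
host w2000.fsklaw.net
base dc=fsklaw,dc=net
URI ldaps:w2000.fsklaw.net
ssl on
"""


def parse_kv(text):
    """Flatten 'key = value' lines (smb.conf / krb5.conf style) into one dict
    with lower-cased keys. Section headers, braces and comments are skipped,
    which is enough for a single-realm krb5.conf and a [global] smb.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[}" or line.endswith("{"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def parse_ldap_conf(text):
    """Parse 'key value' lines (nss_ldap / OpenLDAP ldap.conf style)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def winbind_name(smb, domain, name):
    """Name winbind hands to NSS for DOMAIN\\name: with
    'winbind use default domain = yes' the server's own domain is stripped;
    any other (trusted) domain keeps DOMAIN<separator>name."""
    own = domain.upper() == smb.get("workgroup", "").upper()
    if own and is_yes(smb.get("winbind use default domain", "no")):
        return name
    return domain + smb.get("winbind separator", "\\") + name


def lint(smb, krb5, ldap):
    """Return (code, message) findings for the settings behind the symptoms
    in the thread. Codes and assumed defaults are this example's own."""
    findings = []
    if is_yes(smb.get("winbind use default domain", "no")):
        findings.append(("WB-DEFAULT-DOMAIN",
                         "own-domain users/groups appear without the DOMAIN prefix"))
    for what in ("users", "groups"):
        # Samba's default for these changed across 3.0 releases; the
        # explicit value is what counts here.
        if not is_yes(smb.get("winbind enum " + what, "yes")):
            findings.append(("WB-ENUM-" + what.upper(),
                             f"wbinfo/getent enumeration of domain {what} "
                             "returns nothing; lookups by name still work"))
    uri = ldap.get("uri", "")
    if uri and not re.match(r"^ldaps?://", uri):
        findings.append(("LDAP-URI", f"URI '{uri}' lacks '//' after the scheme"))
    if "default_keytab-name" in krb5:
        findings.append(("KRB5-KEYTAB-KEY",
                         "'default_keytab-name' is not a libdefaults key; "
                         "it is default_keytab_name"))
    kdc, admin = krb5.get("kdc", "").lower(), krb5.get("admin_server", "").lower()
    if not is_yes(krb5.get("dns_lookup_kdc", "true")) and kdc != admin:
        findings.append(("KRB5-KDC-HOST",
                         f"kdc={kdc} differs from admin_server={admin}; on AD "
                         "the DC is the KDC, verify the kdc host"))
    etypes = krb5.get("default_etypes", "").split()
    if etypes and all(e.startswith("des-") for e in etypes):
        findings.append(("KRB5-DES-ONLY",
                         "only single-DES enctypes are enabled; weak, and "
                         "Windows 2000 also offers rc4-hmac"))
    return findings


def lint_posted():
    """Finding codes for the configs as posted in the thread."""
    return [code for code, _ in lint(parse_kv(SMB_CONF), parse_kv(KRB5_CONF),
                                     parse_ldap_conf(LDAP_CONF))]


if __name__ == "__main__":
    for code, msg in lint(parse_kv(SMB_CONF), parse_kv(KRB5_CONF),
                          parse_ldap_conf(LDAP_CONF)):
        print(f"{code:18} {msg}")
```

Run it as-is to see the seven findings for the posted files, or point the three parse functions at real files. It deliberately stays off the "\\ip-addy\share" suggestion: connecting by IP address gives the client no SPN to ask Kerberos for, so it falls back to NTLM, and a mapping that works by IP but fails by name points at the Kerberos path (krb5.conf, keytab, time skew) rather than at share permissions.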