ok, i've been buggering on and off with this for way too long now.
I'm just plain stuck.
The objective is to get full authentication working for a samba
machine by integrating it into an existing AD system as a member
server.
The domain is windows 2003, in native mode. There are two domain controllers.
The samba box is running debian sarge, using only the official sarge
packages. (samba 3.0.14a-3, MIT kerberos 1.3.6-2)
I followed the Samba3 By Example, chapter 7. I can join the domain
via 'net ads join' and all the tests seem to work, meaning:
getent passwd|group
wbinfo u|g
wbinfo --sequence
wbinfo -a username%passwd
wbinfo -t
kinit & klist
net ads status|user|group|info|testjoin
all succeed.
dns is working properly. I've even tried with/without hosts files.
The samba machine syncs time to one of the domain controllers.
I can create files and chown/chgrp them to domain user and group accounts.
I can create a share made writeable for the 'domain users' group and
have various 'domain users' create files in there.
However, I cannot log onto the samba machine using a domain account,
and when i attempt to access home directories of domain accounts
hosted on the samba machine, i keep getting prompted for a password
(and no passwords work).
I created the home directories and then chown'd them to the
DOMAIN+user and chgrp'd them to the domain user's primary group.
so, without further delay, the /etc/samba/smb.conf:
[global]
unix charset = LOCALE
workgroup = DOMAIN
realm = DOMAIN.LOCAL
security = ADS
; auth methods = winbind guest sam
password server = dc1.domain.local
username map = /etc/samba/smbusers
log level = 3 passdb:2 auth:2 winbind:2
syslog = 0
log file = /var/log/samba/%m
max log size = 0
printcap name = CUPS
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind trusted domains only = no
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
template primary group = "Domain Users"
template shell = /bin/bash
template homedir = /home/%D/%U
domain master = no
local master = yes
preferred master = no
os level = 255
interfaces = 192.168.1.151/24
bind interfaces only = yes
[homes]
comment = Home Dirs
valid users = %S
read only = No
browseable = No
; root preexec = /etc/samba/scripts/mk_sambadir "/home/%D/%U" "%U" "%G"
[testshare]
path = /test
comment = samba ads test share
read only = no
browseable = yes
writelist = @"Domain Users"
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
admin users = root, Administrator
write list = root
<EOF>
/etc/krb5.conf:
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
DOMAIN.LOCAL = {
default_domain = domain.local
kdc = dc1.domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
<EOF>
/etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files
aliases: files
<EOF>
debian uses /etc/pam.d/common-* files to hold pam settings which are
@included into all other pam.d files.
/etc/pam.d/common-account:
account required pam_unix.so
account sufficient pam_winbind.so use_first_pass
<EOF>
/etc/pam.d/common-auth:
auth required pam_unix.so nullok_secure
auth sufficient pam_winbind.so use_first_pass
<EOF>
/etc/pam.d/common-password:
password required pam_unix.so nullok obscure min=4 max=8 md5
password sufficient pam_winbind.so use_first_pass
<EOF>
/etc/pam.d/common-session:
session required pam_unix.so
session sufficient pam_winbind.so use_first_pass
<EOF>
there are security audit entries of the samba machine logging on and
off, using kerberos.
--
Noah Dain
noahdain@gmail.com
Marcel de Riedmatten
2005-Jun-20 00:18 UTC
[Samba] ADS member server w/ winbind on debian sarge
On Mon 20/06/2005 at 00:21, Noah Dain wrote:
> ok, i've been buggering on and off with this for way too long now.
> I'm just plain stuck.
>
> However, I cannot log onto the samba machine using a domain account,
> and when i attempt to access home directories of domain accounts
> hosted on the samba machine, i keep getting prompted for a password
> (and no passwords work).
> [global]
> [homes]
> comment = Home Dirs
> valid users = %S

try valid users = DOMAIN+%S

> read only = No
> browseable = No
> ; root preexec = /etc/samba/scripts/mk_sambadir "/home/%D/%U" "%U" "%G"
>
> [testshare]
> path = /test
> comment = samba ads test share
> read only = no
> browseable = yes
> writelist = @"Domain Users"

same here: writelist = @"DOMAIN+Domain Users" etc

This might not be necessary if you have :

winbind use default domain = Yes

but i am not sure.

--
Marcel
Marcel de Riedmatten
2005-Jun-20 01:55 UTC
[Samba] ADS member server w/ winbind on debian sarge
On Mon 20/06/2005 at 03:33, Noah Dain wrote:
> > > valid users = %S
> >
> > try valid users = DOMAIN+%S
> >
> > This might not be necessary if you have :
> >
> > winbind use default domain = Yes
> >
> > but i am not sure.
>
> yup! that did it for the home directories. (both 'DOMAIN+' and
> 'winbind use default domain = yes' worked). Working just spiffy, now.
>
> thx, Marcel
>
> now. how do I go about giving ads domain accounts the ability to log
> into the samba machine, via something like local login, ftp, ssh?

have a look at the samba HOWTO ch. 27
http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html

--
Marcel
On 6/20/05, Noah Dain <noahdain@gmail.com> wrote:
> On 6/19/05, John H Terpstra <jht@samba.org> wrote:
> > On Sunday 19 June 2005 16:21, Noah Dain wrote:
> > > ok, i've been buggering on and off with this for way too long now.
> > > I'm just plain stuck.
> > >
> > > The objective is to get full authentication working for a samba
> > > machine by integrating it into an existing AD system as a member
> > > server.
> > > ...
> > > debian uses /etc/pam.d/common-* files to hold pam settings which are
> > > @included into all other pam.d files.
> > >
> > > /etc/pam.d/common-account:
> > >
> > > account required pam_unix.so
> > ^^^^^^
> > Change to: sufficient.
> >
> > > account sufficient pam_winbind.so use_first_pass
> > > <EOF>
> > >
> > > /etc/pam.d/common-auth:
> > >
> > > auth required pam_unix.so nullok_secure
> > ^^^^^^
> >
> > Change to sufficient.
> >
> > > auth sufficient pam_winbind.so use_first_pass
> > > <EOF>
> > >
> > > /etc/pam.d/common-password:
> > >
> > > password required pam_unix.so nullok obscure min=4 max=8 md5
> > ^^^^^^
> >
> > Change to sufficient.
> >
> > > password sufficient pam_winbind.so use_first_pass
> > > <EOF>
> > >
> > > /etc/pam.d/common-session:
> > >
> > > session required pam_unix.so
> > ^^^^^^
> >
> > Change to sufficient.
> >
> > > session sufficient pam_winbind.so use_first_pass
> > > <EOF>
> > >
> > > there are security audit entries of the samba machine logging on and
> > > off, using kerberos.
> >
> > Let me know what happens when you have made these changes.
> >
> > - John T.
> > --
> > John H Terpstra
> > Samba-Team Member
> > Phone: +1 (650) 580-8668
> >
> > Author:
> > The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> > Samba-3 by Example, ISBN: 0131472216
> > Hardening Linux, ISBN: 0072254971
> > Other books in production.
> >
>
> success! Changing the debian defaults for pam_unix.so to sufficient
> as recommended above did the trick. I can now log in using domain
> accounts via ssh and ftp using a username in the form: DOMAIN+user
>
> I'll read up on chapter 27 to figure out why this worked, and revisit
> the pam docs on kernel.org.
>
> I think the biggest points of my confusion are stemming from not
> knowing when and how the various authentication mechanisms interact,
> but I think I'm starting to get the picture.
>
> thanks a lot guys,
>

first off, apologies if I inadvertently sent emails to individuals and
not the list. gmail never seems to do the same thing twice with lists
and email addresses. my bad.

initially, JHT's suggestion instantly fixed the problem. Access was
enabled for smb share access, ftp, and ssh (all that i tested). I
promptly went to bed. When I got into the office next day, the samba
server somehow reverted back to disallowing domain accounts access.
It's behaving just as it was before I made the changes to the winbind
entries in /etc/pam.d. I haven't had a chance to troubleshoot it at all
yet, though.
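The two fixes the thread converges on (prefixing the domain in the [homes] "valid users" line when winbind keeps the DOMAIN+ prefix, and not letting a "required" pam_unix.so sit ahead of pam_winbind.so) as an added config checker; this is not code from the thread or from the Samba project, and the smb.conf and common-auth text below is constructed to mirror the files posted above.

```python
import re

# Constructed samples modelled on the posted configs (not the poster's exact files).
SMB_CONF = """[global]
   workgroup = DOMAIN
   security = ADS
   winbind separator = +
   winbind use default domain = no
[homes]
   valid users = %S
"""
COMMON_AUTH = """auth required pam_unix.so nullok_secure
auth sufficient pam_winbind.so use_first_pass
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, keys lowercased, ';'/'#' comments skipped."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        m = re.match(r'\[(.+)\]$', line)
        if m:
            cur = m.group(1).lower()
            sections[cur] = {}
        elif '=' in line and cur is not None:
            key, val = line.split('=', 1)
            sections[cur][key.strip().lower()] = val.strip()
    return sections

def homes_valid_users_issue(conf):
    """winbind presents users as DOMAIN<sep>user unless 'use default domain' is on, so a bare
    '%S' in [homes] never matches the connecting user and every access prompts for a password."""
    g = conf.get('global', {})
    use_default = g.get('winbind use default domain', 'no').lower() in ('yes', 'true', '1')
    sep = g.get('winbind separator', '\\')          # Samba's default separator is a backslash
    vu = conf.get('homes', {}).get('valid users', '')
    if use_default or sep in vu:
        return None
    return f"[homes] valid users = {vu}: use DOMAIN{sep}%S or set winbind use default domain = yes"

def pam_stack_issue(text, facility='auth'):
    """A 'required' pam_unix.so ahead of pam_winbind.so fails the whole stack for any user
    missing from /etc/shadow (i.e. every domain user), whatever winbind answers afterwards."""
    entries = [ln.split() for ln in text.splitlines() if ln.strip() and not ln.startswith('#')]
    for i, e in enumerate(entries):
        if e[:3] == [facility, 'required', 'pam_unix.so']:
            if any(len(f) > 2 and f[0] == facility and f[2] == 'pam_winbind.so' for f in entries[i + 1:]):
                return f"{facility}: pam_unix.so is 'required' before pam_winbind.so; make it 'sufficient'"
    return None

if __name__ == '__main__':
    for issue in (homes_valid_users_issue(parse_smb_conf(SMB_CONF)), pam_stack_issue(COMMON_AUTH)):
        print(issue or 'ok')
```

Run the two checks against the real /etc/samba/smb.conf and each /etc/pam.d/common-* file (pass 'account', 'password' or 'session' as the facility) to confirm the stack still matches after a package upgrade rewrites the defaults.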