I am having a hard time getting Samba to authenticate correctly against a Windows Active Directory setup.

Here is a snap of the smb.conf

[global]
        passdb backend = ldapsam
        security = domain
        password server = server1.com server2.com
        prefered master = No
        local master = no
        hide unreadable = yes
        wins support = no
        winbind use default domain = yes
        domain master = No
        netbios name = samba-newb
        workgroup = scl
        prefered master = no
        dns proxy = no
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        realm = server.com
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
        use spnego = yes
        server string = samba-newb
        update encrypted = yes
        domain logons = yes
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        encrypt passwords = yes
        os level = 20
        template shell = /bin/bash
        template homedir = /home/%D/%U

[newb]
        comment = newb
        inherit acls = Yes
        path = /usr/local/files/
        read only = no
        force group = users
        force user = users
        guest ok = no

I can run the net ads join command, which works fine, but if I try to authenticate without a local account I am receiving errors. Any assistance or pointers are appreciated.

-- 
Jason Gerfen
Student Computing Labs, University Of Utah
jason.gerfen@scl.utah.edu

J. Willard Marriott Library
295 S 1500 E, Salt Lake City, UT 84112-0860
801-585-9810

"My girlfriend threatened to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK
On Tuesday 13 September 2005 11:09 am, Jason Gerfen wrote:
> I am having a hard time getting Samba to authenticate correctly
> against a Windows Active Directory setup.
>
> Here is a snap of the smb.conf
> [global]
>         passdb backend = ldapsam
>         security = domain
>         password server = server1.com server2.com
>         prefered master = No
>         local master = no
>         hide unreadable = yes
>         wins support = no
>         winbind use default domain = yes
>         domain master = No
>         netbios name = samba-newb
>         workgroup = scl
>         prefered master = no
>         dns proxy = no
>         idmap uid = 15000-20000
>         idmap gid = 15000-20000
>         realm = server.com
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>         use spnego = yes
>         server string = samba-newb
>         update encrypted = yes
>         domain logons = yes
>         winbind separator = +
>         winbind enum users = yes
>         winbind enum groups = yes
>         encrypt passwords = yes
>         os level = 20
>         template shell = /bin/bash
>         template homedir = /home/%D/%U
>
> [newb]
>         comment = newb
>         inherit acls = Yes
>         path = /usr/local/files/
>         read only = no
>         force group = users
>         force user = users
>         guest ok = no
>
> I can run the net ads join command which works fine, but if I try to
> authenticate without a local account I am receiving errors. Any
> assistance or pointers is appreciated.
>
> --
> Jason Gerfen

Jason,

It looks like your smb.conf is set up more for a Samba PDC than for a member server in a Windows AD. Are you looking to make your Samba server a member server? If so:

        security = ads
        wins server = ip.of.your.winsserver

I don't believe you need:

        passdb backend = ldapsam

Is kerberos installed, and do you have krb5.conf set up properly?

Dimitri
Jason Gerfen wrote:
> I am having a hard time getting Samba to authenticate correctly
> against a Windows Active Directory setup.
>
> Here is a snap of the smb.conf
> [global]
>         passdb backend = ldapsam
>         security = domain

These two jump out at me. Should be:

        security = ads

And since you're using domain/ads, you shouldn't use passdb backend.

-- Rex
Jason Gerfen wrote:
> I am having a hard time getting Samba to authenticate correctly
> against a Windows Active Directory setup.
>
> Here is a snap of the smb.conf
> [global]
>         passdb backend = ldapsam
>         security = domain
>         password server = server1.com server2.com
>         prefered master = No
>         local master = no
>         hide unreadable = yes
>         wins support = no
>         winbind use default domain = yes
>         domain master = No
>         netbios name = samba-newb

Oh, and security=ads mixed with netbios name didn't work (for me at least), last time I tried. See https://bugzilla.samba.org/show_bug.cgi?id=2727

-- Rex
Jason Gerfen wrote:
> I am having a hard time getting Samba to authenticate correctly
> against a Windows Active Directory setup.

>         template shell = /bin/bash
>         template homedir = /home/%D/%U

> I can run the net ads join command which works fine, but if I try to
> authenticate without a local account I am receiving errors. Any
> assistance or pointers is appreciated.

If you want to avoid the use of local accounts, you also need to configure/use winbind and pam+nss_winbind

-- Rex
On Tuesday 13 September 2005 3:58 pm, Rex Dieter wrote:
> Jason Gerfen wrote:
>> I am having a hard time getting Samba to authenticate correctly
>> against a Windows Active Directory setup.
>>
>>         template shell = /bin/bash
>>         template homedir = /home/%D/%U
>>
>> I can run the net ads join command which works fine, but if I try to
>> authenticate without a local account I am receiving errors. Any
>> assistance or pointers is appreciated.
>
> If you want to avoid the use of local accounts, you also need to
> configure/use winbind and pam+nss_winbind
>
> -- Rex

Rex is right. You need to configure resolv.conf, nsswitch.conf, and /etc/pam.d/login.

Dimitri
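The replies above boil down to a handful of settings to check in smb.conf before a box can act as an AD member server. The script below is an added example (not code from the thread or from the Samba project): it parses an smb.conf into sections and flags the points Dimitri and Rex raise (security must be ads, passdb backend is unused, a realm is needed, idmap ranges must exist, and domain logons = yes is a PDC setting). The two sample configs are constructed from the original post; the FIXED_SMB_CONF rewrite is my own and is not a complete working config.

```python
# Added example (not from the thread or the Samba project): parse an smb.conf
# and flag the settings the replies call out for an AD member server.
import re

# Constructed sample: the [global] section from the original post, trimmed
# to the settings the checks below look at.
POSTED_SMB_CONF = """\
[global]
        passdb backend = ldapsam
        security = domain
        password server = server1.com server2.com
        prefered master = No
        domain logons = yes
        netbios name = samba-newb
        workgroup = scl
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        realm = server.com
        winbind use default domain = yes

[newb]
        path = /usr/local/files/
        read only = no
"""

# Constructed sample: the same box rewritten as a member server per the replies.
FIXED_SMB_CONF = """\
[global]
        security = ads
        realm = SERVER.COM
        workgroup = scl
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        winbind use default domain = yes
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with whitespace
    collapsed so 'prefered master' and 'Prefered  Master' compare equal."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comment lines
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit_member_server(conf):
    """Checks from the thread: security = ads, no passdb backend, a realm,
    usable idmap ranges, and no PDC-style 'domain logons'."""
    g = conf.get("global", {})
    findings = []
    security = g.get("security", "user").lower()
    if security != "ads":
        findings.append(f"security = {security}: an AD member server needs security = ads")
    if "passdb backend" in g:
        findings.append("passdb backend is set but unused with security = ads; remove it")
    if "realm" not in g:
        findings.append("realm is missing: security = ads needs the Kerberos realm")
    for key in ("idmap uid", "idmap gid"):
        if not re.fullmatch(r"\d+\s*-\s*\d+", g.get(key, "")):
            findings.append(f"{key} missing or malformed: winbind cannot allocate ids")
    if g.get("domain logons", "no").lower() == "yes":
        findings.append("domain logons = yes is a PDC setting, not a member-server one")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        problems = audit_member_server(parse_smb_conf(text))
        print(f"{name}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

Run it against a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`; the parser deliberately ignores `include =` lines and per-share overrides, since the member-server settings all live in [global].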
Leewa
2005-Sep-13 20:53 UTC
[Samba]: Including Windows domain with "smbclient -U" command?
To all,

Can one specify the Windows domain in the "smbclient -U" command? Can one do something like,

        smbclient -U //server -Umywindowsdomain\johndoe%password

Kind Regards,

Wayne
e-mail: leewa2000@yahoo.com
Could I get an example of the /etc/pam.d/login configuration for use with winbind?

Dimitri Yioulos wrote:
> On Tuesday 13 September 2005 3:58 pm, Rex Dieter wrote:
>> Jason Gerfen wrote:
>>> I am having a hard time getting Samba to authenticate correctly
>>> against a Windows Active Directory setup.
>>>
>>>         template shell = /bin/bash
>>>         template homedir = /home/%D/%U
>>>
>>> I can run the net ads join command which works fine, but if I try to
>>> authenticate without a local account I am receiving errors. Any
>>> assistance or pointers is appreciated.
>>
>> If you want to avoid the use of local accounts, you also need to
>> configure/use winbind and pam+nss_winbind
>>
>> -- Rex
>
> Rex is right. You need to configure resolv.conf, nsswitch.conf, and
> /etc/pam.d/login.
>
> Dimitri

-- 
Jason Gerfen
On Wednesday 14 September 2005 10:21 am, you wrote:
> Could I get an example of the /etc/pam.d/login configuration for use
> with winbind?
>
> Dimitri Yioulos wrote:
>> On Tuesday 13 September 2005 3:58 pm, Rex Dieter wrote:
>>> Jason Gerfen wrote:
>>>> I am having a hard time getting Samba to authenticate correctly
>>>> against a Windows Active Directory setup.
>>>>
>>>>         template shell = /bin/bash
>>>>         template homedir = /home/%D/%U
>>>>
>>>> I can run the net ads join command which works fine, but if I try to
>>>> authenticate without a local account I am receiving errors. Any
>>>> assistance or pointers is appreciated.
>>>
>>> If you want to avoid the use of local accounts, you also need to
>>> configure/use winbind and pam+nss_winbind
>>>
>>> -- Rex
>>
>> Rex is right. You need to configure resolv.conf, nsswitch.conf, and
>> /etc/pam.d/login.
>>
>> Dimitri

Jason,

I'll do it, but you really should read Samba-3 by Example. John H. and company have done an excellent job of documenting Samba configuration and use. It would be better to use the mailing list after that.

That said:

#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

Dimitri
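Rex's and Dimitri's point that winbind must be wired into both NSS and PAM before domain accounts resolve is easy to get half right. The script below is an added example (not code from the thread or from the Samba project) that checks the two files involved: it parses nsswitch.conf and confirms winbind is a source for passwd and group, and parses a pam.d service file to confirm pam_winbind.so appears in the auth and account stacks and that a pam_unix.so placed after it carries use_first_pass. Dimitri's posted login file is used as sample input; the other samples are constructed. It only looks at modules listed directly, not those pulled in through pam_stack.so or include lines.

```python
# Added example (not from the thread or the Samba project): audit nsswitch.conf
# and a pam.d service file for the winbind hooks the replies describe.

# Constructed sample: a stock nsswitch.conf, resolving users from files only.
NSSWITCH_FILES_ONLY = """\
passwd:     files
shadow:     files
group:      files
hosts:      files dns
"""

# Constructed sample: the same file with winbind added as an NSS source.
NSSWITCH_WITH_WINBIND = """\
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
"""

# Dimitri's posted /etc/pam.d/login, reproduced here as sample input.
PAM_LOGIN_WINBIND = """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
"""

# Constructed sample: a login stack that never consults winbind.
PAM_LOGIN_LOCAL_ONLY = """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_unix.so
account    required     pam_unix.so
session    required     pam_unix.so
"""


def parse_nsswitch(text):
    """Map each NSS database name to its ordered list of sources."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            databases[name.strip()] = sources.split()
    return databases


def parse_pam(text):
    """Return (type, control, module, args) tuples in stack order."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            entries.append((parts[0].lower(), parts[1].lower(), parts[2], parts[3:]))
    return entries


def audit_nsswitch(databases):
    """getent passwd/group only show domain accounts if winbind is a source."""
    return [
        f"nsswitch: '{db}' has no winbind source, getent {db} shows local entries only"
        for db in ("passwd", "group")
        if "winbind" not in databases.get(db, [])
    ]


def audit_pam(entries):
    """Direct checks only: modules pulled in via pam_stack/include are not followed."""
    findings = []
    for stack in ("auth", "account"):
        if "pam_winbind.so" not in [e[2] for e in entries if e[0] == stack]:
            findings.append(f"pam: {stack} stack never calls pam_winbind.so")
    winbind_seen = False
    for stack, _control, module, args in entries:
        if stack != "auth":
            continue
        if module == "pam_winbind.so":
            winbind_seen = True
        elif module == "pam_unix.so" and winbind_seen and not (
            {"use_first_pass", "try_first_pass"} & set(args)
        ):
            findings.append("pam: pam_unix.so after pam_winbind.so lacks use_first_pass, "
                            "users get prompted twice")
    return findings


if __name__ == "__main__":
    for label, text in (("files only", NSSWITCH_FILES_ONLY), ("with winbind", NSSWITCH_WITH_WINBIND)):
        print(label, audit_nsswitch(parse_nsswitch(text)))
    for label, text in (("Dimitri's login", PAM_LOGIN_WINBIND), ("local only", PAM_LOGIN_LOCAL_ONLY)):
        print(label, audit_pam(parse_pam(text)))
```

Point it at a live system with `parse_nsswitch(open("/etc/nsswitch.conf").read())` and `parse_pam(open("/etc/pam.d/login").read())`. An empty result from both audits is the state in which `getent passwd` starts listing domain users, provided winbindd itself is running and joined.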
Jason Gerfen wrote:
> <snippet>
>
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> default_tkt_enctypes = des-cbc-crc des-cbc-md5
>> default_tgs_enctypes = des-cbc-crc
>
> I have added these options to my krb5.conf per your suggestion
>
>> Note the default enctypes. Seems in the way back I was getting
>> errors; adding these fixed that. Others may disagree, and YMMV.
>>
>> Dimitri
>
> I have the following services running smbd, nmbd & winbindd. Here are
> snippets of the logs log.nmbd, log.smbd and log.winbind
>
> log.winbind
> [2005/09/14 10:38:06, 1] nsswitch/winbindd.c:main(864)
>   winbindd version 3.0.13-1.1-SUSE started.
>   Copyright The Samba Team 2000-2004
> [2005/09/14 10:38:08, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
>   ads_connect for domain SCL.UTAH.EDU failed: No such file or directory
>
> log.smbd
> [2005/09/14 11:03:04, 0] printing/print_cups.c:cups_cache_reload(85)
>   Unable to connect to CUPS server localhost - Connection refused
> [2005/09/14 11:03:04, 0] printing/print_cups.c:cups_cache_reload(85)
>   Unable to connect to CUPS server localhost - Connection refused
> ** I am not running cups
>
> log.nmbd
> add_domain_logon_names:
>   Attempting to become logon server for workgroup SCL.UTAH.EDU on subnet 192.168.0.3
> [2005/09/14 10:38:12, 0] nmbd/nmbd_logonnames.c:become_logon_server_success(124)
>   become_logon_server_success: Samba is now a logon server for workgroup SCL.UTAH.EDU on subnet 192.168.0.3
> [2005/09/14 10:43:48, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
>   *****
>
>   Samba name server ODIN-NEWB is now a local master browser for workgroup DOMAIN.Com on subnet 192.168.0.3
>
>   *****
>
> I am still not able to authenticate against the domain, any other
> suggestions?
>
> If it helps any this is the response from wbinfo
>
> %> wbinfo -m
> BUILTIN

The -t and -u options return errors as well:

jason@odin-newb:~> sudo wbinfo -m
BUILTIN
jason@odin-newb:~> sudo wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_PIPE_NOT_AVAILABLE (0xc00000ac)
Could not check secret
jason@odin-newb:~> sudo wbinfo -u
Error looking up domain users

-- 
Jason Gerfen
Jason Gerfen wrote:
> </snip>
>
> Ok I think I have found my problem. I need to find a way to map Samba
> to an active directory common name:
>
> %> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"
> (example, I know the syntax is incorrect)
>
> As far as I can tell it is hard coded in the net ads join routine to
> tack on the ou=users vs. cn=users, anyone shed some light on this?

Some output from strace

%> strace -o tmp net ads join -U "Admin" "users"

write(6, "0C\2\1\5c>\4\36ou=users,dc=SCL,dc=UTAH"..., 69) = 69
<-- here is the hard coded ou, I am not 100% familiar with the LDAP RFC but on a windows Active Directory there are CN and OU containers
select(1024, [6], [], NULL, {15, 0}) = 1 (in [6], left {14, 999000})
read(6, "0\204\0\0\0\222\2\1", 8) = 8
read(6, "\5e\204\0\0\0\211\n\1 \4\25DC=scl,DC=utah,DC=ed"..., 144) = 144
rt_sigaction(SIGALRM, {SIG_IGN}, {0x535000, [ALRM], SA_RESTORER, 0x2aaaab95ff00}, 8) = 0

Anyone shed some light here? I need a way to overwrite that OU parameter to a CN...

-- 
Jason Gerfen
On Thursday 15 September 2005 4:17 pm, you wrote:
> Dimitri Yioulos wrote:
>> On Thursday 15 September 2005 3:32 pm, you wrote:
>>> </snip>
>>>
>>> Ok I think I have found my problem. I need to find a way to map Samba
>>> to an active directory common name:
>>>
>>> %> net ads join -U"Administrator" "cn=users,dc=domain,dc=com" (example,
>>> I know the syntax is incorrect)
>>>
>>> As far as I can tell it is hard coded in the net ads join routine to
>>> tack on the ou=users vs. cn=users, anyone shed some light on this?
>>
>> Uh, I must be missing something here. This is a pretty straightforward
>> set-up, right? You want to join this Samba box to a Win2k3 server for
>> file- or print-serving purposes? I've always felt that you get a basic
>> set-up working first, then start to get fancy.
>>
>> AFAIK:
>>
>> 1. kinit Administrator@MYDOMAIN.COM
>> (You'll be prompted for a password. My systems simply return me to a
>> prompt if I'm successful.)
>> 2. net ads join -U Administrator@MYDOMAIN.COM
>> (Again, you'll be prompted for a password. Info about the machine joining
>> the AD is returned)
>>
>> Beyond this, someone else will have to help out.
>>
>> Best,
>>
>> Dimitri
>
> Yeah this works, I can get my krb creds:
>
> jason@odin-newb:~> kinit Admin@DOMAIN.COM
> Password for Admin@DOMAIN.COM:
> jason@odin-newb:~> klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: Admin@DOMAIN.COM
>
> Valid starting     Expires            Service principal
> 09/15/05 14:12:30  09/16/05 00:11:16  krbtgt/DOMAIN.COM@DOMAIN.COM
>         renew until 09/16/05 14:12:30
>
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> And this works as well:
>
> Admin@DOMAIN.COM's password:
> [2005/09/15 14:13:25, 0] libads/ldap.c:ads_add_machine_acct(1405)
>   ads_add_machine_acct: Host account for odin-newb already exists -
>   modifying old account
> Using short domain name -- DOMAIN.COM
> Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
>
> But when testing, using wbinfo -u or getent I am getting only the local
> passwd accounts.
>
> jason@odin-newb:~> wbinfo -u
> Error looking up domain users
>
> And here is where my accounts need to be authenticated from
>
> LDAP://server.domain.com/CN=Users,DC=server,DC=domain,DC=com
>
> Note the CN=Users, vs. OU=Users, I will go read the RFC to see if I can
> get more info on this.

So, you're not authenticating against ADS? If you are, are you sure the winbind daemon is running?

Dimitri
Hi,

I get exactly the same.

'kinit -U[username]%[password] works 100%; 'klist' shows my kerberos ticket(s); I set up my krb5.conf as per the examples in Samba 3 by Example-HOWTO; I joined the domain 100% with 'net ads join -U [username]%[password]', but:

wbinfo -u just gives me "Error looking up domain users."
wbinfo -g gives me a listing of all the ADS groups <-- working 100%?
'getent passwd' gives me a listing of all local users, but no domain / ADS users
'getent group' gives me the local groups, but no ADS groups (just hangs a while after local groups and then probably times out)

I only have a small office file & print server (about 12 users), so I got around this by using local accounts and manually mapping them to the corresponding domain users (/etc/samba/smbusers - local username [DOMAIN]/[domain username]) and using 'username map /etc/samba/smbusers' in smb.conf.

Here is my config:

[global]
        realm = COMPANY.COM
        security = ADS
        password server = kdc.company.com
        idmap uid = 10000-1000000
        idmap gid = 10000-1000000
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind separator = /
        unix password sync = yes
        workgroup = COMPANY-COM
        interfaces = eth0 lo
        bind interfaces only = yes
        netbios name = SERVER
        name resolve order = wins hosts bcast
        dns proxy = no
        domain logons = no
        preferred master = no
        domain master = no
        local master = yes
        os level = 33
        max log size = 1024
        log level = 2
        log file = /var/log/samba/samba-new.log
        syslog = 1
        guest account = smbguest
        username level = 50
        username map = /etc/samba/smbusers
        encrypt passwords = yes
        password level = 20
        client use spnego = yes
        wins server = x.x.x.x
        preserve case = yes
        short preserve case = yes
        case sensitive = no
        hide dot files = yes
        hide unreadable = yes
        hide special files = yes
        map to guest = never

I also repeatedly get the following in /var/log/samba/log-wb.COMPANY-COM:

[2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
  cli_rpc_open failed on pipe \lsarpc to machine [ADS_DC_NAME]. Error was Write error: Connection reset by peer
[2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
  cli_rpc_open failed on pipe \NETLOGON to machine [ADS_DC_NAME]. Error was Write error: Connection reset by peer

Service smb status gives:
smbd (pid 21371 21233) is running...
nmbd (pid 14018) is running...

Service winbind status gives:
winbindd (pid 8991 8370 8367 8366) is running...

I'm running Samba 3.0.20 on Linux Fedora Core 4

Although we can work, any help to get the proper domain authentication working would be greatly appreciated.

TIA
Ernest

> Dimitri Yioulos wrote:
>> On Thursday 15 September 2005 3:32 pm, you wrote:
>>> </snip>
>>>
>>> Ok I think I have found my problem. I need to find a way to map
>>> Samba to an active directory common name:
>>>
>>> %> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"
>>> (example, I know the syntax is incorrect)
>>>
>>> As far as I can tell it is hard coded in the net ads join routine to
>>> tack on the ou=users vs. cn=users, anyone shed some light on this?
>>
>> Uh, I must be missing something here. This is a pretty
>> straightforward set-up, right? You want to join this Samba box to a
>> Win2k3 server for file- or print-serving purposes? I've always felt
>> that you get a basic set-up working first, then start to get fancy.
>>
>> AFAIK:
>>
>> 1. kinit Administrator@MYDOMAIN.COM
>> (You'll be prompted for a password. My systems simply return me to a
>> prompt if I'm successful.)
>> 2. net ads join -U Administrator@MYDOMAIN.COM
>> (Again, you'll be prompted for a password. Info about the machine
>> joining the AD is returned)
>>
>> Beyond this, someone else will have to help out.
>>
>> Best,
>>
>> Dimitri
>
> Yeah this works, I can get my krb creds:
>
> jason@odin-newb:~> kinit Admin@DOMAIN.COM
> Password for Admin@DOMAIN.COM:
> jason@odin-newb:~> klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: Admin@DOMAIN.COM
>
> Valid starting     Expires            Service principal
> 09/15/05 14:12:30  09/16/05 00:11:16  krbtgt/DOMAIN.COM@DOMAIN.COM
>         renew until 09/16/05 14:12:30
>
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> And this works as well:
>
> Admin@DOMAIN.COM's password:
> [2005/09/15 14:13:25, 0] libads/ldap.c:ads_add_machine_acct(1405)
>   ads_add_machine_acct: Host account for odin-newb already exists -
>   modifying old account
> Using short domain name -- DOMAIN.COM
> Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
>
> But when testing, using wbinfo -u or getent I am getting only the
> local passwd accounts.
>
> jason@odin-newb:~> wbinfo -u
> Error looking up domain users
>
> And here is where my accounts need to be authenticated from
>
> LDAP://server.domain.com/CN=Users,DC=server,DC=domain,DC=com
>
> Note the CN=Users, vs. OU=Users, I will go read the RFC to see if I
> can get more info on this.

> So, you're not authenticating against ADS? If you are, are you sure the
> winbind daemon is running?
>
> Dimitri
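Both Jason's and Ernest's reports end in the same place: the join succeeds, Kerberos tickets are issued, and yet winbind logs connection failures and `wbinfo -u` returns nothing. The script below is an added example (not code from the thread or from the Samba project) that parses Samba's two-line log record format, a `[timestamp, level] file:func(line)` header followed by indented message lines, and sorts the failures quoted in this thread into buckets with a note on what to verify next. The sample log is constructed from the lines quoted above, the DC name is a placeholder, and the category names and hints are mine, not Samba's.

```python
# Added example (not from the thread or the Samba project): parse the
# log.winbind / log.smbd record format and bucket the failures seen above.
import re

HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (?P<level>\d+)\] "
    r"(?P<file>\S+):(?P<func>\w+)\((?P<line>\d+)\)$"
)

# (pattern, category, what to verify next); categories and hints are mine.
RULES = [
    (re.compile(r"ads_connect for domain (\S+) failed"), "ads-connect",
     "winbind cannot reach the domain via ADS; check realm, krb5.conf and DNS SRV records"),
    (re.compile(r"cli_rpc_open failed on pipe (\S+) to machine (\S+)"), "rpc-pipe",
     "RPC pipe to the DC refused or reset; verify the join with 'net ads testjoin'"),
    (re.compile(r"Unable to connect to CUPS server"), "printing",
     "unrelated to authentication; set 'load printers = no' if no CUPS is wanted"),
]

# Constructed sample assembled from the log lines quoted in the thread;
# ADS_DC_NAME is a placeholder for the domain controller's name.
SAMPLE_LOG = r"""[2005/09/14 10:38:06, 1] nsswitch/winbindd.c:main(864)
  winbindd version 3.0.13-1.1-SUSE started.
  Copyright The Samba Team 2000-2004
[2005/09/14 10:38:08, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain SCL.UTAH.EDU failed: No such file or directory
[2005/09/14 11:03:04, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
  cli_rpc_open failed on pipe \lsarpc to machine ADS_DC_NAME. Error was Write error: Connection reset by peer
"""


def parse_samba_log(text):
    """Group each '[timestamp, level] file:func(line)' header with the
    indented message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["line"] = int(rec["line"])
            rec["message"] = ""
            records.append(rec)
        elif records:
            # continuation line: append to the message of the last header seen
            records[-1]["message"] = (records[-1]["message"] + " " + line.strip()).strip()
    return records


def classify(records):
    """Return (category, hint, message) for every record matching a rule;
    informational records such as the startup banner are skipped."""
    out = []
    for rec in records:
        for pattern, category, hint in RULES:
            if pattern.search(rec["message"]):
                out.append((category, hint, rec["message"]))
                break
    return out


if __name__ == "__main__":
    for category, hint, message in classify(parse_samba_log(SAMPLE_LOG)):
        print(f"[{category}] {message}\n    -> {hint}")
```

On a real host, feed it `open("/var/log/samba/log.winbind").read()` (or the per-domain `log-wb.*` file Ernest quotes); the CUPS bucket exists so that the noise from an absent print server is not mistaken for the authentication problem.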