Greetings.

I have just started scratching the surface of using Samba to create an SSO environment for my network. I have been playing a bit with both SuSE 9.3 and CentOS 4.1 to authenticate to an AD PDM (W2K). I've made it the farthest with the CentOS server. I have joined it to the domain and been able to verify AD users and groups using wbinfo [-u|-g] and getent [passwd|group]. I have even been able to `su` to an AD user on the CentOS server, but only with errors:

    # su - DOMAIN\+testuser
    id: cannot find name for user ID 16777216
    -bash-3.00$

It seems to pass, but with errors. (I had to manually create the homedir for the user: /home/DOMAIN/testuser to get `su` to work.) I can't seem to log in to the server using the account, though.

I've been using a number of documents from Samba, O'Reilly, and other sources I googled up, but they are all pretty much the same. Am I missing something? Do I have to do something else to allow an existing AD account to log into the machine?

Here's my config:

smb.conf:
---------
[global]
    workgroup = DOMAIN
    server string = Samba Server
    printcap name = /etc/printcap
    load printers = yes
    cups options = raw
    log file = /var/log/samba/%m.log
    max log size = 50
    security = ADS
    winbind separator = +
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = no
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = no
    password server = pdc.addomain.mydomain.com
    realm = ADDOMAIN.MYDOMAIN.COM

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

krb5.conf:
----------
[libdefaults]
    ticket_lifetime = 600
    default_realm = ADDOMAIN.MYDOMAIN.COM
    dns_lookup_kdc=0
    dns_lookup_realm=0
    dns_fallback=0
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 rc4-hmac
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 rc4-hmac
    permitted_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc des-cbc-md5 arcfoug-hmac-md5 arcfour-hmac-md

[realms]
    ADDOMAIN.MYDOMAIN.COM = {
        kdc = 10.10.10.10
        kdc = 10.10.10.12
    }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

nsswitch.conf:
--------------
passwd: compat winbind
shadow: files winbind
group: compat winbind
hosts: files dns winbind
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus

-- 
Brian

"An adventure is never an adventure when it's happening. Challenging experiences need time to ferment, and adventure is simply physical and emotional comfort recollected in tranquility." - Tim Cahill (Hold the Enlightenment - 2002)