David Martinez
2005-Dec-06 16:25 UTC
[Samba] Mac OS X clients not binding to a Samba+LDAP PDC
Hi there!

This is my first post and I really would like to have this stuff working... if not, I should go to Win2k3 server.... please help me to avoid it!!!!

I've been trying to integrate Mac OS X (10.3) clients into my Samba server through the Active Directory Plugin with no success. This PDC is currently working for 90 PCs with XP SP2.

My server is well configured on the DNS side (or I think so):

ns       A  192.168.101.50
ldap     A  192.168.101.50
pruebas  A  192.168.101.50
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs  SRV  0 100 389  pruebas.valeeuro.com
_ldap._tcp.dc._msdcs  SRV  0 100 389  pruebas.valeeuro.com
_ldap._tcp.aab455e4-bbb2-408b-a097-bb359f315574.domains._msdcs  SRV  0 100 389  pruebas.valeeuro.com
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs  SRV  0 100 389  pruebas.valeeuro.com
_ldap._tcp.gc._msdcs  SRV  0 100 389  pruebas.valeeuro.com
_ldap._tcp.pdc._msdcs  SRV  0 100 389  pruebas.valeeuro.com
_gc._tcp.Default-First-Site-Name._sites  SRV  0 100 389  pruebas.valeeuro.com
_ldap._tcp.Default-First-Site-Name._sites  SRV  0 100 389  pruebas.valeeuro.com
_gc._tcp  SRV  0 100 389  pruebas.valeeuro.com
_ldap._tcp  SRV  0 100 389  pruebas.valeeuro.com

When I try to bind the Mac computer to the domain it stops on step 3 and gives the error "Invalid username and password".

As I see it, the Mac is trying to connect using Kerberos authentication, which I don't know how to configure on Samba+LDAP!!

How do I enable Kerberos authentication on my LDAP+Samba+Linux server?

My configuration:
samba 3.0.20
openldap 2.2.23 (openldap is the backend for samba)
bind 9.3
linux fedora core 4

Thanks in advance!!!

Regards,
David
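An added example, not code from the original post: a small audit of the SRV records David pasted against the locator records an Active Directory style client queries when it joins a domain. The expected record set (owner names and ports) is the standard AD convention and is an assumption here, since the thread does not spell it out; the audit makes visible that the Kerberos records the Mac asks for are simply not there.

```python
# Added example for this thread (not code from the original post): check the
# SRV records David pasted against the locator records an AD-style client
# queries. EXPECTED_SRV is the standard AD record set, assumed here; the
# thread itself does not list it.
import re

# Transcribed from the original post (zone valeeuro.com); A records omitted.
ZONE = """
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.dc._msdcs SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.aab455e4-bbb2-408b-a097-bb359f315574.domains._msdcs SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.gc._msdcs SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.pdc._msdcs SRV 0 100 389 pruebas.valeeuro.com
_gc._tcp.Default-First-Site-Name._sites SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 389 pruebas.valeeuro.com
_gc._tcp SRV 0 100 389 pruebas.valeeuro.com
_ldap._tcp SRV 0 100 389 pruebas.valeeuro.com
"""

SRV_RE = re.compile(r"^(\S+)\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

# Owner name (relative to the zone) -> port an AD client expects there.
EXPECTED_SRV = {
    "_ldap._tcp": 389,
    "_ldap._tcp.dc._msdcs": 389,
    "_ldap._tcp.pdc._msdcs": 389,
    "_gc._tcp": 3268,              # global catalog listens on 3268, not 389
    "_kerberos._tcp": 88,          # KDC: the service the Mac asks for
    "_kpasswd._tcp": 464,
}

def parse_srv(zone: str) -> dict:
    """Map owner -> (priority, weight, port, target) for each SRV line."""
    records = {}
    for line in zone.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            owner, prio, weight, port, target = m.groups()
            records[owner] = (int(prio), int(weight), int(port), target.rstrip("."))
    return records

def audit(zone: str) -> list:
    """Return findings for locator records that are missing or on the wrong port."""
    srv = parse_srv(zone)
    findings = []
    for owner, port in EXPECTED_SRV.items():
        if owner not in srv:
            findings.append(f"missing {owner}")
        elif srv[owner][2] != port:
            findings.append(f"{owner}: port {srv[owner][2]}, expected {port}")
    return findings
```

Running `audit(ZONE)` reports the two missing Kerberos records plus `_gc._tcp` on the LDAP port, which matches David's sniffer observation: the client wants a KDC and a Samba 3 PDC does not offer one.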
Have you configured NSS and PAM to use winbindd?

Are you trying to use a PDC or Active Directory LDAP/Kerberos?
- PDC supports NTLM for authentication, which is old-school Windows NT.
- Active Directory supports Kerberos for authentication.

I haven't yet used the AD plug-in. I think that the LDAP schema needs to be modified to support UNIX data like gid/uid, shell, etc. There's an AD4Unix open source solution that I think can add the compatible schema. The AD plug-in will also reconfigure PAM to use Apple's module; you need to configure PAM to use SAMBA's winbindd instead. Also, before this, you must establish authentication through Kerberos, testing with kinit, and configuring Kerberos on the client. You might need to export a keytab that corresponds to a Windows service principal name(s) (a user account with a name that represents the host client and the services offered by the host client) using ktpass on the Windows domain controller, and import this keytab securely into the client that needs to access the Windows domain controller.

As for Mac OS X, I am pretty sure they support the older SAMBA 2.0, which does not have support for Active Directory, other than through a PDC emulator operations master on a Windows 2000 or Windows Server 2003 domain controller.

Also, you say you are using SAMBA 3.0.20. Did you compile this on the Macintosh?

- Joaquin
I think the best solution for the Macintosh would be PADL's stuff. Check out
http://www.padl.com/Contents/OpenSourceSoftware.html. There's a NSS module
that will plug into LDAP for unix information. You'll need to configure the
appropriate mappings. Also, there's a PAM module that will authenticate
using a password hash stored in the LDAP. Naturally you should encrypt the
traffic using either SASL, LDAPS, or LDAP StartTLS. Amongst the tools is a
caching tool, which will allow the laptop to work offline, much like the Windows
feature.
For a pure SAMBA 2.0 solution, you would have to configure NSS and PAM to use
winbindd on the MacOS X. I am not even sure how to do this or what Apple's
level of support is for a complete SAMBA set of tools and configurations.
Another thing, you seem to be confusing PDC with Active Directory DC. The PDC
is from the olden days, and uses NTLM for authentication. An AD DC uses
Kerberos for authentication. There's no concept of a PDC in Active
Directory, as it is a "multi-master" scenario, where every DC is an
equal citizen. If one fails, users authenticate to another DC. There's no
"primary" like in the historic NT domain, which is a
"single-master" scenario having a single-point of failure; if the PDC
fails, no one authenticates until a BDC is promoted to the role of PDC.
- Joaquin Menchaca
________________________________________
From: David Martinez [mailto:davidmx@gmail.com]
Sent: Thursday, December 08, 2005 8:13 AM
To: SAMBA
Cc: samba@lists.samba.org
Subject: Re: [Samba] Mac OS X clients not binding to a Samba+LDAP PDC
Thanks for your response.
I think I haven't been clear; my environment is:
1. Fedora Core 4 + openldap 2.2 + samba 3.0: this is the PDC, samba uses ldap as
a backend for users, computers, groups. That box has NSS, PAM and LDAP configured
2. Windows XP clients are attached to the domain and are working pretty good.
3. I need to join Mac OS X 10.3 clients to the same domain in order to have
single sign-on. These clients are using samba 2.
* My first test was to use the incorporated LDAP authentication with Mac OS X
(Apps->Utilities -> Directory Access -> Authentication -> Custom
Path ), I had to change the default LDAP attribute mapping and it worked. But this
solution won't allow my mobile users to sign on once they are out of the office
because the last login is not cached (I need a Windows-like behavior where AD
clients can log in even when they are not attached to the network).
* A second test is to use the Active Directory Plugin incorporated with Panther
but it doesn't work. I've been using a sniffer to see what's going on in
the binding process and I found the Mac client asks for Kerberos authentication;
since I have no Kerberos in the PDC box the binding process fails. The
Active Directory Plugin works fine with Win2K AD servers, I have used it
before... looks like the AD Plugin does not use samba.
As you see I have three options:
* Find a solution to the LDAP authentication caching problem when the Mac
clients are not connected to the network.
* Configure Kerberos authentication on the LDAP+SAMBA box and join the Mac
clients to the PDC.
* Forget all this and spend $15,000 bucks on Win server and CALs, reconfigure
all WinXP clients and install Win2k on the Linux box.
Has anybody here ever attached Mac OS X clients to a Samba 3 PDC??
Regards,
David