Dear all,
I guess there were a lot of posts about this subject, but I'm really stuck
& prefer to start a new thread, hoping that some of you
won't mind re-posting to help the Samba newbie that I am.
Well, here is my situation:
- more than 1000 users on a heterogeneous network, one domain & the need to
keep only one.
- I need my Linux boxes' users to get authenticated against a single AD,
therefore I installed Samba 3 on a Red Hat 9, kernel 2.4,
- smbd, nmbd & winbind are running
- the Linux boxes joined my domain using the command
[root@LinuxBox root]# net ads join -U Administrator%password
- I am able to view the list of the users in the AD with:
[root@LinuxBox root]# /usrlocal/samba/bin/wbinfo -u
HOWEVER, I get the listing in the format username, not the supposed
MYDOMAINNAME+username
Furthermore, when I try to log on to the Linux box using one of my AD users, I
simply cannot.
Please find below my config files: smb.conf, /etc/pam.d/login & /etc/nsswitch
Thank you very much for reading my post & please let me know if you need
any more information....
Best Regards,
smb.conf
#======================= Global Settings ====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = medi
netbios name = LinuxMachine
logon drive = h:
logon home = \\home_dir_server\%U
logon script = %U.bat
winbind separator = :
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enunm users = yes
winbind enunm groups = yes
template homedir = /home/%D/ %U
template shell = /bin/bash
winbind usedefault domain = yes
client use spnego = yes
unix extensions = yes
case sensitive = yes
delete readonly = yes
# server string is the equivalent of the NT Description field
server string = Samba Server
max log size = 50
security = ADS
ads server = 10.100.101.62
password server = 10.100.101.62
encrypt passwords = yes
realm = medi.com
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
pam password change = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 10.100.101.62
username map = /etc/samba/smbusers
dns proxy = no
#============================ Share Definitions =============================
[homes]
comment = Home Directories
browseable = no
writeable = yes
valid users = %S
create mode = 0664
directory mode = 0775
[shared]
path = /home/shared
writeable = yes
guest ok = yes
[medi]
path = /home/medi
writeable = yes
Login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
#auth requisite pam_nologin.so
#auth requisite pam_krb5.so
#auth optional pam_smbpass.so migrate
#account required pam_krb5.so
#password requisite pam_cracklib.so retry=3
#password optional pam_smbpass.so nullok use_authtok try_first_pass
#password required pam_krb5.so use_authtok try_first_pass
#session required pam_krb5.so
nsswitch:
passwd: files winbind
shadow: files
group: files winbind
==================================
Sebbane Mehdi
Network & Systems Administrator
ITS Department
Alakhawayn University
Ifrane 53000
Morocco
Voice : +212 (0) 55 86 24 23
Fax: +212 (0) 55 86 24 24
www.aui.ma
===================================
Hi, I think there is one thing or two you must change.

> -----Original Message-----
> From: M.Sebbane@aui.ma [mailto:M.Sebbane@aui.ma]
> Sent: Friday, 16 December 2005 15:48
> To: samba@lists.samba.org
> Subject: [Samba] samba Active directory and SSO
<--snip -->
> winbind usedefault domain = yes

I think this must be set to no in order to show also the MYDOMAIN part,
i.e. winbind use default domain = no

According to man 5 smb.conf you should also set winbind separator:

    winbind separator (G)
        This parameter allows an admin to define the character used when
        listing a username of the form of DOMAIN\user. This parameter is only
        applicable when using the pam_winbind.so and nss_winbind.so modules
        for UNIX services.

        Please note that setting this parameter to + causes problems with
        group membership at least on glibc systems, as the character + is
        used as a special character for NIS in /etc/group.

        Default: winbind separator = '\'
        Example: winbind separator = +

Best Regards,
Bruno Guerreiro
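As an added example (not code from either message in this thread), a small Python check that reads a smb.conf the way Samba's loadparm compares parameter names (case-insensitive, whitespace ignored), flags winbind/idmap keys Samba would not recognise, and predicts the user-listing format from the two settings Bruno points at. The KNOWN set is a hand-picked subset of smb.conf parameters and the POSTED text is a constructed excerpt of the posted [global] section; both are assumptions of the example.

```python
import re

# Samba matches parameter names case-insensitively and ignores whitespace, so
# "winbind usedefault domain" still maps to "winbind use default domain"; keys
# are normalised the same way here. KNOWN is an assumed subset for this thread.
KNOWN = {
    "winbind separator", "winbind use default domain", "winbind enum users",
    "winbind enum groups", "idmap uid", "idmap gid", "winbind uid",
    "winbind gid", "template homedir", "template shell",
}

def _norm(key):
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text):
    """Return {section: {normalised key: value}} for smb.conf-style text."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][_norm(key)] = val.strip()
    return conf

def unknown_winbind_keys(conf):
    """Winbind/idmap/template keys in [global] that Samba would ignore."""
    known = {_norm(k) for k in KNOWN}
    return sorted(k for k in conf.get("global", {})
                  if k.startswith(("winbind", "idmap", "template"))
                  and k not in known)

def listing_format(conf):
    """Predict how wbinfo -u / getent passwd will print a domain user."""
    g = conf.get("global", {})
    if g.get("winbindusedefaultdomain", "no").lower() in ("yes", "true", "1"):
        return "username"                 # domain prefix is stripped
    sep = g.get("winbindseparator", "\\")  # man smb.conf: default is '\'
    return f"{g.get('workgroup', 'DOMAIN').upper()}{sep}username"

# Constructed sample: the winbind-related lines of the posted [global] section.
POSTED = """[global]
workgroup = medi
winbind separator = :
winbind enunm users = yes
winbind enunm groups = yes
winbind usedefault domain = yes
"""
```

testparm(1), shipped with Samba, is the authoritative version of the unknown-parameter check and should be run after any smb.conf change.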