samba - Nov 2006 - Samba with AD

I am stuck with Samba -Active Directory communication. Trying to bring my SUSE
10.0 to speak with AD Domain.

net rpc testjoin - brings a unable to find suitable server message

net join -  kerberos_kinit_password preauthentication failed and ads_connect
preauthentication failed

wbinfo -u works fine
wbinfo -t works fine
getent passwd/group works too

smb is running
nmb is running
winbindd is running
nscd is not running

Here my smb.conf

[global]
	workgroup = (netbios name of mydomain)
	realm = mydomain.local
	netbios name = sambaservername
	server string = 
	security = ads
	template shell = /bin/bash
	idmap uid = 150000-250000
	idmap gid = 150000-250000
	idmap backend = ldap://192.168.5.15 ldap://10.0.0.210
	winbind use default domain = yes
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	map to guest = Bad User
	include = /etc/samba/dhcp.conf
	logon path = \\%L\profiles\.msprofile
	logon home = \\%L\%U\.9xprofile
	logon drive = P:
	add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
	domain logons = no
	domain master = No
	ldap admin dn = 
	ldap delete dn = No
#ldap filter = (uid=%u)
	ldap group suffix = 
	ldap idmap suffix = 
	ldap machine suffix = 
	ldap passwd sync = No
	ldap replication sleep = 1000
	ldap ssl = Start_tls
	ldap suffix = 
	ldap timeout = 5
	ldap user suffix = 
	passdb backend = ldapsam:ldap://192.168.5.15	ldapsam:ldap://10.0.0.210
	security = user
	debug level = 5
	log level = 5


my nsswitch.conf

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

# passwd: files nis
# shadow: files nis
# group:  files nis

passwd:	files ldap
group:	files ldap
shadow:	files

hosts:	files dns
networks:	files dns

services:	files
protocols:	files
rpc:	files
ethers:	files
netmasks:	files
netgroup:	files
publickey:	files

bootparams:	files
automount:	files nis
aliases:	files


my krb5.conf

[libdefaults]
	default_realm = mydomain.local
	clockskew = 300

[realms]
mydomain.local = {
	kdc = (FQDN of AD Domain Controller)
	default_domain = mydomain.local
	admin_server = (FQDN of AD Domain Controller)
}

[logging]
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmin.log
	default = FILE:/var/log/krb5lib.log

[domain_realm]
	.mydomain.local = mydomain.local
[appdefaults]
	pam = {
		ticket_lifetime = 1d
		renew_lifetime = 1d
		forwardable = true
		proxiable = false
		retain_after_close = false
		minimum_uid = 0
		try_first_pass = true
	}


my pam.d/login

#%PAM-1.0
auth     required       pam_securetty.so
auth     sufficient     pam_winbind.so use_first_pass_use_authtok
auth     sufficient     pam_unix2.so
auth	 required       pam_stack.so use_first_pass
auth     required       pam_nologin.so
auth     required       pam_mail.so
account  sufficient     pam_winbind.so use_first_pass use_authtok
account  required       pam_stack.so service=system-auth
account  sufficient     pam_unix2.so
password sufficient     pam_winbind.so use_first_pass use_authtok
password required       pam_pwcheck.so
password sufficient     pam_unix2.so
session  required       pam_stack.so service=system-auth
session  optional       pam_console.so
session  sufficient     pam_winbind.so use_first_pass use_authtok
session  required       pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  sufficient     pam_unix2.so
session  required       pam_limits.so

and finally /etc/ldap.conf

#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#

# Your LDAP server. Must be resolvable without using LDAP.
host 192.168.5.15 10.0.0.210

# The distinguished name of the search base.
base dc=mydomain,dc=local

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
rootbinddn (DN of administrator)

# The credentials to bind with. 
# Optional: default is no credential.
bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn (DN of administrator)

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your
password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd	ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd	ou=People,dc=padl,dc=com?one
#nss_base_shadow	ou=People,dc=padl,dc=com?one
#nss_base_group		ou=Group,dc=padl,dc=com?one
#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
#nss_base_services	ou=Services,dc=padl,dc=com?one
#nss_base_networks	ou=Networks,dc=padl,dc=com?one
#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute	rfc2307attribute	mapped_attribute
#nss_map_objectclass	rfc2307objectclass	mapped_objectclass

# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member

# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds

# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key



Any Tips what I am missing out on ?????  I am trying to get authentication
working with SAMBA through to AD

Regards

Pashii
_____________________________________________________________________
Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
http://smartsurfer.web.de/?mc=100071&distributionid=000000000066

Have you configured kerberos?

have a look at http://wiki.samba.org/index.php/Samba_%26_Active_Directory

"ads_connect preauthentication failed" means there is something wrong
with
authenication or the machine account already exists.

regards
Franz

Pashii B wrote:
> I am stuck with Samba -Active Directory communication. Trying to bring my
> SUSE 10.0 to speak with AD Domain.
> 
> net rpc testjoin - brings a unable to find suitable server message
> 
> net join -  kerberos_kinit_password preauthentication failed and
> ads_connect preauthentication failed
> 
> wbinfo -u works fine
> wbinfo -t works fine
> getent passwd/group works too
> 
> smb is running
> nmb is running
> winbindd is running
> nscd is not running
> 
> Here my smb.conf
> 
> [global]
> workgroup = (netbios name of mydomain)
> realm = mydomain.local
> netbios name = sambaservername
> server string > security = ads
> template shell = /bin/bash
> idmap uid = 150000-250000
> idmap gid = 150000-250000
> idmap backend = ldap://192.168.5.15 ldap://10.0.0.210
> winbind use default domain = yes
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw
> map to guest = Bad User
> include = /etc/samba/dhcp.conf
> logon path = \\%L\profiles\.msprofile
> logon home = \\%L\%U\.9xprofile
> logon drive = P:
> add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
> domain logons = no
> domain master = No
> ldap admin dn > ldap delete dn = No
> #ldap filter = (uid=%u)
> ldap group suffix > ldap idmap suffix > ldap machine suffix > ldap
passwd sync = No
> ldap replication sleep = 1000
> ldap ssl = Start_tls
> ldap suffix > ldap timeout = 5
> ldap user suffix > passdb backend = ldapsam:ldap://192.168.5.15 
ldapsam:ldap://10.0.0.210
> security = user
> debug level = 5
> log level = 5
> 
> 
> my nsswitch.conf
> 
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Legal entries are:
> #
> #       compat                  Use compatibility setup
> #       nisplus                 Use NIS+ (NIS version 3)
> #       nis                     Use NIS (NIS version 2), also called YP
> #       dns                     Use DNS (Domain Name Service)
> #       files                   Use the local files
> #       [NOTFOUND=return]       Stop searching if not found so far
> #
> # For more information, please read the nsswitch.conf.5 manual page.
> #
> 
> # passwd: files nis
> # shadow: files nis
> # group:  files nis
> 
> passwd:       files ldap
> group:        files ldap
> shadow:       files
> 
> hosts:        files dns
> networks:     files dns
> 
> services:     files
> protocols:    files
> rpc:  files
> ethers:       files
> netmasks:     files
> netgroup:     files
> publickey:    files
> 
> bootparams:   files
> automount:    files nis
> aliases:      files
> 
> 
> my krb5.conf
> 
> [libdefaults]
> default_realm = mydomain.local
> clockskew = 300
> 
> [realms]
> mydomain.local = {
> kdc = (FQDN of AD Domain Controller)
> default_domain = mydomain.local
> admin_server = (FQDN of AD Domain Controller)
> }
> 
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
> 
> [domain_realm]
> .mydomain.local = mydomain.local
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> try_first_pass = true
> }
> 
> 
> my pam.d/login
> 
> #%PAM-1.0
> auth     required       pam_securetty.so
> auth     sufficient     pam_winbind.so use_first_pass_use_authtok
> auth     sufficient     pam_unix2.so
> auth   required       pam_stack.so use_first_pass
> auth     required       pam_nologin.so
> auth     required       pam_mail.so
> account  sufficient     pam_winbind.so use_first_pass use_authtok
> account  required       pam_stack.so service=system-auth
> account  sufficient     pam_unix2.so
> password sufficient     pam_winbind.so use_first_pass use_authtok
> password required       pam_pwcheck.so
> password sufficient     pam_unix2.so
> session  required       pam_stack.so service=system-auth
> session  optional       pam_console.so
> session  sufficient     pam_winbind.so use_first_pass use_authtok
> session  required       pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session  sufficient     pam_unix2.so
> session  required       pam_limits.so
> 
> and finally /etc/ldap.conf
> 
> #
> # This is the configuration file for the LDAP nameservice
> # switch library, the LDAP PAM module and the shadow package.
> #
> 
> # Your LDAP server. Must be resolvable without using LDAP.
> host 192.168.5.15 10.0.0.210
> 
> # The distinguished name of the search base.
> base dc=mydomain,dc=local
> 
> # The LDAP version to use (defaults to 3
> # if supported by client library)
> ldap_version 3
> 
> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> rootbinddn (DN of administrator)
> 
> # The credentials to bind with.
> # Optional: default is no credential.
> bindpw secret
> 
> # The distinguished name to bind to the server with
> # if the effective user ID is root. Password is
> # stored in /etc/ldap.secret (mode 600)
> rootbinddn (DN of administrator)
> 
> # The port.
> # Optional: default is 389.
> #port 389
> 
> # The search scope.
> #scope sub
> #scope one
> #scope base
> 
> # Search timelimit
> #timelimit 30
> 
> # Bind timelimit
> #bind_timelimit 30
> 
> # Idle timelimit; client will close connections
> # (nss_ldap only) if the server has not been contacted
> # for the number of seconds specified below.
> #idle_timelimit 3600
> 
> # Filter to AND with uid=%s
> #pam_filter objectclass=account
> 
> # The user ID attribute (defaults to uid)
> #pam_login_attribute uid
> 
> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> #pam_lookup_policy yes
> 
> # Check the 'host' attribute for access control
> # Default is no; if set to yes, and user has no
> # value for the host attribute, and pam_ldap is
> # configured for account management (authorization)
> # then the user will not be allowed to login.
> #pam_check_host_attr yes
> 
> # Group to enforce membership of
> #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
> 
> # Group member attribute
> #pam_member_attribute uniquemember
> 
> # Specify a minium or maximum UID number allowed
> #pam_min_uid 0
> #pam_max_uid 0
> 
> # Template login attribute, default template user
> # (can be overriden by value of former attribute
> # in user's entry)
> #pam_login_attribute userPrincipalName
> #pam_template_login_attribute uid
> #pam_template_login nobody
> 
> # Do not hash the password at all; presume
> # the directory server will do it, if
> # necessary. This is the default.
> #pam_password clear
> 
> # Hash password locally; required for University of
> # Michigan LDAP server, and works with Netscape
> # Directory Server if you're using the UNIX-Crypt
> # hash mechanism and not using the NT Synchronization
> # service.
> pam_password crypt
> 
> # Remove old password first, then update in
> # cleartext. Necessary for use with Novell
> # Directory Services (NDS)
> #pam_password nds
> 
> # Update Active Directory password, by
> # creating Unicode password and updating
> # unicodePwd attribute.
> #pam_password ad
> 
> # Use the OpenLDAP password change
> # extended operation to update the password.
> #pam_password exop
> 
> # Redirect users to a URL or somesuch on password
> # changes.
> #pam_password_prohibit_message Please visit http://internal to change your
> #password.
> 
> # RFC2307bis naming contexts
> # Syntax:
> # nss_base_XXX                base?scope?filter
> # where scope is {base,one,sub}
> # and filter is a filter to be &'d with the
> # default filter.
> # You can omit the suffix eg:
> # nss_base_passwd     ou=People,
> # to append the default base DN but this
> # may incur a small performance impact.
> #nss_base_passwd      ou=People,dc=padl,dc=com?one
> #nss_base_shadow      ou=People,dc=padl,dc=com?one
> #nss_base_group               ou=Group,dc=padl,dc=com?one
> #nss_base_hosts               ou=Hosts,dc=padl,dc=com?one
> #nss_base_services    ou=Services,dc=padl,dc=com?one
> #nss_base_networks    ou=Networks,dc=padl,dc=com?one
> #nss_base_protocols   ou=Protocols,dc=padl,dc=com?one
> #nss_base_rpc         ou=Rpc,dc=padl,dc=com?one
> #nss_base_ethers      ou=Ethers,dc=padl,dc=com?one
> #nss_base_netmasks    ou=Networks,dc=padl,dc=com?ne
> #nss_base_bootparams  ou=Ethers,dc=padl,dc=com?one
> #nss_base_aliases     ou=Aliases,dc=padl,dc=com?one
> #nss_base_netgroup    ou=Netgroup,dc=padl,dc=com?one
> 
> # attribute/objectclass mapping
> # Syntax:
> #nss_map_attribute    rfc2307attribute        mapped_attribute
> #nss_map_objectclass  rfc2307objectclass      mapped_objectclass
> 
> # configure --enable-nds is no longer supported.
> # For NDS now do:
> #nss_map_attribute uniqueMember member
> 
> # configure --enable-mssfu-schema is no longer supported.
> # For MSSFU now do:
> #nss_map_objectclass posixAccount User
> #nss_map_attribute uid msSFUName
> #nss_map_attribute uniqueMember posixMember
> #nss_map_attribute userPassword msSFUPassword
> #nss_map_attribute homeDirectory msSFUHomeDirectory
> #nss_map_objectclass posixGroup Group
> #pam_login_attribute msSFUName
> #pam_filter objectclass=User
> #pam_password ad
> 
> # configure --enable-authpassword is no longer supported
> # For authPassword support, now do:
> #nss_map_attribute userPassword authPassword
> #pam_password nds
> 
> # For IBM SecureWay support, do:
> #nss_map_objectclass posixAccount aixAccount
> #nss_map_attribute uid userName
> #nss_map_attribute gidNumber gid
> #nss_map_attribute uidNumber uid
> #nss_map_attribute userPassword passwordChar
> #nss_map_objectclass posixGroup aixAccessGroup
> #nss_map_attribute cn groupName
> #nss_map_attribute uniqueMember member
> #pam_login_attribute userName
> #pam_filter objectclass=aixAccount
> #pam_password clear
> 
> # Netscape SDK LDAPS
> #ssl on
> 
> # Netscape SDK SSL options
> #sslpath /etc/ssl/certs/cert7.db
> 
> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> ssl start_tls
> #ssl on
> 
> # OpenLDAP SSL options
> # Require and verify server certificate (yes/no)
> # Default is "no"
> #tls_checkpeer yes
> 
> # CA certificates for server certificate verification
> # At least one of these are required if tls_checkpeer is "yes"
> #tls_cacertfile /etc/ssl/ca.cert
> #tls_cacertdir /etc/ssl/certs
> 
> # SSL cipher suite
> # See man ciphers for syntax
> #tls_ciphers TLSv1
> 
> # Client certificate and key
> # Use these, if your server requires client authentication.
> #tls_cert
> #tls_key
> 
> 
> 
> Any Tips what I am missing out on ?????  I am trying to get authentication
> working with SAMBA through to AD
> 
> Regards
> 
> Pashii
> _____________________________________________________________________
> Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
> http://smartsurfer.web.de/?mc=100071&distributionid=000000000066
>