Hi,

I compiled Samba 3.0.23d on a CentOS 4.4 machine. Then I configured /etc/krb5.conf for my domain. Was able to successfully run kinit and join my Windows 2003 domain with a net ads join. Net ads user and net ads group returns the users and the groups of the domain.

So far so good.

I'm kinda stuck on the next step. I would like to grant access to the share defined in smb.conf to anybody in the domain. How do I make it authenticate users on the domain instead of using the server?

Content of smb.conf:

[global]
    workgroup = BENCHCAN
    server string = Virtual Linux
    wins server = 192.168.64.20
    netbios name = BACKUP
    realm = BENCHMARKCANADA.COM
    password server = castor-srvr1.benchmarkcanada.com
    security = ADS

[share]
    path = /
    guest ok = no
    read only = no

Thanks!
Simon
> -----Original Message-----
> From: Simon Renshaw
> Sent: Friday, December 08, 2006 10:13 AM
>
> Hi,
>
> I compiled Samba 3.0.23d on a CentOS 4.4 machine. Then I configured
> /etc/krb5.conf for my domain. Was able to successfully run kinit and
> join my Windows 2003 domain with a net ads join. Net ads user and net
> ads group returns the users and the groups of the domain.
>
> So far so good.
>
> I'm kinda stuck on the next step. I would like to grant access to the
> share defined in smb.conf to anybody in the domain. How do I make it
> authenticate users on the domain instead of using the server?
>
> Content of smb.conf:
>
> [global]
>     workgroup = BENCHCAN
>     server string = Virtual Linux
>     wins server = 192.168.64.20
>     netbios name = BACKUP
>     realm = BENCHMARKCANADA.COM
>     password server = castor-srvr1.benchmarkcanada.com
>     security = ADS
>
> [share]
>     path = /
>     guest ok = no
>     read only = no
>
> Thanks!
> Simon

You need this in your global section:

    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    encrypt passwords = yes

And this in your share section:

    valid users = @"BENCHCAN\domain users"

Although this will give all your users access to / which doesn't seem like a good idea, but I assume this is just for testing.
Thanks for the reply. You are correct, I'm testing on a virtual machine. I modified smb.conf with the lines you said but when I try to access the share, I keep getting prompted for my user/pass.

Any idea?

Simon

-----Original Message-----
From: samba-bounces+simon=benchmarkconsulting.com@lists.samba.org [mailto:samba-bounces+simon=benchmarkconsulting.com@lists.samba.org] On Behalf Of James A. Dinkel
Sent: 8 December 2006 13:05
To: samba@lists.samba.org
Subject: RE: [Samba] AD integration checklist

> -----Original Message-----
> From: Simon Renshaw
> Sent: Friday, December 08, 2006 10:13 AM
>
> Hi,
>
> I compiled Samba 3.0.23d on a CentOS 4.4 machine. Then I configured
> /etc/krb5.conf for my domain. Was able to successfully run kinit and
> join my Windows 2003 domain with a net ads join. Net ads user and net
> ads group returns the users and the groups of the domain.
>
> So far so good.
>
> I'm kinda stuck on the next step. I would like to grant access to the
> share defined in smb.conf to anybody in the domain. How do I make it
> authenticate users on the domain instead of using the server?
>
> Content of smb.conf:
>
> [global]
>     workgroup = BENCHCAN
>     server string = Virtual Linux
>     wins server = 192.168.64.20
>     netbios name = BACKUP
>     realm = BENCHMARKCANADA.COM
>     password server = castor-srvr1.benchmarkcanada.com
>     security = ADS
>
> [share]
>     path = /
>     guest ok = no
>     read only = no
>
> Thanks!
> Simon

You need this in your global section:

    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    encrypt passwords = yes

And this in your share section:

    valid users = @"BENCHCAN\domain users"

Although this will give all your users access to / which doesn't seem like a good idea, but I assume this is just for testing.

--
To unsubscribe from this list go to the following URL and read the instructions: lists.samba.org/mailman/listinfo/samba
> -----Original Message-----
> From: Don Meyer
> Sent: Friday, December 08, 2006 2:12 PM
>
> Don't forget the necessary modifications to nsswitch.conf:
>
>     passwd: files winbind
>     shadow: files winbind
>     group:  files winbind
>
> Cheers,
> -Don

That's right. Although, I do not have winbind after the shadow directive, and I've never seen any documentation saying you need it, just after passwd and group.

Also, I believe this is also required in /etc/pam.d/samba:

    auth     required pam_winbind.so
    account  required pam_winbind.so

but I've never tried it without this.

James
On Fri, 2006-12-08 at 17:35 -0600, Don Meyer wrote:
> Interestingly, I've never modified my /etc/pam.d/samba -- mainly
> because I make the modifications in /etc/pam.d/system-auth, so the
> AD-based auth can take effect for all services.

Sorry I didn't realize this was about the samba pam conf file specifically, I'd say that for samba pam_winbindd is completely unnecessary, system-auth is the right place for general authentication.

> The one slight hiccup I am seeing is for console logins: locally
> defined users can log onto the console successfully -- if they use
> their AD password, they are accepted on the first password prompt.
>
> However, if they use their locally defined password (shadow) at the
> console, then they are subjected to a second password prompt each time
> -- and it doesn't matter whether they enter the local password
> correctly on the first prompt, it only matters on the second one. Is
> there something about my placement/ordering above that might be
> causing this?

Put the option use_first_pass on the second module in the stack, so that it doesn't ask for a new password, but try with the one provided to the first module.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
samba.org
> -----Original Message-----
> From: simo
> Sent: Friday, December 08, 2006 7:58 PM
>
> On Fri, 2006-12-08 at 17:35 -0600, Don Meyer wrote:
> > Interestingly, I've never modified my /etc/pam.d/samba -- mainly
> > because I make the modifications in /etc/pam.d/system-auth, so the
> > AD-based auth can take effect for all services.
>
> Sorry I didn't realize this was about the samba pam conf file
> specifically, I'd say that for samba pam_winbindd is completely
> unnecessary, system-auth is the right place for general authentication.
>
> Simo.

I don't want all authentication to be able to use winbind, just Samba. That is why I put it in /etc/pam.d/samba instead of /etc/pam.d/system-auth (which is referred to by /etc/pam.d/samba). But if I am understanding you, in order for the Samba file server to authenticate via winbind, I do NOT need pam_winbind in either /etc/pam.d/samba nor /etc/pam.d/system-auth?
I modified nsswitch.conf and I restarted winbind. Still cannot authenticate. Wbinfo -u does return the list of my domain users. I can also see the groups. I do not have a /etc/pam.d/samba file.

Any idea what I need to check next?

Thanks!
Simon

-----Original Message-----
From: samba-bounces+simon=benchmarkconsulting.com@lists.samba.org [mailto:samba-bounces+simon=benchmarkconsulting.com@lists.samba.org] On Behalf Of James A. Dinkel
Sent: 8 December 2006 16:24
To: samba@lists.samba.org
Subject: RE: [Samba] AD integration checklist

> -----Original Message-----
> From: Don Meyer
> Sent: Friday, December 08, 2006 2:12 PM
>
> Don't forget the necessary modifications to nsswitch.conf:
>
>     passwd: files winbind
>     shadow: files winbind
>     group:  files winbind
>
> Cheers,
> -Don

That's right. Although, I do not have winbind after the shadow directive, and I've never seen any documentation saying you need it, just after passwd and group.

Also, I believe this is also required in /etc/pam.d/samba:

    auth     required pam_winbind.so
    account  required pam_winbind.so

but I've never tried it without this.

James
Now if I run net ads user, I see the following error messages and then I see the list of users:

    [2006/12/11 13:36:24, 0] param/loadparm.c:map_parameter(2443)
      Unknown parameter encountered: "dmap uid"
    [2006/12/11 13:36:24, 0] param/loadparm.c:lp_do_parameter(3131)
      Ignoring unknown parameter "dmap uid"

?

Simon

-----Original Message-----
From: samba-bounces+simon=benchmarkconsulting.com@lists.samba.org [mailto:samba-bounces+simon=benchmarkconsulting.com@lists.samba.org] On Behalf Of Simon Renshaw
Sent: 11 December 2006 12:48
To: samba@lists.samba.org
Subject: RE: [Samba] AD integration checklist

I modified nsswitch.conf and I restarted winbind. Still cannot authenticate. Wbinfo -u does return the list of my domain users. I can also see the groups. I do not have a /etc/pam.d/samba file.

Any idea what I need to check next?

Thanks!
Simon

-----Original Message-----
From: samba-bounces+simon=benchmarkconsulting.com@lists.samba.org [mailto:samba-bounces+simon=benchmarkconsulting.com@lists.samba.org] On Behalf Of James A. Dinkel
Sent: 8 December 2006 16:24
To: samba@lists.samba.org
Subject: RE: [Samba] AD integration checklist

> -----Original Message-----
> From: Don Meyer
> Sent: Friday, December 08, 2006 2:12 PM
>
> Don't forget the necessary modifications to nsswitch.conf:
>
>     passwd: files winbind
>     shadow: files winbind
>     group:  files winbind
>
> Cheers,
> -Don

That's right. Although, I do not have winbind after the shadow directive, and I've never seen any documentation saying you need it, just after passwd and group.

Also, I believe this is also required in /etc/pam.d/samba:

    auth     required pam_winbind.so
    account  required pam_winbind.so

but I've never tried it without this.

James
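The "Unknown parameter encountered" lines above are Samba's loadparm silently dropping a misspelled "idmap uid", which leaves domain users with no uid mapping and explains the repeated password prompt. The following linter is an added example, not Samba's own code or testparm: it parses an smb.conf, flags parameter names Samba would ignore (suggesting the closest known one), and checks the ADS-member items from the thread. KNOWN_PARAMS is a constructed subset of the parameters named in this thread, not Samba's full table.

```python
import difflib
import re

# Constructed subset of parameter names used in this thread (assumption:
# Samba's real table is far larger; extend it from `testparm -s` output).
KNOWN_PARAMS = {
    "workgroup", "server string", "wins server", "netbios name", "realm",
    "password server", "security", "idmap uid", "idmap gid",
    "winbind enum users", "winbind enum groups", "encrypt passwords",
    "path", "guest ok", "read only", "valid users",
}
# Globals an ADS member needs before domain users can be mapped to uids/gids.
REQUIRED_GLOBAL = ("realm", "idmap uid", "idmap gid")


def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][" ".join(key.lower().split())] = value
    return sections


def lint(text):
    """Findings: unknown params (with closest match), unrestricted shares, missing ADS globals."""
    findings, conf = [], parse_smb_conf(text)
    for section, params in conf.items():
        for key in params:
            if key not in KNOWN_PARAMS:
                hint = difflib.get_close_matches(key, KNOWN_PARAMS, n=1)
                findings.append(f"[{section}] unknown parameter '{key}'"
                                + (f", did you mean '{hint[0]}'?" if hint else ""))
        if section != "global" and "valid users" not in params \
                and params.get("guest ok", "no").lower() == "no":
            findings.append(f"[{section}] has no 'valid users', so no domain "
                            "user or group is granted access")
    g = conf.get("global", {})
    if g.get("security", "").lower() == "ads":
        for key in REQUIRED_GLOBAL:
            if key not in g:
                findings.append(f"[global] security = ADS but '{key}' is unset")
    return findings
```

Run `lint(open("/etc/smb.conf").read())` after editing; an empty list means every name is known and the ADS checklist items are present.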