Linux Addict wrote:
> Greetings!!!
>
> I am using samba 3.0.28 clients authenticating AD R2 with SFU 3.5. I
> have setup nss info to template, sfu get the uid, gid, home dir and
> shell from AD.
Whoa, slow down, you're getting all ahead of yourself. You seem to need
to pick a user authorization (passwd/group) method and a user
authentication method.
User authorization can be nss_ldap or samba+winbind or samba+ldap or
samba+ad (samba+ldap and samba+ad are really the same, but samba
uses ad extensions when storing the attributes).
I personally like samba+winbind because with RID mapping I no
longer have to worry about creating and maintaining UIDs and GIDs for
every Windows user and group, which is a big pain.
As far as authentication goes, there is pam_ldap, pam_winbind, samba
or kerberos.
If you are authenticating against a Windows AD domain I really don't see
any point to not using Kerberos. It is straightforward, easy to
set up, secure and provides single sign-on functionality. The others
require additional setup procedures and don't do single sign-on.
> The problem is it seems to be working for some time, and then it says
> could not get uid/gid pair. I am assuming some kind of caching is
> causing this.
It may be your initial setup.
> My understanding with SFU is that there won't be any mappings and the
> specific user will pull the uid, gid from AD Unix Attributes.
Managing UIDs and GIDs under SFU is a big PITA. I would only use it
under circumstances where winbind wasn't available, but even there
I would probably set up a Linux VM that would dump winbind RID
mappings into NIS maps and then use NIS to send them out.
> The winbindd-idmap file throws the following error.
>
> nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
> Could not get unix ID
Did you join the machine to the domain with a 'net ads join' ?
> This is testparm output.
>
> idmap backend = ad
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/bash
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = template, sfu
>
> Please, someone help me get all Linux clients to authenticate
> consistently from AD.
Make sure you have these installed:
samba-common
samba-client
cyrus-sasl-gssapi
libgssapi
cyrus-sasl-md5
cyrus-sasl-lib
cyrus-sasl
cyrus-sasl-gssapi
cyrus-sasl-ntlm
cyrus-sasl-plain
krb5-workstation
pam_krb5
krb5-libs
krb5-auth-dialog
Try this simple starting smb.conf:
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ads
password server = *
use kerberos keytab = yes
passdb backend = tdbsam
allow trusted domains = no
idmap backend = rid
idmap uid = 100000-199999
idmap gid = 100000-199999
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind enum groups = yes
winbind enum users = yes
name resolve order = wins bcast host
[homes]
comment = Home Directories
read only = no
browseable = no
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
browseable = no
And this simple krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
krb4_convert = false
}
[realms]
EXAMPLE.COM = {
kdc = example.com
admin_server = example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
Then make sure your nsswitch.conf has these defined:
passwd: files winbind
shadow: files
group: files winbind
And your /etc/pam.d/system-auth is similar to:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
The modules to pay attention to are pam_krb5.so and pam_mkhomedir.so.
Then your Windows users should be able to single sign-on to Linux and access
all the Windows shares and resources.
-Ross
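Added illustration (not code from Ross's message or from Samba): the arithmetic that the rid idmap backend performs for the `idmap uid = 100000-199999` range above, and the out-of-range case in which winbind has no Unix ID to hand back. It assumes Samba's default base_rid of 0 and uses a constructed domain SID.

```python
import re

# Constructed sample values (not from the thread): made-up domain SID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
IDMAP_RANGE_LINE = "idmap uid = 100000-199999"   # same range as Ross's smb.conf


def parse_idmap_range(line):
    """Parse an 'idmap uid = LOW-HIGH' (or gid) smb.conf line into (low, high)."""
    m = re.match(r"\s*idmap\s+(?:uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", line)
    if not m:
        raise ValueError("not an idmap range line: %r" % line)
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError("idmap range has low > high: %r" % line)
    return low, high


def split_sid(sid):
    """Split 'S-1-5-21-A-B-C-RID' into (domain SID, RID as int)."""
    m = re.match(r"^(S-1-5-21(?:-\d+){3})-(\d+)$", sid)
    if not m:
        raise ValueError("not a domain SID with a RID: %r" % sid)
    return m.group(1), int(m.group(2))


def rid_to_unix_id(sid, low, high, domain_sid=DOMAIN_SID, base_rid=0):
    """Map a SID to a Unix id the way idmap_rid does: id = RID - base_rid + low.

    Returns None when the SID belongs to another domain or the result falls
    outside [low, high]; that is the case where winbind cannot produce a uid/gid
    and the client sees errors like the 'Could not get unix ID' above.
    (Assumption: base_rid defaults to 0, as in Samba 3.)
    """
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None          # foreign SID: nothing to map with a single-domain range
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None          # RID too large for the configured range
    return unix_id


if __name__ == "__main__":
    low, high = parse_idmap_range(IDMAP_RANGE_LINE)
    for rid in (513, 1000, 150000):        # Domain Users, a typical user, an overflow
        sid = "%s-%d" % (DOMAIN_SID, rid)
        print(sid, "->", rid_to_unix_id(sid, low, high))
```

Because the mapping is pure arithmetic, every client that shares the same `idmap uid`/`idmap gid` range derives the same ids without any per-user attributes in AD.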