samba - Feb 2008 - CentOS 5 client in W2K3 AD Domain, getent only shows local info

I'm trying to integrate a Linux machine into our
Win2K3 ADS-based network.  The machine must
primarily serve as a user workstation (i.e., a
Samba Client), although it also needs to serve at
least one share for backup purposes.  I'd like to
emulate the behavior of our WinXP machines in that
any user in our small company can login to any
computer in the domain based on network
username/password.

I've been following the information in the
"Samba3-By Example" guide (the on-line, PDF
version, 28 Jan 2008), section 7.3.4.  I've had
success joining the network and accessing a share
on a server, but then run into a snag where
getent doesn't return equivalent information to
wbinfo for users and groups. I've done scads of
web searching, reading, tinkering with conf files,
and have scanned about six months of this list's
archive without finding a resolution, although my
problem doesn't seem to be uncommon.  

Before I post conf files with specifics I'd like
to ask a couple of basic questions:

1) Need I care that getent won't return equivalent
results as wbinfo?  The guide describes this is
"to validate the full identity resolution is
functional as required", so I've been taking it as
gospel that I shouldn't tackle PAM until getent
works.

2) Active Directory Configuration:  Is it a
requirement that I either make configuration
changes in AD or install Microsoft Services for
UNIX to accomplish what I want?  The By-Example
guide seems to indicate that I don't have to (1st
page of 7.3.4), but at least one write-up I've
found on-line states that AD mods are necessary
(<http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-
details/>
it is from Dec 2005, so could be out-of-date?).

3) My software versions are:

*   PDC and BDC are running Active Directory on
          Windows Server 2003 SP2 
*   Linux machine is running CentOS 5 with current updates 
*   Samba software is 3.0.25b (supplied w/CentOS) 
*   krb5 software is 1.6.1-17 (supplied w/CentOS) 
*   nss is 3,11,7 (supplied w/CentOS) 
*   nss_ldap is 253- 5 (supplied w/CentOS)

Do I need to upgrade to newer versions?  I've read
of problems with Samba 3.0.23c on Red Hat, but
nothing I've seen indicates a problem with
3.0.25b.  If upgrading is recommended, I'd
appreciate a pointer to an appropriate source of
RPMs, as these are newest version in the CentOS
Repositories, and I'm not too comfortable with
building
>From source yet.
4)  If nsswitch.conf is configured for winbind, do
I need to worry at all about LDAP configuration?

5)  I've seen mention about letter case being a
problem in configuring Kerberos and Samba. On our
AD server, the domain appears as "DOMAIN.local",
with the letter case as shown, so the FQDN of the
server is SERVER.DOMAIN.local.  Is this somehow
causing me a problem?  In the krb5.conf  and
smb5.conf files, I've identified the realm as
DOMAIN.LOCAL.

6)  One oddity:  when I started working on this,
after the machine joined the domain, wbinfo showed
results as DOMAIN+username but somewhere along the
line that change to just the username.  Is that
indicative of something I've misconfigured?

Thanks for any insight.  My gut tells me I'm not
far off, but I've exceeded my "solve it myself"
frustration level!

Dave Lemire

> Try comparing what you did to these articles.  They worked very well for 
> me on a W2K AD domain.
> To me, they're more easily understood than the official docs.
> 
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1

They pretty much describe what I'd done to this point, +/- a couple of 
details (which I do realize may be important).  One question they bring 
up for me is this:  In describing krb5.conf, I've seen the 
[domain_realms] section shown two or three different ways:

  [domain_realms]
         .kerberos.server = DOMAIN.NET


  [domain_realms]
         .mydomain.domain = DOMAIN.NET


  [domain_realms]
         .mydomain.domain = DOMAIN.NET
         mydomain.domain = DOMAIN.NET

The example on MIT kerberos site would seem to indicate that the third 
one of those is right (see 
<http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#domain_005frealm>),
but I've definitely seen both of the others used as example configurations.


The other thing I came across after posting my question to this list was 
a entry in Scott Lowe's block about problems w/CentOS 5 and Active 
Directory integration 
<http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/>.
  OTOH, he was having problems getting the machine to join the domain, 
whereas my roadblocks are a step or two beyond that.  Still, it makes me 
wonder if I shouldn't just one or more pieces of this puzzle (starting 
w/samba).


I need to double-check my samba build include the DOMAIN2HOSTLIST 
component; I can't check at the moment, but IIRC, that might not have 
been in the list when I checked before.  Would missing that account for 
my winbind / getent disparity?

Dave





> 
> Lemire, David wrote:
>> I'm trying to integrate a Linux machine into our
>> Win2K3 ADS-based network.  The machine must
>> primarily serve as a user workstation (i.e., a
>> Samba Client), although it also needs to serve at
>> least one share for backup purposes.  I'd like to
>> emulate the behavior of our WinXP machines in that
>> any user in our small company can login to any
>> computer in the domain based on network
>> username/password.
>>
>> I've been following the information in the
>> "Samba3-By Example" guide (the on-line, PDF
>> version, 28 Jan 2008), section 7.3.4.  I've had
>> success joining the network and accessing a share
>> on a server, but then run into a snag where
>> getent doesn't return equivalent information to
>> wbinfo for users and groups. I've done scads of
>> web searching, reading, tinkering with conf files,
>> and have scanned about six months of this list's
>> archive without finding a resolution, although my
>> problem doesn't seem to be uncommon. 
>> Before I post conf files with specifics I'd like
>> to ask a couple of basic questions:
>>
>> 1) Need I care that getent won't return equivalent
>> results as wbinfo?  The guide describes this is
>> "to validate the full identity resolution is
>> functional as required", so I've been taking it as
>> gospel that I shouldn't tackle PAM until getent
>> works.
>>
>> 2) Active Directory Configuration:  Is it a
>> requirement that I either make configuration
>> changes in AD or install Microsoft Services for
>> UNIX to accomplish what I want?  The By-Example
>> guide seems to indicate that I don't have to (1st
>> page of 7.3.4), but at least one write-up I've
>> found on-line states that AD mods are necessary
>>
(<http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-
>> details/>
>> it is from Dec 2005, so could be out-of-date?).
>>
>> 3) My software versions are:
>>
>> *   PDC and BDC are running Active Directory on
>>           Windows Server 2003 SP2 *   Linux machine is running CentOS 
>> 5 with current updates *   Samba software is 3.0.25b (supplied 
>> w/CentOS) *   krb5 software is 1.6.1-17 (supplied w/CentOS) *   nss is 
>> 3,11,7 (supplied w/CentOS) *   nss_ldap is 253- 5 (supplied w/CentOS)
>>
>> Do I need to upgrade to newer versions?  I've read
>> of problems with Samba 3.0.23c on Red Hat, but
>> nothing I've seen indicates a problem with
>> 3.0.25b.  If upgrading is recommended, I'd
>> appreciate a pointer to an appropriate source of
>> RPMs, as these are newest version in the CentOS
>> Repositories, and I'm not too comfortable with building
>> >From source yet.
>>
>> 4)  If nsswitch.conf is configured for winbind, do
>> I need to worry at all about LDAP configuration?
>>
>> 5)  I've seen mention about letter case being a
>> problem in configuring Kerberos and Samba. On our
>> AD server, the domain appears as "DOMAIN.local",
>> with the letter case as shown, so the FQDN of the
>> server is SERVER.DOMAIN.local.  Is this somehow
>> causing me a problem?  In the krb5.conf  and
>> smb5.conf files, I've identified the realm as
>> DOMAIN.LOCAL.
>>
>> 6)  One oddity:  when I started working on this,
>> after the machine joined the domain, wbinfo showed
>> results as DOMAIN+username but somewhere along the
>> line that change to just the username.  Is that
>> indicative of something I've misconfigured?
>>
>> Thanks for any insight.  My gut tells me I'm not
>> far off, but I've exceeded my "solve it myself"
>> frustration level!
>>
>> Dave Lemire
>>