Lemire, David
2008-Feb-15 19:33 UTC
[Samba] CentOS 5 client in W2K3 AD Domain, getent only shows local info
I'm trying to integrate a Linux machine into our Win2K3 ADS-based network. The machine must primarily serve as a user workstation (i.e., a Samba Client), although it also needs to serve at least one share for backup purposes. I'd like to emulate the behavior of our WinXP machines in that any user in our small company can login to any computer in the domain based on network username/password.

I've been following the information in the "Samba3-By Example" guide (the on-line, PDF version, 28 Jan 2008), section 7.3.4. I've had success joining the network and accessing a share on a server, but then run into a snag where getent doesn't return equivalent information to wbinfo for users and groups. I've done scads of web searching, reading, tinkering with conf files, and have scanned about six months of this list's archive without finding a resolution, although my problem doesn't seem to be uncommon.

Before I post conf files with specifics I'd like to ask a couple of basic questions:

1) Need I care that getent won't return equivalent results as wbinfo? The guide describes this as "to validate the full identity resolution is functional as required", so I've been taking it as gospel that I shouldn't tackle PAM until getent works.

2) Active Directory Configuration: Is it a requirement that I either make configuration changes in AD or install Microsoft Services for UNIX to accomplish what I want? The By-Example guide seems to indicate that I don't have to (1st page of 7.3.4), but at least one write-up I've found on-line states that AD mods are necessary (<http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/>; it is from Dec 2005, so could be out-of-date?).

3) My software versions are:

* PDC and BDC are running Active Directory on Windows Server 2003 SP2
* Linux machine is running CentOS 5 with current updates
* Samba software is 3.0.25b (supplied w/CentOS)
* krb5 software is 1.6.1-17 (supplied w/CentOS)
* nss is 3.11.7 (supplied w/CentOS)
* nss_ldap is 253-5 (supplied w/CentOS)

Do I need to upgrade to newer versions? I've read of problems with Samba 3.0.23c on Red Hat, but nothing I've seen indicates a problem with 3.0.25b. If upgrading is recommended, I'd appreciate a pointer to an appropriate source of RPMs, as these are the newest versions in the CentOS Repositories, and I'm not too comfortable with building from source yet.

4) If nsswitch.conf is configured for winbind, do I need to worry at all about LDAP configuration?

5) I've seen mention about letter case being a problem in configuring Kerberos and Samba. On our AD server, the domain appears as "DOMAIN.local", with the letter case as shown, so the FQDN of the server is SERVER.DOMAIN.local. Is this somehow causing me a problem? In the krb5.conf and smb.conf files, I've identified the realm as DOMAIN.LOCAL.

6) One oddity: when I started working on this, after the machine joined the domain, wbinfo showed results as DOMAIN+username but somewhere along the line that changed to just the username. Is that indicative of something I've misconfigured?

Thanks for any insight. My gut tells me I'm not far off, but I've exceeded my "solve it myself" frustration level!

Dave Lemire
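A quick consistency check for question 1, added here as an example (it is not from the post or from the Samba project): it reads the nsswitch.conf sources for the passwd and group databases and lists the users that `wbinfo -u` knows but `getent passwd` does not return. The nsswitch.conf, wbinfo and getent contents are constructed samples, and the `+` separator and DOMAIN name are assumed from the post.

```python
"""Check that NSS (getent) sees the domain users that winbind (wbinfo) does."""
import re

# Constructed sample of /etc/nsswitch.conf: winbind is present for passwd but
# missing for group, so 'getent group' will only ever list local groups.
SAMPLE_NSSWITCH = """\
passwd:     files winbind
shadow:     files
group:      files
hosts:      files dns
"""

# Constructed 'wbinfo -u' output. Names carry a DOMAIN+ prefix unless smb.conf
# sets 'winbind use default domain = yes', which strips it.
SAMPLE_WBINFO_USERS = ["DOMAIN+dlemire", "DOMAIN+backup", "DOMAIN+jsmith"]

# Constructed 'getent passwd' output: only local accounts came back.
SAMPLE_GETENT_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "dave:x:500:500::/home/dave:/bin/bash",
]

def nss_sources(nsswitch_text, database):
    """Ordered source list for one NSS database such as 'passwd' or 'group'."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m and m.group(1) == database:
            return m.group(2).split()
    return []

def missing_winbind(nsswitch_text):
    """Databases without 'winbind', which therefore never show domain entries."""
    return [db for db in ("passwd", "group")
            if "winbind" not in nss_sources(nsswitch_text, db)]

def strip_domain(name, separator="+"):
    """'DOMAIN+user' -> 'user'; unchanged when no separator is present."""
    return name.split(separator, 1)[1] if separator in name else name

def users_not_in_nss(wbinfo_users, getent_lines, separator="+"):
    """Users wbinfo lists that getent passwd does not, in either name form."""
    nss_names = {l.split(":", 1)[0] for l in getent_lines if ":" in l}
    return sorted(u for u in wbinfo_users
                  if u not in nss_names
                  and strip_domain(u, separator) not in nss_names)
```

Run it against real output by replacing the three constructed samples with the contents of /etc/nsswitch.conf, `wbinfo -u` and `getent passwd`; an empty result for both functions is what the By-Example guide's "full identity resolution" check expects.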
Lemire, David
2008-Feb-19 14:03 UTC
[Samba] CentOS 5 client in W2K3 AD Domain, getent only shows local info
> Try comparing what you did to these articles. They worked very well for
> me on a W2K AD domain.
> To me, they're more easily understood than the official docs.
>
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1

They pretty much describe what I'd done to this point, +/- a couple of details (which I do realize may be important). One question they bring up for me is this: In describing krb5.conf, I've seen the [domain_realms] section shown two or three different ways:

[domain_realms]
.kerberos.server = DOMAIN.NET

[domain_realms]
.mydomain.domain = DOMAIN.NET

[domain_realms]
.mydomain.domain = DOMAIN.NET
mydomain.domain = DOMAIN.NET

The example on the MIT kerberos site would seem to indicate that the third one of those is right (see <http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#domain_005frealm>), but I've definitely seen both of the others used as example configurations.

The other thing I came across after posting my question to this list was an entry in Scott Lowe's blog about problems w/CentOS 5 and Active Directory integration <http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/>. OTOH, he was having problems getting the machine to join the domain, whereas my roadblocks are a step or two beyond that. Still, it makes me wonder if I shouldn't just one or more pieces of this puzzle (starting w/samba). I need to double-check my samba build includes the DOMAIN2HOSTLIST component; I can't check at the moment, but IIRC, that might not have been in the list when I checked before. Would missing that account for my winbind / getent disparity?

Dave

> Lemire, David wrote:
>> I'm trying to integrate a Linux machine into our Win2K3 ADS-based
>> network. The machine must primarily serve as a user workstation (i.e., a
>> Samba Client), although it also needs to serve at least one share for
>> backup purposes. I'd like to emulate the behavior of our WinXP machines
>> in that any user in our small company can login to any computer in the
>> domain based on network username/password.
>>
>> I've been following the information in the "Samba3-By Example" guide
>> (the on-line, PDF version, 28 Jan 2008), section 7.3.4. I've had success
>> joining the network and accessing a share on a server, but then run into
>> a snag where getent doesn't return equivalent information to wbinfo for
>> users and groups. I've done scads of web searching, reading, tinkering
>> with conf files, and have scanned about six months of this list's
>> archive without finding a resolution, although my problem doesn't seem
>> to be uncommon.
>>
>> Before I post conf files with specifics I'd like to ask a couple of
>> basic questions:
>>
>> 1) Need I care that getent won't return equivalent results as wbinfo?
>> The guide describes this as "to validate the full identity resolution is
>> functional as required", so I've been taking it as gospel that I
>> shouldn't tackle PAM until getent works.
>>
>> 2) Active Directory Configuration: Is it a requirement that I either
>> make configuration changes in AD or install Microsoft Services for UNIX
>> to accomplish what I want? The By-Example guide seems to indicate that I
>> don't have to (1st page of 7.3.4), but at least one write-up I've found
>> on-line states that AD mods are necessary
>> (<http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/>;
>> it is from Dec 2005, so could be out-of-date?).
>>
>> 3) My software versions are:
>>
>> * PDC and BDC are running Active Directory on Windows Server 2003 SP2
>> * Linux machine is running CentOS 5 with current updates
>> * Samba software is 3.0.25b (supplied w/CentOS)
>> * krb5 software is 1.6.1-17 (supplied w/CentOS)
>> * nss is 3.11.7 (supplied w/CentOS)
>> * nss_ldap is 253-5 (supplied w/CentOS)
>>
>> Do I need to upgrade to newer versions? I've read of problems with Samba
>> 3.0.23c on Red Hat, but nothing I've seen indicates a problem with
>> 3.0.25b. If upgrading is recommended, I'd appreciate a pointer to an
>> appropriate source of RPMs, as these are the newest versions in the
>> CentOS Repositories, and I'm not too comfortable with building from
>> source yet.
>>
>> 4) If nsswitch.conf is configured for winbind, do I need to worry at all
>> about LDAP configuration?
>>
>> 5) I've seen mention about letter case being a problem in configuring
>> Kerberos and Samba. On our AD server, the domain appears as
>> "DOMAIN.local", with the letter case as shown, so the FQDN of the server
>> is SERVER.DOMAIN.local. Is this somehow causing me a problem? In the
>> krb5.conf and smb.conf files, I've identified the realm as DOMAIN.LOCAL.
>>
>> 6) One oddity: when I started working on this, after the machine joined
>> the domain, wbinfo showed results as DOMAIN+username but somewhere along
>> the line that changed to just the username. Is that indicative of
>> something I've misconfigured?
>>
>> Thanks for any insight. My gut tells me I'm not far off, but I've
>> exceeded my "solve it myself" frustration level!
>>
>> Dave Lemire
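To show why the second and third [domain_realm] variants quoted in this thread behave differently, here is an added example (not from the post, the Samba project or the MIT docs) that parses that section and applies the MIT krb5 lookup rule: an exact hostname entry wins, otherwise the longest parent domain written with a leading dot. The names mydomain.domain and DOMAIN.NET are taken from the variants above; the krb5.conf text is constructed.

```python
"""Resolve a host's Kerberos realm from the [domain_realm] section of krb5.conf."""
import re

def parse_domain_realm(krb5_text):
    """Return {hostname or .suffix: REALM} taken from [domain_realm] only."""
    mapping, in_section = {}, False
    for raw in krb5_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            in_section = header.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping

def realm_for_host(mapping, hostname):
    """MIT lookup order: exact hostname, then '.parent' entries, longest first."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None  # unmapped: krb5 falls back to its other realm-discovery rules

# Constructed snippets for the second and third variants quoted in the post.
SUBDOMAINS_ONLY = """
[libdefaults]
    default_realm = DOMAIN.NET

[domain_realm]
    .mydomain.domain = DOMAIN.NET
"""
# The dotted entry covers hosts *under* the domain; the bare entry is needed
# for the domain name itself (e.g. a KDC reached as mydomain.domain).
SUBDOMAINS_AND_APEX = SUBDOMAINS_ONLY + "    mydomain.domain = DOMAIN.NET\n"
```

With only the dotted entry, server.mydomain.domain maps to DOMAIN.NET but mydomain.domain itself maps to nothing, which is why the MIT example lists both forms.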