Hello,

I'm attempting to use samba winbind for ssh authentication for users in Active Directory. Things are mostly working, but I'm looking for two things:

1.) I currently have to authenticate as ADLOCAL+elijah at concordia.uchicago.edu. I would like to authenticate as elijah at concordia.uchicago.edu.

2.) I would like the uid of the elijah user to be pulled from an existing entry in /etc/passwd (or eventually ldap) instead of being generated by winbind.

==== Active Directory Structure ====

Groups, Computers, and administrative users are stored in the AD.UCHICAGO.EDU domain. Users are stored in the AD.LOCAL domain. There is a transitive trust between the two domains. I have an administrative account in AD.UCHICAGO.EDU, and a normal user account in AD.LOCAL. The samba server is joined to AD.UCHICAGO.EDU and cannot be joined directly to AD.LOCAL.

==== smb.conf ====

Samba is running on Red Hat Enterprise Linux 5.4. Samba is version 3.0.33-3.14 as packaged by Red Hat.

[global]
        workgroup = AD
        server string = Samba Server Version %v
        netbios name = concordia
        security = domain
        encrypt passwords = yes
        dns proxy = yes
        password server = ad1.ad.uchicago.edu
        winbind separator = +
        ;username map = /etc/samba/smbusers
        ;idmap uid = 15000-200000
        ;idmap gid = 15000-200000
        ;winbind enum users = yes
        ;winbind enum groups = yes
        template homedir = /home-ads/%U
        template shell = /bin/bash
        winbind use default domain = yes

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

==== krb5.conf ====

[libdefaults]
        default_realm = AD.UCHICAGO.EDU
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        forwardable = yes

[realms]
        AD.UCHICAGO.EDU = {
                admin_server = ad1.ad.uchicago.edu
                kdc = ad1.ad.uchicago.edu
        }
        AD.LOCAL = {
                admin_server = alfalfa.ad.local
                kdc = alfalfa.ad.local
        }

[domain_realm]
        .ad.uchicago.edu = AD.UCHICAGO.EDU
        .ad.local = AD.LOCAL

==== pam.d/system-auth ====

auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so nullok use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     sufficient    pam_winbind.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

========

I joined the domain by:

net rpc join -S ad1.ad.uchicago.edu -U _elijah

As I said, I can ssh in as ADLOCAL+elijah at concordia. I can also ssh in as _elijah at concordia (_elijah is the administrative account in AD.UCHICAGO.EDU). If I create a local account (e.g. in /etc/passwd) named ADLOCAL+elijah, I get that uid as the uid when I ssh in (instead of a uid that I believe was generated by idmap before I commented the idmap stuff out of smb.conf). I've tried changing the workgroup to ADLOCAL in smb.conf, but that doesn't work (I assume because the computer account is in AD).

Any idea how I can get users in ADLOCAL to login without the prefix and inherit a uid from passwd? I'm not concerned about username collisions between ADLOCAL and AD.UCHICAGO.EDU.

Thanks,
Elijah
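The post above shows two things interacting on one box: an idmap uid range in smb.conf and local /etc/passwd entries that are meant to supply uids for domain users. Before letting winbind hand out uids next to locally managed ones, it is worth checking that the two spaces do not overlap, and that no local account name contains the winbind separator (a local "ADLOCAL+elijah" is exactly the kind of entry that will shadow, or be shadowed by, the winbind-resolved name). The following script is an added example, not code from the post or from Samba: it parses an smb.conf fragment with Python's configparser, reads an idmap range, and audits constructed passwd lines for uid overlap and separator collisions. The smb.conf and passwd contents are constructed samples modelled on the post; the function names are this example's own.

```python
"""Audit a winbind setup for uid/name collisions between idmap and /etc/passwd.

Added example (not from the original post or from Samba). Parses an smb.conf
fragment and a passwd fragment, both embedded as constructed samples, and
reports local uids that fall inside the idmap range and local account names
that contain the winbind separator.
"""
import configparser
import re

# Constructed smb.conf fragment modelled on the post (idmap lines uncommented
# so the range is visible to the check). Not the live file.
SMB_CONF = """[global]
workgroup = AD
security = domain
winbind separator = +
idmap uid = 15000-200000
idmap gid = 15000-200000
template homedir = /home-ads/%U
template shell = /bin/bash
winbind use default domain = yes

[homes]
comment = Home Directories
browseable = no
writable = yes
"""

# Constructed passwd lines; uids and names are illustrative only.
PASSWD = """root:x:0:0:root:/root:/bin/bash
elijah:x:15001:15001::/home/elijah:/bin/bash
ADLOCAL+elijah:x:600:600::/home-ads/elijah:/bin/bash
svc-backup:x:15000:15000::/var/lib/backup:/sbin/nologin
"""


def parse_smb_conf(text):
    """smb.conf is INI-like: ';' and '#' start comments, values may contain %."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def idmap_range(cp, key="idmap uid"):
    """Return (low, high) for 'idmap uid = low-high', or None if the key is
    absent or commented out (as it is in the posted smb.conf)."""
    value = cp.get("global", key, fallback=None)
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"unparseable {key}: {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"{key} range is inverted: {value!r}")
    return low, high


def parse_passwd(text):
    """Return [(name, uid), ...] from passwd-format lines, skipping blanks."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields")
        users.append((fields[0], int(fields[2])))
    return users


def find_uid_overlaps(users, rng):
    """Local accounts whose uid lies inside the idmap allocation range."""
    if rng is None:
        return []
    low, high = rng
    return [name for name, uid in users if low <= uid <= high]


def find_separator_names(users, sep):
    """Local account names that look like DOMAIN<sep>user."""
    return [name for name, _ in users if sep in name]


def audit(smb_conf_text, passwd_text):
    cp = parse_smb_conf(smb_conf_text)
    # Samba's default separator is a backslash when the option is unset.
    sep = cp.get("global", "winbind separator", fallback="\\")
    rng = idmap_range(cp)
    users = parse_passwd(passwd_text)
    return {
        "idmap_uid_range": rng,
        "uid_overlaps": find_uid_overlaps(users, rng),
        "separator_names": find_separator_names(users, sep),
    }


if __name__ == "__main__":
    for key, value in audit(SMB_CONF, PASSWD).items():
        print(f"{key}: {value}")
```

Run against the constructed samples, the audit flags "elijah" and "svc-backup" as local uids inside the 15000-200000 idmap range, and "ADLOCAL+elijah" as a local name that carries the winbind separator. On a real host, feed it the actual smb.conf and the output of `getent passwd` rather than the embedded strings.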