Hi, my name is Ben.T.George. I am new to Samba and Active Directory integration. My machine is Sun Solaris SPARC (Solaris 10). On the UNIX side, Samba and all its dependencies are installed from this link: http://www.sunfreeware.com/programlistsparc10.html#samba
Now I want to sync Samba with Active Directory, so please help me with this. Please provide me the step-by-step for this. Right now I am stuck with the Kerberos configuration, so please also provide me the step-by-step Kerberos configuration.
Thanks,
Ben.T.George
Hi Ben,
Which version of AD are you using? We had no luck integrating Solaris Samba w/ AD 2008 last year, and were forced to use a third-party authentication product called Centrify DirectControl to facilitate. This may have changed by now. Have you opened a support case with Oracle?
--Rob
Rob LaRose
systems administrator
imaginary forces | 530 west 25th st | new york city | p 646.486.6868 | f 646.486.4700 | www.imaginaryforces.com

From: Ben George <bentech4you at gmail.com>
Date: Wed, 29 Sep 2010 03:07:15 -0400
To: samba at lists.samba.org
Subject: [Samba] help with AD integration
Hi,
My name is Ben.T.George.
I followed this tutorial: http://www.edsiohio.com/images/advanced-AD-2009-05-18.pdf
My current status is: I successfully joined the AD.

bash-3.00# ./net ads join -U administrator
Enter administrator's password:
Using short domain name -- SRE
Joined 'SUN1' to realm 'sre.com'

and wbinfo shows the users and groups from the AD:

bash-3.00# ./wbinfo -u
SUN1+ramana
SUN1+user1
SUN1+ben
administrator
guest
support_388945a0
krbtgt
teju
ben
ramana

bash-3.00# ./wbinfo -g
helpservicesgroup
telnetclients
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
dnsadmins
dnsupdateproxy

Then I checked the AD; Sun1 is listed under the Computers tab.
That means my connection side is a success, no?

This is my smb.conf file:

# Samba config file created using SWAT
# from UNKNOWN (???^H)
# Date: 2010/09/29 17:37:34
[global]
workgroup = SRE
realm = SRE.COM
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind use default domain = Yes
[user1]
path = /export/home/user1
valid users = user1, ramana, teju
[ramana]
path = /export/home/ramana
valid users = ramana, teju
[teju]
path = /export/home/teju
valid users = teju
[ben]
path = /export/home/ben
valid users = ben
[user1]
path = /export/home/user1
valid users = ben, user1, ramana, teju

And the Kerberos file, krb5.conf:

[libdefaults]
dns_lookup_realm = false
default_realm = SRE.COM
ticket_lifetime = 600
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
#[kdc]
# profile = /krb5/var/krb5kdc/kdc.conf
[logging]
default = FILE:/usr/local/var/log/kdc.log
kdc = FILE:/usr/local/var/log/kdc.log
admin_server = FILE:/usr/local/var/log/adm.log
[realms]
SRE.COM = {
kdc = srec.sre.com:88
admin_server = srec.sre.com:749
# default_domain = SRE.COM
}
[domain_realm]
.sre.com = SRE.COM
sre.com = SRE.COM
[login]
krb4_convert = 0

My need is: suppose ben is a user common to UNIX and Windows. When I log in as ben through a Windows machine, I want to access the shared folder for ben on UNIX (without giving the password for ben).
Another thing is, when we change the password or username in Active Directory, it should also affect the same user on UNIX. That means, suppose I change the user ben to ben1, and the password; the changes must be written to the /etc/passwd and shadow files.
Is there any way to do this? I am a beginner at this, so please give me good advice.
Thanks
Ben.T.George
Hi Friends,
Please check my problem: http://bentgeorge.com/samba/
Thanks
Ben.T.George
According to your page, "getent passwd" is showing the domain users.
If you try to ssh into your linux machine as "ben", with the way nsswitch.conf is configured, it will try to authenticate you as the "ben" in /etc/passwd, not the one in the AD domain.
I suggest you try the following:
comment out "ben" from /etc/passwd and /etc/shadow.
Make sure that the /export/Home/ben directory is owned by the SRE+ben user. See if you can ssh into linux as "ben." (I think you can specify "ben" and not "SRE+ben" for the ssh user.) Keep an eye on the log files, e.g. in /var/samba/log or /var/log/samba.
You have still not clarified why nsswitch.conf has entries for ldap.
On 10/04/2010 05:17 AM, Ben George wrote:
> please check this link
> http://bentgeorge.com/samba/
> all are mentioned here
>
> Thanks
> Ben.T.George
>
> On Thu, Sep 30, 2010 at 10:16 PM, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
>
> Hi
>
> Please clarify the following
> - Did you run the "truss getent passwd" command and look for lines with nss_winbind- just in case it is looking for a file with a different version.
> - Why does nsswitch.conf have ldap references- are you using ldap?
>
> You should also look through the samba logs- it may provide some information.
>
> On 09/30/2010 12:14 PM, Ben George wrote:
>> Yes, the client has Solaris and a Windows XP machine under the AD domain.
>>
>> Yes, I exported the paths to the newly installed /usr/local/samba/lib.
>>
>> I am using the new packages and disabled the default packages.
>>
>> On Thu, Sep 30, 2010 at 6:16 PM, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
>>
>> So to clarify the customer has a Sun Solaris 10 UNIX machine and a Linux workstation?
>>
>> FOR SOLARIS
>>
>> I had problems with getting nsswitch+winbind working with the samba from sunfreeware- I had to recompile from scratch (major headache.) In hindsight this may not have been necessary for winbind- although I had to recompile anyway for ZFS support.
>>
>> On solaris, you should have a file called /usr/lib/nss_winbind.so.1 - which is the nsswitcher winbind library provided by the samba that sun bundles with solaris 10 (but this is samba 3.0.x and too old to be much use.)
>>
>> In /usr/local/samba/lib - do you see an nss_winbind.so.1 file? How is your PATH and LD_LIBRARY_PATH set- you want to make sure you are using the /usr/local/samba/bin and /usr/local/samba/lib first.
>>
>> If you run "truss getent passwd | tee log1.txt" you should see it looking for nss_winbind.so.1 - ideally it will look in /usr/local/samba/lib before /usr/lib. If it uses /usr/lib/nss_winbind.so.1 that will probably NOT work. You may want to rename that file just to make sure.
>>
>> On 09/30/2010 10:57 AM, Ben George wrote:
>>> Sun Solaris 10 (under SPARC)
>>>
>>> local users in /etc/passwd
>>>
>>> samba 3.4.2 from sunfreeware.com
>>>
>>> getent passwd
>>>
>>> ramana:x:100:1::/export/home/ramana:/bin/sh
>>> teju:x:101:1::/export/home/teju:/bin/sh
>>> user1:x:102:1::/export/home/user1:/bin/sh
>>> ben:x:103:1::/home/ben:/bin/sh
>>>
>>> like this
>>>
>>> Thanks
>>> Ben.T.George
>>>
>>> On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
>>>
>>> Then it sounds like you need the AD integration. If the users also log in to the linux workstation directly (or via ssh) then you will need to configure winbind and nsswitch to support unix logins.
>>>
>>> Why does nsswitch.conf include ldap? Is this the only linux/unix machine? Are local users in ldap or /etc/passwd?
>>>
>>> What version of samba? What version of linux?
>>>
>>> Ideally "getent passwd" would show something like
>>>
>>> ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/tcsh
>>>
>>> or
>>>
>>> SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash
>>>
>>> I don't think you need a huge amount of AD experience to make this work but I think you have to have a general understanding of what Windows domains are about.
>>>
>>> You should also review the smb.conf man page for the section on idmap_ad.
>>>
>>> On 09/30/2010 09:24 AM, Ben George wrote:
>>>> Thanks for your reply..
>>>>
>>>> Yes, my client told me like this, that's why.. and the manager gave that work to me, the newly joined one.. :(
>>>>
>>>> I don't have any AD or core unix experience.. I have only experience in linux, not much.
>>>>
>>>> This project may affect my job.. :(
>>>>
>>>> my nsswitch.conf
>>>>
>>>> passwd: files ldap winbind
>>>> group: files ldap winbind
>>>> hosts: dns files
>>>> ipnodes: dns files
>>>>
>>>> "nsswitch+winbind (which I do) or the smb pam module"..? :(
>>>>
>>>> I don't know.. my client's need is: he has a linux machine, also an ADS. From the unix machine, he wants to share secure folders to the AD users, so each user can only access that particular shared folder. When the password of a user is changed in AD, that will affect the smbpassword.. meaning without changing that particular user's smb password on the unix machine..
>>>>
>>>> For this need, which method is useful, from your experience?
>>>>
>>>> "Does "getent passwd" show the windows users?"
>>>>
>>>> please check the output.. I think getent passwd only shows unix system passwords
>>>>
>>>> bash-3.00# getent passwd
>>>> root:x:0:0:Super-User:/:/sbin/sh
>>>> daemon:x:1:1::/:
>>>> bin:x:2:2::/usr/bin:
>>>> sys:x:3:3::/:
>>>> adm:x:4:4:Admin:/var/adm:
>>>> lp:x:71:8:Line Printer Admin:/usr/spool/lp:
>>>> uucp:x:5:5:uucp Admin:/usr/lib/uucp:
>>>> nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
>>>> smmsp:x:25:25:SendMail Message Submission Program:/:
>>>> listen:x:37:4:Network Admin:/usr/net/nls:
>>>> gdm:x:50:50:GDM Reserved UID:/:
>>>> webservd:x:80:80:WebServer Reserved UID:/:
>>>> postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
>>>> svctag:x:95:12:Service Tag UID:/:
>>>> nobody:x:60001:60001:NFS Anonymous Access User:/:
>>>> noaccess:x:60002:60002:No Access User:/:
>>>> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
>>>> ramana:x:100:1::/export/home/ramana:/bin/sh
>>>> teju:x:101:1::/export/home/teju:/bin/sh
>>>> user1:x:102:1::/export/home/user1:/bin/sh
>>>> ben:x:103:1::/home/ben:/bin/sh
>>>>
>>>> "you already have a "unix" ben and a "ADS" ben defined?"
>>>>
>>>> Yes, I defined the ben user in Unix and ADS, because I don't have much knowledge about that, sorry.
>>>>
>>>> Hope you will help me
>>>> Thanks
>>>> Ben.T.George
>>>>
>>>> On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
>>>>
>>>> disclaimer: I don't use Samba as an ADS member server. I use samba as PDC with trusts to an ADS domain. So my observations may not be valid.
>>>>
>>>> Did you try updating nsswitch.conf
>>>>
>>>> passwd: files winbind
>>>> group: files winbind
>>>>
>>>> If you are using a Windows domain and have a user defined in the domain, you generally don't want to add the user as a local user. Since the underlying unix OS needs to know about the domain users you need to either use nsswitch+winbind (which I do) or the smb pam module (which I don't use, and not sure if it really is the correct approach.)
>>>>
>>>> If you use nsswitch.conf+winbind you can then also OPTIONALLY allow "windows" users "unix" access like ssh. My samba server is a PDC- I have a domain trust with windows domains BUT the default shell is "/bin/false." (It is still a little flaky...)
>>>>
>>>> Does "getent passwd" show the windows users? It should show something like
>>>>
>>>> ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>>>>
>>>> or
>>>>
>>>> SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>>>>
>>>> It looks like you already have a "unix" ben and a "ADS" ben defined?
>>>>
>>>> "wbinfo -s" and "wbinfo -n" are also useful for making sure that the name-to-sid and sid-to-name mappings are correct for domain users.
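A small shell check, added here as an example and not part of the thread or of Samba, that automates the two checks Gaiseric keeps returning to: the source order nsswitch.conf gives the passwd database (and the stray ldap entry), and which domain accounts are shadowed by a same-named local entry in /etc/passwd, as "ben" is above. The nsswitch.conf, passwd and "wbinfo -u" inputs are constructed copies of what Ben posted, written to a temporary directory so the script runs without a Solaris box or a domain.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread or from Samba. Inputs are
# constructed copies of the outputs quoted in the thread and are left in
# $TMP for inspection.
TMP=${TMPDIR:-/tmp}/nss_check.$$
mkdir -p "$TMP"

cat > "$TMP/nsswitch.conf" <<'EOF'
passwd: files ldap winbind
group: files ldap winbind
EOF
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
ramana:x:100:1::/export/home/ramana:/bin/sh
ben:x:103:1::/home/ben:/bin/sh
EOF
cat > "$TMP/wbinfo_u.txt" <<'EOF'
SUN1+ramana
SUN1+ben
administrator
ben
EOF

# Source list for the passwd database, e.g. "files ldap winbind".
passwd_sources() {
    awk -F: '$1 == "passwd" { sub(/^[[:space:]]+/, "", $2); print $2 }' "$1"
}

# Accounts present both in the local passwd file and in the domain
# (DOMAIN+ prefix stripped, matching "winbind use default domain"),
# one per line. With "files" first, these always resolve locally.
shadowed_users() {
    cut -d: -f1 "$1" | sort -u > "$TMP/local.txt"
    sed 's/^[^+]*+//' "$2" | sort -u > "$TMP/domain.txt"
    comm -12 "$TMP/local.txt" "$TMP/domain.txt"
}

srcs=$(passwd_sources "$TMP/nsswitch.conf")
echo "passwd lookup order: $srcs"
case "$srcs" in
    *ldap*) echo "ldap is listed; drop it unless an LDAP directory is really in use" ;;
esac
for u in $(shadowed_users "$TMP/passwd" "$TMP/wbinfo_u.txt"); do
    echo "conflict: '$u' is in /etc/passwd and in the domain;"
    echo "  logins use the local entry, so AD password changes never apply to it"
done
```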