I'm trying to get AD authentication working on a RHEL 5.4 base system
I can wbinfo -[ug] and getent {passwd|group} with 3.0.33. Everything
appears to work just fine, except I could not actually authenticate...
I'd always get failed password. A lot of Googling turned up a bug that
indicated that it was impossible to get 3.0.33 to authenticate against a
W2K8 AD, so I installed 3.5.4. Same smb.conf, same krb5.conf... but I
cannot join the domain. net ads status works, but net ads join tells
me:
Failed to join domain: failed to lookup DC info for domain 'MY.DOMAIN'
over rpc: Invalid workstation
Googling that error leads to a very few responses, none of which help
me. What is the "invalid workstation", and how do I make it valid?
:-)
smb.conf:
[global]
workgroup = MY
password server = 192.168.2.22
realm = MY.DOMAIN
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
client ntlmv2 auth = yes
disable netbios = yes
smb ports = 445
winbind use default domain = yes
winbind offline logon = yes
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
passdb backend = tdbsam
krb5.conf:
[libdefaults]
default_realm = MY.DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MY.DOMAIN = {
kdc = ad1.my.domain:88
admin_server = ad1.my.domain:749
default_domain = my.domain
}
[domain_realm]
.my.domain = MY.DOMAIN
my.domain = MY.DOMAIN
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
--
John Oliver http://www.john-oliver.net/
On Thu, 2012-04-19 at 10:20 -0400, John Oliver wrote:
> I'm trying to get AD authentication working on a RHEL 5.4 base system
>
> I can wbinfo -[ug] and getent {passwd|group} with 3.0.33 Everything
> appears to work just fine, except I could not actually authenticate...
> I'd always get failed password. A lot of Googling turned up a bug that
> indicated that it was impossible to get 3.0.33 to authenticate against a
> W2K8 AD, so I installed 3.5.4 Same smb.conf, same krb5.conf... but I
> cannot join the domain. net ads status works, but net ads join tells
> me:
>

Your smb.conf is wrong, it needs to look something like the following. This is covered in the man pages these days.

# deal with NSS and the whole UID/SID id mapping stuff
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : readonly = yes
idmap config MYDOMAIN : range = 500 - 1999999
idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = false

You of course need to have the RFC2307 attributes populated in the AD for this to work, and a winbind entry in /etc/nsswitch and winbind running.

Note that you should upgrade to RHEL5.8 immediately and make sure that you have samba3x-3.5.10-0.108.el5_8 installed unless you want your box to be rooted by the first passer-by.

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
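An added check, not part of either message in this thread: a small Python script that parses the [global] section of an smb.conf (using the parameter-name normalisation Samba applies, assumed here) and flags the idmap points the reply makes, a domain with no idmap backend of its own and a domain range that overlaps the default one, run over constructed cut-downs of both configs above.

```python
import re
# Both configs are constructed from the text of the thread, not taken from a live system.
POSTER_CONF = """[global]
idmap uid = 10000-20000
idmap gid = 10000-20000
"""
REPLY_CONF = """[global]
# deal with NSS and the whole UID/SID id mapping stuff
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 500 - 1999999
"""

def parse_global(text):
    """Return [global] parameters, keys normalised the way Samba treats them
    (assumed): case-insensitive, whitespace collapsed, no spaces around ':'."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.strip().lower()))
            params[key] = val.strip()
    return params

def parse_range(value):
    """Parse 'low - high' (spaces optional) into a tuple; None if absent or malformed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", (value or "").strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_idmap(params, domain):
    """Flag what the reply points at: no per-domain idmap backend, a backend
    without a range, or a domain range overlapping the default 'idmap uid' range."""
    issues, dom = [], domain.lower()
    backend = params.get(f"idmap config {dom}:backend")
    dom_range = parse_range(params.get(f"idmap config {dom}:range"))
    default_range = parse_range(params.get("idmap uid"))
    if backend is None:
        issues.append(f"no 'idmap config {domain} : backend': ids fall back to the default backend")
    elif dom_range is None:
        issues.append(f"'idmap config {domain} : backend = {backend}' has no range")
    if default_range and dom_range and default_range[0] <= dom_range[1] and dom_range[0] <= default_range[1]:
        issues.append("domain idmap range overlaps the default idmap uid range")
    return issues
```

Samba rejects overlapping idmap ranges, so the overlap check is the one to run before editing a working config.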