samba - Dec 2016 - How to join join Ubuntu desktop to AD

On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
> On 10/12/2016 16:25, Brian Candler wrote:
>> I think there's plenty of emphasis now, but I think there is a part
>> which is misleading:
>>
>> > To enable Samba to retrieve user and group information from Active
>> Directory (AD):
>> >
>> > * Users must have at least the uidNumber and groups the gidNumber 
>> attribute set. 
>
> I'm so sorry: I misread this as "Users must have at least the 
> uidNumber and gidNumber attribute set", which is of course *not* what 
> it says.  Hence the text is accurate (if you read it correctly); it's 
> my brain which is at fault.
>
> I do still think that the alternative text I gave is clearer - for my 
> brain anyway :-)
>
> Regards,
>
> Brian.
>
>
OK finally solved. Added to my smb.conf

     'winbind use default domain = yes'

Disabling Avahi and using the above was the issue.  Next to attempt 
actually signing in from the login screen and not via. SSH.



-- 
- James

On 12/12/2016 3:27 PM, lingpanda101 wrote:
> On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
>> On 10/12/2016 16:25, Brian Candler wrote:
>>> I think there's plenty of emphasis now, but I think there is a
part
>>> which is misleading:
>>>
>>> > To enable Samba to retrieve user and group information from
Active
>>> Directory (AD):
>>> >
>>> > * Users must have at least the uidNumber and groups the
gidNumber
>>> attribute set. 
>>
>> I'm so sorry: I misread this as "Users must have at least the 
>> uidNumber and gidNumber attribute set", which is of course *not*
what
>> it says.  Hence the text is accurate (if you read it correctly);
it's
>> my brain which is at fault.
>>
>> I do still think that the alternative text I gave is clearer - for my 
>> brain anyway :-)
>>
>> Regards,
>>
>> Brian.
>>
>>
>
> OK finally solved. Added to my smb.conf
>
>     'winbind use default domain = yes'
>
> Disabling Avahi and using the above was the issue.  Next to attempt 
> actually signing in from the login screen and not via. SSH.
>
>
>
Following the wiki and I'm stuck at 'Authenticating Domain Users Using 
PAM'. I see the section

If you have compiled Samba, you need to add a symbolic links. 
Seepam_winbind Link 
<https://wiki.samba.org/index.php/Pam_winbind_Link>for OS specific 
information, where to place it.


If I follow the link it appears to take me to a page similar to 
'libnss_winbind' linking. I don't see any difference. I ran 
'pam-auth-update' and made sure to enable Winbind NT/Active Directory 
authentication. I did not manually edit pam config files. If I attempt 
to login with a domain account I get

user1 at DR210:/$ su domainuser

Password:

su: Authentication failure


Any ideas? Thanks.


-- 
- James

On Tue, 13 Dec 2016 14:57:59 -0500
lingpanda101 via samba <samba at lists.samba.org> wrote:
> On 12/12/2016 3:27 PM, lingpanda101 wrote:
> > On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
> >> On 10/12/2016 16:25, Brian Candler wrote:
> >>> I think there's plenty of emphasis now, but I think there
is a
> >>> part which is misleading:
> >>>
> >>> > To enable Samba to retrieve user and group information
from
> >>> > Active 
> >>> Directory (AD):
> >>> >
> >>> > * Users must have at least the uidNumber and groups the
> >>> > gidNumber 
> >>> attribute set. 
> >>
> >> I'm so sorry: I misread this as "Users must have at least
the
> >> uidNumber and gidNumber attribute set", which is of course
*not*
> >> what it says.  Hence the text is accurate (if you read it
> >> correctly); it's my brain which is at fault.
> >>
> >> I do still think that the alternative text I gave is clearer - for
> >> my brain anyway :-)
> >>
> >> Regards,
> >>
> >> Brian.
> >>
> >>
> >
> > OK finally solved. Added to my smb.conf
> >
> >     'winbind use default domain = yes'
> >
> > Disabling Avahi and using the above was the issue.  Next to attempt 
> > actually signing in from the login screen and not via. SSH.
> >
> >
> >
> 
> Following the wiki and I'm stuck at 'Authenticating Domain Users
> Using PAM'. I see the section
> 
> If you have compiled Samba, you need to add a symbolic links. 
> Seepam_winbind Link 
> <https://wiki.samba.org/index.php/Pam_winbind_Link>for OS specific 
> information, where to place it.
> 
> 
> If I follow the link it appears to take me to a page similar to 
> 'libnss_winbind' linking. I don't see any difference. I ran 
Give that man a prize, the only difference between the 'Libnss winbind
Links' page and the 'Pam winbind Link' page is the title, they both
refer to setting up the libnss_winbind lib

I will fix it, not sure how because the links should probably all be on
one page.
> 'pam-auth-update' and made sure to enable Winbind NT/Active
Directory
> authentication. I did not manually edit pam config files. If I
> attempt to login with a domain account I get
> 
> user1 at DR210:/$ su domainuser
> 
> Password:
> 
> su: Authentication failure
> 
> 
> Any ideas? Thanks.
> 
> 
You need three extra links:

ln -s /usr/local/samba/lib/libnss_wins.so.2 /lib/x86_64-linux-gnu/libnss_wins.so
ln -s /usr/local/samba/lib/libnss_wins.so.2
/lib/x86_64-linux-gnu/libnss_wins.so.2
ln
-s /usr/local/samba/lib/security/pam_winbind.so
/lib/x86_64-linux-gnu/security/pam_winbind.so

You also need a file /usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE
cached_login try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE
cached_login
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_winbind.so use_authtok try_first_pass
Password-Initial:
	[success=end default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional			pam_winbind.so

You will also need to install libpam-krb5

Finally check that the 'passwd' and 'group' lines in
/etc/nsswitch.conf
have 'winbind' in them.

Rowland