From: Karsten Römke on
Walter Neu wrote:
> set the following in the [global] section and try again
>
> winbind enum users = yes
> winbind enum groups = yes
>
>

Hello,
thanks for your hint, I have done that.
I think I should post parts of my smb.conf, krb5.conf
and nsswitch.conf:

smb.conf
[global]
workgroup = NT_TECHNOLOGIE
#printing = cups
#printcap name = cups
#printcap cache time = 750
#cups options = raw
map to guest = Bad User
#logon path = \\%L\profiles\.msprofile
#logon home = \\%L\%U\.9xprofile
#logon drive = P:
#usershare allow guests = No
netbios name = www
#passdb backend = smbpasswd
wins server = hhbnt12.hhb.bonn.de
wins support = No
security = ads

# in addition to what YaST wrote
password server = hhbnt12.hhb.bonn.de
client use spnego = yes
realm = HHB.BONN.DE
winbind separator = /
winbind use default domain = Yes
winbind enum groups = yes
winbind enum users = yes
log level = 0 passdb:3 auth:3

winbind nested groups = Yes
template shell = /bin/bash

# very unsure about this:
passdb backend = tdbsam
idmap backend = ad


[documentswrite]
comment = Count Dooku
inherit acls = No
path = /srv/www/htdocs/documents
read only = Yes
valid users = roemke römke roemkea


krb5.conf
[libdefaults]
# default_realm = EXAMPLE.COM
default_realm = HHB.BONN.DE

[realms]
HHB.BONN.DE = {
kdc = hhbnt12.hhb.bonn.de
}

# the following is from pro-linux
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}



and parts of nsswitch.conf
#passwd: compat winbind
passwd: files winbind
#group: files ldap winbind
group: files winbind
shadow: files winbind

I have done nothing in /etc/pam.d/ - I don't want logins by
Windows users.



Karsten


>
> Karsten Römke wrote:
>> Hello,
>> I have a problem with authentication against ADS.
>>
>> History:
>> - Samba works as a stand-alone server (non-productive)
>> - some experiments connecting to an LDAP server running on another
>> machine.
>> - Trying to join Active Directory; since I had no success I
>> uninstalled samba completely and reinstalled it.
>>
>> Versions:
>>
>> OpenSuse 11.1 (current apart from the kernel)
>> Samba samba-3.2.7-11.4.1
>> winbind: samba-winbind-3.2.7-11.4.1
>> Windows 2003 Server with ADS
>>
>> I followed the article at
>> http://www.pro-linux.de/NB3/artikel/2/1110/3,next.html
>> (sorry, it's German) and looked at the official Samba HOWTO.
>>
>>
>> I have done the following tests:
>>
>> not sure: kinit, I set up /etc/krb5.conf
>>
>> (roemke is a local user and a user of ADS with
>> admin rights)
>>
>> net ads join -S hhbnt12.hhb.bonn.de -Uroemke%xyz
>> seems to work; the server says that I have joined the
>> domain but the DNS update failed.
>>
>> test:
>> www:/etc/samba # net ads testjoin
>> Join is OK
>>
>> test:
>> wbinfo -u
>> -> shows all usernames in Active Directory but no machines,
>> as mentioned in the Samba wiki
>>
>> www:/etc/samba # wbinfo -a roemkea%xyz
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>> roemkea is a non-local user, only available in the ADS
>>
>> getent passwd
>> shows only local users :-(
>>
>> I checked nsswitch.conf and made symbolic links
>> /lib/libnss_winbind ...
>>
>>
>> I think at that point I could stop, but I tested via smbclient:
>>
>> (roemkea is ADS User)
>> smbclient //www/documentsWrite -Uroemkea
>> -> NT_STATUS_ACCESS_DENIED
>> Log-File:
>> [2010/03/03 14:34:25, 3] auth/auth.c:check_ntlm_password(220)
>> check_ntlm_password: Checking password for unmapped user
>> [NT_TECHNOLOGIE]\[roemkea]@[WWW] with the new password interface
>> [2010/03/03 14:34:25, 3] auth/auth.c:check_ntlm_password(223)
>> check_ntlm_password: mapped user is: [NT_TECHNOLOGIE]\[roemkea]@[WWW]
>> [2010/03/03 14:34:25, 2] auth/auth.c:check_ntlm_password(318)
>> check_ntlm_password: Authentication for user [roemkea] -> [roemkea]
>> FAILED with error NT_STATUS_NO_SUCH_USER
>>
>> with localuser roemke:
>> NT_STATUS_ACCESS_DENIED
>> but in the Log-File
>> [2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(220)
>> check_ntlm_password: Checking password for unmapped user
>> [NT_TECHNOLOGIE]\[roemke]@[WWW] with the new password interface
>> [2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(223)
>> check_ntlm_password: mapped user is: [NT_TECHNOLOGIE]\[roemke]@[WWW]
>> [2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(269)
>> check_ntlm_password: winbind authentication for user [roemke] succeeded
>> [2010/03/03 14:35:33, 2] auth/auth.c:check_ntlm_password(308)
>> check_ntlm_password: authentication for user [roemke] -> [roemke] ->
>> [roemke] succeeded
>>
>> I found no hint.
>> It seems that for a local user winbind asks the ADS and gets back that
>> the authentication is OK, but I don't get access.
>> For a non-local user I get the information that there is no such user.
>>
>> I don't understand what happens.
>>
>> Any help would be nice
>>
>> Karsten
>>
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
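The symptom pair above (an AD-only user fails with NT_STATUS_NO_SUCH_USER while `wbinfo -a` for the same user succeeds, and `getent passwd` shows only local users) is easier to reason about when the posted configuration and log lines are checked mechanically. The following is an added example, not code from the thread or from the Samba project: it parses the posted smb.conf and nsswitch.conf excerpts (reconstructed inline, comments dropped) and the `check_ntlm_password` log lines, and reports the settings a practitioner would look at first. The rule about `idmap backend = ad` is my own reading of how the idmap_ad module works in Samba 3.x (it reads uidNumber/gidNumber from AD); everything else it prints is derived from the text as posted.

```python
"""Sanity checks for a Samba 3.x AD member server, run over the smb.conf,
nsswitch.conf and log excerpts posted in this thread.  Added example, not
code from the thread or from the Samba project; the rules below are my own
reading of winbind/idmap_ad behaviour and of the NT_STATUS codes in the log."""
import re

# Constructed input: the posted [global] and share sections, comments dropped.
SMB_CONF = """
[global]
workgroup = NT_TECHNOLOGIE
security = ads
realm = HHB.BONN.DE
winbind separator = /
winbind use default domain = Yes
winbind enum users = yes
winbind enum groups = yes
passdb backend = tdbsam
idmap backend = ad

[documentswrite]
path = /srv/www/htdocs/documents
read only = Yes
valid users = roemke römke roemkea
"""

NSSWITCH_CONF = """
passwd: files winbind
group: files winbind
shadow: files winbind
"""

# Constructed: the auth:3 lines quoted in the first post, one per line.
SAMBA_LOG = """\
check_ntlm_password: Authentication for user [roemkea] -> [roemkea] FAILED with error NT_STATUS_NO_SUCH_USER
check_ntlm_password: winbind authentication for user [roemke] succeeded
check_ntlm_password: authentication for user [roemke] -> [roemke] -> [roemke] succeeded
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, runs of blanks squeezed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line[0] == '[' and line[-1] == ']':
            current = line[1:-1].lower()
            sections[current] = {}
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            sections[current][' '.join(key.lower().split())] = value.strip()
    return sections


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf."""
    out = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if ':' in line:
            db, sources = line.split(':', 1)
            out[db.strip()] = sources.split()
    return out


def is_yes(value):
    return value.strip().lower() in ('yes', 'true', '1')


def check_member_config(smb, nss):
    """Return findings for a 'security = ads' member server; empty means nothing flagged."""
    g = smb.get('global', {})
    findings = []
    if g.get('security', '').lower() != 'ads':
        findings.append('security != ads: Kerberos/AD member mode is off')
    if g.get('idmap backend', '').lower() == 'ad':
        findings.append('idmap backend = ad: winbind takes uidNumber/gidNumber from AD; '
                        'accounts without them get no Unix identity, so they never show up '
                        'in getent and smbd answers NT_STATUS_NO_SUCH_USER for them')
    for db in ('passwd', 'group'):
        if 'winbind' not in nss.get(db, []):
            findings.append(f'nsswitch: {db} does not list winbind')
    if is_yes(g.get('winbind enum users', 'no')) or is_yes(g.get('winbind enum groups', 'no')):
        findings.append('winbind enum users/groups = yes: every getent walks the whole domain; '
                        'costly in large domains and not needed for single-name lookups')
    sep = g.get('winbind separator', '\\')
    if not is_yes(g.get('winbind use default domain', 'no')):
        for name, section in smb.items():
            for user in section.get('valid users', '').split():
                if sep not in user and '+' not in user and '@' not in user:
                    findings.append(f'[{name}] valid users {user!r} has no domain prefix; without '
                                    '"winbind use default domain" it matches only a local account')
    return findings


LOG_RE = re.compile(r'user \[(?P<user>[^\]]+)\].*?'
                    r'(?P<result>succeeded|FAILED with error (?P<status>NT_STATUS_\w+))')


def classify_auth_log(text):
    """Map user -> 'OK' or the NT_STATUS_* code from check_ntlm_password lines."""
    outcome = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            outcome[m.group('user')] = 'OK' if m.group('result') == 'succeeded' else m.group('status')
    return outcome


if __name__ == '__main__':
    for finding in check_member_config(parse_smb_conf(SMB_CONF), parse_nsswitch(NSSWITCH_CONF)):
        print('CONFIG:', finding)
    for user, status in classify_auth_log(SAMBA_LOG).items():
        print(f'LOG: {user}: {status}')
```

Run against the posted excerpts it reports `roemkea: NT_STATUS_NO_SUCH_USER` and `roemke: OK` from the log, and flags `idmap backend = ad` and the enumeration settings from smb.conf; nsswitch.conf itself is fine. The practical follow-up on the box would be `wbinfo -i roemkea` (identity lookup, which goes through idmap) next to the already working `wbinfo -a` (authentication, which does not): if the first fails and the second succeeds, the gap is the Unix identity, not the Kerberos join.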
From: Diego Zuccato on
On 03/03/2010 15:51, Karsten Römke wrote:

> Walter Neu wrote:
>> set the following in the [global] section and try again
>>
>> winbind enum users = yes
>> winbind enum groups = yes
Well, then maybe I start seeing where my problem could be: I have them
both set to "no" (we have about 150K users in AD, and about 500K
groups), but "usually" resolution works well. Just sometimes it seems
there are problems with domain trust (a machine that worked stops
resolving and the log says there are troubles acquiring a ticket --
other machines that were cloned from the same disk continue working
without problems).

--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zuccato(a)unibo.it
From: Karsten Römke on
Hi Grant,
<... old text deleted ...>
you wrote:
> Your join is just fine. That err is the same as happens when I join and
> mine works excellently otherwise. The join is ok is the important part.
>
> There are various tests you can do to see if things are working:
> KERBEROS
> kinit usernamewithadminprivileges
> like:
> kinit karsten
> should ask for a password
works
>
> klist
> should return a ticket cache for the user just authenticated
>
works
> kdestroy
> should make it so when you do klist again there are no more tickets cached
>
works


> LDAP
I don't know.
I'm confused; I thought I need winbind to connect to the Windows server.
I thought that maybe my PAM configuration is wrong.

So my question: do I need winbind, LDAP or both?
Are there any modifications needed in my pam.d directory?
I found a file named samba there.

Thanks
Karsten

> use ldapsearch like:
>
> ldapsearch -x -D 'cn=yourldapuserthatyouusetoauthenticate,ou=veryspeicifou,ou=users,ou=yourou,dc=yourad,dc=yourdomain,dc=yourtld' -H ldaps://ldap.yourad.yourdomain.yourtld -W -b 'ou=yourou,dc=yourad,dc=yourdomain,dc=likecom'
>
> you don't have to be quite that specific but you get the idea. It
> returns all the users in your ou.
>
> you need to set your /etc/ldap.conf and /etc/ldap/ladp.conf (might be
> /etc/openldap/ldap.conf depending on your OS)
> to look at the right places, for instance:
>
> /etc/ldap.conf
> ssl on
> port 636
> ldap_version 3
> tls_checkpeer no
> uri ldaps://ldap.yourldapurl
> # limit the base to your departmental OU, wider scopes can affect the output time and entries to be displayed
> binddn CN=yourkerberosldapaccount,OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
> #password for the AD user account used to bind to AD LDAP
> bindpw yourldapuserpassword
> base OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_objectclass posixGroup group
> nss_map_attribute uid sAMAccountName
> nss_map_attribute uidNumber uidNumber
> nss_map_attribute gidNumber gidNumber
> nss_map_attribute cn sAMAccountName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute uniqueMember member
> nss_map_attribute loginShell loginShell
> nss_map_attribute shadowLastChange pwdLastSet
> pam_login_attribute sAMAccountName
> pam_filter objectclass=user
>
> and for the other one:
>
> #/etc/ldap/ldap.conf or /etc/openldap/ldap.conf on some OS
> #Secure LDAP URI/Server
> uri ldaps://ldap.yourldapurl
> # restrict to your ou
> BASE OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
> # set to the cn for the kerberos user used for authenticating
> BINDDN cn=yourkerberosuser,OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
> # during testing switch off ssl cert checking, later you should install the certs from your ldap server and set this always
> TLS_REQCERT never
>
>
>
> if those tests are working and you have set up the ldap conf files right
> and nsswitch.conf as well you should get back the users/groups from
> your ou when you do
> getent passwd.
> or getent group
>
> You might try nsswitch.conf settings like
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
>
> there's some description here:
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
> but you might also google for more.
>
> Have fun!
>
> Grant

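Two of the quoted settings deserve more than the "switch off during testing" remark they carry: `tls_checkpeer no` in the nss_ldap file and `TLS_REQCERT never` in the OpenLDAP client file both make the library accept any certificate on the LDAPS connection, so the `bindpw` stored in the same file is sent to whoever answers on port 636. The following is an added example, not from the thread: a small lint that parses the two quoted files (reconstructed inline, placeholders kept) and a hardened counterpart of the nss_ldap one. Directive names follow the nss_ldap and OpenLDAP `ldap.conf` man pages as I recall them (`tls_cacertfile`, `use_sasl`, `sasl_mech`; check your version), the CA path is an assumption, and only explicitly weak values are flagged, so an absent directive is not reported.

```python
"""Lint for the nss_ldap and OpenLDAP client settings quoted above, plus a
hardened counterpart.  Added example, not from the thread; directive names
follow the nss_ldap and OpenLDAP ldap.conf man pages and the CA path is an
assumption.  Only explicitly weak values are flagged."""

# Constructed: the two files as quoted in Grant's message, placeholders kept.
WEAK_NSS_LDAP_CONF = """
ssl on
port 636
ldap_version 3
tls_checkpeer no
uri ldaps://ldap.yourldapurl
binddn CN=yourkerberosldapaccount,OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
bindpw yourldapuserpassword
base OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
"""

WEAK_OPENLDAP_CONF = """
uri ldaps://ldap.yourldapurl
BASE OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
TLS_REQCERT never
"""

# Hardened counterpart (assumed CA path): verify the DC certificate against
# the AD CA and bind with Kerberos instead of a password kept in the file.
HARDENED_NSS_LDAP_CONF = """
ssl on
port 636
ldap_version 3
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ad-ca.pem
uri ldaps://ldap.yourldapurl
base OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
use_sasl on
sasl_mech GSSAPI
"""


def parse_ldap_conf(text):
    """Return {KEY: value}; keys upper-cased since both files treat them case-insensitively."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ''
    return conf


def lint_ldap_client(conf):
    """Return (setting, problem, fix) triples for settings that weaken the bind."""
    findings = []
    uri = conf.get('URI', '').lower()
    ssl = conf.get('SSL', '').lower()
    if not uri.startswith('ldaps://') and ssl not in ('on', 'start_tls'):
        findings.append(('uri/ssl', 'bind credentials and query results travel in cleartext',
                         'use an ldaps:// URI or "ssl start_tls"'))
    checkpeer = conf.get('TLS_CHECKPEER', '').lower()
    if checkpeer in ('no', 'false', 'off'):
        findings.append(('tls_checkpeer', 'server certificate is not verified, so anyone on the '
                         'path can impersonate the DC and collect the bind password',
                         'tls_checkpeer yes, with tls_cacertfile pointing at the AD CA'))
    elif checkpeer in ('yes', 'true', 'on') and not ({'TLS_CACERTFILE', 'TLS_CACERTDIR'} & set(conf)):
        findings.append(('tls_checkpeer', 'verification is on but no CA is configured, so every bind fails',
                         'add tls_cacertfile or tls_cacertdir'))
    if conf.get('TLS_REQCERT', '').lower() in ('never', 'allow'):
        findings.append(('TLS_REQCERT', 'the OpenLDAP library accepts an invalid or missing certificate',
                         'TLS_REQCERT demand, with TLS_CACERT pointing at the AD CA'))
    if 'BINDPW' in conf:
        findings.append(('bindpw', 'a reusable AD password sits in a file every NSS client must read',
                         'bind with GSSAPI (use_sasl on, sasl_mech GSSAPI) from a credential cache '
                         'obtained with the host keytab, or at least keep the file root-owned, mode 0600'))
    return findings


if __name__ == '__main__':
    for label, text in (('nss_ldap as quoted', WEAK_NSS_LDAP_CONF),
                        ('openldap as quoted', WEAK_OPENLDAP_CONF),
                        ('hardened nss_ldap', HARDENED_NSS_LDAP_CONF)):
        findings = lint_ldap_client(parse_ldap_conf(text))
        print(f'{label}: {len(findings)} finding(s)')
        for setting, problem, fix in findings:
            print(f'  {setting}: {problem}; fix: {fix}')
```

The quoted nss_ldap file yields two findings (`tls_checkpeer`, `bindpw`), the quoted OpenLDAP file one (`TLS_REQCERT`), and the hardened file none. Note that `tls_checkpeer yes` on its own is not enough: the CA that signed the DC certificate has to be configured as well, otherwise every bind fails verification, which is exactly the situation the "switch it off during testing" advice tends to paper over.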
From: grant little on
On Thu, Mar 4, 2010 at 7:59 AM, grant little <grantliddle(a)gmail.com> wrote:

> OOPS! I misread what you were trying to do. I thought you were using LDAP.
> Sorry. Please ignore my message
>
From: grant little on
On Thu, Mar 4, 2010 at 8:13 AM, Karsten Römke <k.roemke(a)gmx.de> wrote:

> grant little wrote:
> <snip/>



> > OOPS! I misread what you were trying to do. I thought you were using
> > LDAP. Sorry. Please ignore my message
> >
> Hi Grant,
> I'm not sure if you misunderstood me.
> As far as I know ADS is nothing else than LDAP.
> So it is possible that I need LDAP to ask the win2003 server for
> authentication.
> I'm still unsure what my next steps should be.
> Trying to add winbind to the pam-System, which I only understand at
> the "surface" or trying to add ldap support.
> Karsten
>

Hi Karsten,

I have made samba with ads work on two servers here, one running centos 5.4
using samba 3.0.33 and the other ubuntu 9.10 server using samba 3.4.0.
On each there is kerberos, ldap and winbind.
I looked at the instructions that you used and they look as if they should
work but I am now out of my depth. I have never made it work without ldap. I
also had samba 3.5.0rc3 running on ubuntu 9.10 server with only kerberos
and ldap, that was with no winbind.
Note those all use ldap. I don't have personal experience authenticating
without ldap.

Here they do it without ldap:
http://wiki.samba.org/index.php/Samba_&_Active_Directory
so you might try there.
Sorry I can't be more help for doing it without ldap, not my area of
expertise.
There's a good book on samba put out by O'Reilly called "Using Samba"
Grant