From: Karsten Römke on 3 Mar 2010 10:00 Walter Neu schrieb: > set the following in the [global] section and try again > > winbind enum users = yes > winbind enum groups = yes > > Hello, thanks for your hint, I have done that, I think I should post my smb.conf, the krb5.conf and the nsswitch.conf in some parts: smb.conf [global] workgroup = NT_TECHNOLOGIE #printing = cups #printcap name = cups #printcap cache time = 750 #cups options = raw map to guest = Bad User #logon path = \\%L\profiles\.msprofile #logon home = \\%L\%U\.9xprofile #logon drive = P: #usershare allow guests = No netbios name = www #passdb backend = smbpasswd wins server = hhbnt12.hhb.bonn.de wins support = No security = ads #zusaetzlich zu yast password server = hhbnt12.hhb.bonn.de client use spnego = yes realm = HHB.BONN.DE winbind separator = / winbind use default domain = Yes winbind enum groups = yes winbind enum users = yes log level = 0 passdb:3 auth:3 winbind nested groups = Yes template shell = /bin/bash #sehr unsicher: passdb backend = tdbsam idmap backend = ad [documentswrite] comment = Count Dooku inherit acls = No path = /srv/www/htdocs/documents read only = Yes valid users = roemke römke roemkea krb5.conf [libdefaults] # default_realm = EXAMPLE.COM default_realm = HHB.BONN.DE [realms] HHB.BONN.DE = { kdc = hhbnt12.hhb.bonn.de } #folgendes von prolinux [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } and parts from nsswitch.conf #passwd: compat winbind passwd: files winbind #group: files ldap winbind group: files winbind shadow: files winbind I have nothing done in /etc/pam.d/ - I don't want logins of Windows-Users. Karsten > > Karsten Römke schrieb: >> Hello, >> I have a problem in authentification vs ads. >> >> History: >> - Samba works as stand-alone server (non productive) >> - some experiments with connection to a ldap-Server running on another - >> machine. >> - Trying to join to Active Directory, since I have no success I >> deinstalled >> samba completely and reinstall it. >> >> Versions: >> >> OpenSuse 11.1 (actual apart from the kernel) >> Samba samba-3.2.7-11.4.1 >> winbind: samba-winbind-3.2.7-11.4.1 >> Windows 2003 Server with ADS >> >> I followed the artikel in >> http://www.pro-linux.de/NB3/artikel/2/1110/3,next.html >> (sorry it's german) and looked to the official samba howto. >> >> >> The following tests I have done: >> >> not sure: kinit, I set up /etc/krb5.conf >> >> (roemke is a local user and a user of ADS with >> admin rights) >> >> net ads join -S hhbnt12.hhb.bonn.de -Uroemke%xyz >> seems to work, Server says that I have joined the >> Domain but DNS update failed. >> >> test: >> www:/etc/samba # net ads testjoin >> Join is OK >> >> test: >> wbinfo -u >> -> shows all usernames on active directory but no machines >> as mentioned in the samba wiki >> >> www:/etc/samba # wbinfo -a roemkea%xyz >> plaintext password authentication succeeded >> challenge/response password authentication succeeded >> roemkea is a non local user, only available in the ads >> >> getent passwd >> shows only local users :-( >> >> I checked the nsswitch.conf and do symbolik links >> /lib/libnss_winbind ... >> >> >> I think at that point I could stop, bu I tested via smbclient: >> >> (roemkea is ADS User) >> smbclient //www/documentsWrite -Uroemkea >> -> NT_STATUS_ACCESS_DENIED >> Log-File: >> [2010/03/03 14:34:25, 3] auth/auth.c:check_ntlm_password(220) >> check_ntlm_password: Checking password for unmapped user >> [NT_TECHNOLOGIE]\[roemkea]@[WWW] with the new password interface >> [2010/03/03 14:34:25, 3] auth/auth.c:check_ntlm_password(223) >> check_ntlm_password: mapped user is: [NT_TECHNOLOGIE]\[roemkea]@[WWW] >> [2010/03/03 14:34:25, 2] auth/auth.c:check_ntlm_password(318) >> check_ntlm_password: Authentication for user [roemkea] -> [roemkea] >> FAILED with error NT_STATUS_NO_SUCH_USER >> >> with localuser roemke: >> NT_STATUS_ACCESS_DENIED >> but in the Log-File >> [2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(220) >> check_ntlm_password: Checking password for unmapped user >> [NT_TECHNOLOGIE]\[roemke]@[WWW] with the new password interface >> [2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(223) >> check_ntlm_password: mapped user is: [NT_TECHNOLOGIE]\[roemke]@[WWW] >> [2010/03/03 14:35:33, 3] auth/auth.c:check_ntlm_password(269) >> check_ntlm_password: winbind authentication for user [roemke] succeeded >> [2010/03/03 14:35:33, 2] auth/auth.c:check_ntlm_password(308) >> check_ntlm_password: authentication for user [roemke] -> [roemke] -> >> [roemke] succeeded >> >> I found no hint. >> It seems that for a local user winbind ask the ADS and get back that >> the authentification is ok, but I don't get access. >> For a non local user I get the Information that there is no such user. >> >> I don't understand what happens. >> >> Any help would be nice >> >> Karsten >> > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
From: Diego Zuccato on 4 Mar 2010 03:10 On 03/03/2010 15:51, Karsten Römke wrote: > Walter Neu schrieb: >> set the following in the [global] section and try again >> >> winbind enum users = yes >> winbind enum groups = yes Well, then maybe I start seeing where my problem could be: I have them both set to "no" (we have about 150K users in AD, and about 500K groups), but "usually" resolution works well. Just sometimes it seems there are problems with domain trust (a machine that worked stops resolving and the log says there are troubles acquiring a ticket -- other machines that were cloned from the same disk continue working without problems). -- Diego Zuccato Servizi Informatici Dip. di Astronomia - Università di Bologna Via Ranzani, 1 - 40126 Bologna - Italy tel.: +39 051 20 95786 mail: diego.zuccato(a)unibo.it -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
From: Karsten Römke on 4 Mar 2010 06:30 Hi Grant, < ... delete old text ... you wrote > Your join is just fine. That err is the same as happens when I join and > mine works excellently otherwise. The join is ok is the important part. > > There are various tests you can do to see if things are working: > KERBEROS > kinit usernamewithadminprivileges > like: > kinit karsten > should ask for a password works > > klist > should return a tciket cache for the user just authenticated > works > kdestroy > should make it so when you do klist agin there are no more tickets cached > works > LDAP I don't know. I'm confused, I thought I need winbind to connect to the windows server. I thought that my pam configuration maybe is wrong. So my question: Do I need winbind or ldap or both. There are any modification needed to my pam.d directory? I found a file named samba there. Thanks Karsten > use ldapsearch like: > > ldapsearch -x -D 'cn=yourldapuserthatyouusetoauthenticate,ou=veryspeicifou,ou=users,ou=yourou,dc=yourad,dc=yourdomain,dc=yourtld' -H ldaps://ldap.yourad.yourdomain.yourtld -W -b 'ou=yourou,dc=yourad,dc=yourdomain,dc=likecom' > > you don't have to be quite that specific but you get the idea. It > returns all the users in your ou. > > you need to set your /etc/ldap.conf and /etc/ldap/ladp.conf (might be > /etc/openldap/ldap.conf depending on your OS) > to look at the right places, fer instance: > > /etc/ldap.conf > ssl on > port 636 > ldap_version 3 > tls_checkpeer no > uri ldaps://ldap.yourldapurl > # limit the base to your departmental OU, wider scopes can affect the output time and entries to be displayed > binddn CN=yourkerberosldapaccount,OU=yourou,DC=AD,DC=yourdoain,DC=yourtld > #password for the AD user account used to bind to AD LDAP > bindpw yourldapuserpassword > base OU=yourou,DC=AD,DC=yourdoain,DC=yourtld > nss_map_objectclass posixAccount user > nss_map_objectclass shadowAccount user > nss_map_objectclass posixGroup group > nss_map_attribute uid sAMAccountName > nss_map_attribute uidNumber uidNumber > nss_map_attribute gidNumber gidNumber > nss_map_attribute cn sAMAccountName > nss_map_attribute homeDirectory unixHomeDirectory > nss_map_attribute uniqueMember member > nss_map_attribute loginShell loginShell > nss_map_attribute shadowLastChange pwdLastSet > pam_login_attribute sAMAccountName > pam_filter objectclass=user > > and fer the odder wun: > > #/etc/ldap/ldap.conf or /etc/openldap/ldap.conf on some OS > #Secure LDAP URI/Server > uri ldaps://ldap.yourldapurl > # restrict to your ou > BASE OU=yourou,DC=AD,DC=yourdoain,DC=yourtld > # set to the cn for the kerberos user used for authenticating > BINDDN cn=yourkerberosuser,OU=yourou,DC=AD,DC=yourdoain,DC=yourtld > # during testing switch off ssl cert checking, later you should install the certs from your ldap server and set this always > TLS_REQCERT never > > > > if those tests are working and you have set up the ldap conf files right > and nsswitch.conf as well you should get back the users/groups from > your ou when you do > getent passwd. > or getent group > > You might try nsswitch.conf settings like > passwd: files ldap > group: files ldap > shadow: files ldap > > > there's some description here: > http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss > but you might also google for more. > > Have fun! > > Grant -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
From: grant little on 5 Mar 2010 01:10 On Thu, Mar 4, 2010 at 7:59 AM, grant little <grantliddle(a)gmail.com> wrote: > > >> OOPS! I misread what you were trying to do. I thought you were using LDAP. > Sorry. Please ignore my message > > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
From: grant little on 5 Mar 2010 01:40 On Thu, Mar 4, 2010 at 8:13 AM, Karsten Römke <k.roemke(a)gmx.de> wrote: > grant little schrieb: > <snip/> > > OOPS! I misread what you were trying to do. I thought you were using > > LDAP. Sorry. Please ignore my message > > > Hi Grant, > I'm not sure if you misunderstand me. > As far as I know ADS is nothing else then LDAP. > So it is possible that I need LDAP to ask the win2003 server for > authentification. > I'm still unsure what my next steps should be. > Trying to add winbind to the pam-System, which I only understand at > the "surface" or trying to add ldap support. > Karsten > Hi Karsten, I have made samba with ads work on two servers here, one running centos 5.4 using samba 3.033 and the other ubuntu 9.10 server using samba 3.4.0. On each there is kerberos, ldap and winbind. I looked at the instructions that you used and they look as if they should work but I am now out of my depth. I have never made it work without ldap. I also had samba 3.5.0rc3 running on unbuntu 9.10 server with only kerberos and ldap, that was with no winbind. Note those all use ldap. I don't have personal experience authenticating without ldap. Here they do it without ldap: http://wiki.samba.org/index.php/Samba_&_Active_Directory so you might try there. Sorry I can't be more help for doing it without ldap, not my area of expertise. There's a good book on samba put out by OReilly called "Using Samba" Grant -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
|
Pages: 1 Prev: [Samba] unix exts / wide links / symlinks Next: [Samba] NTLM_AUTH windows 2008 server failure |