LinuxQuestions.org
Old 12-13-2006, 05:06 AM   #1
mhs
LQ Newbie
 
Registered: Dec 2006
Posts: 2

Rep: Reputation: 0
Major winbind problems in Ubuntu Dapper (authenticating with FC5 Samba LDAP PDC)


Hello!

Setting:
Samba PDC with LDAP-backend. Fedora Core 5. Authenticating many W2K & XP workstations (as NT Domain members), lots of users and also other stuff (using LDAP backend directly) with no problems. Also serving files and printers.

Problem:
Experimenting with using Linux workstation in the mix.
Using Ubuntu 6.06 LTS, it is really easy to set up in a simple configuration, but proper Samba PDC interoperability is a major pain in the back.

I am able to join the Ubuntu client to the domain, and see all shares and connect to a printer. However, I REALLY need to authenticate the domain user right at the X login, and not every time I try to access shares, imap or whatever. So I want it to be just like logging in to a real NT domain using any workstation.

So I need winbind, right? This was also very easy to set up when I did it way back in a real NT domain, using an FC3 machine as a client. Set up smb.conf, ran authconfig and that was it. But I cannot get this to work in Ubuntu using the Samba LDAP PDC as the NT domain, no matter what I do.

I have basically followed these instructions:

http://ubuntuforums.org/archive/index.php/t-5409.html

They make perfect sense to me, but getent passwd and getent groups show only client's local users and groups. wbinfo -g tells me there is an error looking up groups, which figures. Nothing appears in the log files. So, I've forgotten something, big deal.

But the weird thing is this:

"wbinfo -u" DOES show domain users. The listing itself is also a bit weird: sometimes the domain name is included, sometimes not. When the domain name is shown, the winbind separator is not respected, but there is always a letter w as a separator.

When I do "net groupmap list", the domain groups are shown, but the SID in them is the Ubuntu client's SID, and not the domain's. Also, they are mapped to group -1, and I cannot map them manually to locally created groups, because of the SID issue.

If I use the Samba PDC's LDAP backend directly, without winbind, user authentication works fine. I can see all the domain users and groups using getent, and I can log in as any of them using ssh or text console, and access all the samba resources as that user. But this setup does not allow gdm login! I get the error "user group not found".

So where should I look for clues on how to solve this?
I don't mind giving up winbind, and using ldap directly, but the optimal solution would be winbind just because it is driving me crazy that it worked so easily against real NT domain. I can't stand the idea that Linux-Windows interoperability is so easy, and Linux-Linux so difficult :-)

I have tried to avoid the most common pitfalls in setup as follows:
- nscd is NOT running on any machine that is running winbind
- I checked that all the names resolve fine and servers and clients all see each other.
- I have deleted the cache in /var/cache/samba, which just causes the domain name to briefly appear in the wbinfo -u listing, nothing else.
- winbind settings are exactly as stated in the URL above. I have experimented with explicitly stating the idmap backend as my ldap server (which is not in the instructions), but it makes no difference.
- Samba versions are the newest that come with the distributions: FC5 has 3.0.23, Ubuntu 3.0.14.

Any help would be greatly appreciated. Also, if I have explained this in too complicated manner or left out something vital, please let me know and I'll revise my question.

Cheers,

Mika
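A quick check for the two symptoms described in the post, added here as an example and not part of the original thread: it parses the `name (SID) -> unixgroup` lines that `net groupmap list` prints and flags entries whose SID prefix is not the PDC's domain SID or that are still mapped to -1, and it lists `wbinfo -u`/`wbinfo -g` names that do not carry the expected `DOMAIN<separator>` prefix. The sample output, the SIDs, the domain name EXAMPLE and the assumption that the domain SID was read on the PDC with `net getlocalsid` are all constructed for this example.

```python
"""Sanity checks for winbind group mappings and name listings on a domain member.

Added example, not code from the original post. It assumes the line shape
"<group name> (<SID>) -> <unix group or -1>" that `net groupmap list` prints,
and takes the PDC's domain SID as input (on a Samba PDC, `net getlocalsid`
prints the domain SID). Every SID and name below is made up.
"""
import re

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # assumed PDC/domain SID
CLIENT_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # assumed client's own SID

# Constructed sample mirroring the symptom in the post: the well-known domain
# groups carry the client's SID prefix and are mapped to -1 (no unix group).
SAMPLE_GROUPMAP = f"""\
Domain Admins ({CLIENT_SID}-512) -> -1
Domain Users ({CLIENT_SID}-513) -> -1
Domain Guests ({DOMAIN_SID}-514) -> domguests
"""

# S-1-5-21-<a>-<b>-<c> is the domain part; the trailing RID names the group.
LINE_RE = re.compile(
    r"^(?P<name>.+?) \((?P<prefix>S-1-5-21(?:-\d+){3})-(?P<rid>\d+)\) -> (?P<unix>\S+)$"
)


def parse_groupmap(text):
    """Return one dict per recognised line; lines in another shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "name": m["name"],
                "prefix": m["prefix"],
                "rid": int(m["rid"]),
                "unix_group": m["unix"],
            })
    return entries


def check_groupmap(text, domain_sid):
    """Flag mappings whose SID prefix is not the domain's, or that map to -1.

    A foreign prefix means the mapping was created against the wrong SID
    (here the client's own), so winbind can never match it to domain groups.
    """
    problems = []
    for e in parse_groupmap(text):
        if e["prefix"] != domain_sid:
            problems.append((e["name"], f"SID prefix {e['prefix']} is not the domain SID"))
        if e["unix_group"] == "-1":
            problems.append((e["name"], "not mapped to any unix group"))
    return problems


def check_winbind_names(names, domain, separator="\\"):
    """Return names from `wbinfo -u`/`wbinfo -g` not in DOMAIN<separator>name form.

    Only meaningful with "winbind use default domain = no"; with "yes" the
    prefix is legitimately absent. `separator` is the smb.conf
    "winbind separator" value (the default is a backslash).
    """
    expected = domain + separator
    return [n for n in names if not n.startswith(expected)]


if __name__ == "__main__":
    for name, why in check_groupmap(SAMPLE_GROUPMAP, DOMAIN_SID):
        print(f"{name}: {why}")
    # constructed listing: one correct entry, one wrong separator, one bare name
    print(check_winbind_names(["EXAMPLE\\mika", "EXAMPLE+bob", "alice"], "EXAMPLE"))
```

Run against real output with `net groupmap list | python3 check.py`-style plumbing once the functions are read from stdin; the point of the domain-SID comparison is that a groupmap entry carrying the client's SID prefix can never be resolved by winbind, however the unix side is mapped.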
 
Old 12-19-2006, 10:37 PM   #2
Jaqui
Member
 
Registered: Jan 2006
Location: Vancouver BC
Distribution: LFS, SLak, Gentoo, Debian
Posts: 291

Rep: Reputation: 36
~blink~
You need to use a non-Linux protocol to connect a Linux system to a Linux server?
Why?
Why not just have it use NFS?
[ far easier, and more secure, capable and reliable ]
 
Old 12-21-2006, 06:01 PM   #3
xjlittle
Member
 
Registered: Aug 2003
Location: Indiana
Distribution: fc6 sles9 & 10 kubuntu ubuntu-server
Posts: 240
Blog Entries: 2

Rep: Reputation: 30
Hopefully not so major :-) What you are looking for is system authentication against your OpenLDAP server. This requires three configuration files: /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth. Most likely you already have the first two configured since you have already set up the Samba PDC. If not, you can use the ones from the PDC; just make adjustments in the /etc/ldap.conf file.

Now for the pam file, it should look something like this:
Code:
# On Ubuntu/Debian these four stanzas live in /etc/pam.d/common-auth,
# common-account, common-password and common-session (included by the
# service files such as gdm), not in /etc/pam.d/system-auth as on Fedora.

# auth: try the local account first, then LDAP with the same password.
# "sufficient" stops the stack at the first module that succeeds.
auth       required     pam_env.so
# nullok lets a local account with an empty password field log in; drop it
# on a workstation that must never accept empty passwords.
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

# account: a user known to either source passes, one known to neither is denied.
account    sufficient   pam_unix.so
account    sufficient   pam_ldap.so
account    required     pam_ldap.so

# password: quality check, then update whichever backend holds the account.
# Positive dcredit/ocredit values are maximum credits towards minlen, not a
# required number of digits or symbols.
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_first_pass
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so
This should look to the nsswitch.conf and ldap.conf to locate the ldap server and find the user.

There also should be some documentation under /usr/share/doc/

Use
Code:
 locate ldap
to find where it is.

hth

Last edited by xjlittle; 12-21-2006 at 06:03 PM.
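To show why the auth and account stanzas in the reply above behave as described, here is a small model of how Linux-PAM walks a stack, added as an example and not part of the reply or of any PAM implementation: the control keywords are mapped to actions the way pam.conf(5) defines the four classic keywords, and stand-in functions play pam_unix, pam_ldap and pam_deny against made-up local and LDAP user tables. The module behaviour, user names and passwords are assumptions for the example.

```python
"""Model of how Linux-PAM evaluates an auth/account stack like the one posted.

Constructed example: the module functions are stand-ins for pam_unix,
pam_ldap and pam_deny, and the user tables are made up. The control-flag
semantics follow pam.conf(5):
  required   success=ok   ignore=ignore default=bad
  requisite  success=ok   ignore=ignore default=die
  sufficient success=done default=ignore
  optional   success=ok   default=ignore
"""

CONTROLS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

# Made-up account tables standing in for /etc/shadow and the LDAP directory.
LOCAL_USERS = {"root": "local-secret"}
LDAP_USERS = {"mika": "ldap-secret"}


def run_stack(stack, ctx):
    """Walk a [(control, module), ...] list the way libpam's dispatcher does.

    Returns ("success" | "fail", trace); trace lists (module, return, action).
    """
    impression = None  # None = undefined, then "ok" or "bad"
    trace = []
    for control, module in stack:
        ret = module(ctx)
        rule = CONTROLS[control]
        action = rule.get(ret, rule["default"])
        trace.append((module.__name__, ret, action))
        if action in ("ok", "done"):
            if impression is None:
                impression = "ok"
            if impression == "ok" and action == "done":
                return "success", trace      # sufficient: stop early
        elif action in ("bad", "die"):
            impression = "bad"               # first failure sticks
            if action == "die":
                return "fail", trace         # requisite: stop early
        # "ignore": the module's result does not count
    # a stack in which nothing counted denies, as libpam does
    return ("success" if impression == "ok" else "fail"), trace


# --- stand-in modules -------------------------------------------------------
def pam_env(ctx):
    return "success"

def pam_unix(ctx):
    pw = LOCAL_USERS.get(ctx["user"])
    if pw is None:
        return "user_unknown"
    return "success" if pw == ctx["password"] else "auth_err"

def pam_ldap(ctx):
    # use_first_pass: reuse the password pam_unix already prompted for
    pw = LDAP_USERS.get(ctx["user"])
    if pw is None:
        return "user_unknown"
    return "success" if pw == ctx["password"] else "auth_err"

def pam_deny(ctx):
    return "perm_denied"

def pam_unix_account(ctx):
    return "success" if ctx["user"] in LOCAL_USERS else "user_unknown"

def pam_ldap_account(ctx):
    return "success" if ctx["user"] in LDAP_USERS else "user_unknown"


# The auth and account stacks in the same order as the posted configuration.
AUTH_STACK = [("required", pam_env), ("sufficient", pam_unix),
              ("sufficient", pam_ldap), ("required", pam_deny)]
ACCOUNT_STACK = [("sufficient", pam_unix_account),
                 ("sufficient", pam_ldap_account),
                 ("required", pam_ldap_account)]


def login(user, password):
    """Return True only if both the auth and the account phase succeed."""
    ctx = {"user": user, "password": password}
    auth, _ = run_stack(AUTH_STACK, ctx)
    if auth != "success":
        return False
    account, _ = run_stack(ACCOUNT_STACK, ctx)
    return account == "success"


if __name__ == "__main__":
    for user, pw in [("root", "local-secret"), ("mika", "ldap-secret"),
                     ("mika", "wrong"), ("nobody-here", "x")]:
        print(f"{user:12s} -> {'allowed' if login(user, pw) else 'denied'}")
```

The trace makes the ordering visible: for an LDAP-only user pam_unix returns user_unknown, which under "sufficient" is ignored rather than counted as a failure, and pam_ldap's success ends the stack before pam_deny runs; for a wrong password both sufficient modules are ignored and the required pam_deny is what produces the denial.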