LinuxQuestions.org
10-17-2006, 09:37 PM   #1
zerovice
...of Samba ADS security, Kerberos, and AD on Windows 2003


Systems:
RHEL4.4 and Win2003SP1 DC

1st question:
After many attempts I have one question: is Kerberos enough to authenticate with Active Directory, or do you have to use it in combination with LDAP or winbind in order to access a Samba share?

What I am trying to accomplish is to have my RHEL4 box serve out a few shares and for my windows users to access them without having to input any credentials. (I was assuming it would use the kerberos info from the initial windows logon)

I apologize for the post as there are many out there, but if anyone can answer my question above I would at least have some hope that it can be done.

Additionally, I have the necessary samba and kerberos packages installed and I am able to access samba shares logging onto windows with an acct. that is in linux.

I am also able to do a kinit, and klist shows the ticket, although when I try smbclient -k -L /servername I receive "session setup failed: NT_STATUS_LOGON_FAILURE" (the server has been added to AD; that wasn't a problem).

If any of this has caught your eye or anyone has any ideas please let me know!
 
10-19-2006, 07:53 AM   #2
zerovice (Original Poster)
I am currently working on this and will be monitoring the thread for any response; it is now 7:50am 10/19 Thursday. Any suggestions would be greatly appreciated.
 
10-19-2006, 08:46 AM   #3
jgeiger
I'm not an expert, but I have never seen a way for Samba to authenticate against AD that didn't use winbind. The setup is fairly straightforward, and quite reliable. I haven't met the post requirement to post URLs, but if you do a Google search for "Red Hat samba active directory" the first doc is Red Hat's guide to integrating Samba with AD.
 
10-19-2006, 09:21 AM   #4
zerovice (Original Poster)
Thanks for that, but I have already run through this. Additionally, it mentions at the bottom to stop winbind before joining the domain. Although it doesn't explicitly say to do anything with winbind, it would seem it's being used.... Appreciate the effort; anything else offered I am willing to chase up, so keep 'em coming!
 
10-19-2006, 09:51 AM   #5
jgeiger
Here's the method we have used on our 4 samba servers:

Configure /etc/krb5.conf:

Code:
[logging]
	default = FILE:/var/adm/krb5libs.log
	kdc = FILE:/var/adm/krb5kdc.log
	admin_server = FILE:/var/adm/kadmind.log

[libdefaults]
	default_realm = DOMAIN
	kdc_req_checksum_type = 2
	dns_lookup_realm = true
	dns_lookup_kdc = true

[realms]
	DOMAIN = {
		kdc = DC.DOMAIN
		admin_server = DC.DOMAIN
		default_domain = DOMAIN
	}

[domain_realm]
	.domain = DOMAIN

[appdefaults]
	pam = {
		debug = false
		ticket_lifetime = 36000
		renew_lifetime = 36000
		forwardable = true
		krb4_convert = false
	}
Configure /etc/nsswitch.conf:
Code:
passwd:       files winbind
group:        files winbind
hosts:        files dns
services:     files winbind
networks:     files
protocols:    files winbind
rpc:          files
publickey:    files winbind
netgroup:     files
automount:    files winbind
aliases:      files
Configure /etc/samba/smb.conf: (truncated for the sake of brevity)
Code:
   workgroup = DOMAIN
   netbios name = SAMBASERVER
   security = ads
   winbind separator = +
   winbind cache time = 10
   template shell = /bin/bash
   template homedir = /home/%U
   idmap uid = 1000000-3000000
   idmap gid = 1000000-3000000
   idmap backend = idmap_rid:DOMAIN=1000000-3000000
   allow trusted domains = no
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = no
   realm = DOMAIN
Restart winbind and samba.

Get a kerberos ticket:

kinit user@DOMAIN

Join the domain:

net ads join

Configure /etc/pam.d/system-auth:
Code:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
Reboot for good measure.

When it comes back up, you can use wbinfo to get info from the domain and verify you are joined correctly.

wbinfo -t (checks shared secret)
wbinfo -n DOMAIN+someuser (should get a sid back from AD)

That's the process to the best of my recollection.
 
10-19-2006, 11:50 AM   #6
zerovice (Original Poster)
Thanks for that! Getting closer.... I have winbind set up and am returning info using wbinfo -u, so that's good! Although getent doesn't seem to be returning anything, which may be a problem, as trying smbclient -L localhost -U username is giving session setup failed: NT_STATUS_LOGON_FAILURE for either a local or AD user.... Just wanted to let you know that you have helped thus far... appreciate it.
 
10-19-2006, 01:07 PM   #7
zerovice (Original Poster)
Thanks jgeiger! I am all set; now to write up the how-to. In the end the above examples did everything they were supposed to. getent wasn't working because I had winbind uid and gid set additionally, so the mapping wasn't happening. Thanks!
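Pulling the thread's verification steps together, as an added example (a shell script, not posted by anyone in the thread): it checks an smb.conf for the ADS member settings from post #5 and for the extra winbind uid/gid lines that stopped getent from mapping users in post #7, and wraps the wbinfo and getent checks from posts #5 and #6. The DOMAIN and user names and the sample smb.conf fragments are constructed; DOMAIN+user follows the thread's "winbind separator = +".

```shell
#!/bin/sh
# Added example (not from the thread). DOMAIN+user uses the thread's
# "winbind separator = +"; the sample smb.conf fragments are constructed.
# Read an smb.conf on stdin; exit 0 if the ADS member settings are consistent.
check_smbconf() {
    awk '
        /^[ \t]*[#;]/ { next }                       # skip comments
        { i = index($0, "="); if (i == 0) next       # skip [sections] and blanks
          key = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          cfg[key] = val }
        END {
            rc = 0
            if (cfg["security"] != "ads") { print "FAIL: security = ads required"; rc = 1 }
            if (cfg["realm"] == "")       { print "FAIL: realm not set"; rc = 1 }
            if (!("idmap uid" in cfg) || !("idmap gid" in cfg))
                { print "FAIL: idmap uid/gid ranges missing"; rc = 1 }
            if (("winbind uid" in cfg) || ("winbind gid" in cfg))
                { print "FAIL: winbind uid/gid set alongside idmap uid/gid (post #7)"; rc = 1 }
            if (rc == 0) print "OK: smb.conf ADS member settings consistent"
            exit rc
        }'
}
# Live verification of the join, as post #5 does by hand; the getent step is
# the one that failed in post #6. Requires winbind tools on the host.
check_join() {
    dom=$1; user=$2
    wbinfo -t >/dev/null 2>&1 || { echo "FAIL: trust secret (wbinfo -t)"; return 1; }
    wbinfo -n "$dom+$user" >/dev/null 2>&1 || { echo "FAIL: no SID for $dom+$user"; return 1; }
    getent passwd "$dom+$user" >/dev/null 2>&1 \
        || { echo "FAIL: wbinfo works but NSS does not; check nsswitch.conf and idmap"; return 1; }
    echo "OK: joined, $dom+$user resolves via NSS"
}
# Constructed fragments: the post #5 settings, then the same plus the extra
# winbind uid/gid lines that stopped getent from mapping users in post #7.
SAMPLE_GOOD='[global]
   security = ads
   realm = DOMAIN
   idmap uid = 1000000-3000000
   idmap gid = 1000000-3000000
   idmap backend = idmap_rid:DOMAIN=1000000-3000000'
SAMPLE_BAD="$SAMPLE_GOOD
   winbind uid = 10000-20000
   winbind gid = 10000-20000"
# Stand-alone run: OK for the first fragment, FAIL for the second.
printf '%s\n' "$SAMPLE_GOOD" | check_smbconf
printf '%s\n' "$SAMPLE_BAD" | check_smbconf || true
```

Run `check_join DOMAIN someuser` on the joined server itself to reproduce the wbinfo -t / wbinfo -n / getent sequence from the thread.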
 
  

