LinuxQuestions.org

Linux - Networking: Samba + Winbind + AD (http://www.linuxquestions.org/questions/linux-networking-3/samba-winbind-ad-313520/)

Thakowbbery 04-15-2005 08:36 AM

Samba + Winbind + AD
 
After my failure using LDAP + SFU, I ran to Samba + Winbind to try the AD users authentication on Linux workstations.

I'm currently running a Mandrake 10.1 with samba 3.0.7.

#################################################
My smb.conf:

[global]


netbios name = 0l001
server string = Samba Server 0l001
realm = <realm>
workgroup = SRSP
security = ADS
password server = <endereço_AD>
encrypt passwords = yes
hosts allow = 10.11.8.0/255.255.252.0 127.
guest account = nobody
log file = /var/log/samba/samba.log
username map = /etc/samba/user.map
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
load printers = yes
dns proxy = no
obey pam restrictions = Yes
pam password change = Yes
valid users = @"SRSP/UsersSRSP" root nobody
read list = @"SRSP/UsersSRSP" root
write list = @"SRSP/UsersSRSP" root
default service = homes
preload = global homes printers
winbind separator = /   ; I also tried "+", with no success
winbind use default domain = yes
idmap uid = 10000-60000
idmap gid = 10000-60000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template primary group = "SRSP/UsersSRSP"
template shell = /bin/bash

#============================ Share Definitions ==============================

include = /etc/samba/shares.conf

#################################################
My krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = SRSP.DPF
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
SRSP.DPF = {
kdc = SRSPDCT02
default_domain = srsp.dpf
}

[domain_realm]
.srsp.dpf = SRSP.DPF
srsp.dpf = SRSP.DPF

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
#################################################

kinit works perfectly, and net ads join also works, since the machine is added to the domain.

The problem is: Winbind can't recover the information. SMB, NMB and Winbindd are up.

wbinfo -u
Error looking up domain users

wbinfo -g
Error looking up domain users

wbinfo -t
Checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret


Users and groups are not stored in the default Users folder but in the UsersSRSP folder.

Can anyone help me out?

cowanrl 04-17-2005 09:28 AM

You may want to check out these 2 articles and see if there are any steps you left out:


Samba Security = ADS
http://www.justlinux.com/forum/showt...hreadid=118288


Winbind
http://www.justlinux.com/forum/showt...hreadid=118512

Thakowbbery 04-18-2005 06:31 AM

Thanks
I'll go over it and see if I can get a solution.

Thakowbbery 04-27-2005 02:28 PM

Kind of made it somewhere.
What was blocking the wbinfo commands was a firewall rule. As a test, I gave full access (full in, full out) to my Linux machine.
The problem is: my AD domain is part of a branch of a greater Microsoft "forest network". When I send a wbinfo -u, -t, -g, -m, whatever, the machine starts looking over all AD controllers of all the networks in the greater Microsoft "forest". That results in each command, although they do list users and groups, RPC calls succeed and so on, taking about 20 minutes to complete, and login doesn't work (probably due to a timeout).
I don't believe there may be a solution to that, but does anyone have a solution?
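A small checker for the winbind settings in the [global] section posted at the top of the thread, extended with the trusted-domain walk described in this reply. This is an example added here, not code from the thread or from Samba; the parameter names it reads (including `allow trusted domains`) are real smb.conf parameters, while the sample config and the `trusted_domains` argument are constructed for illustration.

```python
"""Winbind sanity checks for an smb.conf [global] section (example added for this thread, not Samba tooling)."""
import re

# Constructed sample modelled on the first post's [global] section.
SAMPLE_SMB_CONF = """\
[global]
security = ADS
realm = SRSP.DPF
winbind separator = /
winbind use default domain = yes
idmap uid = 10000-60000
idmap gid = 10000-60000
winbind enum users = yes
winbind enum groups = yes
"""

def parse_global(text):
    """Return [global] parameters as a dict: keys lower-cased, ';' and '#' comments stripped."""
    params, section = {}, None
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            params[re.sub(r"\s+", " ", key.strip().lower())] = val.strip()
    return params

def _range(value):
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value or "")
    if not m or int(m.group(1)) >= int(m.group(2)):
        return None  # malformed or inverted range
    return int(m.group(1)), int(m.group(2))

def check_winbind(params, trusted_domains=0):
    """Return findings; trusted_domains is how many other domains the forest trust exposes."""
    findings = []
    if params.get("security", "user").lower() == "ads" and not params.get("realm"):
        findings.append("security = ADS needs 'realm' set to the Kerberos realm")
    for key in ("idmap uid", "idmap gid"):
        if _range(params.get(key)) is None:
            findings.append(f"{key} must be LOW-HIGH with LOW < HIGH, or winbind cannot allocate ids")
    if params.get("winbind separator") == "+":
        findings.append("winbind separator = + clashes with NIS '+' entries in /etc/group on glibc")
    enum = any(params.get(k, "no").lower() == "yes" for k in ("winbind enum users", "winbind enum groups"))
    if enum and trusted_domains and params.get("allow trusted domains", "yes").lower() == "yes":
        findings.append("enumeration walks every trusted domain; set 'allow trusted domains = no' or switch it off")
    return findings
```

With enumeration on and trusted domains reachable, winbind queries every domain in the forest, which is the slow path this reply describes; restricting winbind to the joined domain keeps lookups local.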

cowanrl 04-27-2005 03:53 PM

Just looking over the differences in your krb5.conf file and mine. Here's mine:

[realms]
THE_COWANS.COM = {
kdc = pe500sc.the_cowans.com
kdc = mainnt.the_cowans.com
admin_server = pe500sc.the_cowans.com
default_domain = the_cowans.com
}

You're not using a FQDN for your kdc and you're also not listing an admin_server. Not sure if that would make any difference, but that is a difference between yours and mine. Of course, my AD domain is much smaller than yours.
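The two differences cowanrl points out (a short-name kdc and no admin_server) as an automated check over a krb5.conf. This is an example added here, not code from the thread or from MIT Kerberos; the sample config is constructed from the first post's realm entry.

```python
"""krb5.conf checks for an AD join (example added for this thread, not MIT Kerberos code)."""

# Constructed sample modelled on the first post's krb5.conf.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = SRSP.DPF
dns_lookup_kdc = true
[realms]
SRSP.DPF = {
kdc = SRSPDCT02
default_domain = srsp.dpf
}
"""

def parse_krb5(text):
    """Return {section: {key: [values]}}; each 'REALM = { ... }' block becomes a nested dict."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section, realm = line.strip("[] ").lower(), None
            conf.setdefault(section, {})
        elif line == "}":
            realm = None
        elif line.endswith("{"):
            realm = line[:-1].strip(" =")
            conf[section][realm] = {}
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            target = conf[section][realm] if realm else conf[section]
            target.setdefault(key, []).append(val)  # repeated keys (several kdc lines) are kept
    return conf

def check_krb5(conf):
    """Flag a short-name kdc and a missing admin_server for the default realm."""
    findings = []
    realm_name = conf.get("libdefaults", {}).get("default_realm", [""])[0]
    realm = conf.get("realms", {}).get(realm_name)
    if realm is None:
        return [f"no [realms] entry for default_realm {realm_name!r}"]
    for kdc in realm.get("kdc", []):
        if "." not in kdc.split(":")[0]:
            findings.append(f"kdc {kdc!r} is a short name; use the domain controller's FQDN")
    if "admin_server" not in realm:
        findings.append("no admin_server listed for the realm")
    return findings
```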

blutonium 10-25-2005 02:55 AM

I am having a similar problem, but I am maybe a few steps ahead. I have configured all the files and gone through a million documents. I can join the domain but there is still some trouble. wbinfo -u doesn't work, but wbinfo -g will give me the groups in the AD. Also, when I use wbinfo -t to check for trust, trust is established. I think I am very close to the solution. I'm running FC4 and trying to join Samba to a Win 2003 domain. When I use net ads join -u, a message saying that I have joined the domain is displayed. This is only for the administrator account, but when I try to log in with other AD user names I get authentication errors.

It would be pretty safe to assume that I have configured all the necessary files.

Any thoughts comments?

Thanks.

jeev@dialog 06-28-2007 01:49 AM

[global]
encrypt passwords = Yes
winbind separator = /
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
server string = rad_test
netbios name = test
security = domain
workgroup = domain name
log file = /var/log/samba/log.%m
max log size = 50
password server = servername.domain
realm = domainname
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins proxy = no


--------- krb5.conf---------------

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = domainname
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
DIALOG.DIALOGGSM.COM = {
kdc = servername.domain:88
admin_server = servername.domain:749
default_domain = domainname
}

[domain_realm]
.example.com = domainname
example.com = domainname

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf


---------commands to use-------------


restart winbind

#set your machine to default domain
domainname <name of the domain>


kinit Administrator #This will cache you a ticket

klist # see cash tickets

That's it.

Now check & c.


Cheers,
Lahiru Perera

