LinuxQuestions.org
Old 04-15-2005, 08:36 AM   #1
Thakowbbery
Member
 
Registered: Mar 2005
Posts: 135

Rep: Reputation: 17
Samba + Winbind + AD


After my failure using LDAP + SFU, I ran to Samba + Winbind to try the AD users authentication on Linux workstations.

I'm currently running a Mandrake 10.1 with samba 3.0.7.

#################################################
My smb.conf:

[global]


netbios name = 0l001
server string = Samba Server 0l001
realm = <realm>
workgroup = SRSP
security = ADS
password server = <endereço_AD>
encrypt passwords = yes
hosts allow = 10.11.8.0/255.255.252.0 127.
guest account = nobody
log file = /var/log/samba/samba.log
username map = /etc/samba/user.map
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
load printers = yes
dns proxy = no
obey pam restrictions = Yes
pam password change = Yes
valid users = @"SRSP/UsersSRSP" root nobody
read list = @"SRSP/UsersSRSP" root
write list = @"SRSP/UsersSRSP" root
default service = homes
preload = global homes printers
winbind separator = / (I also tried "+", with no success)
winbind use default domain = yes
idmap uid = 10000-60000
idmap gid = 10000-60000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template primary group = "SRSP/UsersSRSP"
template shell = /bin/bash

#============================ Share Definitions ==============================

include = /etc/samba/shares.conf

#################################################
My krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = SRSP.DPF
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
SRSP.DPF = {
kdc = SRSPDCT02
default_domain = srsp.dpf
}

[domain_realm]
.srsp.dpf = SRSP.DPF
srsp.dpf = SRSP.DPF

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
#################################################

kinit works perfectly, and net ads join also works, since the machine is added to the domain.

The problem is: Winbind can't recover the information. SMB, NMB and Winbindd are up.

wbinfo -u
Error looking up domain users

wbinfo -g
Error looking up domain users

wbinfo -t
Checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret


Both users and groups are not stored in the default Users folders, but in the UsersSRSP folder.

Can anyone help me out?

Last edited by Thakowbbery; 04-15-2005 at 12:34 PM.
 
Old 04-17-2005, 09:28 AM   #2
cowanrl
Member
 
Registered: Dec 2004
Location: Western Pennsylvania, USA
Distribution: Red Hat
Posts: 150

Rep: Reputation: 15
You may want to check out these 2 articles and see if there are any steps you left out:


Samba Security = ADS
http://www.justlinux.com/forum/showt...hreadid=118288


Winbind
http://www.justlinux.com/forum/showt...hreadid=118512
 
Old 04-18-2005, 06:31 AM   #3
Thakowbbery
Member
 
Registered: Mar 2005
Posts: 135

Original Poster
Rep: Reputation: 17
Thanks
I'll go over it and see if I can get a solution.
 
Old 04-27-2005, 02:28 PM   #4
Thakowbbery
Member
 
Registered: Mar 2005
Posts: 135

Original Poster
Rep: Reputation: 17
Kind of made it somewhere.
What was blocking the wbinfo commands was a firewall rule. As a test, I gave full access (full in, full out) to my Linux machine.
The problem is: my AD domain is part of a ramification of a greater Microsoft "forest network". When I send a wbinfo -u, -t, -g, -m, whatever, the machine starts looking over all AD controllers of all the networks in the greater Microsoft "forest". That results in each command, although they do list users, groups, RPC calls succeeded and so on, taking about 20 minutes to work, and login doesn't work (probably due to a timeout).
I don't believe there may be a solution to that, but does anyone have a solution?
 
Old 04-27-2005, 03:53 PM   #5
cowanrl
Member
 
Registered: Dec 2004
Location: Western Pennsylvania, USA
Distribution: Red Hat
Posts: 150

Rep: Reputation: 15
Just looking over the differences in your krb5.conf file and mine. Here's mine:

[realms]
THE_COWANS.COM = {
kdc = pe500sc.the_cowans.com
kdc = mainnt.the_cowans.com
admin_server = pe500sc.the_cowans.com
default_domain = the_cowans.com
}

You're not using an FQDN for your kdc and you're also not listing an admin_server. Not sure if that would make any difference, but that is a difference between yours and mine. Of course, my AD domain is much smaller than yours.
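Added example, not code from any post in this thread: a small Python checker for the two points raised above about the first post's krb5.conf (a kdc that is not an FQDN, and no admin_server), plus whether default_realm actually names a [realms] stanza. The SAMPLE it ships with is a constructed, cut-down copy of the first post's file.

```python
def parse_krb5(text):
    """Parse krb5.conf into {section: {key: [values]}}; 'NAME = { ... }' stanzas nest as dicts."""
    conf, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, stanza = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":                             # close the current stanza
            stanza = None
        else:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":                            # open a nested stanza, e.g. a realm
                stanza = key
                conf[section][key] = {}
            else:
                target = conf[section][stanza] if stanza else conf[section]
                target.setdefault(key, []).append(val)   # keys such as kdc may repeat
    return conf

def lint_krb5(text):
    """Return the consistency problems found in a krb5.conf; an empty list means none."""
    conf = parse_krb5(text)
    realms = conf.get("realms", {})
    realm = conf.get("libdefaults", {}).get("default_realm", ["<unset>"])[0]
    problems = []
    stanza = realms.get(realm)
    if not isinstance(stanza, dict):
        problems.append(f"no [realms] stanza named '{realm}'; found: {list(realms)}")
        return problems
    for kdc in stanza.get("kdc", []):
        if "." not in kdc.split(":")[0]:             # host part only; ':port' stripped
            problems.append(f"kdc '{kdc}' is not a fully qualified host name")
    if "admin_server" not in stanza:
        problems.append(f"realm '{realm}' lists no admin_server")
    return problems

# Constructed sample in the shape of the first post's file: short KDC name, no admin_server.
SAMPLE = """[libdefaults]
default_realm = SRSP.DPF
[realms]
SRSP.DPF = {
kdc = SRSPDCT02
}
[domain_realm]
.srsp.dpf = SRSP.DPF
"""
```

Running lint_krb5 over your own /etc/krb5.conf is the quickest way to see whether the realm block kinit uses is the one winbind will also resolve.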
 
Old 10-25-2005, 02:55 AM   #6
blutonium
LQ Newbie
 
Registered: Oct 2005
Posts: 4

Rep: Reputation: 0
I am having a similar problem, but I am maybe a few steps ahead. I have configured all the files and gone through a million documents. I can join the domain but there is still some trouble. wbinfo -u doesn't work, but wbinfo -g will give me the groups in the AD. Also, when I use wbinfo -t to check for trust, trust is established. I think I am very close to the solution. I'm running FC4 and trying to join Samba to a Win 2003 domain. When I use net ads join -u, a message saying that I have joined the domain is displayed. This is only for the administrator account, but when I try to log in with other AD user names I get authentication errors.

It would be pretty safe to assume that I have configured all the necessary files.

Any thoughts comments?

Thanks.
 
Old 06-28-2007, 01:49 AM   #7
jeev@dialog
LQ Newbie
 
Registered: Jun 2007
Posts: 1

Rep: Reputation: 0
[global]
encrypt passwords = Yes
winbind separator = /
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
server string = rad_test
netbios name = test
security = domain
workgroup = domain name
log file = /var/log/samba/log.%m
max log size = 50
password server = servername.domain
realm = domainname
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins proxy = no


--------- krb5.conf---------------

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = domainname
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
DIALOG.DIALOGGSM.COM = {
kdc = servername.domain:88
admin_server = servername.domain:749
default_domain = domainname
}

[domain_realm]
.example.com = domainname
example.com = domainname

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf


---------commands to use-------------


restart winbind

#set your machine to default domain
domainname <name of the domain>


kinit Administrator #This will cache you a ticket

klist # see cached tickets

That's it.

Now check & c.


Cheers,
Lahiru Perera
 