LinuxQuestions.org


Treikayan 04-26-2013 11:41 PM

Samba not working with Samba Server joined to ADS
 
Hello,

I cannot browse or open any Samba shares from a Windows client machine.

I have integrated the Samba Server into ADS and have tried setting up smb.conf to allow a Windows domain user to access Samba shares. It fails. Below are the steps I took to set up the Samba Server as a Domain Member Server.

I would like to still use PAM authentication (even that fails). I also have VSFTP installed and would like it integrated to authenticate against ADS. Please help!

messagebus, oddjob, winbind, openldap, smb are all running.

STEPS I TOOK:
Code:

Promote Linux Server to full functioning Samba Server and Domain Member Server
DUZIT (PX9130426-2038-EC01F) Linux Samba to Member Server.

yum install openldap

1. Run authconfig command on NOMAD
2. Modify /etc/samba/smb.conf, global settings
3. Update PAM config
        Ensure PAM accepts local accounts
4. Join NOMAD (Samba Server) to PROXIMA domain
        "net ads join" command
5. Update Kerberos 5 config
        Ensure Kerberos can look up uid/gid in PROXIMA.LOCAL realm
        Check KDC with host command
6. Check NSSSWITCH.CONF
7. Update IPTABLES

DETAILS:

AUTHCONFIG

authconfig \
--disablecache \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbworkgroup=PROXIMA \
--smbrealm=PROXIMA.LOCAL \
--enablewinbindusedefaultdomain \
--winbindtemplatehomedir=/home/PROXIMA/%U \
--winbindtemplateshell=/bin/false \
--enablekrb5 \
--krb5realm=PROXIMA.LOCAL \
--enablekrb5kdcdns \
--enablekrb5realmdns \
--enablelocauthorize \
--enablemkhomedir \
--enablepamaccess \
--updateall

SMB.CONF

.
.
.
.
Add these lines to [global]

        idmap config PROXIMA:backend = rid
            idmap config PROXIMA:base_rid = 500
            idmap config PROXIMA:range = 500-1000000

Comment out these lines in [global]

        #  idmap uid = 16777216-33554431
        #  idmap gid = 16777216-33554431

JOIN NOMAD TO THE DOMAIN
.
.
.
[root@nomad home]# net ads join -U sysadmin
sysadmin's password:
Using short domain name -- PROXIMA
DNS update failed! # DNS entry manually created beforehand!
Joined 'NOMAD' to realm 'PROXIMA.LOCAL'
[root@nomad home]# service smb restart

[root@nomad home]# /etc/rc.d/init.d/messagebus restart
Stopping system message bus:                              [  OK  ]
Starting system message bus:                              [  OK  ]
[root@nomad home]# chkconfig smb on
[root@nomad home]# chkconfig  winbind on
[root@nomad home]# chkconfig  oddjobd on



KRB5.CONF

.
.
.
[libdefaults]
 default_realm = PROXIMA.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 # ticket_lifetime = 24h
 ticket_lifetime = 600
 forwardable = yes
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 PROXIMA.LOCAL = {
  kdc = filer.proxima.local
  kdc = COMPILER.proxima.local
  default_domain = PROXIMA
 }

[domain_realm]
 proxima.local = PROXIMA.LOCAL
 .proxima.local = PROXIMA.LOCAL
.
.
.


[root@nomad ~]# host -t any _kerberos._tcp.proxima.local
_kerberos._tcp.proxima.local has SRV record 0 100 88 compiler.proxima.local.
_kerberos._tcp.proxima.local has SRV record 0 100 88 filer.proxima.local.

NSSSWITCH.CONF

.
.
.
passwd:    files winbind
shadow:    files winbind
group:      files winbind

passwd:    compat winbind 
shadow:    compat 
group:      compat winbind
.
.
.

TEST ADS COMMUNICATION

[root@nomad ~]# net ads info
LDAP server: 172.17.10.10
LDAP server name: filer.proxima.local
Realm: PROXIMA.LOCAL
Bind Path: dc=PROXIMA,dc=LOCAL
LDAP port: 389
Server time: Fri, 26 Apr 2013 23:15:43 CDT
KDC server: 172.17.10.10
Server time offset: -12

TEST A USER ACCOUNT

[root@nomad ~]# kinit dummy@PROXIMA.LOCAL
Password for dummy@PROXIMA.LOCAL:
[root@nomad ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: dummy@PROXIMA.LOCAL

Valid starting    Expires            Service principal
04/26/13 23:17:27  04/26/13 23:27:27  krbtgt/PROXIMA.LOCAL@PROXIMA.LOCAL


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

A SAMBA SHARE EXAMPLE:

[root@nomad ~]# testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[FTP]"
Processing section "[Shekinya]"
Processing section "[printers]"
Processing section "[shared]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = PROXIMA
realm = PROXIMA.LOCAL
server string = Samba Server
security = ADS
obey pam restrictions = Yes
passdb backend = tdbsam
guest account = samba
template homedir = /home/PROXIMA/%U
template shell = /sbin/nologin
winbind separator = +
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config PROXIMA:range = 16777216-33554431
idmap config PROXIMA:base_rid = 500
idmap config PROXIMA:backend = rid
cups options = raw

[homes]
comment = Home Directories
valid users = MYDOMAIN\%S
read only = No

[FTP]
comment = FTP Directories
path = /home
valid users = @PROXIMA+echatham, @echatham, @sysadmin, @root
create mask = 0700
directory mask = 0700
inherit permissions = Yes
inherit acls = Yes
guest ok = Yes

[Shekinya]
comment = Shekinya Website
path = /var/www/html/shekinya
valid users = @echatham, @sysadmin, @root
read only = No
guest ok = Yes

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[shared]
comment = HPPAV main share
path = /mnt/shares/samba_t
read only = No
inherit permissions = Yes
guest ok = Yes

Treikayan 04-27-2013 12:45 AM

Ok, one thing I did change was the delimiters for the shares: "@," "\," and "+." I can't tell if "\" or "+" is the correct delimiter in the config, but "@" is for searching a group. I think the "\" works though.

Code:

[homes]
        comment = Home Directories
        valid users = PROXIMA\%S
        read only = No

[FTP]
        comment = FTP Directories
        path = /home
        valid users = PROXIMA+echatham, PROXIMA\echatham, @echatham, @sysadmin, @root
        create mask = 0700
        directory mask = 0700
        inherit permissions = Yes
        inherit acls = Yes
        guest ok = Yes

[Shekinya]
        comment = Shekinya Website
        path = /var/www/html/shekinya
        valid users = PROXIMA\sysadmin, @echatham, @sysadmin, @root
        read only = No
        guest ok = Yes

I commented out this line too in smb.conf

Code:

#  winbind separator = +

I still would like to integrate VSFTP to use ADS authentication though. Also, is there a way to map the "Domain Admins" group to the "root" group?

Thank you.
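An added consistency check (my own example, not the poster's code) for the two smb.conf states shown in the first post's testparm output and in the follow-up above. It parses a constructed smb.conf excerpt and flags the things that stop a domain user from matching `valid users`: a domain prefix other than the workgroup (MYDOMAIN vs PROXIMA), a delimiter that differs from the configured `winbind separator`, an idmap range that is missing or overlaps local uids, and `guest ok = Yes` on a share that also restricts users. The 1000 lower bound for the idmap range is an assumption of this check, not a Samba rule.

```python
import configparser

# Constructed smb.conf excerpt modelled on the testparm output in the first post (not the
# poster's file verbatim): MYDOMAIN vs PROXIMA, the '+' separator and mixed delimiters.
SAMPLE_SMB_CONF = r"""[global]
workgroup = PROXIMA
winbind separator = +
idmap config PROXIMA:backend = rid
idmap config PROXIMA:range = 16777216-33554431

[homes]
valid users = MYDOMAIN\%S

[FTP]
valid users = @PROXIMA+echatham, @echatham, PROXIMA\echatham
guest ok = Yes
"""

def parse_smb_conf(text):
    # '=' is the only delimiter (':' occurs inside idmap keys); '%S' macros must not interpolate.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}  # option names come back lowercased

def check_smb_conf(conf):
    findings, g = [], conf.get("global", {})
    workgroup = g.get("workgroup", "").upper()
    sep = g.get("winbind separator", "\\")  # Samba's default separator is the backslash
    if sep != "\\":
        findings.append(f"global: non-default winbind separator '{sep}'; every DOMAIN/user entry must use it")
    rng = g.get(f"idmap config {workgroup.lower()}:range", "0-0")
    lo, hi = (int(x) for x in rng.split("-"))
    if lo < 1000 or lo >= hi:  # assumed floor: keep domain uids clear of local accounts
        findings.append(f"global: idmap range '{rng}' for {workgroup} is missing, inverted or overlaps local uids")
    delims = sorted({"\\", "+", sep})  # the delimiters seen in the thread plus the configured one
    for share, opts in conf.items():
        for entry in (e.strip() for e in opts.get("valid users", "").split(",")):
            name = entry.lstrip("@+&")  # strip group-name prefixes before looking for DOMAIN<sep>user
            for d in delims:
                if d in name:
                    domain = name.split(d, 1)[0].upper()
                    if domain != workgroup:
                        findings.append(f"[{share}]: '{entry}' names domain {domain}, but workgroup is {workgroup}")
                    if d != sep:
                        findings.append(f"[{share}]: '{entry}' uses '{d}' but winbind separator is '{sep}'")
        if opts.get("guest ok", "no").lower() in ("yes", "true", "1") and "valid users" in opts:
            findings.append(f"[{share}]: guest ok = Yes next to a valid users list; confirm unauthenticated access is intended")
    return findings
```

Run it against the real file with `check_smb_conf(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; an empty list means the three settings agree with each other, not that the join itself works.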

Treikayan 04-27-2013 01:11 AM

Nope still having problems. I log onto the windows client as "echatham." I commented out the UNIX user echatham in /etc/passwd.

Now, I cannot browse to the Samba Server at all if I try logging on with the DOMAIN account to get to the Samba Server.

For some reason, the admin account (I used to join to ADS) shows up when I browse to the Samba Server. I can tell this because the home directory that displays is the ADMIN account. So, trying this in Windows:

Quote:

C:\>runas /user:PROXIMA\echatham "explorer.exe /seperate"
Enter the password for PROXIMA\echatham:
Attempting to start explorer.exe /seperate as user "PROXIMA\echatham" ...

Then attempting to browse to the server in the new Windows Explorer pane fails. It keeps asking me to log on. When I put the domain account in, it fails.

