LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 07-02-2011, 01:33 AM   #16
centos123
Member
 
Registered: Apr 2011
Posts: 394

Original Poster
Rep: Reputation: 15

in this website
http://www.samba.org/samba/docs/man/...n/winbind.html

given to copy libnss_winbind.so in /lib/
and pam_winbind.so into /lib/security/ i copied...

then when i join it it gives error...
Shutting down Winbind services: [ OK ]
Starting Winbind services: [ OK ]
[/usr/bin/net join -w win.co.in -S windc -U Administrator] // here win.co.in is window server domain name
Unable to find a suitable server
Unable to find a suitable server


also what to write in winbind configuration field for - 'window domain' 'winbind ads realm' 'security model' ' window domain controller' and 'templat shell'.......

Last edited by centos123; 07-02-2011 at 01:41 AM. Reason: incomplete
 
Old 07-02-2011, 04:09 AM   #17
centos123
Member
 
Registered: Apr 2011
Posts: 394

Original Poster
Rep: Reputation: 15
i get no output from running command
#kinit Administrator@DOMAIN.COM
no output..just command prompt
 
1 members found this post helpful.
Old 07-02-2011, 06:28 AM   #18
centos123
Member
 
Registered: Apr 2011
Posts: 394

Original Poster
Rep: Reputation: 15
#net ads join -U Administrator
Administrator's password:
[2011/07/02 15:59:21, 0] utils/net_ads.c:ads_startup_int(286)
ads_connect: No logon servers
Failed to join domain: No logon servers

any body help...
 
Old 07-02-2011, 06:48 AM   #19
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
It has been quite a while since I last tried to set something like this up and I have forgotten a bit of it. Your error message makes me think that you are missing a configuration that goes with LDAP. There is a set of parameters where you specify the domain, and values for OU, CN, and so forth. Have you performed this step?

I have some bookmarked how to documents that helped me with this process. They are on my office PC and I won't have access to it till Tuesday.
 
Old 07-02-2011, 07:56 AM   #20
centos123
Member
 
Registered: Apr 2011
Posts: 394

Original Poster
Rep: Reputation: 15
i configured only kerbores and winbind ..not ldap.dont know about ldap..
could you please help me to configure wirte file..i think iam doing some mistake in krb5.conf file.
here is my configuration....

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SILK.CO.IN
dns_lookup_kdc = false

dns_lookup_realm = false

[realms]
SILK.CO.IN = {
default_domain = silk.co.in
kdc = SILK.CO.IN

admin_server = x.x.x.201 ip of domain machine

}

[domain_realms]
.silk.co.in = SILK.CO.IN
silk.co.in = SILK.CO.IN


[appdefaults]

pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimun_uid = 1
}

here silk.co.in is windows domain server name..is there is any parameter for linux machine...





here is configuration of samba file

workgroup = silk.co.in // windows domain server:
password server = *
security = ADS
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
encrypt passwords = yes
; ads server = X,.X.X.201
realm = SILK.CO.IN
netbios name = fileserver // linux host name
 
1 members found this post helpful.
Old 07-03-2011, 06:31 AM   #21
panseluta
LQ Newbie
 
Registered: Dec 2008
Posts: 20

Rep: Reputation: 1
dude, you went too far in the wrong direction with your problem. you don't need to configure kerbores, winbind or ldap to have a simple samba file sharing. your server does not have to be on the same domain with windows users to be accessed.

I'm managing a big network with several workgroups and domains and I have a samba share accesible from any workgroup or domain.

All you need is a fresh smb.conf file (the one you have now might be messed up) and follow this settings:

in smb.conf:

uncomment interface and hosts allow
modify interface with your prefered interface (eth0, eth1...)
add to hosts allow the ip class of your allowed hosts (192.168.0.0/24 or 172.16.0.0/16 etc.)
add this settings under Global:

hide unreadable = yes
refresh = 1

somewhere you will find "security = user" (uncommented) change it to
security = share

# passdb backend = tdbsam
guest account = nobody

then add the shared folders:

[STORAGE]
path = /home/storage
browseable = yes
writeable = yes
guest ok = yes

save smb.conf then chmod the shared folder and subfolders:

chmod -R 777 /home/storage

don't forget about firewall ports I already posted.

after all these steps are done you have to restart smb service: service smb restart

now it should work!

if still not working type this command:

setsebool -P samba_enable_home_dirs on

and restart smb service again.
 
Old 07-04-2011, 02:19 AM   #22
centos123
Member
 
Registered: Apr 2011
Posts: 394

Original Poster
Rep: Reputation: 15
@penseluta

you post this ---

Also in your firewall config you must open some ports:

iptables -A INPUT -i eth0 -p udp --dport 137 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 445 -j ACCEPT

change eth0 with your network interface used for samba sharing.




here what it mean of " change eth0 with your network interface "....

and when iam changing SElinux = permisive and checking status it shows SElinux disable..infact in its file it is permisive.then why it status show disable..


please clear this to me..
 
Old 07-04-2011, 02:38 AM   #23
panseluta
LQ Newbie
 
Registered: Dec 2008
Posts: 20

Rep: Reputation: 1
I mean change eth0 with your network interface you are using inside your lan. If you have a server with two network cards eth0 for internet and eth1 for lan then you should open those ports for eth1 interface.

From my readings centos is based on red hat just like fedora. I had fedora and I wanted the same thing you want: samba share for all workgroups and domains from my network. I was able to see the first folder of my share but not able to access it. Always the same error:
"You might not have permission to use this Network resource.
The network path was not found."

Solved the problem with this command:

setsebool -P samba_enable_home_dirs on

if not working try this one:

setsebool samba_enable_home_dirs=1

or check smb.conf there you cand find information about this line right at the beginning of smb.conf
 
Old 07-04-2011, 02:40 AM   #24
centos123
Member
 
Registered: Apr 2011
Posts: 394

Original Poster
Rep: Reputation: 15
another problem..occurs

in morning when i login into root..in desktop a window box seen.
"Network Authentication" box.it prompt me to enter PASSWORD FOR Administrator@<WINDOW DOMAIN SERVER>

and in red color a warning message is written as " your credential has been expired.
in tab written "Renew Ticket" "cancel"...
i entered password and clicked on Renew Ticket..

after that iam not getting mycomputer and other content of desktop...i cant go inside file server...in gnome cgi..

now how could i get into mycomputer..through gnome

Last edited by centos123; 07-04-2011 at 02:41 AM.
 
Old 07-04-2011, 03:21 AM   #25
centos123
Member
 
Registered: Apr 2011
Posts: 394

Original Poster
Rep: Reputation: 15
thanks penseluta...

iam testing..your configuration..till can you please solve my gnome problem..
when i clicked on Places-->Desktop
it errors...
Could not open location 'file:///root/Desktop'

There is no default action associated with this location.

i properly logoff the root.but when i login it didnot show any file folder and computer,root home directories on desktop..

why it so..
 
Old 07-04-2011, 07:19 AM   #26
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Quote:
panseluta: you went too far in the wrong direction with your problem. you don't need to configure kerbores, winbind or ldap to have a simple samba file sharing. your server does not have to be on the same domain with windows users to be accessed.
Quote:
centos123rompt me to enter PASSWORD FOR Administrator@<WINDOW DOMAIN SERVER> and in red color a warning message is written as " your credential has been expired. in tab written "Renew Ticket" "cancel"...
Asking for domain administrator password and expired TICKETS shouts Kerberos trouble. Centos123, you MUST start using your log files and look for error and warning messages. Troubles like "my gnome problem" are not nearly descriptive enough to provide accurate answers to.

The question also remains as to what is your end objective? The instructions above by Panseluta are for a SIMPLE Samba share that will give everyone read, write permission without authentication. Is this what you want? From what you have been describing you are trying to implement domain authentication to access a Linux machine. There are three components to this: Samba, kerberos and LDAP. The Samba provides the windows networking compatibility, Kerberos allows the machines to authenticate and trust each other via tickets, and LDAP handles the user authentication.
 
Old 07-05-2011, 12:35 AM   #27
centos123
Member
 
Registered: Apr 2011
Posts: 394

Original Poster
Rep: Reputation: 15
i wanna secure sharing between linux and windows...all the file are confidential as departmental wise..so required is secure sharing..
 
Old 07-05-2011, 05:22 AM   #28
centos123
Member
 
Registered: Apr 2011
Posts: 394

Original Poster
Rep: Reputation: 15
@pensulat ......thanks for solving my issue of Domain and samba authentication.now iam able to share data of domain user also..
 
Old 07-06-2011, 10:06 AM   #29
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
If you followed the suggestions by Pensulat where you create a storage folder with 0777 permissions and make it browseable = yes, writeable = yes, guest ok = yes, this did not solve your domain and samba authentication issues. Instead it simply masked the problem by creating an insecure free access for anybody communal space. If you really are trying to handle confidential, departmental files, this would be the absolute wrong approach. At a minimum, you will need to create Samba users and Passwords. Your idea of using a true authentication system is a much better approach.

I am not trying to be harsh with you, but I also don't want to see you wind up in the security forum saying "please help, my system has been hacked", which is what the approach outlined above is setting you up for.

Here are a couple of links, and yes it is a lot of information to wade through, that I found helpful when setting up a Samba + kerberos system:
http://samba.org/samba/docs/man/Samb...ts.html#adssdm
and
http://www.linuxquestions.org/questi...-users-768729/
 
Old 07-06-2011, 01:32 PM   #30
panseluta
LQ Newbie
 
Registered: Dec 2008
Posts: 20

Rep: Reputation: 1
well norwayZ giving a newbie "a lot of information to wade through" instead of a solution doesnt solve his problem. I was not masking his problem but helped him to get started.

centos123 if you want user access to your shares edit smb.conf and change "security = share" to "security = user", then change from "guest ok = yes" to "valid users = chucknorris"

Here is what I'm talking about:

[STORAGE]
path = /home/storage
browseable = yes
writeable = yes
valid users = liukang

[WORK]
path = /home/work
browseable = yes
writeable = yes
valid users = mileena

[NEWS]
path = /home/news
browseable = yes
writeable = yes
valid users = reptile sonya scorpion (you can also enumerate a bunch of users separated by spaces but you also have to use "create mask = " and "directory mask = ")
create mask = 0660 (for example)
directory mask = 0770 (for example)

to add a user type in terminal:

useradd subzero

to create a group for samba users:

groupadd mortalkombat

to add a user directly to that group:

useradd -G mortalkombat subzero

to set password for that user:

smbpasswd -a subzero
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Linux Domain Controller on a current Windows Server Domain LaurelRaven Linux - Server 3 02-02-2012 08:43 AM
New domain controller/directory server on Linux? humbletech99 Linux - Networking 2 12-16-2005 06:03 AM
domain controller in samab server ali_hammad Linux - Networking 3 06-13-2005 04:36 PM
Samba and WIndow NT Domain Controller vinhhv Linux - Networking 1 07-31-2003 03:26 AM


All times are GMT -5. The time now is 08:49 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration