LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
LinkBack Search this Thread
Old 03-12-2008, 08:56 AM   #1
epoh
Member
 
Registered: Jan 2008
Posts: 73

Rep: Reputation: 15
Question getent passwd only pulls local info - getent group works?


I have two brand new boxes loaded up with RHEL4AS (2.6.9-67.ELsmp) and Samba 3.0.28a. I am trying to configure them to authenticate via Active Directory.

(I've marked out some info to not expose client info.)

My [smb.conf]
=============================
# Global Perameters
[global]
workgroup = D***
realm = d***.***.atosorigin-asp.com
preferred master = no
server string = Samba file servers
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
winbind use default domain = No
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
#give winbind users a real shell
template homedir = /home/%U
template shell = /bin/bash
password server = 1**.*.***.**
===========================
[nsswitch.conf] has the following entries:
passwd: files winbind
shadow: files winbind
group: files winbind
==========================
[krb5.conf]
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = D***.***.ATOSORIGIN-ASP.COM
default_etypes = dec-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_keytab-name = FILE:/etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
D***.***.ATOSORIGIN-ASP.COM = {
kdc = 1##.#.##.##
admin_server = 1##.#.##.##
default_domain = D**.***.ATOSORIGIN-ASP.COM
}

[domain_realm]
.d***.***.atosorigin-asp.com = D***.***.ATOSORIGIN-ASP.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
=============================
[/etc/pam.d/system-auth]
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
===========================

Now, wbinfo -u and wbinfo -g prints out active directory users and groups as it should. getent group shows me active directory groups. But getent passwd only returns local users. And unfortunately, the port for samba isn't opened on the firewall yet, so I can't test to see how samba is working. Did I make a typo somewhere? Can you see something I've done wrong?
 
Old 03-13-2008, 01:48 AM   #2
leebrent
Member
 
Registered: Oct 2007
Location: Nanaimo
Distribution: Red Hat 5
Posts: 39

Rep: Reputation: 15
This might help you, my students had to join samba to AD in a project last year. This is one of my top student's documentation:

http://www.bryntassell.ca/zambra/samba.php

You will also note that any delay in time will give you issues, ensure that the time's are not out of a sync by more than 4.59 seconds.

Cheers,

Brent.
 
Old 03-14-2008, 07:56 AM   #3
epoh
Member
 
Registered: Jan 2008
Posts: 73

Original Poster
Rep: Reputation: 15
Thank you. The time may be an issue. Everything else appears to be working properly and the users are able to log into the box with their AD credentials. I am going to try and find out today if the AD DCs are using the time servers.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
getent passwd errors - no users added jamiegordon Linux - Software 1 01-03-2008 09:33 AM
getent is unable to retrieve info from OpenLDAP mesh2005 Linux - Networking 1 11-08-2007 08:25 AM
nss_ldap not working (getent passwd) WindowBreaker Slackware 2 06-27-2006 02:19 AM
SAMBA getent passwd command doesnt list all the users loganking Linux - Software 0 06-14-2006 11:22 AM
getent passwd and wibinfo -u not working bahadur Linux - Networking 0 06-14-2004 12:20 AM


All times are GMT -5. The time now is 08:11 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration