Ok, I figure this is probably going to be a complicated solution - so I am going to try to simplify the question(s) as much as possible.
Goal:
1. Use Active Directory to control security/authentication for a Samba share hosted on a Linux (SLES10/OES2) server.
Steps taken so far:
1. Install winbind/samba/kerberos/pam/etc.
2. Create Samba share.
3. Join SLES10 server to AD domain.
4. Configure krb5.conf, smb.conf.
5. Test connection to Samba share from Windows workstation via AD username/password (success).
What I'd like to do now:
1. Use AD to assign permissions to the files/folders in the Samba share (very confused on how this should work)
Details:
I have installed Winbind, Samba, Kerberos and PAM, but I am not using PAM. Currently I am able to map to the drive from Windows workstations using the AD usernames and passwords, that's all fine and dandy. Password changes on the AD side take effect on the Unix side when getent runs, so that works fine. I'm having a little trouble understanding how filesystem security can be controlled on Unix through AD, but everything I'm reading says it can be. I know that there are still kinks to work out, because some things don't seem right. I'll post the output I think is relevant and you can take it away from there and tell me if you need more information (coming in just a sec, need to pull this stuff up on the remote console since I'm typing on my workstation right now).
krb5.conf:
Code:
[libdefaults]
        default_realm = VAL-U-TECH.LOCAL
        clockskew = 120
[realms]
        VAL-U-TECH.LOCAL = {
                kdc = 10.0.0.5
                default_domain = VAL-U-TECH.LOCAL
                admin_server = 10.0.0.5
        }
[domain_realm]
        .val-u-tech.local = VAL-U-TECH.LOCAL
[logging]
        admin_server = FILE:/var/log/log.kerberos
        kdc = FILE:/var/log/log.kdc
        kdc_rotate = {
                period = 1d
                versions = 20
        }
smb.conf (I'm sure there's a lot of stuff in here I don't need. I've commented out most of what I didn't understand/didn't think I needed, but there may be more, and some of it is almost definitely wrong. Some of it was used in various stages of my experimentation and I left it in there as a comment in case it triggered a solution down the road.):
Code:
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2008-04-23
[global]
        # Security/mapping stuff
        map to guest = Bad User
        # include = /etc/samba/dhcp.conf
        usershare allow guests = No
        add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/
        encrypt passwords = yes
        # Winbind stuff
        winbind separator = +
        winbind use default domain = yes
        winbind refresh tickets = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        realm = VAL-U-TECH.LOCAL
        workgroup = VAL-U-TECH
        security = ADS
        # Create home directories and default shell
        template homedir = /home/%D/%U
        template shell = /bin/bash
        # Extra/questionable stuff
        # password server = sbs-server.val-u-tech.local
        # printing = cups
        # printcap name = cups
        # printcap cache time = 750
        # cups options = raw
        # idmap backend = ldap:ldap://10.0.0.5:389
        # ldap group suffix = ou=Groups
        # ldap idmap suffix = ou=Idmap
        # ldap machine suffix = ou=Machines
        # ldap passwd sync = Yes
        # ldap suffix = dc=val-u-tech,dc=local
        # ldap user suffix = ou=Users
        # logon path = \\%L\profiles\.msprofile
        # logon home = \\%L\%U\.9xprofile
        # logon drive = P:
        # workgroup = VAL-U-TECH.LOCAL
        # wins server = 10.0.0.5
        # wins support = No
        # domain logons = No
        # domain master = No
        # passdb backend = ldapsam:ldap://10.0.0.5 smbpasswd
        # wins server = 10.0.0.5
        # wins support = No
        # ldap group suffix = ou=Groups
        # ldap idmap suffix = ou=Idmap
        # ldap machine suffix = ou=Machines
        # ldap passwd sync = Yes
        # ldap suffix = dc=val-u-tech,dc=local
        # ldap user suffix = ou=Users
        # idmap gid = 10000-20000
        # idmap uid = 10000-20000
        # realm = VAL-U-TECH.LOCAL
        # template homedir = /home/%D/%U
        # template shell = /bin/bash
        # winbind refresh tickets = yes
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
# [groups]
# comment = All groups
# path = /home/groups
# read only = No
# inherit acls = Yes
# [printers]
# comment = All Printers
# path = /var/tmp
# printable = Yes
# create mask = 0600
# browseable = No
# [print$]
# comment = Printer Drivers
# path = /var/lib/samba/drivers
# write list = @ntadmin root
# force group = ntadmin
# create mask = 0664
# directory mask = 0775
# BTW - this is my Samba share
[company]
        comment = New I Drive
        inherit acls = No
        path = /company
        read only = No
## Share disabled by YaST
# [netlogon]
Output from getent passwd:
Code:
Shows both local /etc/passwd file as well as passwords from AD. I will not post this output here for confidentiality reasons.
Output from getent group:
Code:
Shows both local /etc/group file as well as groups from AD. I will not post this output here for confidentiality reasons.
Output from wbinfo -u:
Code:
Shows ONLY AD users.
Output from wbinfo -g:
Code:
Shows ONLY AD groups
Output from wbinfo -t:
Code:
oes4:~ # wbinfo -t
checking the trust secret via RPC calls succeeded
oes4:~ #
Output from wbinfo -a username%password:
Code:
oes4:~ # wbinfo -a **********%*********
plaintext password authentication succeeded
challenge/response password authentication succeeded
oes4:~ #
Output from kinit -V username@domain:
Code:
Ummm...ok - this was working before. Now it says command not found. WTF...guess I need to go reinstall Kerberos now. Anyway, continuing on...the point is this worked fine, it would say something like "Kerberos 5 Authentication Succeeded."
Somewhat strange entry in /var/log/samba/log.winbindd (I think this may be part of the problem, and this was here before the kinit command stopped working as of 3 seconds ago. This happens every time I restart the winbind service):
Code:
[2010/02/24 16:05:47, 1] nsswitch/winbindd.c:main(990)
winbindd version 3.0.28-0.5-1657-SUSE-CODE10 started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
[2010/02/24 16:05:47, 1] lib/util_tdb.c:tdb_validate_and_backup(1334)
tdb '/var/lib/samba/winbindd_cache.tdb' is valid
[2010/02/24 16:05:47, 1] lib/util_tdb.c:tdb_validate_and_backup(1344)
Created backup '/var/lib/samba/winbindd_cache.tdb.bak' of tdb '/var/lib/samba/winbindd_cache.tdb'
[2010/02/24 16:05:47, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2230)
initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2010/02/24 16:05:47, 0] libsmb/cliconnect.c:cli_session_setup_spnego(859)
Kinit failed: KDC reply did not match expectations
I also see this all over the place in the winbindd log:
Code:
[2010/02/24 17:28:59, 1] nsswitch/winbindd_ads.c:query_user_list(215)
Not a user account? atype=0x30000000
[2010/02/24 17:28:59, 1] nsswitch/winbindd_ads.c:query_user_list(215)
Not a user account? atype=0x30000000
[2010/02/24 17:28:59, 1] nsswitch/winbindd_ads.c:query_user_list(215)
Not a user account? atype=0x30000000
[2010/02/24 17:28:59, 1] nsswitch/winbindd_ads.c:query_user_list(215)
Not a user account? atype=0x30000000
Thanks in advance for any help you can offer. I will be happy to post a detailed writeup here for you to sticky once I get this all working. I am close, just need to put the final pieces into place!
Please let me know if you need more information. As you have surely noticed, there's a reason my handle is "StupidNewbie".
Edit:
Oh, and of course - /etc/hosts:
Code:
#
# hosts This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#
127.0.0.1 OES4.val-u-tech.local OES4 localhost
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
10.0.0.4 oes4.ourdomain.com oes4
10.0.0.5 sbs-server.OUROTHERDOMAIN.LOCAL # Yes, this is in CAPS to make sure Kerberos doesn't bitch about it!
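An added offline sanity check, not part of the original post and not a diagnosis of it: the /etc/hosts and krb5.conf above are copied in as constructed strings (placeholder domain names kept as posted), and a small parser applies the checks an admin normally runs before reading "KDC reply did not match expectations" as a KDC-side problem: the realm is upper-case, the host's DNS domain is mapped to the realm in [domain_realm], the FQDN does not resolve to loopback, and the short hostname does not sit on two different addresses. The FQDN "oes4.val-u-tech.local" is assumed from the hostname OES4 and the realm in the post; HOSTS_FIXED is a constructed corrected variant.

```python
"""Consistency check for the name-resolution settings a Samba/Kerberos domain
member depends on. Added example; not from the original post or from Samba."""
import re

# Assumption: the server's intended FQDN, built from hostname OES4 + realm.
FQDN = "oes4.val-u-tech.local"

# Constructed copy of the posted /etc/hosts (placeholder domains as posted).
HOSTS_POSTED = """\
127.0.0.1 OES4.val-u-tech.local OES4 localhost
::1 localhost ipv6-localhost ipv6-loopback
10.0.0.4 oes4.ourdomain.com oes4
10.0.0.5 sbs-server.OUROTHERDOMAIN.LOCAL # Yes, this is in CAPS
"""

# Constructed corrected variant: loopback carries only localhost and the
# FQDN lives on the LAN address, so forward and reverse lookups agree.
HOSTS_FIXED = """\
127.0.0.1 localhost
::1 localhost ipv6-localhost ipv6-loopback
10.0.0.4 oes4.val-u-tech.local oes4
10.0.0.5 sbs-server.val-u-tech.local sbs-server
"""

# Constructed copy of the posted krb5.conf (logging section omitted).
KRB5_POSTED = """\
[libdefaults]
default_realm = VAL-U-TECH.LOCAL
clockskew = 120
[realms]
VAL-U-TECH.LOCAL = {
kdc = 10.0.0.5
default_domain = VAL-U-TECH.LOCAL
admin_server = 10.0.0.5
}
[domain_realm]
.val-u-tech.local = VAL-U-TECH.LOCAL
"""


def parse_hosts(text):
    """Return [(address, [names])] for each non-comment line of /etc/hosts."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            entries.append((addr, names))
    return entries


def parse_krb5(text):
    """Minimal krb5.conf parser: {section: {key: value}}. Keys inside a
    '{ }' block are prefixed with the block name, e.g. 'VAL-U-TECH.LOCAL.kdc'."""
    sections, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, stack = m.group(1), []
            sections.setdefault(section, {})
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(key)
            else:
                sections[section][".".join(stack + [key])] = value
    return sections


def check(hosts_text, krb5_text, fqdn):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    hosts = parse_hosts(hosts_text)
    krb = parse_krb5(krb5_text)
    realm = krb["libdefaults"]["default_realm"]
    fqdn = fqdn.lower()
    short, domain = fqdn.split(".", 1)

    # 1. Realm names are case-sensitive; the convention is upper-case.
    if realm != realm.upper():
        findings.append(f"default_realm {realm!r} is not upper-case")

    # 2. The host's DNS domain must map to the realm in [domain_realm].
    domain_realm = {k.lower(): v for k, v in krb.get("domain_realm", {}).items()}
    mapped = domain_realm.get("." + domain, domain_realm.get(domain))
    if mapped != realm:
        findings.append(f"[domain_realm] does not map .{domain} to {realm} (got {mapped!r})")

    # 3. The FQDN must not resolve to loopback: the name the KDC and clients
    #    see for this host must match a real interface address.
    for addr, names in hosts:
        if fqdn in (n.lower() for n in names) and addr.startswith("127."):
            findings.append(f"{fqdn} resolves to loopback {addr} in /etc/hosts")

    # 4. A short name on two addresses answers lookups inconsistently.
    addrs = sorted({addr for addr, names in hosts if short in (n.lower() for n in names)})
    if len(addrs) > 1:
        findings.append(f"short name {short!r} appears on several addresses: {addrs}")
    return findings


if __name__ == "__main__":
    for label, hosts in (("posted", HOSTS_POSTED), ("fixed", HOSTS_FIXED)):
        print(label, check(hosts, KRB5_POSTED, FQDN))
```

Run it to see which of the four checks fire on the posted files versus the corrected variant; the realm-case check is exercised by lower-casing default_realm in the embedded krb5.conf.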
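The question of how AD can control Unix filesystem permissions comes down to idmap: the kernel enforces numeric uids/gids, so a Samba ACL entry for an AD user or group is only as stable as the SID-to-id mapping behind it. The following added example (not code from the original post or from Samba) models that in pure Python so it runs offline. AllocatingIdmap hands out ids first-come from the posted range 10000-20000, which is how the default local tdb mapping behaves when no idmap backend is configured; rid_mapping() applies the arithmetic documented for Samba's idmap_rid backend, ID = RID - BASE_RID + LOW_RANGE_ID, which yields the same id on every server. The domain SID and the sample RIDs are constructed for the example.

```python
"""SID -> uid/gid mapping walkthrough. Added example, not Samba code."""
import re

# Range taken from the posted smb.conf: idmap uid/gid = 10000-20000
LOW, HIGH = 10000, 20000
# Constructed domain SID for the example (not the real VAL-U-TECH SID)
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
# Constructed sample accounts: Administrator (500), Domain Users (513), a user
SAMPLE_SIDS = [f"{DOMAIN_SID}-{rid}" for rid in (500, 513, 1105)]

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_sid(sid: str):
    """Return (domain_sid, rid); raise ValueError for a non-domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    a, b, c, rid = m.groups()
    return f"S-1-5-21-{a}-{b}-{c}", int(rid)


class AllocatingIdmap:
    """First-come allocation from a range. Ids depend on the order in which
    SIDs are first seen, so each server builds its own, different table."""

    def __init__(self, low=LOW, high=HIGH):
        self.low, self.high = low, high
        self.next_id = low
        self.table = {}

    def sid_to_id(self, sid: str) -> int:
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def rid_mapping(sid: str, domain_sid=DOMAIN_SID, low=LOW, high=HIGH, base_rid=0) -> int:
    """Deterministic mapping: ID = RID - BASE_RID + LOW_RANGE_ID (idmap_rid arithmetic).
    Only SIDs of the configured domain are mapped, and only inside the range."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        raise ValueError("SID belongs to another domain; not covered by this range")
    uid = rid - base_rid + low
    if not low <= uid <= high:
        raise ValueError(f"RID {rid} maps to {uid}, outside {low}-{high}")
    return uid


def is_mappable(sid: str, **kw) -> bool:
    """True if rid_mapping() would give this SID an id in range."""
    try:
        rid_mapping(sid, **kw)
        return True
    except ValueError:
        return False


def compare_servers(sids):
    """Simulate two servers that first see the same accounts in different
    order. Returns {sid: (allocated on server 1, allocated on server 2, rid)}."""
    s1, s2 = AllocatingIdmap(), AllocatingIdmap()
    for sid in sids:
        s1.sid_to_id(sid)
    for sid in reversed(sids):
        s2.sid_to_id(sid)
    return {sid: (s1.sid_to_id(sid), s2.sid_to_id(sid), rid_mapping(sid)) for sid in sids}


if __name__ == "__main__":
    for sid, (a, b, r) in compare_servers(SAMPLE_SIDS).items():
        print(f"{sid}: server1={a} server2={b} rid_backend={r}")
```

The practical consequence: a POSIX ACL set on /company with setfacl against a winbind-resolved name is stored as the number the mapping produced, so a second server, a restored backup or a rebuilt winbindd cache will show those entries as the wrong user unless the mapping is deterministic or shared (rid or ldap backend). Note also that with a RID-based scheme the range size bounds the RIDs you can map; see idmap_rid(8) for the smb.conf syntax of your Samba release.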