LinuxQuestions.org > Forums > Linux Forums > Linux - Server
02-24-2010, 04:11 PM   #1
StupidNewbie
Samba/Active Directory/SLES 10/Winbind/Kerberos


Ok, I figure this is probably going to be a complicated solution - so I am going to try to simplify the question(s) as much as possible.

Goal:

1. Use Active Directory to control security/authentication for a Samba share hosted on a Linux (SLES10/OES2) server.

Steps taken so far:

1. Install winbind/samba/kerberos/pam/etc.
2. Create Samba share.
3. Join SLES10 server to AD domain.
4. Configure krb5.conf, smb.conf.
5. Test connection to Samba share from Windows workstation via AD username/password (success).

What I'd like to do now:

1. Use AD to assign permissions to the files/folders in the Samba share (very confused on how this should work)

Details:

I have installed Winbind, Samba, Kerberos and PAM, but I am not using PAM. Currently I am able to map to the drive from Windows workstations using the AD usernames and passwords, that's all fine and dandy. Password changes on the AD side take effect on the Unix side when getent runs, so that works fine. I'm having a little trouble understanding how filesystem security can be controlled on Unix through AD, but everything I'm reading says it can be. I know that there are still kinks to work out, because some things don't seem right. I'll post the output I think is relevant and you can take it away from there and tell me if you need more information (coming in just a sec, need to pull this stuff up on the remote console since I'm typing on my workstation right now).

krb5.conf:

Code:
[libdefaults]
    default_realm = VAL-U-TECH.LOCAL
    clockskew = 120

[realms]
    VAL-U-TECH.LOCAL = {
        kdc = 10.0.0.5
        default_domain = VAL-U-TECH.LOCAL
        admin_server = 10.0.0.5
    }

[domain_realm]
    .val-u-tech.local = VAL-U-TECH.LOCAL

[logging]
    admin_server = FILE:/var/log/log.kerberos
    kdc = FILE:/var/log/log.kdc
    kdc_rotate = {
        period = 1d
        versions = 20
    }
smb.conf (I'm sure there's a lot of stuff in here I don't need. I've commented out most of what I didn't understand/didn't think I needed, but there may be more, and some of it is almost definitely wrong. Some of it was used in various stages of my experimentation and I left it in there as a comment in case it triggered a solution down the road.):

Code:
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2008-04-23

[global]

    # Security/mapping stuff

    map to guest = Bad User
    # include = /etc/samba/dhcp.conf
    usershare allow guests = No
    add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/
    encrypt passwords = yes

    # Winbind stuff

    winbind separator = +
    winbind use default domain = yes
    winbind refresh tickets = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    realm = VAL-U-TECH.LOCAL
    workgroup = VAL-U-TECH
    security = ADS

    # Create home directories and default shell

    template homedir = /home/%D/%U
    template shell = /bin/bash

    # Extra/questionable stuff

    # password server = sbs-server.val-u-tech.local
    # printing = cups
    # printcap name = cups
    # printcap cache time = 750
    # cups options = raw

    # idmap backend = ldap:ldap://10.0.0.5:389
    # ldap group suffix = ou=Groups
    # ldap idmap suffix = ou=Idmap
    # ldap machine suffix = ou=Machines
    # ldap passwd sync = Yes
    # ldap suffix = dc=val-u-tech,dc=local
    # ldap user suffix = ou=Users

    # logon path = \\%L\profiles\.msprofile
    # logon home = \\%L\%U\.9xprofile
    # logon drive = P:
    # workgroup = VAL-U-TECH.LOCAL
    # wins server = 10.0.0.5
    # wins support = No
    # domain logons = No
    # domain master = No
    # passdb backend = ldapsam:ldap://10.0.0.5 smbpasswd
    # wins server = 10.0.0.5
    # wins support = No
    # ldap group suffix = ou=Groups
    # ldap idmap suffix = ou=Idmap
    # ldap machine suffix = ou=Machines
    # ldap passwd sync = Yes
    # ldap suffix = dc=val-u-tech,dc=local
    # ldap user suffix = ou=Users
    # idmap gid = 10000-20000
    # idmap uid = 10000-20000
    # realm = VAL-U-TECH.LOCAL
    # template homedir = /home/%D/%U
    # template shell = /bin/bash
    # winbind refresh tickets = yes

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes

[profiles]
    comment = Network Profiles Service
    path = %H
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700

[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/

# [groups]
    # comment = All groups
    # path = /home/groups
    # read only = No
    # inherit acls = Yes
# [printers]
    # comment = All Printers
    # path = /var/tmp
    # printable = Yes
    # create mask = 0600
    # browseable = No
# [print$]
    # comment = Printer Drivers
    # path = /var/lib/samba/drivers
    # write list = @ntadmin root
    # force group = ntadmin
    # create mask = 0664
    # directory mask = 0775

# BTW - this is my Samba share
[company]
    comment = New I Drive
    inherit acls = No
    path = /company
    read only = No

## Share disabled by YaST
# [netlogon]

Output from getent passwd:
Code:
Shows both local /etc/passwd file as well as passwords from AD. I will not post this output here for confidentiality reasons.
Output from getent group:
Code:
Shows both local /etc/group file as well as groups from AD. I will not post this output here for confidentiality reasons.
Output from wbinfo -u:
Code:
Shows ONLY AD users.
Output from wbinfo -g:
Code:
Shows ONLY AD groups
Output from wbinfo -t:
Code:
oes4:~ # wbinfo -t
checking the trust secret via RPC calls succeeded
oes4:~ #
Output from wbinfo -a username%password:
Code:
oes4:~ # wbinfo -a **********%*********
plaintext password authentication succeeded
challenge/response password authentication succeeded
oes4:~ #
Output from kinit -V username@domain:
Code:
Ummm...ok - this was working before. Now it says command not found. WTF...guess I need to go reinstall Kerberos now. Anyway, continuing on...the point is this worked fine, it would say something like "Kerberos 5 Authentication Succeeded."
Somewhat strange entry in /var/log/samba/log.winbindd (I think this may be part of the problem, and this was here before the kinit command stopped working as of 3 seconds ago. This happens every time I restart the winbind service):
Code:
[2010/02/24 16:05:47, 1] nsswitch/winbindd.c:main(990)
  winbindd version 3.0.28-0.5-1657-SUSE-CODE10 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2010/02/24 16:05:47, 1] lib/util_tdb.c:tdb_validate_and_backup(1334)
  tdb '/var/lib/samba/winbindd_cache.tdb' is valid
[2010/02/24 16:05:47, 1] lib/util_tdb.c:tdb_validate_and_backup(1344)
  Created backup '/var/lib/samba/winbindd_cache.tdb.bak' of tdb '/var/lib/samba/winbindd_cache.tdb'
[2010/02/24 16:05:47, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2230)
  initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2010/02/24 16:05:47, 0] libsmb/cliconnect.c:cli_session_setup_spnego(859)
  Kinit failed: KDC reply did not match expectations
I also see this all over the place in the winbindd log:
Code:
[2010/02/24 17:28:59, 1] nsswitch/winbindd_ads.c:query_user_list(215)
  Not a user account? atype=0x30000000
[2010/02/24 17:28:59, 1] nsswitch/winbindd_ads.c:query_user_list(215)
  Not a user account? atype=0x30000000
[2010/02/24 17:28:59, 1] nsswitch/winbindd_ads.c:query_user_list(215)
  Not a user account? atype=0x30000000
[2010/02/24 17:28:59, 1] nsswitch/winbindd_ads.c:query_user_list(215)
  Not a user account? atype=0x30000000
Thanks in advance for any help you can offer. I will be happy to post a detailed writeup here for you to sticky once I get this all working. I am close, just need to put the final pieces into place!

Please let me know if you need more information. As you have surely noticed, there's a reason my handle is "StupidNewbie".

Edit:

Oh, and of course - /etc/hosts:

Code:
#
# hosts         This file describes a number of hostname-to-address
#               mappings for the TCP/IP subsystem.  It is mostly
#               used at boot time, when no name servers are running.
#               On small systems, this file can be used instead of a
#               "named" name server.
# Syntax:
#    
# IP-Address  Full-Qualified-Hostname  Short-Hostname
#

127.0.0.1       OES4.val-u-tech.local OES4 localhost

# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback

fe00::0         ipv6-localnet

ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts
10.0.0.4        oes4.ourdomain.com oes4
10.0.0.5        sbs-server.OUROTHERDOMAIN.LOCAL # Yes, this is in CAPS to make sure Kerberos doesn't bitch about it!

Last edited by StupidNewbie; 02-24-2010 at 04:48 PM.
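The three files posted above can be cross-checked mechanically. This is an added example for the thread, not the poster's or Samba's code: it parses constructed krb5.conf, smb.conf [global] and /etc/hosts snippets modelled on the ones above (with a lowercase realm and a dotted workgroup introduced on purpose) and reports the inconsistencies a Kerberos/winbind troubleshooter rules out first: the realm spelled differently in krb5.conf and smb.conf (Kerberos realm names are case-sensitive), a DNS-style workgroup where a NetBIOS name belongs, and the member's own FQDN pinned to 127.0.0.1 or placed outside the realm's DNS domain.

```python
"""Cross-check krb5.conf, smb.conf and /etc/hosts for an AD member host (added example for
this thread, not the poster's or Samba's code; the snippets are constructed from the post)."""
KRB5_CONF = """[libdefaults]
    default_realm = VAL-U-TECH.LOCAL
[realms]
    VAL-U-TECH.LOCAL = {
        kdc = 10.0.0.5
    }
"""
SMB_CONF = """[global]
    realm = val-u-tech.local
    workgroup = VAL-U-TECH.LOCAL
"""
HOSTS = """127.0.0.1   OES4.val-u-tech.local OES4 localhost
10.0.0.4    oes4.ourdomain.com oes4
10.0.0.5    sbs-server.val-u-tech.local
"""
def section(text, name):
    """Lower-cased key -> value pairs of one [name] section; '#' and ';' start comments."""
    out, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == name and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out
def check(krb5_conf, smb_conf, hosts, short_hostname):
    """Return a list of findings; an empty list means the three files agree."""
    findings, me = [], short_hostname.lower()
    krb_realm = section(krb5_conf, "libdefaults").get("default_realm", "")
    smb = section(smb_conf, "global")
    smb_realm, workgroup = smb.get("realm", ""), smb.get("workgroup", "")
    if krb_realm != smb_realm:  # Kerberos realm names are case-sensitive
        kind = "case" if krb_realm.lower() == smb_realm.lower() else "name"
        findings.append(f"realm {kind} mismatch: krb5.conf {krb_realm!r} vs smb.conf {smb_realm!r}")
    if "." in workgroup:  # workgroup is the NetBIOS domain name; realm is the DNS one
        findings.append(f"workgroup {workgroup!r} looks like a DNS name, not a NetBIOS domain name")
    for raw in hosts.splitlines():  # the member's own FQDN must not sit on loopback
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or me not in [n.split(".")[0].lower() for n in fields[1:]]:
            continue
        fqdns = [n.lower() for n in fields[1:] if "." in n]
        if fields[0].startswith("127.") and fqdns:
            findings.append(f"own FQDN {fqdns[0]!r} is pinned to loopback {fields[0]}")
        elif fqdns and not fqdns[0].endswith("." + krb_realm.lower()):
            findings.append(f"own FQDN {fqdns[0]!r} is outside the realm's DNS domain")
    return findings
```

Run as `check(KRB5_CONF, SMB_CONF, HOSTS, "oes4")`; against the real files, substitute the contents of /etc/krb5.conf, /etc/samba/smb.conf and /etc/hosts and the output of `hostname -s`.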
 
02-25-2010, 08:27 AM   #2
StupidNewbie
Bump! Still looking for some help on this if anyone has any insight.
 
03-09-2010, 02:08 PM   #3
StupidNewbie
No one has any info on this? I just got back from vacation, figured we'd have at least some brainstorming. Any ideas? Thanks again in advance, I'll keep plugging away at it.
 
03-16-2010, 10:10 AM   #4
mrsmith317
I just joined and it seems like KRB/SMB are sore subjects around here. If I understood your question properly, you want to assign permissions to the shares on the Linux server using the standard AD toolset, correct? I don't think things will work out how you would expect them to. What I do is the opposite. I create smb shares on the Linux server and assign Linux groups to those shares in smb.conf. Then assign Linux users (with Windows equivalence) to those groups. I'll try to show you what I mean.


smb.conf:
Code:
[interfaces]
path = /apps/interfaces
valid users = interface @mis
writeable = yes
force group = mis
inherit acls = yes
inherit permissions = yes

Windows User johndoe has a Linux account johndoe in the mis group. johndoe can access this samba share from his windows workstation. When I look at the permission set on the interfaces directory, I see:

drwxrwxr-x 6 root mis 4096 Mar 00 00:00 /apps/interfaces

and on the Windows side "root" and "mis" have special permissions, meaning that Windows doesn't care and will follow the Linux permission set.

Hope it helps!
 
03-17-2010, 08:22 AM   #5
StupidNewbie
Thanks for the response, but this is actually a little outdated now. I've made progress and have created a new thread - this is almost working. I will post back soon when I figure it out and do a tutorial. The solution will be immensely useful as it will allow you to use AD to log on to a Linux share via Samba, and use Windows Explorer via a Windows server to change permissions on the share and the files within it. In other words, in mixed environments, a single Windows server could be used to provide security/administration to the entire network, be it OSX, Linux or Windows.
 
  

