LinuxQuestions.org
Old 10-01-2009, 05:36 AM   #1
wato83
LQ Newbie
 
Registered: Oct 2009
Posts: 3

Rep: Reputation: 0
Samba using Active Directory for authentication - Samba caching details


Here's the scenario:

The business I work for has over 50 servers that are on different sites across Australia. They are currently running CentOS with Samba running as its own separate domain on each site. We are being forced down the path of Active Directory as central authentication due to the rest of the business around the globe using AD.

We would like to keep using open source on all our file servers. We are also currently running CentOS 4.6 with Domino, DHCP and CUPS on all file servers.

What we have done so far:

We have configured a W2k3 server with the SP for the Unix module, where accounts, groups and computers have been added.
The Linux file servers have connected to the AD server.
wbinfo -u and -g show all the users and groups from the AD. We can change permissions on the Linux file server to users and groups from the AD.
Users can log in and map drives to the Samba shares, and connect and print to the Samba printer shares, which are backed by CUPS.

The two main issues we are having are:
1. It takes users 10x longer to copy files from one place on the share to another folder on the share when they are not in the admin users = group. When the user is in this admin users group, it copies files at the correct speed (i.e. not in the group, a 200 MB file copy takes 15 minutes; in the group, 200 MB takes 50 seconds). As you may also know, when they are in this admin users = group, they have access to all folders on the share.
2. Winbind does not seem to be caching the permissions: users can access the shares when the network link is up and the server can communicate with the AD domain controller, but as soon as the site network link goes down, users cannot access the shares until the link is restored. I did get this working in my dev environment, but it doesn't seem to be working after I upgraded the existing servers.
If anyone can help or has any suggestions, I would really appreciate it.

Here's some more technical info:
Samba version 3.0.33-0.17.el4

smb.conf
[global]
log file = /var/log/samba/%m
winbind offline logon = yes
idmap gid = 500-100000000
winbind trusted domains only = yes
idmap cache time = 900000
winbind enum users = Yes
winbind enum groups = Yes
encrypt passwords = yes
idmap backend = ad
winbind use default domain = yes
realm = DOMAIN.NET
use kerberos keytab = Yes
netbios name = PACSRV
server string = File Server
idmap uid = 500-100000000
ldap suffix = dc=domain,dc=net
workgroup = DOMAIN
os level = 20
ldap admin dn = cn=LDAP,cn=Users,dc=domain,dc=net
security = ads
syslog = 0
unix charset = LOCALE
ldap idmap suffix = dc=pacdomain,dc=net
winbind cache time = 900000
log level = 2
template homedir = /data/home/%u
winbind separator = +
#template shell = /bin/false
winbind nested groups = yes
printcap = cups
#printing = cups
printer admin = @DOMAIN.NET+it
winbind nss info = rfc2307

[home]
path = /data1/home/%u
comment = Home Directory
root preexec = /usr/local/sbin/mkhomedir.sh %u
directory mask = 0777
create mask = 0777
inherit owner = yes
write list = %u
read only = no
force create mode = 0755
force directory mode = 0755

[groups]
inherit owner = Yes
writeable = yes
admin users = @DOMAIN.NET+it
write list = @DOMAIN.NET+it
path = /data1/groups
create mask = 0777
comment = Group Data
directory mask = 0777

[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
guest ok = yes
writeable = No
printable = Yes
printer admin = @DOMAIN.NET+it

[print$]
comment = Print Drivers
path = /var/spool/samba/printers
guest ok = Yes
read only = No
browseable = yes
write list = @DOMAIN.NET+it

/etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so

/etc/ldap.conf
host 10.0.0.2
base dc=domain,dc=net
uri ldap://dc00.domain.net/
binddn ldap@domain.net
bindpw password
scope sub
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap
referrals no
ssl no
nss_base_passwd dc=pacdomain,dc=net?sub
nss_base_shadow dc=pacdomain,dc=net?sub
nss_base_group dc=pacdomain,dc=net?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos cn
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password md5
tls_cacertdir /etc/openldap/cacerts

/etc/nsswitch.conf
passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind
hosts: dns files
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: files
automount: files winbind
aliases: files

krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.NET
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
PACDOMAIN.NET = {
kdc = dc00.domain.net:88
admin_server = dc00.domain.net:749
kpasswd_server = dc00.domain.net:464
kpasswd_protocol = SET_CHANGE
default_domain = true
}

[domain_realm]
*.domain.net = DOMAIN.NET
.domain.net = DOMAIN.NET

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

krb.realms

.domain.net DOMAIN.NET

/etc/krb.conf

DOMAIN.NET dc00.domain.net:88
DOMAIN.NET dc00.domain.net:749 admin server

Ta
wato
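One way to audit share definitions like the ones above for the settings that matter in this thread (admin users, guest-writable shares, 0777 masks). This is an added example for this thread, not the poster's own tooling or anything from Samba; the embedded smb.conf fragment is constructed to mirror the [groups] and [print$] shares posted above.

```python
# Constructed sample mirroring the [groups] and [print$] shares posted above.
SAMPLE_SMB_CONF = """
[groups]
writeable = yes
admin users = @DOMAIN.NET+it
create mask = 0777
[print$]
guest ok = Yes
read only = No
write list = @DOMAIN.NET+it
"""
def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, '#'/';' comments skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")

def share_is_writable(share):
    # 'writeable'/'writable' are the inverse of 'read only'; Samba defaults to read only
    for key in ("writeable", "writable"):
        if key in share:
            return is_true(share[key])
    return not is_true(share.get("read only", "yes"))

def audit(conf):
    """Return (share, finding) pairs; 'write list' only adds writers, it never restricts."""
    findings = []
    for name, share in conf.items():
        if name.lower() == "global":
            continue
        if "admin users" in share:
            findings.append((name, "admin users grants root-equivalent file access"))
        if is_true(share.get("guest ok", "no")) and share_is_writable(share):
            findings.append((name, "guest-writable share (guest ok + not read only)"))
        for key in ("create mask", "directory mask"):
            if share.get(key, "").endswith("777"):
                findings.append((name, f"{key} = {share[key]} is world-writable"))
    return findings
```

Run it against a real file with `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; the guest-writable finding on print$ is the one worth acting on first, since that share holds printer drivers that clients download.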
 
Old 10-02-2009, 10:03 AM   #2
SethsdadtheLinuxer
Member
 
Registered: Jun 2007
Posts: 152

Rep: Reputation: 37
Just a thought... Why not set up a daemon to poll LDAP every 15 minutes (hour) and update a local repository (.htaccess?) instead of having a "live" dependency on LDAP? Right now you're at their mercy (ha ha) and by doing a poll update, you could be at least somewhat independent and save some bandwidth and other headaches.
 
Old 10-05-2009, 12:34 AM   #3
wato83
LQ Newbie
 
Registered: Oct 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Hi, thanks for the reply. Can you please provide me with some more details or some links regarding getting LDAP to update the local repository?
 
Old 10-06-2009, 10:02 AM   #4
SethsdadtheLinuxer
Member
 
Registered: Jun 2007
Posts: 152

Rep: Reputation: 37
YMMV, but this might be a good starting point:
http://search.cpan.org/~ghenry/Samba...a/LDAP/User.pm
 
Old 10-06-2009, 03:19 PM   #5
okcomputer44
Member
 
Registered: Jun 2008
Location: /home/laz
Distribution: CentOS/Debian
Posts: 241

Rep: Reputation: 51
I have made a Squid server with AD authentication and I had a problem with the caching mechanism.

I just simply didn't use the cached user information, because sometimes the authentication between the servers didn't work well.

Squid authenticated itself through Samba to join the AD.

Take a look at this site, it might help you: http://www.linuxmail.info/active-dir...amba-centos-5/

For me, just this one worked out properly with Squid.

Laz.
 
Old 10-06-2009, 06:37 PM   #6
wato83
LQ Newbie
 
Registered: Oct 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the replies.
I managed to fix both the caching issue and the file copying issue.

It turns out, after looking through log files, that I had the permissions on our group directory set as root:groupname, where I didn't worry about the username as it didn't have any permission to the group directories, but for some reason it was trying to look up root, which was not in the AD and thus had no Unix attributes. I then set up a gquota username (helps when using quotas to find the total of the group share) on the AD and it then works.

It now caches when the link goes down and users don't have to be in the admin users smb.conf group. This fixed the slowness of copying files from one place on the share to the other, as it was constantly trying to look up root.

The only issue that I am still having is that if the link goes down and then the user logs in, they cannot attach to the server. I will read up on the documents posted and see if I can get any more info from them.

Thanks again, I will post if I find anything else on logging in when it can't find the AD.
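The root cause described above (a share tree owned by an account with no Unix attributes in AD) can be caught ahead of time by listing every owner under the share and checking it against the idmap range. This is an added example for this thread, not the poster's own tooling; it assumes the 500-100000000 idmap range from the posted smb.conf and uses a hypothetical nss_resolver lookup that can be swapped out for testing.

```python
import os
import pwd
import grp

# idmap uid/gid range from the smb.conf posted in this thread (assumed the same on every server)
IDMAP_RANGE = (500, 100000000)

def collect_owners(root):
    """Walk root without following symlinks and return the set of (uid, gid) pairs found."""
    owners = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            owners.add((st.st_uid, st.st_gid))
    return owners

def nss_resolver(kind, ident):
    """Resolve a uid or gid through NSS (files, ldap, winbind in nsswitch.conf order);
    None means no source knows it, i.e. the id has no Unix attributes anywhere."""
    try:
        return pwd.getpwuid(ident).pw_name if kind == "uid" else grp.getgrgid(ident).gr_name
    except KeyError:
        return None

def classify_owners(owners, idmap_range=IDMAP_RANGE, resolver=nss_resolver):
    """Return (kind, id, finding) triples for ids that cannot be resolved or that
    belong to a local account outside the AD idmap range (e.g. root on an AD share)."""
    lo, hi = idmap_range
    findings = []
    # de-duplicate so each uid/gid is looked up (and reported) once
    ids = sorted({("uid", u) for u, _ in owners} | {("gid", g) for _, g in owners})
    for kind, ident in ids:
        name = resolver(kind, ident)
        if name is None:
            findings.append((kind, ident, "unresolvable: no Unix attributes in any NSS source"))
        elif not lo <= ident <= hi:
            findings.append((kind, ident, f"local account '{name}' outside idmap range"))
    return findings

def scan_share(root, idmap_range=IDMAP_RANGE, resolver=nss_resolver):
    """Collect owners under root and classify them."""
    return classify_owners(collect_owners(root), idmap_range, resolver)

if __name__ == "__main__":
    import sys
    for kind, ident, finding in scan_share(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind} {ident}: {finding}")
```

Run it on the server with the share path as the argument (e.g. /data1/groups); an owner reported as outside the idmap range is exactly the root:groupname case that caused the repeated AD lookups here.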
 
  

