Old 11-12-2009, 02:03 PM   #1
TheMadIndian (Member; registered Dec 2007; Distribution: Fedora Slackware CentOS slax RHEL; Posts: 117)
Slackware 13 + Active directory users


Hi all, I'm running a fresh install of Slackware 13. I removed the samba package that comes with Slackware and compiled the latest Kerberos, OpenLDAP and Samba sources.

I can enumerate users on Active Directory with wbinfo and getent, but I can't log in via ssh or the console. I can, however, su to any AD user once I am logged in as root, and set permissions by users and groups from AD.

Hoping someone can steer me in the right direction; I will post my configs if that helps.

Thanks
 
Old 11-22-2009, 08:19 PM   #2
TheMadIndian (Original Poster; Member; registered Dec 2007; Distribution: Fedora Slackware CentOS slax RHEL; Posts: 117)
I solved this with a small catch; if anyone wants to know how to do this, let me know. It's long, but it works, as I've now tested it on 3 separate Slackware 13 installs and one Slackware 12.2 install.
 
Old 11-23-2009, 05:43 AM   #3
Slax-Dude (Member; registered Mar 2006; Valadares, V.N.Gaia, Portugal; Distribution: Slackware; Posts: 528)
I was planning to try this out, but it's way over my head.
It would be great if you could help me out.

The goal here is making a distributed shared folder using Slackware, or perhaps Slax, and Samba so that my AD users can make files that have certain permissions.

I have zero experience with Samba + AD, so any help you can provide would be most appreciated.

Right now I'm avoiding the issue by having several Slax machines exporting a distributed RAID5 over AoE.
Since the array is mounted by a Win2k3 machine as a block device I don't have to configure Samba to work with AD...
Although it's working, it's not an ideal solution.
 
Old 11-23-2009, 06:08 AM   #4
TheMadIndian (Original Poster; Member; registered Dec 2007; Distribution: Fedora Slackware CentOS slax RHEL; Posts: 117)
Quote:
Originally Posted by Slax-Dude
I was planning to try this out, but it's way over my head.
It would be great if you could help me out.

The goal here is making a distributed shared folder using Slackware, or perhaps Slax, and Samba so that my AD users can make files that have certain permissions.

I have zero experience with Samba + AD, so any help you can provide would be most appreciated.

Right now I'm avoiding the issue by having several Slax machines exporting a distributed RAID5 over AoE.
Since the array is mounted by a Win2k3 machine as a block device I don't have to configure Samba to work with AD...
Although it's working, it's not an ideal solution.
Do you just need Samba shares to work and Slackware to be part of the domain, or do you want AD users to be able to ssh in or log in via the console? The catch with my config is that if you want to log in with an AD user via the console, you can't log in with a local user via the console, but you can still ssh in with a local user. Let me know and I'll post up the configs and steps.
 
Old 11-23-2009, 09:42 AM   #5
Slax-Dude (Member; registered Mar 2006; Valadares, V.N.Gaia, Portugal; Distribution: Slackware; Posts: 528)
Quote:
Originally Posted by TheMadIndian
Do you just need Samba shares to work and Slackware to be part of the domain, or do you want AD users to be able to ssh in or log in via the console?
No need for AD users to log in to the Linux box(es) at all.
 
Old 11-23-2009, 12:42 PM   #6
TheMadIndian (Original Poster; Member; registered Dec 2007; Distribution: Fedora Slackware CentOS slax RHEL; Posts: 117)
Quote:
Originally Posted by Slax-Dude
No need for AD users to log in to the Linux box(es) at all.
**Remove the Slackware samba package
Code:
slackpkg remove samba
**Save these downloads to the Downloads dir
Kerberos
http://web.mit.edu/Kerberos/dist/ (I used this one: http://web.mit.edu/Kerberos/dist/krb...1.7-signed.tar)

Berkeley DB (I used an old version that I know works with both versions of Slackware I mentioned and tested)
http://www.bayour.com/kerberos/sleepycat_3.0.55.tar.gz

OpenLDAP
http://www.openldap.org/software/download/ (I used this one: ftp://ftp.openldap.org/pub/OpenLDAP/...dap-2.4.19.tgz )

Samba
http://www.samba.org/samba/ftp/ (I used this one: http://www.samba.org/samba/ftp/samba-3.4.3.tar.gz )

**Start installing (Order does matter)
Kerberos
Code:
cd ~
# Extract source
tar -xvf Downloads/krb5-1.7-signed.tar
tar -xzvf krb5-1.7.tar.gz
# Configure source (-O2, capital letter O, is the optimisation flag; -02 is a typo gcc rejects)
cd krb5-1.7/src
./configure --prefix=/usr --enable-shared --with-ccopts="-g -O2 -D_REENTRANT" --localstatedir=/etc --mandir=/usr/share/man --without-tcl
# Compile and install
make all
make install
vi /etc/krb5.conf
Paste this and replace WHATEVER.COM with your domain and server.whatever.com with the FQDN of your domain controller
Code:
[libdefaults]
    default_realm = WHATEVER.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
    clockskew = 300

[realms]
    WHATEVER.COM = {
        kdc = server.whatever.com:88
        admin_server = server.whatever.com:749
        default_domain = whatever.com
        passwd_server = server.whatever.com
    }

[domain_realm]
    .whatever.com = WHATEVER.COM
    whatever.com = WHATEVER.COM

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
Test the installation (again replacing with your domain info (caps matter) and a valid AD user)
Code:
kinit aduser@WHATEVER.COM
klist
Berkeley DB
Code:
cd ~
# Extract source (the sleepycat tarball downloaded above, not cyrus-sasl)
tar -xzvf Downloads/sleepycat_3.0.55.tar.gz
# Configure source
cd sleepycat-3.0.55.orig/
cd build_unix/
../dist/configure
# Compile and install
make all
make install
OpenLDAP
Code:
cd ~
# Extract source
tar -xzvf Downloads/openldap-2.4.19.tgz
# Configure source. CPPFLAGS and LDFLAGS must be in configure's environment,
# so they are written as a prefix to ./configure (no semicolons between them).
cd openldap-2.4.19/
CPPFLAGS="-I/usr/local/BerkeleyDB.3.0/include" LDFLAGS="-L/usr/local/BerkeleyDB.3.0/lib" ./configure --prefix=/usr --sysconfdir=/etc/ldap --disable-debug --disable-ipv6 --with-tls --with-kerberos --with-cyrus-sasl --with-threads --enable-null --enable-kpasswd --enable-slapd --enable-crypt --enable-spasswd
# Compile and install
make depend
make all
make install
Samba
Code:
cd ~
# Extract source
tar -xzvf Downloads/samba-3.4.3.tar.gz
# Configure source
cd samba-3.4.3/source3/
./configure --prefix=/usr --sysconfdir=/etc/samba --with-privatedir=/etc/samba/private --with-ldap --with-ads --with-krb5=/usr --with-cifsmount --without-sys-quotas
# Compile and install
make all
make install
# Put the winbind/wins NSS modules where glibc looks for them
cd ..
cp nsswitch/libnss_wins.so /lib/
cp nsswitch/libnss_winbind.so /lib/
cd /lib/
ln -s libnss_wins.so libnss_wins.so.2
ln -s libnss_winbind.so libnss_winbind.so.2
Configure rc.samba (if it doesn't exist, create it and make it executable: /etc/rc.d/rc.samba)
Code:
#!/bin/sh
#
# /etc/rc.d/rc.samba
#
# Start/stop/restart the Samba SMB file/print server.
#
# To make Samba start automatically at boot, make this
# file executable:  chmod 755 /etc/rc.d/rc.samba
#

samba_start() {
  if [ -x /usr/sbin/smbd -a -x /usr/sbin/nmbd -a -r /usr/lib/smb.conf ]; then
    echo "Starting Winbind /usr/sbin/winbindd -D"
    /usr/sbin/winbindd -D
    echo "Starting Samba:  /usr/sbin/smbd -D"
    /usr/sbin/smbd -D
    echo "                 /usr/sbin/nmbd -D"
    /usr/sbin/nmbd -D
  fi
}

samba_stop() {
  killall smbd nmbd winbindd
}

samba_restart() {
  samba_stop
  sleep 2
  samba_start
}

case "$1" in
'start')
  samba_start
  ;;
'stop')
  samba_stop
  ;;
'restart')
  samba_restart
  ;;
*)
  # Default is "start", for backwards compatibility with previous
  # Slackware versions.  This may change to a 'usage' error someday.
  samba_start
esac
Configure smb.conf (if it doesn't exist, create it: /usr/lib/smb.conf) **(Caps matter; replace as before)
Code:
[global]
   workgroup = WHATEVER
   server string = Slackware Samba Server
   netbios name = slackserv
   security = ADS
   load printers = yes
   log file = /var/log/samba.%m
   max log size = 50
   realm = WHATEVER.COM
   password server = SERVER.WHATEVER.COM
   encrypt passwords = yes
   map to guest = never
   client use spnego = yes
#  idmap backend = rid:WHATEVER=10000-20000
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind separator = +
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
   template homedir = /home/%D/%u
   # level 10 is full debug output, handy while getting the join to work; lower it afterwards
   loglevel = 10
   passdb backend = tdbsam
   bind interfaces only = yes
   dns proxy = no
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes
Configure /etc/hosts (make sure the server name is properly set against its IP)
Code:
127.0.0.1		localhost
10.8.0.38		server.Whatever.com server
Test the install

Code:
grep nobody /etc/passwd          # should list the user nobody
ldd /usr/sbin/smbd | grep krb5   # should list the krb5 libraries
Join the domain if those were successful
Code:
net ads join -U administrator
If successful, start the services

Code:
/etc/rc.d/rc.samba start
Verify they are running
Code:
echo smbd processes; pgrep smbd; echo winbindd processes; pgrep winbindd; echo nmbd processes; pgrep nmbd
Test that you can retrieve an AD user
Code:
getent passwd aduser
Verify domain trusts
Code:
wbinfo -m
Test local shares
Code:
smbclient -L server -U%

And that's it. If you need AD login there are more steps, and the installation order changes a little for the missing packages.

Keep me posted on how it works out.

Last edited by TheMadIndian; 12-02-2009 at 08:25 AM. Reason: rid.so seems to be missing on some compiles
 
4 members found this post helpful.
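As an added example (not code from the thread, Samba or MIT Kerberos), the check below reads the three files the post has you edit, krb5.conf, smb.conf and nsswitch.conf, and reports the mismatches that most often make net ads join or getent passwd aduser fail: a realm that is not upper case or differs between the two files, a workgroup set to the DNS name instead of the NetBIOS name, an idmap range that overlaps local accounts, a widened clockskew (which also widens the window in which a captured Kerberos authenticator can be replayed), the loglevel = 10 debug setting left in, and a nsswitch.conf without winbind. The embedded sample files are constructed from the post's templates with the placeholder realm WHATEVER.COM; the 1000 local-uid boundary and the 300 s skew limit are assumptions.

```python
"""Pre-join consistency check for an AD member's krb5.conf, smb.conf and
nsswitch.conf.  Added example; the sample files are constructed from the
thread's templates (placeholder realm WHATEVER.COM), not real hosts."""
import re

# --- constructed samples, mirroring the post's templates ---------------------
KRB5_CONF = """
[libdefaults]
    default_realm = WHATEVER.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
    clockskew = 300
[realms]
    WHATEVER.COM = {
        kdc = server.whatever.com:88
        admin_server = server.whatever.com:749
        default_domain = whatever.com
    }
[domain_realm]
    .whatever.com = WHATEVER.COM
    whatever.com = WHATEVER.COM
"""

SMB_CONF = """
[global]
   workgroup = WHATEVER
   realm = WHATEVER.COM
   security = ADS
   password server = SERVER.WHATEVER.COM
#  idmap backend = rid:WHATEVER=10000-20000
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
   template shell = /bin/bash
   loglevel = 10
[homes]
   comment = Home Directories
"""

NSSWITCH_CONF = "passwd: files winbind\ngroup: files winbind\nhosts: files dns\n"


def parse_conf(text):
    """Parse the [section] / key = value / KEY = { ... } layout shared by
    krb5.conf and smb.conf into {section: {key: value or sub-dict}}.
    Indentation is ignored, so mixed tabs and spaces do not matter."""
    conf, stack = {}, [{}]            # stack[0] swallows keys before any section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = {}
            conf[line[1:-1].strip().lower()] = section
            stack = [section]
            continue
        if line == "}":               # end of a krb5.conf realm block
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if value == "{":              # start of a krb5.conf realm block
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    return conf


def check_ad_member(krb5_text, smb_text, nsswitch_text, max_skew=300):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    krb5, smb = parse_conf(krb5_text), parse_conf(smb_text)
    libdefaults, realms = krb5.get("libdefaults", {}), krb5.get("realms", {})
    realm = libdefaults.get("default_realm", "")

    # Kerberos realm names are case-sensitive; an AD realm is the upper-cased DNS domain.
    if not realm or realm != realm.upper():
        problems.append("krb5.conf: default_realm missing or not upper case")
    dns_kdc = libdefaults.get("dns_lookup_kdc", "false").lower() in ("true", "yes", "1")
    entry = realms.get(realm.lower())
    if not (isinstance(entry, dict) and "kdc" in entry) and not dns_kdc:
        problems.append("krb5.conf: no kdc for %s and dns_lookup_kdc is off" % realm)
    dom, domain_realm = realm.lower(), krb5.get("domain_realm", {})
    if domain_realm.get(dom) != realm or domain_realm.get("." + dom) != realm:
        problems.append("krb5.conf: [domain_realm] must map %s and .%s to %s" % (dom, dom, realm))
    # Widening clockskew enlarges the authenticator replay window; fix NTP instead.
    if int(libdefaults.get("clockskew", "300")) > max_skew:
        problems.append("krb5.conf: clockskew above %ds; fix time sync rather than widening it" % max_skew)

    g = smb.get("global", {})
    if g.get("security", "").lower() != "ads":
        problems.append("smb.conf: security must be ADS for a domain member")
    if g.get("realm", "").upper() != realm:
        problems.append("smb.conf: realm %r does not match default_realm %r" % (g.get("realm"), realm))
    workgroup = g.get("workgroup", "")
    if not workgroup or "." in workgroup or len(workgroup) > 15:
        problems.append("smb.conf: workgroup must be the short NetBIOS domain name, not the DNS name")
    for key in ("idmap uid", "idmap gid"):
        lo, _, hi = g.get(key, "").partition("-")
        if not (lo.isdigit() and hi.isdigit()) or int(lo) >= int(hi):
            problems.append("smb.conf: %s must be a LOW-HIGH range" % key)
        elif int(lo) < 1000:          # assumption: local accounts live below uid 1000
            problems.append("smb.conf: %s range collides with local account ids" % key)
    level = (g.get("log level") or g.get("loglevel") or "0").split()[0]
    if level.isdigit() and int(level) > 3:
        problems.append("smb.conf: log level %s is debug output; lower it once the join works" % level)

    for db in ("passwd", "group"):
        m = re.search(r"^\s*%s\s*:\s*(.*)$" % db, nsswitch_text, re.M)
        if "winbind" not in (m.group(1).split() if m else []):
            problems.append("nsswitch.conf: %s line must include winbind or getent/login will not see AD users" % db)
    return problems


if __name__ == "__main__":
    for p in check_ad_member(KRB5_CONF, SMB_CONF, NSSWITCH_CONF) or ["ok"]:
        print(p)
```

Against the real files, call check_ad_member with the contents of /etc/krb5.conf, /usr/lib/smb.conf (the path this build uses) and /etc/nsswitch.conf. The parser is deliberately its own few lines rather than configparser, because configparser treats the deeper-indented lines in the post's samples as continuation values and would misread a working configuration.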
Old 01-06-2010, 02:03 PM   #7
crabboy (Senior Member; registered Feb 2001; Atlanta, GA; Distribution: Slackware; Posts: 1,821)
Excellent, thanks. Saved me a lot of time.

I had trouble with the kinit step that this post helped with:
http://www.linuxquestions.org/questi...8/#post2380396

Also had to modify my nsswitch.conf from the default to use: files winbind
 
Old 01-06-2010, 02:06 PM   #8
SqdnGuns (Senior Member; registered Aug 2005; Pensacola, FL; Distribution: Slackware64® Current & Arch; Posts: 1,092)
Thumbs up

@ TheMadIndian, nice write-up, no doubt some will find it beneficial.
 
Old 01-29-2012, 01:17 PM   #9
gmjs (LQ Newbie; registered Feb 2010; UK; Distribution: Debian, CentOS, ArchLinux; Posts: 18)
Quote:
Originally Posted by TheMadIndian
And that's it. If you need AD login there are more steps, and the installation order changes a little for the missing packages.
Thanks for this guide; it's been very helpful.

Currently I have this working (Slackware 13.37 and later packages) but would also like to be able to use the AD accounts to log in. It'd be great if you could share how you achieved that too!

Many thanks,

Graham
 
Old 02-19-2012, 03:55 PM   #10
TheMadIndian (Original Poster; Member; registered Dec 2007; Distribution: Fedora Slackware CentOS slax RHEL; Posts: 117)
Quote:
Originally Posted by gmjs
Thanks for this guide; it's been very helpful.

Currently I have this working (Slackware 13.37 and later packages) but would also like to be able to use the AD accounts to log in. It'd be great if you could share how you achieved that too!

Many thanks,

Graham
I ran into a fair amount of issues with it in regard to time drift. I can't use that system for reference as it's currently a FreeNAS system.

I may have my notes on a server that is currently offline. I'll see if I can get it on and get my notes.

Post later
 
Old 02-21-2012, 04:55 AM   #11
santaslilslacker (Member; registered Nov 2007; Distribution: Slackware64_current; Posts: 45)
Quote:
Originally Posted by TheMadIndian
I ran into a fair amount of issues with it in regard to time drift. I can't use that system for reference as it's currently a FreeNAS system.
Post later
You can add your domain controller(s) or your preferred NTP server in /etc/ntp.conf as a time source (edit around line 19).
Code:
# NTP server (list one or more) to synchronize with:
#server pool.ntp.org iburst
server pdc.domain.local
server bdc.domain.local
In order to make it work, your DC(s) should either be the NTP source, as above, or have some NTP server themselves.
After editing ntp.conf, chmod +x /etc/rc.d/rc.ntpd and start it. To check time sync, issue

Code:
# ntpq -p
to verify.
If you don't like ntpd, you can add a crontab entry like this one that will do the same thing once per hour.
Code:
# crontab -e
59 * * * * /usr/sbin/ntpdate -b ntp.youlike.org
At least, all that above solved my issues with time drift. YMMV
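As an added example (not from the post), here is how to turn the ntpq -p table into a yes/no answer for Kerberos. MIT Kerberos rejects an authenticator whose timestamp differs from the KDC's clock by more than clockskew (300 s in the krb5.conf earlier in the thread), and kinit then reports "Clock skew too great"; the winbind join and AD logins fail the same way. The peer table embedded below is constructed, using the hypothetical pdc/bdc host names from the post; the 0.5 safety margin on the skew limit is an assumption.

```python
"""Decide from `ntpq -p` output whether the host clock is close enough to the
time source for Kerberos.  Added example; the peer table is constructed."""

# Constructed `ntpq -p` output.  The first column is ntpd's tally code:
# '*' = selected sys.peer, '+' = candidate, '-' = outlier, 'x' = falseticker,
# ' ' = not used.  `reach` is an octal shift register of the last 8 polls.
NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*pdc.domain.local 10.8.0.1         3 u   37   64  377    0.412   -1.234   0.567
+bdc.domain.local 10.8.0.1         3 u   40   64  377    0.501    2.100   0.700
 pool.ntp.org     .POOL.          16 p    -   64    0    0.000    0.000   0.000
"""


def parse_ntpq_peers(text):
    """Return one dict per peer line with tally, remote, stratum, reach
    (as an integer) and offset in milliseconds."""
    peers, seen_rule = [], False
    for line in text.splitlines():
        if line.startswith("==="):        # separator under the column header
            seen_rule = True
            continue
        if not seen_rule or not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:              # wrapped or truncated line; skip it
            continue
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields[:10]
        peers.append({
            "tally": tally,
            "remote": remote,
            "stratum": int(st),
            "reach": int(reach, 8),
            "offset_ms": float(offset),
        })
    return peers


def kerberos_skew_ok(peers, clockskew_s=300, margin=0.5):
    """True when ntpd has selected a peer, has reached it recently, and the
    measured offset is well inside the Kerberos clockskew window.  `margin`
    (assumption) leaves headroom so drift between polls cannot reach the limit."""
    sys_peer = next((p for p in peers if p["tally"] == "*"), None)
    if sys_peer is None:
        return False, "ntpd has not selected a time source yet (no '*' peer)"
    if sys_peer["reach"] == 0:
        return False, "selected peer %s is unreachable" % sys_peer["remote"]
    if sys_peer["stratum"] >= 16:
        return False, "selected peer %s is unsynchronised (stratum 16)" % sys_peer["remote"]
    skew_s = abs(sys_peer["offset_ms"]) / 1000.0
    limit_s = clockskew_s * margin
    if skew_s > limit_s:
        return False, "offset %.3fs to %s exceeds %.0fs (clockskew %ds)" % (
            skew_s, sys_peer["remote"], limit_s, clockskew_s)
    return True, "offset %.3fs to %s (stratum %d)" % (
        skew_s, sys_peer["remote"], sys_peer["stratum"])


if __name__ == "__main__":
    ok, why = kerberos_skew_ok(parse_ntpq_peers(NTPQ_OUTPUT))
    print("OK" if ok else "FAIL", why)
```

Feed it the live table with parse_ntpq_peers(subprocess.check_output(["ntpq", "-p"], text=True)) from a cron job or a monitoring check; a FAIL before kinit does is the cheapest way to tell a time-drift failure from a real credential problem.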
 
Old 02-26-2012, 11:31 AM   #12
TheMadIndian (Original Poster; Member; registered Dec 2007; Distribution: Fedora Slackware CentOS slax RHEL; Posts: 117)
Quote:
Originally Posted by gmjs
Thanks for this guide; it's been very helpful.

Currently I have this working (Slackware 13.37 and later packages) but would also like to be able to use the AD accounts to log in. It'd be great if you could share how you achieved that too!

Many thanks,

Graham
Sorry it took me so long.

A word of caution: Kerberos calls login.krb5, not login, for Kerberos auth. Once you make this change, local accounts will not be able to log in; you can reverse it by going into single-user mode.

Code:
mv -v /bin/login /bin/login.shadow && install -m755 -v /usr/sbin/login.krb5 /bin/login
I had ntpdate in rc.local, which is fine for boot, but follow what santaslilslacker said for ntpd; that is a much better solution to avoid drift.
 
  

