getent passwd only pulls local info - getent group works?
I have two brand new boxes loaded up with RHEL4AS (2.6.9-67.ELsmp) and Samba 3.0.28a. I am trying to configure them to authenticate via Active Directory.
(I've marked out some info to not expose client info.)

My [smb.conf]
=============================
# Global Perameters
[global]
workgroup = D***
realm = d***.***.atosorigin-asp.com
preferred master = no
server string = Samba file servers
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
winbind use default domain = No
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
#give winbind users a real shell
template homedir = /home/%U
template shell = /bin/bash
password server = 1**.*.***.**
===========================
[nsswitch.conf] has the following entries:
passwd: files winbind
shadow: files winbind
group: files winbind
==========================
[krb5.conf]
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = D***.***.ATOSORIGIN-ASP.COM
default_etypes = dec-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_keytab-name = FILE:/etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
D***.***.ATOSORIGIN-ASP.COM = {
kdc = 1##.#.##.##
admin_server = 1##.#.##.##
default_domain = D**.***.ATOSORIGIN-ASP.COM
}

[domain_realm]
.d***.***.atosorigin-asp.com = D***.***.ATOSORIGIN-ASP.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
=============================
[/etc/pam.d/system-auth]
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
===========================

Now, wbinfo -u and wbinfo -g print out Active Directory users and groups as they should. getent group shows me Active Directory groups. But getent passwd only returns local users. And unfortunately, the port for Samba isn't opened on the firewall yet, so I can't test to see how Samba is working. Did I make a typo somewhere? Can you see something I've done wrong?
This might help you; my students had to join Samba to AD in a project last year. This is one of my top student's documentation:
http://www.bryntassell.ca/zambra/samba.php
You will also note that any delay in time will give you issues; ensure that the times are not out of sync by more than 4.59 seconds. Cheers, Brent.
Thank you. The time may be an issue. Everything else appears to be working properly and the users are able to log into the box with their AD credentials. I am going to try and find out today if the AD DCs are using the time servers.
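Added example, not part of any post in this thread: a shell sketch that turns the comparison from the first post (wbinfo -u lists domain users while getent passwd does not) into a repeatable check over captured command output. The function names, verdict strings and the EXAMPLE+ sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare what winbind enumerates with what NSS returns.
# Works on saved output so it can be run away from the affected host.

# has_winbind DB FILE: succeed if DB (passwd, group, ...) lists winbind in FILE
has_winbind() {
    awk -v db="$1:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
                     END { exit !ok }' "$2"
}

# missing_from_nss WBINFO_OUT GETENT_OUT: names from `wbinfo -u` output that
# do not appear as the first field of `getent passwd` output
missing_from_nss() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($0 in seen)' "$2" "$1"
}

# diagnose NSSWITCH WBINFO_OUT GETENT_OUT: print a one-word verdict
diagnose() {
    has_winbind passwd "$1" || { echo nsswitch-missing-winbind; return; }
    total=$(awk 'NF { n++ } END { print n + 0 }' "$2")
    missing=$(missing_from_nss "$2" "$3" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$total" -eq 0 ]; then echo winbind-enumerates-nothing
    elif [ "$missing" -eq 0 ]; then echo ok
    elif [ "$missing" -eq "$total" ]; then echo nss-returns-no-domain-users
    else echo nss-partial; fi
}

# Constructed sample that mirrors the symptom described in the thread:
# nsswitch.conf is correct, winbind enumerates users, NSS shows only local ones.
demo() {
    d=$(mktemp -d)
    printf 'passwd: files winbind\ngroup: files winbind\n' > "$d/nsswitch"
    printf 'EXAMPLE+alice\nEXAMPLE+bob\n' > "$d/wb"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/pw"
    diagnose "$d/nsswitch" "$d/wb" "$d/pw"
    rm -rf "$d"
}

# On the host itself, capture the two commands from the thread first:
#   wbinfo -u > /tmp/wb.txt; getent passwd > /tmp/pw.txt
#   diagnose /etc/nsswitch.conf /tmp/wb.txt /tmp/pw.txt
demo
```

A verdict of nss-returns-no-domain-users with a correct nsswitch.conf points the search at winbind's NSS side rather than at the domain join.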