
winterMB 10-21-2010 07:31 AM

samba ROLE_DOMAIN_MEMBER security ads
 
centoS 5.5

[root@osra ~]# rpm -q samba3x
samba3x-3.3.8-0.52.el5_5.2

[root@osra ~]# rpm -q krb5-workstation
krb5-workstation-1.6.1-36.el5_5.5

domain controller windows 2k3 sp3

I followed these guides:


http://wiki.samba.org/index.php/Samb...tive_Directory
http://www.samba.org/samba/docs/man/...html#ch9-adsdc

I joined the domain, and I can authenticate a user:


[root@osra ~]# wbinfo -a mbottalico%#########
plaintext password authentication succeeded
challenge/response password authentication succeeded

[root@osra ~]# wbinfo -u
administrator
guest
krbtgt

[root@osra ~]# wbinfo -g
utenti wins
dhcp users
dhcp administrators
computer del dominio
controller di dominio

getent passwd and getent group work; domain entries appear without the "DOMAIN+" prefix.


kinit and klist work.


I can browse the Samba server, and I can enter the "tmp" share, but not "test" (access denied):


[root@osra ~]# smbclient \\\\osra\\test -U administrator
Enter administrator's password:
Domain=[DOMAINSHORT] OS=[Unix] Server=[Samba 3.3.8-0.52.el5_5.2]
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \* (I only noticed this while writing this post)

[root@osra ~]# smbclient \\\\osra\\tmp -U administrator
Enter administrator's password:
Domain=[DOMAINSHORT] OS=[Unix] Server=[Samba 3.3.8-0.52.el5_5.2]
smb: \> dir
. D 0 Wed Oct 20 15:15:23 2010
.. D 0 Wed Oct 20 11:42:23 2010
T0100000160 D 0 Wed Oct 20 12:33:32 2010
t01tty90 D 0 Wed Oct 20 11:42:23 2010
T01port-mb1 D 0 Thu Oct 21 15:21:51 2010
impexp D 0 Wed Jul 14 12:11:44 2010
T0100000140 D 0 Wed Oct 20 12:05:00 2010
dirvuota.txt A 0 Wed Nov 6 08:15:20 1991
t01tty01 D 0 Wed Oct 20 11:42:23 2010
aggiofix A 5237760 Thu Nov 17 20:27:58 2005
t01tty02 D 0 Wed Oct 20 11:42:23 2010
T0100000150 D 0 Wed Oct 20 12:16:10 2010

53488 blocks of size 2097152. 49908 blocks available
smb: \> q


0 blocks of size 0. 511 blocks available

Any help?



Config files:

/etc/krb5.conf

# Log destinations for the Kerberos libraries, the KDC and kadmind.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

# Client defaults: realm DOMAIN.COM, KDCs discovered through DNS (SRV
# records) rather than the realm name, forwardable 24h tickets.
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
# NOTE(review): both enctype lists are pinned to single-DES (des-cbc-crc,
# des-cbc-md5). Single-DES is a weak, long-deprecated Kerberos cipher; keep
# this restriction only if the 2003 domain controller genuinely cannot offer
# anything stronger — confirm, and drop these two lines once it can.
default_tkt_enctypes = des-cbc-crc; des-cbc-md5
default_tgs_enctypes = des-cbc-crc; des-cbc-md5

# Static realm definition; with dns_lookup_kdc = true above, the explicit
# kdc entry is used alongside whatever DNS advertises.
# NOTE(review): kdc and admin_server are spelled with different case
# (alpha.DOMAIN.com vs alpha.domain.com) — presumably the same host, since
# DNS names are case-insensitive; harmless, but worth making consistent.
[realms]

DOMAIN.COM = {
kdc = alpha.DOMAIN.com
admin_server = alpha.domain.com
default_domain = domain.com
}

# Maps the short domain name, the DNS domain and every host under it to the
# DOMAIN.COM realm.
[domain_realm]
shortdomain = DOMAIN.COM
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM

# pam_krb5 application settings. Bare integers in krb5.conf are seconds,
# so the 36000 lifetimes below are 10h, shorter than the 24h default in
# [libdefaults] — presumably intentional; confirm.
[appdefaults]

pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

/etc/smb.conf

# Domain-member configuration: this host authenticates against the
# DOMAIN.COM AD realm (security = ads) and resolves domain users and
# groups through winbind.
[global]
workgroup = SHORTDOMAIN
realm = DOMAIN.COM
preferred master = no
server string = Linux Machine
security = ads
encrypt passwords = yes
# NOTE(review): level 5 is debug-grade logging, written to one file per
# client machine (%m). Lower it once troubleshooting is finished — at this
# verbosity the logs grow quickly and record session and share-access
# detail that should not be retained long-term.
log level = 5
log file = /var/log/samba/%m
client use spnego = yes
client ntlmv2 auth = yes
max log size = 50
printcap name = cups
printing = cups
username map = /etc/samba/smbusers
winbind enum users = Yes
winbind enum groups = Yes
# With "use default domain" on, domain accounts are shown without a domain
# prefix (matches the wbinfo -u / getent output in the post); where a
# prefix is written explicitly, "+" is the domain/name separator.
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
# NOTE(review): the idmap range starts at 100, which on a typical CentOS 5
# install overlaps UIDs/GIDs of local system accounts — confirm there is no
# collision with /etc/passwd and /etc/group before relying on these mappings.
idmap uid = 100-20000
idmap gid = 100-20000
; template primary group = "Domain Users"
template shell = /bin/bash


# Standard CUPS printer share; not browseable, guest printing allowed.
[printers]
comment = All Printers
path = /var/spool/cups
browseable = no
printable = yes
guest ok = yes

# Restricted, writable share: only the listed domain user and group may
# connect.
[test]
comment = test
path = /u/test
# NOTE(review): the domain prefix used here is the realm (DOMAIN.COM),
# whereas workgroup in [global] is SHORTDOMAIN and wbinfo -u lists
# accounts with no prefix at all; presumably winbind matches on the short
# (NetBIOS) domain name — verify the exact form winbind expects with
# `wbinfo -u` / `getent group` before trusting this ACL. Per the follow-up
# post the access-denied error was cleared by chmod on the path, so the
# Unix permissions on /u/test must also grant the mapped user/group access.
Valid Users = DOMAIN.COM+user @DOMAIN.COM+group
writable = yes
browseable = yes

# NOTE(review): this share exports the system /tmp directory, writable, to
# unauthenticated guests (guest ok / public) with 0777 create and
# directory masks. It is labelled as a no-security test share; remove it,
# or point it at a dedicated directory without guest access, once the
# domain-auth test is finished.
[tmp]
comment = test-no-security-ads
path = /tmp
guest ok = yes
public = yes
browseable = yes
read only = no
create mask = 0777
directory mask = 0777

/etc/nsswitch.conf

# Name-service lookups: local files first, then winbind (AD) for users and
# groups — this is what makes getent passwd/group show domain accounts.
passwd: files winbind
# NOTE(review): winbind does not normally serve shadow entries, so the
# winbind source on this line is presumably a no-op — harmless, confirm.
shadow: files winbind
group: files winbind

hosts: files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

/etc/pam.d/system-auth


# auth: try local accounts (pam_unix) first, then the domain via winbind
# reusing the password already entered (use_first_pass); pam_deny fails the
# stack if neither succeeded.
# NOTE(review): nullok on pam_unix (here and on the password line) lets
# local accounts with an empty password field log in — confirm that is
# intended on a domain-joined server.
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

# account: pam_unix enforces local expiry; system accounts (uid < 100) pass
# quietly; winbind checks domain account status; the trailing pam_permit
# presumably makes the stack succeed for local users that matched neither
# sufficient module — confirm against the CentOS 5 default system-auth.
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so

# password: cracklib strength check, then local change (md5 hashing —
# presumably the CentOS 5 default; sha512 is stronger if this pam_unix
# supports it) or domain change through winbind.
password requisite pam_cracklib.so retry=3 type=
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_winbind.so use_first_pass
password required pam_deny.so

# session: resource limits, local session, winbind session (ticket/home
# handling). use_first_pass on a session line is presumably ignored —
# confirm.
session required pam_limits.so
session required pam_unix.so
session required pam_winbind.so use_first_pass

winterMB 10-21-2010 08:50 AM

Closed; resolved by running chmod on the share's filesystem path.

I'm dumb.

