tanveer |
12-22-2007 02:28 AM |
Asking for authentication even after getting authenticated with ADS
Dear all,
I need some help from all of you.
I am facing a problem after joining an Ubuntu PC to Windows Server 2003 and authenticating it with ADS. There is no problem with the authentication itself. But after logging in with an AD username and password, it keeps asking me for a password for almost everything, like getting access to a shared directory or a shared printer. After configuring Evolution I can easily get synchronized with Exchange Server 2003, but it keeps asking me for the password every time I try to open Evolution, when I want to reply to a mail, even when I try to open a new mail; almost for everything.
What I am trying to achieve here is to migrate all my users from the Windows to the Linux platform, and as a first step, authenticating Ubuntu 7.10 with Windows AD was successful. But now this authentication problem is getting in the way.
I followed the steps here for authenticating with Windows AD:
https://help.ubuntu.com/community/Ac...ryWinbindHowto.
I also posted it in the Ubuntu forum, but nobody seems to be interested, or maybe it's a dumb question to answer. The link is below:
http://ubuntuforums.org/showthread.php?t=635967
Here are the steps I followed along with above tutorial:
PHP Code:
Ubuntu Users Authentication through ADS

We have to install all the required packages as follows:

samba
samba-common (installed by default)
smbclient (installed by default)
winbind
openssh-server
openssh-client
Kerberos
krb5-config
krb5-user

Configuration Settings on Ubuntu

Verify Kerberos, LDAP, AD, and Winbind support

You will need to check you have support for Kerberos, LDAP, AD, and Winbind.

# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
...

# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
...

# smbd -b | grep ADS
WITH_ADS
WITH_ADS

# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND

If you're missing any of these options, you need to recompile Samba

Configure and Test Kerberos
------------------------------
/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = IMATION.COM

[realms]
IMATION.COM = {
kdc = ubuntu.imation.com
kdc = kubuntu.imation.com
kdc = edubuntu.imation.com
}

[domain_realm]
.kerberos.server = IMATION.COM

Be sure to use uppercase where applicable as shown above, and when you test the connection with kinit. If you mess up your cases, you will get an error “Cannot find KDC for requested realm while getting initial credentials”.

Test the connection with:

# kinit xp@IMATION.COM
Password for xp@IMATION.COM

Now here xp is the admin user with the admin right to join a PC to AD.

[root@pc-2165 squid]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xp@IMATION.COM

Valid starting     Expires            Service principal
09/30/07 18:44:17  10/01/07 04:44:27  krbtgt/IMATION.COM@IMATION.COM
        renew until 10/01/07 04:44:17

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Configure and Test Samba
------------------------
samba.conf

[global]
workgroup = IMATION
realm = IMATION.COM
server string = Linux Web Server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
preferred master = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +

[homes]
comment = Home Directories
valid users = %S
read only = yes
browseable = No

Save your changes and run 'testparm' to check for any syntax errors.

# testparm
# /etc/init.d/smb start

Finally, join your Samba machine to Active Directory:

# net ads join -U xp@IMATION.COM
xp@IMATION.COM's password:
Using short domain name -- IMATION
Joined 'SSO-ADS' to realm 'IMATION.COM'

If this works, shut down samba and enable winbind (as below). If not, you'll need to do some troubleshooting.

# ntlm_auth --username=<Any AD username>

you should get this output "NT_STATUS_OK: Success (0x0)"

Enabling Winbind

/etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files

Save your changes, and fire up winbind and Samba:

# service winbind stop
# /etc/init.d/smb start
# service winbind start

Confirm winbindd is running

# pgrep winbindd

You can verify winbind is working with:

# wbinfo -u
# wbinfo -g

Modify the PAM settings:

1) /etc/pam.d/common-account should contain only the following lines

account sufficient pam_winbind.so
account required pam_unix.so

2) /etc/pam.d/common-auth should contain only the following lines

auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so

3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below

password required pam_unix.so nullok obscure min=4 max=50 md5

4) Make sure the /etc/pam.d/common-session file contains the following lines

session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

5) Make a directory to hold domain user home directories

Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file

mkdir /home/IMATION
Any help will be greatly appreciated.
Thanks in advance.
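The realm-case warning in the Kerberos step above can be checked mechanically before running kinit. The following is an added example, not part of the original post: `parse_krb5` and `check_realms` are hypothetical helper names, the sample is constructed from the krb5.conf shown in the post, and the parser assumes that simple one-setting-per-line layout.

```python
import re

# Constructed sample mirroring the /etc/krb5.conf shown in the post.
SAMPLE_KRB5 = """[libdefaults]
default_realm = IMATION.COM
[realms]
IMATION.COM = {
  kdc = ubuntu.imation.com
}
[domain_realm]
.kerberos.server = IMATION.COM
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}, {domain: realm})."""
    section = realm = default_realm = None
    realms, domain_map = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif line == "}":
            realm = None
        elif "=" in line and not line.startswith("#"):
            key, val = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = val
            elif section == "realms" and val == "{":
                realm = key
                realms[realm] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(val)
            elif section == "domain_realm":
                domain_map[key] = val
    return default_realm, realms, domain_map

def check_realms(text, smb_realm=None):
    """Realm consistency findings; smb_realm is the 'realm =' value from smb.conf."""
    default_realm, realms, domain_map = parse_krb5(text)
    findings = []
    for name in {default_realm or "", *realms, *domain_map.values()}:
        if name != name.upper():
            findings.append(f"realm '{name}' is not uppercase")
    if default_realm not in realms:
        findings.append(f"default_realm '{default_realm}' has no [realms] entry")
    findings += [f"realm '{r}' lists no kdc" for r, k in realms.items() if not k]
    if smb_realm is not None and smb_realm != default_realm:
        findings.append(f"smb.conf realm '{smb_realm}' differs from default_realm")
    return sorted(findings)
```

An empty list means the realm names agree across the sections; each finding names the setting to correct.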