LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > SUSE / openSUSE
Old 07-16-2010, 10:58 AM   #1
jstalewski
LQ Newbie
 
Registered: May 2006
Posts: 4
SLES11, Samba, Kerberos, LDAP integration with Active Directory


I have a SLES11 x86_64 server running the versions of Samba, MIT Kerberos 5, SASL, OpenLDAP client supported by Novell, and have Active Directory integration as a member server working quite nicely, including enumeration of users and groups through nsswitch (getent passwd, getent group). That means in addition to authenticating to the Linux server using their AD identity, they also get filesystem permissions based on their AD identity and/or group membership using extended ACLs on the filesystems. This is in a multi-domain forest; all domains in the forest get enumerated.

I am trying to establish the same situation on a second SLES11 x86_64 server and have partial success - I can only enumerate users and groups through wbinfo -u and wbinfo -g, or individually using getent passwd <username>. This second system was upgraded from SLES10 SP2, but appears to be running all the same modules as the server that works. I tried using the exact same configurations for pam.d, ldap.conf, smb.conf, krb5.conf, nsswitch.conf, and establishing domain membership, but can't get it to work.

I have tried upgrading Samba from 3.2.7 (the Novell-supported version for SLES11) to 3.4.3 and 3.5.4, with mixed results. The problem with anything after 3.3 is that it no longer uses idmap domains, so it seems hit-or-miss which domain it decides to enumerate, when it does decide to enumerate a domain - and yes, I do have "winbind enum user = yes" and "winbind enum group = yes" set in smb.conf. Documentation for the proper usage of idmap in an AD environment post-3.3 is sketchy at best. I am back to the Novell "official" 3.2.7 version, since 3.4.3 and 3.5.4 also don't enumerate the users.

Does anyone have any insight as to where to look? Server is in DNS, both forward and reverse lookup zones. The computer is in the domain as a member server. The kerberos keytab is good, and I've had to re-create it several times through my troubleshooting efforts, both manually and automatically with the net ads join command. Logins appear to work fine. I have double- and triple-checked the libnss_winbind.so file, which is what I would assume to be the problem-child, and it has been replaced each time I have upgraded or downgraded Samba with the correct version for the version of Samba being installed. If I recall correctly, winbindd uses ldap to do the enumeration but I get no errors related to ldap. When I run getent passwd it lists the contents of the passwd file then sits for a minute or two before returning to the command prompt.

I think it has something to do with LDAP, but I am at a loss as to what. I can connect to a DC server with the LDAP browser in YaST and browse AD, using the user ID and password set up in ldap.conf, but it doesn't appear that the problem server is connecting to the AD DC like the fully functional server is, using the same LDAP bind user and credentials, to do the winbind enumeration.

Edit 7/22:

I did a strace on getent passwd and getent group and found I'm getting an ECONNREFUSED on the socket /tmp/.winbindd/pipe. I can't find anything via Google that applies to this situation, but that's where the getent enumeration breaks down.
Also, getent passwd <AD username> will properly enumerate the user in passwd file format; it just won't enumerate any AD users if you don't specify a user. More confusing is that getent group will enumerate a handful of AD groups after listing the contents of /etc/group. strace on getent group shows that it does get past /tmp/.winbindd/pipe and connects to /var/lib/samba/winbindd_privileged/pipe but only enumerates a few groups that are in a particular OU rather than all groups in the domain.

strace getent passwd <ad username> also shows that it's getting past /tmp/.winbindd/pipe and connecting to /var/lib/samba/winbindd_privileged/pipe. I need to track down why getent passwd gets that ECONNREFUSED at the /tmp/.winbindd/pipe stage, so any clues would be greatly appreciated.

Last edited by jstalewski; 07-22-2010 at 12:35 PM. Reason: More information
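A small set of diagnostic helpers for the symptom described in this post (a refused connect() on the winbind pipe while wbinfo still works), added here as an example and not part of the original thread. It assumes the socket paths named above, and checks smb.conf for the enumeration switches under the names documented in smb.conf(5), `winbind enum users` and `winbind enum groups`; the sample strace lines and smb.conf fragment are constructed, not real captures.

```shell
#!/bin/sh
# Added diagnostic helpers; not from the original post. Assumed socket paths:
# /tmp/.winbindd/pipe and /var/lib/samba/winbindd_privileged/pipe.

# Extract, from saved strace output (e.g. `strace -f -e trace=network getent
# passwd 2>strace.log`), every winbind socket whose connect() was refused.
# Prints one path per line; returns 1 when no refused connect() is found.
winbind_refused_from_strace() {
    found=$(grep -E 'connect\(.*"[^"]*(\.winbindd|winbindd_privileged)/pipe".*ECONNREFUSED' "$1" \
            | sed -E 's/.*"([^"]*)".*/\1/' | sort -u)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Check an smb.conf for the enumeration switches under the names documented
# in smb.conf(5). Reports each one that is absent or not enabled; returns 0
# only when both are set. (testparm -s also flags misspelt parameters with
# "Ignoring unknown parameter".)
smbconf_enum_ok() {
    rc=0
    for p in "winbind enum users" "winbind enum groups"; do
        grep -Eiq "^[[:space:]]*$p[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$" "$1" \
            || { echo "not enabled: $p"; rc=1; }
    done
    return $rc
}

# Live checks for a host that actually runs winbindd: are both sockets
# present, does winbindd answer a ping, and how many users does each path see?
winbind_live_check() {
    for s in /tmp/.winbindd/pipe /var/lib/samba/winbindd_privileged/pipe; do
        if [ -S "$s" ]; then echo "socket present: $s"; else echo "socket missing: $s"; fi
    done
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 2; }
    if wbinfo -p >/dev/null 2>&1; then echo "winbindd answers ping"; else echo "winbindd ping failed"; fi
    echo "wbinfo -u: $(wbinfo -u 2>/dev/null | wc -l) users, getent passwd: $(getent passwd | wc -l) entries"
}

# Constructed sample inputs (not real captures) to exercise the two parsers.
sample_dir=$(mktemp -d)
cat >"$sample_dir/strace.log" <<'EOF'
connect(3, {sa_family=AF_FILE, path="/tmp/.winbindd/pipe"}, 110) = -1 ECONNREFUSED (Connection refused)
connect(3, {sa_family=AF_FILE, path="/var/lib/samba/winbindd_privileged/pipe"}, 110) = 0
EOF
printf '[global]\n   winbind enum user = yes\n   winbind enum groups = yes\n' >"$sample_dir/smb.conf"

winbind_refused_from_strace "$sample_dir/strace.log"   # /tmp/.winbindd/pipe
smbconf_enum_ok "$sample_dir/smb.conf" || echo "smb.conf enumeration settings need attention"
```

Run `winbind_live_check` on the affected server itself; the other two functions work offline on a saved strace log and a copy of smb.conf.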
 
Old 08-02-2010, 02:10 PM   #2
jstalewski
LQ Newbie
 
Registered: May 2006
Posts: 4

Original Poster
Nobody has anything on this? Wow, guess I stumped the lot of you...
Tags
kerberos, ldap, samba, sles11, winbind