Hi Grant,

< ... delete old text ... you wrote >

> Your join is just fine. That err is the same as happens when I join and
> mine works excellently otherwise. The join is ok is the important part.
>
> There are various tests you can do to see if things are working:
> KERBEROS
> kinit usernamewithadminprivileges
> like:
> kinit karsten
> should ask for a password

works

> klist
> should return a ticket cache for the user just authenticated

works

> kdestroy
> should make it so when you do klist again there are no more tickets cached

works

> LDAP

I don't know. I'm confused, I thought I need winbind to connect to the Windows server. I thought that maybe my pam configuration is wrong. So my question: do I need winbind or ldap or both? Are there any modifications needed to my pam.d directory? I found a file named samba there.

Thanks
Karsten

> use ldapsearch like:
>
> ldapsearch -x -D
> 'cn=yourldapuserthatyouusetoauthenticate,ou=veryspecificou,ou=users,ou=yourou,dc=yourad,dc=yourdomain,dc=yourtld'
> -H ldaps://ldap.yourad.yourdomain.yourtld -W -b
> 'ou=yourou,dc=yourad,dc=yourdomain,dc=likecom'
>
> you don't have to be quite that specific but you get the idea. It
> returns all the users in your ou.
>
> you need to set your /etc/ldap.conf and /etc/ldap/ldap.conf (might be
> /etc/openldap/ldap.conf depending on your OS)
> to look at the right places, fer instance:
>
> /etc/ldap.conf
> ssl on
> port 636
> ldap_version 3
> tls_checkpeer no
> uri ldaps://ldap.yourldapurl
> # limit the base to your departmental OU, wider scopes can affect the output time and entries to be displayed
> binddn CN=yourkerberosldapaccount,OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
> #password for the AD user account used to bind to AD LDAP
> bindpw yourldapuserpassword
> base OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
> nss_map_objectclass posixAccount user
> nss_map_objectclass shadowAccount user
> nss_map_objectclass posixGroup group
> nss_map_attribute uid sAMAccountName
> nss_map_attribute uidNumber uidNumber
> nss_map_attribute gidNumber gidNumber
> nss_map_attribute cn sAMAccountName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute uniqueMember member
> nss_map_attribute loginShell loginShell
> nss_map_attribute shadowLastChange pwdLastSet
> pam_login_attribute sAMAccountName
> pam_filter objectclass=user
>
> and fer the odder wun:
>
> #/etc/ldap/ldap.conf or /etc/openldap/ldap.conf on some OS
> #Secure LDAP URI/Server
> uri ldaps://ldap.yourldapurl
> # restrict to your ou
> BASE OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
> # set to the cn for the kerberos user used for authenticating
> BINDDN cn=yourkerberosuser,OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
> # during testing switch off ssl cert checking, later you should install the certs from your ldap server and set this always
> TLS_REQCERT never
>
>
> if those tests are working and you have set up the ldap conf files right
> and nsswitch.conf as well you should get back the users/groups from
> your ou when you do
> getent passwd
> or getent group
>
> You might try nsswitch.conf settings like
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
> there's some description here:
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
> but you might also google for more.
>
> Have fun!
>
> Grant
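Added example, not from the thread: a small Python checker for the two ldap.conf-style files the quoted reply describes. It flags the testing-only settings the reply itself says to change later (tls_checkpeer no, TLS_REQCERT never), a plain ldap:// URI, and a clear-text bindpw. Hostnames and DNs in the samples are constructed.

```python
import re

# Settings the quoted reply calls testing-only: with these the client cannot
# tell a spoofed AD LDAP server from the real one, even over ldaps://.
INSECURE = {
    ("tls_checkpeer", "no"): "tls_checkpeer no disables server certificate checking",
    ("tls_reqcert", "never"): "TLS_REQCERT never disables server certificate checking",
}

def parse_ldap_conf(text):
    """Parse 'key value' lines of an ldap.conf-style file.
    Keys are case-insensitive, '#' lines are comments. Returns (key, value) pairs."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        pairs.append((key, value))
    return pairs

def audit_ldap_conf(text):
    """Return findings a defender would not leave in a production config."""
    findings = []
    for key, value in parse_ldap_conf(text):
        msg = INSECURE.get((key, value.lower()))
        if msg:
            findings.append(msg)
        if key == "uri" and re.match(r"ldap://", value, re.I):
            findings.append("uri uses plain ldap://; the bind password crosses the wire unencrypted")
        if key == "bindpw":
            findings.append("bindpw holds the AD bind password in clear text; keep the file mode 0600")
    return findings

# Constructed sample mirroring the testing-time /etc/ldap.conf from the thread.
TEST_CONF = """\
ssl on
port 636
uri ldaps://ldap.example.test
tls_checkpeer no
binddn CN=ldapbind,OU=unix,DC=AD,DC=example,DC=test
bindpw s3cret
base OU=unix,DC=AD,DC=example,DC=test
"""
# Same file once the LDAP server's CA cert is installed (tls_cacertfile is
# the nss_ldap/pam_ldap option name; path is an assumption).
PROD_CONF = TEST_CONF.replace("tls_checkpeer no",
                              "tls_checkpeer yes\ntls_cacertfile /etc/ssl/certs/ad-ca.pem")
# Constructed /etc/ldap/ldap.conf sample with the testing-only TLS_REQCERT.
CLIENT_CONF = "URI ldaps://ldap.example.test\nBASE OU=unix,DC=AD,DC=example,DC=test\nTLS_REQCERT never\n"
```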