Sorry about the lengthy post - I'm putting as much in here as I can in hopes that someone can help me ferret out the problem. If anyone has an answer to any of this, I'd greatly appreciate it - we're a K-12 district and can't afford to pay a consultant, and we need to try to get this implemented before state-mandated online testing begins mid-November.

Basic problem is that domain users can't successfully log into the Linux box. I'm trying to set this box up as an LTSP server authenticating against our existing AD (although this is actually in a test lab - I didn't really want to trash anything real just yet). The test lab is configured as follows to duplicate the basic layout of our network:

LTSP-DC1: Win2k server ("more equal" than LTSP-DC2) running AD, DNS, DHCP, etc
LTSP-DC2: Win2k server ("less equal" than LTSP-DC1) configured same as DC1
LTSP-FS1: Win2k server serving a share called "Staff" with all the staff OU members' home directories
LTSP-STU: Win2k server serving a group of shares with the different student OU members' home directories.
LTSPSRV: SuSE 8.2 box with Samba 3.0, ultimately intended to be a terminal services box.

Compiling Samba 3.0 went fine on LTSPSRV, passing the following flags to the configure script:
--with-ads=yes --with-krb5=/usr/local/ --with-automount=yes --with-smbmount=yes --with-winbind=yes --with-pam=yes
Here's my smb.conf:

        [global]
        realm = LTSP.FOO.BAR
        workgroup = LTSP
        security = ADS
        encrypt passwords = yes
        winbind separator = +
        idmap uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        local master = no

(Note: the FOO.BAR isn't what's actually in there. It has a good FQDN.)
Kerberos is the current version from MIT.  Here's the krb5.conf

        [libdefaults]
                default_realm = LTSP.FOO.BAR
                dns_lookup_realm = false
                dns_lookup_kdc = true

        [realms]
                LTSP.FOO.BAR = {
                        kdc = ltsp-dc1
                        kdc = ltsp-dc2
                        default_domain = ltsp.foo.bar
                }

        [domain_realm]
        .ltsp.foo.bar = LTSP.FOO.BAR
        ltsp.foo.bar = LTSP.FOO.BAR

I can successfully join the domain using "net ads join -U username" and all that. Net ads info looks right, and smbd, nmbd, and winbindd start up successfully at boot (although winbindd shows up twice when I do "ps -ae | grep winbindd").

kinit [EMAIL PROTECTED] works as it should, I think. I get prompted for a password, and then klist shows the ticket, although the following also shows up with klist:

        Kerberos 4 ticket cache: /tmp/tkt0
        klist: You have no tickets cached

wbinfo -u shows all my top-level users, and wbinfo shows all my top-level groups - anyone in a secondary OU is not visible to wbinfo - problem 1.

Now, as root, I can change users to any domain user I want to without entering a password, using, for example:
su LTSP+fred
and "whoami" returns the correct value. However, if I log in as a local non-root account and try the same thing, or if I attempt to connect remotely using "ssh -l LTSP+fred" I get a failed password error even though I'm using a known-good password for that account. BIG problem #2.
I'm sure there's something simple that needs to be changed and all will suddenly Just Work. Once that happens, perhaps someone could answer this: how do I automatically map the home directory of a domain user to their AD-defined home directory (//ltsp-fs1/staff/fred <--> /home/LTSP/fred, for example)? I want to have no local storage for domain users on the linux box.

Thanks for reading this far, and I look forward to hearing an answer.

Regards,
Mike Ely

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
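The pattern reported above, where su to a domain user works for root but fails for an unprivileged user and over ssh, is exactly what a PAM stack without pam_winbind.so produces: root's su passes pam_rootok and never enters a password, while every other login path runs the auth and account stacks, which in that case only know /etc/passwd accounts. (Two winbindd entries in ps are expected with Samba 3.0; the daemon forks a child.) The shell script below is an added example, not part of the original post or of the Samba project: it audits /etc/pam.d service files for that condition. It assumes the per-service /etc/pam.d/<service> layout with "type control module [args]" lines, as on SuSE 8.2, and does not parse a single /etc/pam.conf; the two sample service files it creates are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): report whether PAM service files
# load pam_winbind.so in both their auth and account stacks.
# Assumption: per-service files under a pam.d-style directory, one
# "type control module [args]" entry per line; /etc/pam.conf is not handled.

# pam_has_winbind FILE TYPE
#   Returns 0 if a non-comment line of management group TYPE (auth, account,
#   password or session) loads pam_winbind.so, 1 otherwise.
pam_has_winbind() {
    awk -v t="$2" '
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == t && $0 ~ /pam_winbind\.so/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# pam_service_ready FILE
#   Returns 0 only if both the auth and the account stack consult winbind.
#   A file lacking either still rejects domain users for ssh and non-root su,
#   even though su run by root succeeds (root passes pam_rootok).
pam_service_ready() {
    pam_has_winbind "$1" auth && pam_has_winbind "$1" account
}

# audit_pam_services DIR SERVICE...
#   Prints one verdict per service; returns the number of services not ready.
audit_pam_services() {
    dir="$1"; shift
    bad=0
    for svc in "$@"; do
        if pam_service_ready "$dir/$svc"; then
            echo "$svc: winbind consulted in auth and account"
        else
            echo "$svc: domain logins will fail (pam_winbind.so missing from auth or account)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# --- constructed sample service files for the demonstration ---
PAM_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$PAM_DEMO_DIR"' EXIT
mkdir -p "$PAM_DEMO_DIR/before" "$PAM_DEMO_DIR/after"

# "before": a stack that only knows local /etc/passwd accounts
cat > "$PAM_DEMO_DIR/before/sshd" <<'EOF'
#%PAM-1.0
auth     required   pam_unix.so     nullok
account  required   pam_unix.so
session  required   pam_unix.so
EOF

# "after": winbind tried first, local accounts remain as the fallback;
# use_first_pass keeps the user from being prompted twice
cat > "$PAM_DEMO_DIR/after/sshd" <<'EOF'
#%PAM-1.0
auth     sufficient pam_winbind.so
auth     required   pam_unix.so     use_first_pass
account  sufficient pam_winbind.so
account  required   pam_unix.so
session  required   pam_unix.so
EOF

audit_pam_services "$PAM_DEMO_DIR/before" sshd   # reports the failing stack
audit_pam_services "$PAM_DEMO_DIR/after" sshd    # reports the winbind-ready stack
```

On a real host the same check is `audit_pam_services /etc/pam.d sshd su login`; every service a domain user is expected to log in through needs both stacks, and the "after" sample shows the ordering (pam_winbind sufficient before pam_unix with use_first_pass) that keeps local accounts working alongside domain ones.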