Christoph Scheeder wrote:

first:

STOP,

Too late, but not a problem. I was beginning to suspect the FreeBSD 5.x guide I was using was problematic. I just did a clean install of 5.3, and am installing software. I had already considered getting rid of ldap references. Should I also get rid of nss_ldap?


Thanks for the fresh pair of eyes looking at this for me.

TMS III


you want your samba-server to be a member server in ADS, do you?

then *remove* *all* bits referencing ldap from your smb.conf.

you entrust all user and group management to ADS via winbindd
and only via winbindd.

second:
you have configured winbindd not to give you the domain part
from ADS by setting:

winbindd use default domain = Yes

set it to no and you will get the domain part for your
domain users/groups

third:
don't use "/" as domain-separator in linux/unix.

Yeah, I thought about that I will switch back to _ as a separator.

it has special meaning (path-separator) and using it probably will give
you strange problems.

Christoph

Tom Skeren wrote:

Edward Wissner wrote:

I have similar issues, but am not using an ldap server, rather a W2k Active Directory domain controller.

Yes, so am I. The ldap server listed in ldap.conf is named w2000

And am not interested in logging into the linux server with AD.
Domain users and groups list without the domain ID for me as well. I don't know if that is proper as I have never seen a working setup.

No...it should be DOMAIN_NAME/user1 DOMAIN_NAME/group1 etc. The "/" is specified in smb.conf as winbindd separator.


I see my shares on the samba server from a w2k client, but am prompted again for usr/passwd when attempting to open a shared directory. That's when I get a failure.

Try mapping a drive by \\ip-addy\share....bet it works.

I'm ready to toss it and start over, migrating completely away from w2k AD and setting up an ldap directory instead.

I can't unfortunately.

Samba works great if I create my users locally.

It works pretty well as an NT style PDC, yes, but this project requires a samba server become a member server in ADS.


ed
    -----Original Message-----
    *From:* Tom Skeren [mailto:[EMAIL PROTECTED]
    *Sent:* Wednesday, December 08, 2004 10:32 AM
    *To:* Edward Wissner; samba
    *Subject:* Re: [Samba] ADS Authentication

    Edward Wissner wrote:

What did you change in your smb.conf file?

Well, I managed to get samba to authenticate, however, continued
winbindd problems make the setup worthless. Group searches fail,
or are incomplete. Domain users and groups list without domain
id. net groupmap fails. Attempts to re-join via "net ads join"
fail.
If you're interested, I have copied all the relevant config files here:


    _*smb.conf:*_

    workgroup = FSK
    realm = FSKLAW.NET
    server string = SSERVER
    netbios name = SSERVER
    security = ADS
    client schannel = Yes
    server schannel = Yes
    passdb backend = ldapsam:ldap://w2000.fsklaw.net
    socket options = TCP_NODELAY
    dns proxy = No
    ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
    ldap suffix = DC=fsklaw,DC=net
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = /
    winbind enum users = No
    winbind enum groups = No
    winbind use default domain = Yes
    dos filemode = Yes
    acl compatibility = win2k
    inherit acls = yes
    inherit permissions = yes

    [FSK]
       path = /home/FSK
       public = yes
       only guest = no
       browseable = yes
       writeable = yes
       printable = no
       create mask = 0777
       force create mode = 0777
       force directory mode = 0777
       directory security mask = 0777

    _*ldap.conf:*_
    host w2000.fsklaw.net
    base dc=fsklaw,dc=net
    ldap_version 3
    URI ldaps:w2000.fsklaw.net
    scope sub
    pam_login_attribute Administrator
    pam_password md5
    idle_timelimit 3600
    nss_base_passwd cn=Users,dc=fsklaw,dc=net?one
    nss_base_group cn=Users,dc=fsklaw,dc=net?one
    ssl on
    TLS_CACERT /etc/CA/fsk.pem
    tls_ciphers TLSv1
    sasl_secprops maxssf=0
    krb5_ccname FILE:/tmp/krb5cc_0

    _*nsswitch.conf:*_
    passwd: files winbind
    shadow: files winbind
    group: files winbind
    hosts: dns winbind ldap files nis
    automount: files winbind ldap nisplus
    aliases: files winbind ldap nisplus

    _*krb5.conf:*_

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     ticket_lifetime = 24000
     default_realm = FSKLAW.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     default_etypes = des-cbc-crc des-cbc-md5
     default_etypes_des = des-cbc-crc des-cbc-md5
     default_keytab-name = FILE:/etc/krb5.keytab
    [realms]

     FSKLAW.NET = {
      kdc = KERBEROS.FSKLAW.NET
      admin_server = w2000.fsklaw.net
      default_domain= fsklaw.net
     }

    [domain_realm]
     .fsklaw.net = FSKLAW.NET
     fsklaw.net = FSKLAW.NET
     .FSKLAW.NET = FSKLAW.NET
    .kerberos.server = KERBEROS.FSKLAW.NET
    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

    [pam]
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false

_*pam.d/login:*_
#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#


    # auth
    auth  required pam_nologin.so  no_warn
    auth  sufficient pam_self.so  no_warn
    auth  include  system
    auth  sufficient /usr/local/lib/pam_winbind.so
    # account
    account  requisite pam_securetty.so
    account  include  system
    account  sufficient /usr/local/lib/pam_winbind.so

    # session
    session  include  system

    # password
    password include  system

-----Original Message-----
From: Tom Skeren [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 07, 2004 4:04 PM
To: Jeremy Allison
Cc: samba
Subject: Re: [Samba] ADS Authentication


Jeremy Allison wrote:

It was an smb.conf issue. Authentication against ADS is now
functioning. Now it's time to wrestle with ACLs. Thanks for the help.

TMS III

On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:

I'm about ready to smash my head through a wall...I could use a few
answers.

1. When using security = ads, and completing net ads join, it was my
understanding that samba authenticated username/pword against ads, and
local posix accounts were no longer needed, is this true?

Yes, so long as you have nsswitch and pam set up correctly. It sounds
like you don't.

Jeremy.

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
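As an added check that is not part of the thread: a small Python script that parses an smb.conf in the style posted above and flags the three points Christoph raises for an ADS member server (ldap parameters left in alongside security = ADS, "/" as the winbind separator, and winbind use default domain = Yes). The first sample is constructed from the [global] values posted in the thread; the second is a constructed variant with the ldap lines removed, the separator set to "_" as Tom says he will do, and the default-domain setting turned off. The parser and the check functions are this example's own, not Samba's code.

```python
import re

# Constructed sample: the [global] and share settings posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
workgroup = FSK
realm = FSKLAW.NET
security = ADS
passdb backend = ldapsam:ldap://w2000.fsklaw.net
ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
ldap suffix = DC=fsklaw,DC=net
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = /
winbind use default domain = Yes

[FSK]
path = /home/FSK
writeable = yes
"""

# Constructed sample: the same member-server [global] section with the
# three points from the thread applied (no ldap lines, "_" separator,
# domain part kept in user and group names).
CORRECTED_SMB_CONF = """\
[global]
workgroup = FSK
realm = FSKLAW.NET
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = _
winbind use default domain = No
"""


def parse_smb_conf(text):
    """Parse smb.conf-style text into {section: {parameter: value}}.

    Section and parameter names are lower-cased with whitespace collapsed,
    so 'Winbind  Separator' and 'winbind separator' are the same key.
    Parameters before any [section] header are treated as [global].
    """
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = " ".join(header.group(1).split()).lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def check_ads_member(sections):
    """Return a list of findings for a security = ADS member server."""
    g = sections.get("global", {})
    findings = []
    if g.get("security", "").lower() == "ads":
        # Any 'ldap ...' parameter or an ldapsam passdb means local LDAP
        # account handling is still configured next to ADS/winbind.
        ldap_keys = [k for k in g if k.startswith("ldap ")]
        if g.get("passdb backend", "").lower().startswith("ldapsam"):
            ldap_keys.append("passdb backend")
        if ldap_keys:
            findings.append("ldap settings present with security = ADS: "
                            + ", ".join(sorted(ldap_keys)))
    if g.get("winbind separator") == "/":
        findings.append("winbind separator is '/', which is also the path separator")
    if g.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        findings.append("winbind use default domain = Yes strips the DOMAIN "
                        "part from user and group names")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_SMB_CONF), ("corrected", CORRECTED_SMB_CONF)):
        print(label + ":")
        for f in check_ads_member(parse_smb_conf(conf)) or ["no findings"]:
            print("  - " + f)
```

Running the script prints three findings for the posted configuration and none for the corrected one; pointing `parse_smb_conf` at the contents of a live /etc/samba/smb.conf works the same way.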
