Need more info. What version of Samba and Kerberos are you running? What does your /etc/nsswitch.conf look like? How about your /etc/pam.d/login, did you modify it? Have you tried kinit? klist? If so, what was the output?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark A. Holm
Sent: Wednesday, June 08, 2005 1:05 AM
To: [email protected]
Subject: [Samba] Problems with Samba and Windows 2003 Active Domain Server

Can somebody with experience making a RedHat Fedora Core 3 server with Samba installed work in a Windows 2003 Active Domain please give me some pointers?

I have a small installation with one Windows 2003 Server running as a domain controller for about 10 Windows XP machines. This is working just fine. I decided that I wanted to add a RedHat Fedora Core 3 server as a mail server, running Cyrus IMAP and OpenGroupware. The first thing that I wanted to do was get the Fedora machine working as a member of the domain and authenticating users from the domain for local login for mail and SSH access. I found several different tutorials on the web, including the one in the documentation on the samba.org site, about doing this and followed their instructions as closely as I could.

For the file samples included below, I have started with the files as supplied by RedHat and for the most part stripped out the comments for brevity here. I also changed some names to protect the innocent.
My smb.conf file looks like the following:

Smb.conf
[global]
        log file = /var/log/samba/%m.log
        load printers = yes
        idmap gid = 16777216-33554431
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        winbind trusted domains only = yes
        realm = PORTLAND-INT.CLIENT.COM
        winbind use default domain = yes
        template primary group = "Staff"
        template homedir = /home/%U
        template shell = /bin/bash
        dns proxy = no
        netbios name = mail
        cups options = raw
        server string = Mail Linux Samba Server
        winbind enum users = yes
        winbind enum groups = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        password server = server.portland-int.client.com
        workgroup = SKYLINE
        os level = 20
        os level = 20
        printcap name = /etc/printcap
        security = ads
        preferred master = no
        max log size = 50

[homes]
        comment = Home Directories
        browseable = no
        writeable = yes

; [netlogon]
;       comment = Network Logon Service
;       path = /home/netlogon
;       guest ok = yes
;       writable = no
;       share modes = no

;[Profiles]
;       path = /home/profiles
;       browseable = no
;       guest ok = yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        printable = yes

;[tmp]
;       comment = Temporary file space
;       path = /tmp
;       read only = no
;       public = yes

[public]
        comment = Public Stuff
        path = /home/samba
        public = yes
        read only = no
;       write list = @staff
EOF

The KRB5.conf file contains:

Krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = PORTLAND-INT.CLIENT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 PORTLAND-INT.CLIENT.COM = {
  kdc = server.portland-int.client.com:88
  admin_server = server.portland-int.client.com:749
  default_domain = portland-int.client.com
 }

[domain_realm]
 .portland-int.client.com = PORTLAND-INT.CLIENT.COM
 portland-int.client.com = PORTLAND-INT.CLIENT.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
EOF

After doing "/etc/init.d/smb restart; /etc/init.d/winbind restart", I was able to issue a "net ads -U administrator join CLIENT" command and received the "Welcome to the CLIENT domain" message.

At this point I can do either of:

wbinfo -a "CLIENT\\markh%MYPASSWD"
wbinfo -a "markh%MYPASSWD"

And receive the response:

plaintext password authentication succeeded
challenge/response password authentication succeeded

The next steps I tried were to do a wbinfo -u and a wbinfo -g. These looked close to the examples given, but lacked the domain specifier for the users that the other examples gave. Example output given below:

Wbinfo -u:
taaron
pfraser
DEBRA-DESKTOP$
markh
SALES-MGR$
ROGER-PC$
WAREHOUSE2$
kaycee
WAREHOUSE$
seanj
seane
amy
mail$

Wbinfo -g:
BUILTIN#System Operators
BUILTIN#Replicators
BUILTIN#Guests
BUILTIN#Power Users
BUILTIN#Print Operators
BUILTIN#Administrators
BUILTIN#Account Operators
BUILTIN#Backup Operators
BUILTIN#Users
Domain Admins
Domain Users
Domain Guests
Sales
QuickBooks Users
Act Users
QuoteWerks Users
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners

The next step it said to do was to issue a "getent passwd" and a "getent group". The passwd version only shows what is on the local Linux server, while the group version shows the local groups and the BUILTIN groups from the Active Directory. None of the Active Directory users or local groups are shown.
Example output below:

Getent passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
marktest:x:500:500:Mark Test Login:/home/marktest:/bin/bash
clamav:x:501:501:CLAM AV User:/home/clamav:/bin/bash
dspam:x:502:502:DSPAM User:/home/dspam:/bin/bash

Getent group:
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
dbus:x:81:
floppy:x:19:
vcsa:x:69:
nscd:x:28:
rpm:x:37:
haldaemon:x:68:
utmp:x:22:
netdump:x:34:
slocate:x:21:
sshd:x:74:
rpc:x:32:
rpcuser:x:29:
nfsnobody:x:65534:
mailnull:x:47:
smmsp:x:51:
pcap:x:77:
apache:x:48:
squid:x:23:
webalizer:x:67:
xfs:x:43:
ntp:x:38:
gdm:x:42:
named:x:25:
mailman:x:41:
mysql:x:27:
marktest:x:500:
clamav:x:501:
dspam:x:502:
BUILTIN#System Operators:x:16777216:
BUILTIN#Replicators:x:16777217:
BUILTIN#Guests:x:16777218:
BUILTIN#Power Users:x:16777219:
BUILTIN#Print Operators:x:16777220:
BUILTIN#Administrators:x:16777221:
BUILTIN#Account Operators:x:16777222:
BUILTIN#Backup Operators:x:16777223:
BUILTIN#Users:x:16777224:

Until I can get past that last step and see more than the BUILTIN groups and actually see users from the domain, I know that I cannot get authorization to work. Can somebody point out what I missed or help walk me through what is needed to make this work?

The one thing I have noted is that the profile file defined for the kdc in krb5.conf doesn't exist. Should it, and if so, what should it contain?

Any and all help greatly appreciated. It shouldn't be this hard to make Windows and Linux work together. Sigh!

markh
====================================================
Mark A. Holm
President
InfoArch, Inc.
7456 SW Baseline, PMB#123.
Hillsboro, OR 97123
Phone: (503) 750-9741
Fax: (503) 591-8584
http://www.infoarch.com
<mailto:[EMAIL PROTECTED]>

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
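The reply asks about /etc/nsswitch.conf for a reason: wbinfo talks to winbindd directly, while getent goes through NSS, so a working "wbinfo -u" next to a "getent passwd" that lists only local accounts is exactly what you see when the passwd and group lines lack a winbind source. The check below is an added example, not code from either poster; the two sample nsswitch.conf files it writes are constructed, and the stock one mirrors a files-only Fedora layout.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an nsswitch.conf routes
# passwd and group lookups through winbind, the prerequisite for getent
# passwd/group to list Active Directory accounts that wbinfo already shows.

# Prints the databases lacking winbind; returns 0 when both have it, 1 otherwise.
check_nsswitch() {
    file="$1"
    missing=""
    for db in passwd group; do
        # Drop comments, pick the line for this database, keep only its sources.
        sources=$(sed -e 's/#.*//' "$file" | awk -v db="$db" '$1 == (db ":") { $1 = ""; print }')
        case " $sources " in
            *" winbind "*) ;;                  # whole-word match on the source list
            *) missing="$missing $db" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "winbind missing from:$missing"
        return 1
    fi
    echo "passwd and group both consult winbind"
}

# Constructed samples: a files-only layout (the symptom) and the corrected one.
STOCK=$(mktemp)
FIXED=$(mktemp)
cat > "$STOCK" <<'EOF'
passwd:     files
shadow:     files
group:      files      # local groups only
hosts:      files dns
EOF
cat > "$FIXED" <<'EOF'
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
EOF

check_nsswitch "$STOCK" || echo "-> append winbind to the passwd and group lines, then re-run getent passwd"
check_nsswitch "$FIXED"
```

Run it against the real /etc/nsswitch.conf by calling check_nsswitch with that path; winbindd must also be running for getent to return anything even once the lines are right.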
