Well I made the changes you suggested but I am still not able to view
any other container contents. I even used the net ads cache flush to
see if I could get it to work.
Thanks for the suggestions.
Edward Brookhouse wrote:
Try changing your winbind separator to a + instead of a /
Here is my global in smb.conf
[global]
netbios name = GOETHE
server string = IT Dev Server
realm = CORP.PHILLIPS.COM
workgroup = CORP
password server = 172.17.17.110
security = ADS
encrypt passwords = yes
socket options = TCP_NODELAY
local master = no
dns proxy = yes
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
Then in my homes definition:
[homes]
comment = Home Directories
browseable = no
writable = yes
user = @"CORP+domain users"
Where 'CORP' is my domain
-----Original Message-----
From: Jason Gerfen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 2:26 PM
To: Edward Brookhouse
Subject: Re: [Samba] AD Authentication help please?
Here is the krb5.conf
<KRB5.CONF>
[libdefaults]
default_realm = DOMAIN.COM
clockskew = 300
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc
[realms]
DOMAIN.COM = {
kdc = 192.168.0.10
default_domain = domain.com
admin_server = 192.168.0.10
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}
now the contents of the smb.conf
<SMB.CONF>
[global]
#
# Network configuration
#
server string = odin-newb
workgroup = DOMAIN.COM
netbios name = ODIN-NEWB
realm = DOMAIN.COM
security = ADS
password server = 192.168.0.10
#
# Domain configuration options
#
prefered master = no
local master = no
domain master = no
prefered master = no
domain logons = no
#
# Security options
#
encrypt passwords = yes
update encrypted = yes
password level = 20
#
# Enumeration options
#
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
#
# User/Group mapping options
#
idmap uid = 15000-20000
idmap gid = 15000-20000
#
# LDAP/AD configuration options
#
ldap admin dn = "cn=XXXXX,ou=users,dc=domain,dc=com"
ldap delete dn = no
use spnego = yes
#
# Networking options
#
hide unreadable = no
wins support = no
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
#
# Miscellaneous options
#
os level = 20
template shell = /bin/bash
template homedir = /odin/%D/%U
load printers = no
#
# Logging options
#
log level = 4
log file = /var/log/samba.log.%m
The only container I can view (as far as using the wbinfo -u command)
is anything in
LDAP://192.168.0.10/OU=Test,DC=domain,DC=com # I can view these users
And the users I need to authenticate are in
LDAP://192.168.0.10/CN=auth,DC=domain,DC=com
???
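A small lint for the pitfalls this thread keeps circling (duplicate parameters, a DNS name in workgroup, a group reference whose domain separator does not match winbind separator as suggested a few messages up, malformed idmap ranges, and single-DES Kerberos enctypes in krb5.conf). This is an added example, not code from the thread or from Samba; the SMB_CONF and KRB5_CONF strings are constructed by condensing the excerpts posted above (the repeated prefered master line is kept on purpose) and the share restriction is written as valid users. The flat INI parser does not model the brace-nested [realms] blocks of krb5.conf, which is enough for the [libdefaults] check.

```python
import re
from collections import defaultdict

# Constructed sample: a condensation of the smb.conf posted in this thread
# (the repeated "prefered master" line is kept on purpose) with the share
# restriction written as "valid users" using the "+" separator form.
SMB_CONF = """\
[global]
  workgroup = DOMAIN.COM
  realm = DOMAIN.COM
  security = ADS
  prefered master = no
  local master = no
  prefered master = no
  winbind separator = /
  winbind enum users = yes
  idmap uid = 15000-20000
  idmap gid = 15000-20000
[homes]
  comment = Home Directories
  valid users = @"DOMAIN+domain users"
"""

# Constructed sample: the [libdefaults] section of the posted krb5.conf.
KRB5_CONF = """\
[libdefaults]
  default_realm = DOMAIN.COM
  default_tkt_enctypes = des-cbc-crc des-cbc-md5
  default_tgs_enctypes = des-cbc-crc
"""

SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}
GROUP_KEYS = ("valid users", "invalid users", "read list", "write list", "admin users")


def parse_ini(text):
    """Flat INI parser: {section: {key: [every value seen]}}. Keys are
    lower-cased and space-normalised like Samba does; duplicates are kept
    so they can be reported. Brace-nested krb5.conf blocks are not modelled."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())].append(value.strip())
    return sections


def lint_smb(conf):
    """Return (code, message) findings for common domain-member pitfalls."""
    smb = parse_ini(conf)
    g = smb["global"]
    findings = []
    # Samba silently takes the last occurrence of a repeated parameter.
    for key, values in g.items():
        if len(values) > 1:
            findings.append(("duplicate-key", f"[global] sets '{key}' {len(values)} times; only the last one wins"))
    # In security = ADS, workgroup is the short NetBIOS domain name (max 15 chars);
    # the DNS name belongs in realm.
    workgroup = g.get("workgroup", [""])[-1]
    if "." in workgroup or len(workgroup) > 15:
        findings.append(("workgroup-not-netbios", f"workgroup '{workgroup}' looks like a DNS name; it should be the short NetBIOS domain name (realm carries the DNS name)"))
    # DOMAIN<sep>group references in share lists must use the configured separator.
    sep = g.get("winbind separator", ["\\"])[-1]
    for section, params in list(smb.items()):
        for key in GROUP_KEYS:
            for value in params.get(key, []):
                for token in re.findall(r'[@+&]+"[^"]+"|[@+&]+\S+', value):
                    name = token.lstrip("@+&").strip('"')
                    if sep not in name and any(c in name for c in "\\/+"):
                        findings.append(("separator-mismatch", f"[{section}] {key}: '{name}' is not written with winbind separator '{sep}'"))
    for key in ("idmap uid", "idmap gid"):
        for value in g.get(key, []):
            m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            if not m or int(m.group(1)) >= int(m.group(2)):
                findings.append(("idmap-range", f"{key} = '{value}' is not a valid low-high range"))
    return findings


def lint_krb5(conf):
    """Flag single-DES enctypes in [libdefaults]; DES is deprecated for Kerberos (RFC 6649)."""
    findings = []
    libdefaults = parse_ini(conf)["libdefaults"]
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for value in libdefaults.get(key, []):
            weak = [e for e in value.split() if e.lower() in SINGLE_DES]
            if weak:
                findings.append(("weak-enctype", f"{key} lists single-DES enctypes {weak}; prefer AES enctypes and drop DES"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_smb(SMB_CONF) + lint_krb5(KRB5_CONF):
        print(f"{code:22} {msg}")
```

Run it against your own files with `lint_smb(open("/etc/samba/smb.conf").read())`; a clean run returns an empty list, and the separator check is the one to re-run after changing winbind separator, since every DOMAIN+group reference in share lists has to be rewritten to match.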
Edward Brookhouse wrote:
No need to be sorry :)
That link you sent speaks to adding the Computer into a particular
container - nothing about users.
What is the layout of your domain? Which container can you see? Which
can you not?
How is your realm setup in krb5.conf ?
-----Original Message-----
From: Jason Gerfen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 2:10 PM
To: Edward Brookhouse; [email protected]
Subject: Re: [Samba] AD Authentication help please?
Strange, I guess that is my misunderstanding of how it acquires the
list of users when running a wbinfo -u command.
Yep, here is the output:
[EMAIL PROTECTED]:~> sudo net ads join -U [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password: xxxxxx
Using short domain name -- DOMAIN.COM
Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
And when I check to see if it is available within Active Directory
(member server of Win2k domain) I can clearly see the
CN=odin-newb,cn=computers,dc=domain,dc=com listed in the appropriate
container.
My problem at this point is the only users I can view are in a
different container. You say you can view all users for all containers
right?
Well after joining the domain the first time I followed the
samba3-howto and attempted to point to a container of users and now
those are the only ones I can view.
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-create-machine-account
I am sorry about any confusion.
Edward Brookhouse wrote:
I still do not understand what you mean by map ?
In my setup wbinfo -u shows me 'everything' regardless of the
container it's in.
It sounds like you think there should be some kind of authentication
mapping but there does not need to be one -
By adding the computer to the domain - and setting up the kerb conf -
when an auth request hits samba he will hand it to the domain and the
domain should do a recursive search for user objects under
dc=your,dc=toplevel,dc=com
The only reason you see the ou=Users in your trace is because Admin
lives in ou=Users by default.
Can you authenticate ? Have you tried?
-----Original Message-----
From: Jason Gerfen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 1:46 PM
To: Edward Brookhouse
Subject: Re: [Samba] AD Authentication help please?
Sorry, I suppose I am leaving things out.
I am able to see the machine in the computers container after I
successfully joined the domain using the net ads join command.
However while trying (multiple times) to map to the CN=users container
in Active directory I mapped to an OU=otherUsers which is now what I
see when I do a wbinfo -u command.
If what you are saying is correct about the default mapping to the
cn=users I need to revert back to this somehow.
Edward Brookhouse wrote:
Try to forget about where the users live for a sec - get the computer
in the domain first. Your net ads join command should return a welcome
to the domain; if it does not - use a net rpc join command in the same
fashion -
Then go look in AD to see if that computer showed up in your
Computers container -
If It did great .. you should be golden
If not - go back to the net join until it works :)
-----Original Message-----
From: Jason Gerfen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 21, 2005 1:22 PM
To: Edward Brookhouse
Subject: Re: [Samba] AD Authentication help please?
Hmm, that might be my problem. I am using the HOWTO and running the
commands in this order:
%> net ads join -U <username>
%> kinit <username>
%> net ads join -U <username> "users" as the container which is not
found.
Do I need to do a net ads leave command? In order to attempt a new
mapping for the users container?
Edward Brookhouse wrote:
I'm still confused on what you are saying - here is why:
# net ads join
Should join the 'computer' to the domain - the user should already be
in there - the ou=users is the default implied container where users
live, but it should not matter where the users are in the directory -
For example -
My domain is laid out like:
dc=corp,dc=example,dc=com
with ou=users being where admin lives
but all my other users live in ou=HD,ou=7811
once you do net ads join the computer should show up in the Computers
container.
-----Original Message-----
From: Jason Gerfen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 20, 2005 3:35 PM
To: Edward Brookhouse; [email protected]
Subject: Re: [Samba] AD Authentication help please?
When joining the samba box to a domain:
%> net ads join -U <username>
%> kinit [EMAIL PROTECTED]
%> net ads join -U <username> <LDAP/AD Container of users>
The last command fails and when doing an strace you can clearly see
that it is expecting an Organizational Unit (OU) vs. a Common Name (CN)
which is where the users I need to authenticate are currently residing.
Do I need to move these to an OU vs. a CN? Here is the strace output
I am referring to:
%> strace -o tmp net ads join -U "Admin" "users"
(only including pertinent lines with searching for container to map to)
write(6, "0C\2\1\5c>\4\36ou=users,dc=DOMAIN,dc=COM"..., 69) = 69
<-- here is the hard coded ou, I am not 100% familiar with the LDAP RFC
but on a windows Active Directory there are CN and OU containers
See how it is appending the OU=USERS?
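To read that write() buffer, here is an added example (not code from the thread or from Samba) that undoes strace's octal escapes and walks the BER encoding of the LDAPMessage just far enough to name the operation and pull out the SearchRequest's baseObject. It also reports when the declared DN length exceeds the bytes strace actually printed: in the posted line the OCTET STRING header announces 30 bytes but only 25 are visible, so the trailing "..." is hiding the end of the DN. Only the message envelope and the first SearchRequest field are decoded; the scope, filter and attribute list that follow are not. STRACE_LINE is the line posted above, copied verbatim.

```python
import re

# The strace line as posted in this thread: net ads join writing an LDAP
# message to the DC. The trailing "..." is strace cutting the buffer off.
STRACE_LINE = r'write(6, "0C\2\1\5c>\4\36ou=users,dc=DOMAIN,dc=COM"..., 69) = 69'

# LDAP protocolOp application tags (RFC 4511), enough to name what we see.
LDAP_OPS = {0: "BindRequest", 1: "BindResponse", 2: "UnbindRequest",
            3: "SearchRequest", 4: "SearchResultEntry", 5: "SearchResultDone",
            6: "ModifyRequest", 8: "AddRequest", 10: "DelRequest",
            23: "ExtendedRequest"}


def unescape_strace(literal):
    """Convert the C-style string strace prints back into bytes. strace
    uses octal escapes, so \\36 is 0o36 == 30, not 0x36."""
    out = bytearray()
    i = 0
    while i < len(literal):
        if literal[i] != "\\":
            out.append(ord(literal[i]))
            i += 1
            continue
        i += 1
        m = re.match(r"[0-7]{1,3}", literal[i:])
        if m:
            out.append(int(m.group(0), 8))
            i += len(m.group(0))
        else:
            out.append({"n": 10, "t": 9, "r": 13, "\\": 92, '"': 34}[literal[i]])
            i += 1
    return bytes(out)


def read_tlv(buf, pos):
    """Read a BER tag and length at buf[pos:]; return (tag, length, value_start)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def decode_ldap_request(buf):
    """Decode the LDAPMessage envelope and, for a SearchRequest, its baseObject.
    The result notes whether fewer DN bytes are present than the encoding
    declares, which is what a truncated strace buffer looks like."""
    tag, msg_len, p = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must start with a SEQUENCE (0x30)")
    tag, n, p = read_tlv(buf, p)
    if tag != 0x02:
        raise ValueError("expected INTEGER messageID")
    message_id = int.from_bytes(buf[p:p + n], "big")
    p += n
    op_tag, _op_len, p = read_tlv(buf, p)
    if op_tag & 0xC0 != 0x40:
        raise ValueError("protocolOp must be an APPLICATION-class tag")
    op = op_tag & 0x1F
    result = {"message_id": message_id, "message_length": msg_len + 2,
              "protocol_op": LDAP_OPS.get(op, f"application-{op}")}
    if op == 3:                           # SearchRequest: first field is baseObject
        tag, dn_len, p = read_tlv(buf, p)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING baseObject")
        present = buf[p:p + dn_len]
        result.update(base_dn=present.decode("utf-8", "replace"),
                      base_dn_declared_len=dn_len,
                      base_dn_truncated=len(present) < dn_len)
    return result


def parse_strace_write(line):
    """Pull the buffer out of an strace write(fd, "...", n) line and decode it."""
    m = re.match(r'write\((\d+), "(.*)"(\.\.\.)?, (\d+)\)\s*=\s*(-?\d+)', line)
    if not m:
        raise ValueError("not an strace write() line")
    result = decode_ldap_request(unescape_strace(m.group(2)))
    result["strace_truncated"] = m.group(3) is not None
    # The SEQUENCE length plus its 2-byte header should equal the write() count.
    result["length_matches_syscall"] = result["message_length"] == int(m.group(4))
    return result


if __name__ == "__main__":
    for k, v in parse_strace_write(STRACE_LINE).items():
        print(f"{k:24} {v}")
```

When capturing this yourself, `strace -s 512` (or larger) stops the DN being cut off; the truncation flag here tells you whether the container name you are looking at is actually complete before you reason about it.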
Edward Brookhouse wrote:
Not sure I understand your question. What are you trying to map?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Gerfen
Sent: Tuesday, September 20, 2005 11:25 AM
To: [email protected]
Subject: [Samba] AD Authentication help please?
I am having a problem which with much help from this list I have
gotten 90% complete. I am attempting to create a samba server which
will authenticate users as a Domain member server using active
directory.
The question I have is how can I map a specific container which is
not an OU but a CN in the active directory?
Any help is appreciated.
--
Jason Gerfen
"My girlfriend threatened to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba