Yes, technically we do not need the AD4Unix extensions for Windows client authentication against a Samba file share. We use the AD4Unix extensions only for authenticating Macs and Linux machines; we use the extensions to provide the four requirements for a Unix account (UID, GID, home dir. and default shell).

markus wrote:

Hi Jason,

I don't really understand why you are extending your schema with AD4Unix while using winbind. You don't need to. If you are using nss_ldap, your schema needs some more entries to fetch Unix-related data like gid, uid and so on. Winbind is based on SIDs and stores mappings in so-called idmaps.

Markus

Jason Gerfen wrote:

OK, in my test environment I just got done updating the schema on the Win2K domain to include the AD4Unix package, and I am still able to authenticate and view all users from any container, including CN=Users (default) and a new OU=authenticated. Can someone please help me out on this? The only major difference between the test domain and the live domain at this point is the number of users and the container setup in AD.

Jason Gerfen wrote:

Scenario: Samba-3.0.20b domain member server on SuSE 9.3 (w/ all available patches applied) providing Kerberos authentication through a Windows 2000 domain with AD4Unix services installed.

Problem(s):
1. Can only view users from one OU in Active Directory (default is: CN=Users, problem container is: OU=authenticated)
2. According to log.winbind and log.smbd, authentication fails with error: check_ntlm_password: Authentication for user [testj] -> [testj] FAILED with error NT_STATUS_WRONG_PASSWORD. Is this error due to falling back to NTLM authentication vs. Kerberos TGT systems?

Troubleshooting performed:
1. Used 'net ads leave' to remove from domain, updated Samba+Winbind from 3.0.13 to 3.0.20b
2. Manually removed machine trust account from active directory
3. Manually removed cache files for Samba prior to upgrade
4. Attempted using 3.0.21rc1 release with same results
5. Created a Win 2K test domain w/o AD4Unix and a Samba-3.0.13 ADS member server, which would authenticate via Kerberos without problems.
6. Upgraded Samba to 3.0.20b and it still worked fine on the test domain w/o the AD4Unix setup.
7. Am in the process of upgrading the Win2K domain server (in the test env.) to provide AD4Unix services to see if it breaks.

Any help or insight into this is definitely appreciated.

Here are the pertinent configuration files:

[smb.conf]
[global]
       workgroup = DOMAIN
       realm = DOMAIN.COM
       server string = new-odin.domain.com
       security = ADS
       update encrypted = Yes
       encrypt passwords = yes
       # with security = ADS, "*" lets Samba locate the domain controllers itself
       password server = *
       preferred master = No
       domain master = No
       # range winbind allocates UIDs/GIDs from for the SIDs it maps;
       # keep it clear of the UIDs/GIDs already used in /etc/passwd and /etc/group
       idmap uid = 500-500000
       idmap gid = 500-500000
       # tells winbind not to allocate IDs for users of the primary domain but to
       # expect their UNIX accounts from another NSS source (files/NIS/LDAP) instead
       winbind trusted domains only = yes
       winbind separator = /
       winbind cache time = 5
       winbind use default domain = Yes
       winbind nested groups = Yes
       log level = 2
       interfaces = eth*
       bind interfaces only = yes
       socket options = IPTOS_LOWDELAY TCP_NODELAY

[images]
       comment = ODIN
       user = %S
       path = /odin/images
       inherit acls = Yes
       browseable = yes
       writeable = yes
       read only = no
       public = yes


[home]
       comment = User Home Directories
       user = %S
       path = /odin/home/%S
       inherit acls = Yes
       writeable = yes
       read only = no
       public = no
       browseable = yes

[krb5.conf]
[libdefaults]
default_realm = DOMAIN.COM
clockskew = 300

[realms]
UTAH.EDU = {
kdc = 192.168.0.10
default_domain = domain.com
admin_server = 192.168.0.10
}


[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}

[nsswitch.conf]
passwd: files winbind
shadow: files winbind
group:  files winbind

hosts:  files dns winbind
networks:       files dns

services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files

--
Jason Gerfen

"Oh I have seen alot of what
the world can do, and its
breaking my heart in two..."
~ Wild World, Cat Stevens

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
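Two checks that follow from the thread above, written as an added example (this is the editor's own script, not code from the Samba project or from the poster). The first summarises the check_ntlm_password failures quoted from log.smbd: that function is Samba's NTLM verification path, which a Kerberos session setup never enters, so every such line is a client that authenticated with NTLM rather than with a ticket. The second parses a krb5.conf and confirms that default_realm actually has a [realms] entry; as posted, default_realm is DOMAIN.COM while the only [realms] entry is UTAH.EDU, and without an entry (or a DNS SRV lookup that succeeds) libkrb5 cannot find a KDC for the realm. The log lines and both krb5.conf fragments are constructed for the demo, and the log path named in the comments is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread: two offline triage helpers for a
# Samba 3.0.x ADS member server like the one described. The log text and
# krb5.conf fragments below are constructed for the demo; on the real box
# the inputs would be /var/log/samba/log.smbd (path assumed) and /etc/krb5.conf.

# Constructed log excerpt, modelled on the one line quoted in the post.
# check_ntlm_password is Samba's NTLM path: Kerberos session setups do not
# pass through it, so any hit here is a client that fell back to NTLM.
SMBD_LOG='check_ntlm_password:  Authentication for user [testj] -> [testj] FAILED with error NT_STATUS_WRONG_PASSWORD
check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_NO_SUCH_USER
check_ntlm_password:  Authentication for user [testj] -> [testj] FAILED with error NT_STATUS_WRONG_PASSWORD
check_ntlm_password:  authentication for user [bob] -> [bob] succeeded (constructed success line)'

# Summarise NTLM failures on stdin as "<count> <user> <NT_STATUS>", one per line,
# sorted by user so repeated failures for one account stand out.
ntlm_failures() {
    grep 'check_ntlm_password' | grep 'FAILED with error' |
    sed -n 's/.*for user \[\([^]]*\)] -> \[[^]]*] FAILED with error \(NT_STATUS_[A-Z_]*\).*/\1 \2/p' |
    sort | uniq -c | sed 's/^ *//'
}

# krb5.conf as posted: default_realm names DOMAIN.COM but the only [realms]
# entry is UTAH.EDU (constructed copy of the fragment in the thread).
KRB5_CONF_AS_POSTED='[libdefaults]
default_realm = DOMAIN.COM
clockskew = 300

[realms]
UTAH.EDU = {
kdc = 192.168.0.10
admin_server = 192.168.0.10
}'

# Same file with the realm entry renamed to match default_realm (assumed fix).
KRB5_CONF_FIXED='[libdefaults]
default_realm = DOMAIN.COM
clockskew = 300

[realms]
DOMAIN.COM = {
kdc = 192.168.0.10
admin_server = 192.168.0.10
}'

# Read krb5.conf on stdin; print a one-line verdict and exit 0 when default_realm
# has a [realms] entry, 1 otherwise. Expects the "key = value" spacing used in
# the posted file.
krb5_default_realm_defined() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
        section == "libdefaults" && $1 == "default_realm" { def = $3 }
        section == "realms" && $2 == "=" && $3 == "{" { realms[$1] = 1 }
        END {
            if (def == "") { print "no default_realm set"; exit 1 }
            if (def in realms) { print "default_realm " def " has a [realms] entry"; exit 0 }
            print "default_realm " def " has no [realms] entry"; exit 1
        }'
}

# Demo: run both helpers on the constructed inputs.
printf '%s\n' "$SMBD_LOG" | ntlm_failures
for conf in "$KRB5_CONF_AS_POSTED" "$KRB5_CONF_FIXED"; do
    printf '%s\n' "$conf" | krb5_default_realm_defined || :
done
```

On the live server the first helper would be fed the real log (for example `ntlm_failures < /var/log/samba/log.smbd`, path assumed); a realm check that fails on the real /etc/krb5.conf is worth fixing before chasing anything in smb.conf, since `net ads join` and the SPNEGO/Kerberos session setup both depend on libkrb5 finding the KDC for default_realm.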