I decided to start over on my configuration, and this time I used the GUI tools available in CentOS for configuring Samba, Winbind, etc. As a result I've made considerable progress. I can:

- login using network credentials authenticated by the domain controller

- automatically generate home directories on the machine when new users login

- link to network shares for which I'm authorized

- link to a printer and print



What I don't have right now is:

- single sign-on -- once I login, I've got to resubmit my password once to connect to a network share. Having done so once, I don't need to do it again, but my login isn't sufficient.

- network browsing -- within Nautilus, if I double-click on Network, I see two SFTP servers on the two Linux machines on the wire, and a "Windows Network" icon. If I double-click on Windows Network, I get an empty Nautilus window, and none of the network machines ever appear, even though they're part of the domain and a number of them have visible shares.

I think what's happening is that somehow the network login isn't resulting in a Kerberos ticket, but I'll admit that's a guess. So I'm hoping someone can help me troubleshoot my configuration files to overcome these last two items. Configs are below. Thanks much.

        DaveL


======================== smb.conf =========================
[global]
   workgroup = MYCOMPANY
   realm = MYCOMPANY.LOCAL
   server string = Samba Server / LLINDELL01
   security = ADS
   log file = /var/log/samba/%m.log
   max log size = 50
   password server = mailserver.mycompany.local
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = true
   winbind enum users = true
   winbind enum groups = true
   template homedir = /home/%D/%U
============================ (end) smb.conf ================


========================= krb5.conf ========================
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYCOMPANY.LOCAL


[domain_realm]
 .mycompany.local = MYCOMPANY.LOCAL
 mycompany.local = MYCOMPANY.LOCAL

# added to try and achieve SSO (2008-03-11)
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}
===================== (end) krb5.conf =======================


====================== nsswitch.conf ========================
passwd:     files winbind
shadow:     files winbind
group:      files winbind

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus
======================(end) nsswitch.conf ===================

========================== /etc/pam.d/system-auth ===========
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_winbind.so use_first_pass

password    required      pam_cracklib.so retry=3 type=
# above line is complete, should end w/the equals sign
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_winbind.so use_first_pass
password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
session     required      pam_limits.so
session     sufficient    pam_unix.so
session     sufficient    pam_winbind.so use_first_pass
==================== (end) /etc/pam.d/system-auth ===========
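The guess above (login not producing a Kerberos ticket) can be checked against the PAM stack itself: pam_winbind only requests and caches a TGT when its auth line carries the krb5_auth option (see pam_winbind(8)). The script below is an added example, not part of the original post; it scans a system-auth style file for pam_winbind auth lines lacking that option, using constructed samples that mirror the posted stack. It assumes the plain "type control module args" line format shown above, with no bracketed control fields.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): scan a PAM stack for
# pam_winbind "auth" lines that do not request a Kerberos TGT, i.e. lack
# the krb5_auth option. Assumes the plain "type control module args"
# format used in the posted system-auth (no [bracketed] control fields).

# Constructed sample: the auth section exactly as posted.
SAMPLE_POSTED='auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so'

# Constructed sample: same stack with a TGT requested and cached to a file.
SAMPLE_KRB5='auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE
auth        required      pam_deny.so'

# check_winbind_krb5 FILE
# Prints each pam_winbind auth line without krb5_auth; returns 0 when every
# such line has the option, 1 otherwise.
check_winbind_krb5() {
    pamfile=$1
    missing=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;          # skip blank lines and comments
        esac
        set -- $line                      # split into type control module args
        [ "$1" = "auth" ] || continue
        [ "$3" = "pam_winbind.so" ] || continue
        case " $line " in
            *' krb5_auth '*) ;;           # TGT will be obtained at login
            *) echo "no krb5_auth: $line"; missing=1 ;;
        esac
    done < "$pamfile"
    return $missing
}

# Stand-alone run over both constructed samples.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_POSTED" > "$tmp"
check_winbind_krb5 "$tmp" || echo "posted stack: no TGT requested at login"
printf '%s\n' "$SAMPLE_KRB5" > "$tmp"
check_winbind_krb5 "$tmp" && echo "krb5_auth stack: ok"
rm -f "$tmp"
```

After a login with the option in place, `klist` in the new session should show a ticket for MYCOMPANY.LOCAL; if it does not, the problem is upstream of PAM (winbindd or the KDC), not in the stack.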

