samba 3.0.28 on 7.0-RELEASE with base heimdal

2008-04-09 Thread Stephanie Bridges

Hello,

I've been trying to get samba installed and connecting to a Win2k03 AD 
using RFC2307 and having problems getting it to join the domain.  I've 
got a 6.2 machine which is working with nearly the same configuration (I 
think the only differences are the idmap backends).


I installed from the port after enabling the ADS support (and 
EXP_MODULES as I want the idmap backends provided there).  I installed 
the openldap23-sasl-client as that is what I installed on the 6.2 
machine (somewhere I read that was needed for things to work correctly).


I copied a working krb5.conf file from my 6.2 machine and verified that 
I could successfully do kinit (this works great, I get a ticket for myself).


However, when I try to do the net ads join command (after I kinit as the 
user who has permission to add the computer account to AD), I get 
prompted for my password, and then get the "Response too big for UDP, 
retry with TCP" error and am unable to join the domain.  I *thought* 
that I didn't get prompted for my password with the 6.2 machine, but it 
has been since last summer that I set it up.


I see that net ads join creates its own krb5.conf file in 
/var/db/samba/smb_krb5/krb5.conf.IASTATE which doesn't have the tcp/ 
service flag preceding the IP addresses.


I ran the command with debug level at 10, and after a whole bunch of 
query stuff after it asked for my password, I got this:



[2008/04/09 15:42:44, 4] libads/ldap.c:ads_current_time(2414)
  time offset is 0 seconds
[2008/04/09 15:42:44, 4] libads/sasl.c:ads_sasl_bind(521)
  Found SASL mechanism GSS-SPNEGO
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/04/09 15:42:44, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = [EMAIL PROTECTED]
[2008/04/09 15:42:44, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2008/04/09 15:42:44, 10] libads/sasl.c:ads_sasl_spnego_bind(262)
  ads_sasl_spnego_krb5_bind failed with: No such file or directory, calling kinit

[2008/04/09 15:42:44, 10] libads/kerberos.c:kerberos_kinit_password_ext(91)
  kerberos_kinit_password: using [MEMORY:net_ads] as ccache and config [/var/db/samba/smb_krb5/krb5.conf.IASTATE]

[2008/04/09 15:42:44, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Response too big for UDP, retry with TCP

[2008/04/09 15:42:44, 1] utils/net_ads.c:net_ads_join(1470)
  error on ads_startup: Response too big for UDP, retry with TCP
Failed to join domain: NT_STATUS_PROTOCOL_UNREACHABLE
[2008/04/09 15:42:44, 2] utils/net.c:main(1036)
  return code = -1
---

Does any of this mean anything to anybody?  I thought from reading the 
samba docs that it would automatically retry with TCP when it got this 
error.  I can't find a whole lot on the net -- what I did find, people 
weren't able to successfully kinit at the command prompt either, but 
that works for me.


--
Stephanie Bridges
Department of Economics
Iowa State University
[EMAIL PROTECTED]

A positive attitude may not solve all your problems, but it will
annoy enough people to make it worth the effort. --Herm Albright
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
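An added example, not part of the message above or of Samba: a small sh/awk helper that rewrites every kdc entry in a Heimdal-style krb5.conf (such as the copy net ads join writes under /var/db/samba/smb_krb5/) to the tcp/ form, so the same KDC list can be retried over TCP by pointing KRB5_CONFIG at the rewritten file. Heimdal's kdc = lines accept tcp/host[:port]; a bare host is tried over UDP first. The realm EXAMPLE.EDU, the 192.0.2.x addresses and the function names are placeholders chosen for the example, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): rewrite the kdc
# entries of a krb5.conf so Heimdal talks to the KDCs over TCP only.
# Heimdal accepts "kdc = tcp/host[:port]" inside [realms]; a bare host is
# tried over UDP first, and a large AS-REP from an AD KDC will not fit.

# A constructed krb5.conf of the shape net ads join writes: one realm,
# bare KDC addresses.  Realm and addresses are placeholders.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.EDU
[realms]
        EXAMPLE.EDU = {
                kdc = 192.0.2.10
                kdc = tcp/192.0.2.11:88
                admin_server = 192.0.2.10
        }
EOF
}

# force_kdc_tcp FILE: copy FILE to stdout with every "kdc =" entry inside
# [realms] prefixed by tcp/.  Entries already carrying tcp/, udp/ or http/
# and all other keys (admin_server, ...) are left untouched.
force_kdc_tcp() {
    awk '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/) }
        in_realms && /^[ \t]*kdc[ \t]*=/ {
            n = index($0, "=")
            value = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (value !~ /^(tcp|udp|http)\//) {
                $0 = substr($0, 1, n - 1) "= tcp/" value
            }
        }
        { print }
    ' "$1"
}

# udp_kdc_count FILE: number of kdc entries Heimdal would still try over UDP
udp_kdc_count() {
    awk '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/) }
        in_realms && /^[ \t]*kdc[ \t]*=/ {
            n = index($0, "=")
            value = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (value !~ /^(tcp|http)\//) count++
        }
        END { print count + 0 }
    ' "$1"
}

# Usage against a real file:
#   force_kdc_tcp /var/db/samba/smb_krb5/krb5.conf.REALM > /tmp/krb5.conf.tcp
#   env KRB5_CONFIG=/tmp/krb5.conf.tcp kinit user@REALM
# net ads join regenerates its own copy, so the rewritten file is for
# reproducing the kinit step outside of net, not a permanent fix.
if [ $# -gt 0 ]; then
    force_kdc_tcp "$1"
else
    tmp=$(mktemp) && sample_krb5_conf > "$tmp"
    echo "kdc entries reachable over UDP before: $(udp_kdc_count "$tmp")"
    force_kdc_tcp "$tmp" > "$tmp.tcp"
    echo "kdc entries reachable over UDP after:  $(udp_kdc_count "$tmp.tcp")"
    rm -f "$tmp" "$tmp.tcp"
fi
```

Run with no arguments it rewrites the embedded sample and prints the before/after count (1, then 0); with a path it writes the rewritten file to stdout. If kinit succeeds with the tcp/ copy but fails with the original, the UDP/TCP handling of the Kerberos library is the thing to look at rather than the KDC list itself.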


RE: FreeBSD to authenticate against Active Directory

2007-10-03 Thread Stephanie Bridges

On Wednesday, October 03, 2007 7:32 AM Chris wrote:
 
 On Wed, 03 Oct 2007 03:33:50 +0100
 Stephen Allen [EMAIL PROTECTED] wrote:
 
  Hello,
 
  Is there any up-to-date definitive resource which explains how to get
  FreeBSD (6.2) to authenticate against Active Directory (in my case
  Windows 2003 R2 which includes SFU).  There are a few informative
  articles floating around, but most date back to 2004/2005 and most
  involve the use of Samba and Winbind (I'd like to avoid this if
  possible).
 
  I don't really know what is possible here, I'm coming from only a
  basic understanding of how things like pam work.  Would I have to
  configure every service separately to use Active Directory or could I
  tell FreeBSD to blindly rely on AD for user authentication?
 
  I read about pam_mkhomedir, so users could have homedirs created
  automatically when they logged in.  Is this possible in FreeBSD?
  Would I be able to map this automatically to their existing My
  Documents folder which is redirected to the network by group policy?
 
  Please feel free to tell me what can/can't be done and if doing so is
  a good/bad thing.  I can explain bits in more detail if needed.
 
 
 Steve -
 
 
   You have a few options.
 1. LDAP
 2. OpenLDAP
  3. The use of WinBind and its companion apps (using ntlm etc.)
 4. Google AD Auth Unix (or, insert your personal choice)
 
  What you may find is that installing Winbind etc. may be your easiest
  way to go; however, I'm unsure how SFU will play along with the mix.
 

I also have not seen anything particularly recent; and every reference I
have seen is slightly different.

I have gotten FreeBSD to successfully authenticate to our AD servers here
(Win2003, not sure of service pack level) using pam/winbind.  Pam_winbind is
configured to authenticate with Kerberos.

I use the RID IDMAP scheme with winbind for user id mapping.  The AD servers
have had Unix attributes added, but I have not tested how this works for me
yet.  I am also using pam_mkhomedir to create user home directories.


My setup:
1. nsswitch.conf has group and passwd set to "files winbind"
2. Krb5.conf points to the AD servers
3. /etc/pam.d/system:
-
# auth
auth        sufficient  pam_opie.so                     no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so               no_warn allow_local
auth        sufficient  /usr/local/lib/pam_winbind.so   try_first_pass
#auth       sufficient  pam_krb5.so                     no_warn try_first_pass
#auth       sufficient  pam_ssh.so                      no_warn try_first_pass
auth        required    pam_unix.so                     no_warn try_first_pass nullok

# account
#account    required    pam_krb5.so
account     sufficient  /usr/local/lib/pam_winbind.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    /usr/local/lib/pam_mkhomedir.so
session     required    pam_lastlog.so                  no_fail

# password
#password   sufficient  pam_krb5.so                     no_warn try_first_pass
password    required    pam_unix.so                     no_warn try_first_pass
--

4. pam_winbind now has its own conf file (copy from
/usr/local/share/examples/samba/pam_winbind to /etc/security and modify).
(contents follow)  I have not tried caching.
---
#
# /etc/security/pam_winbind.conf
#
[global]

# turn on debugging
debug = yes

# request a cached login if possible
# (needs winbind offline logon = yes in smb.conf)
;cached_login = no

# authenticate using kerberos
krb5_auth = yes

# when using kerberos, request a FILE krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = FILE

# make successful authentication dependent on membership of one SID
# (can also take a name)
require_membership_of = S-1-5-21-x-xxx-xxx


5. smb.conf is attached; this is for Samba 3.0.25a.

I do not believe pam_mkhomedir will automatically mount an external
filesystem; however there is a pam module which will allow you to auto mount
filesystems at user login of various types called pam_mount [1] which we
have used successfully on our university-blessed RHEL5 systems.  I have not
tried to compile it yet on FreeBSD.  One thing we discovered on RHEL5 (we
are not using the most recent version of pam_mount, so ymmv) is that it
needs to be the module that actually grabs the password and then passes it
on to the rest of the pam stack.  It was unable to retrieve the credentials
from whoever was ahead of it.  We used CIFS instead of SMB which performed
much better.  

[1] http://pam-mount.sourceforge.net/


~~
Stephanie Bridges
Department of Economics
Iowa State University
80B Heady Hall
Ames, IA  50011
[EMAIL PROTECTED]


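An added example, not part of the message above, assuming the plain "facility control module [args]" layout of FreeBSD's /etc/pam.d files (bracketed control strings are not handled): a sh/awk check that reports, for one facility, which modules never run once a "sufficient" entry succeeds. Under OpenPAM a sufficient module that succeeds, with no earlier required failure, ends the chain. Fed the account stack from the post (rebuilt inside the block as a constructed file), it reports that pam_login_access.so and pam_unix.so are skipped for every user /usr/local/lib/pam_winbind.so vouches for, so /etc/login.access does not apply to AD users in that stack and require_membership_of in pam_winbind.conf is the only membership gate. The function names and the sample file are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): list the modules of one PAM
# facility that are short-circuited by the first "sufficient" entry.
# Assumes the plain "facility control module [args]" layout used in
# FreeBSD's /etc/pam.d; bracketed control strings are not handled.

# A constructed /etc/pam.d/system carrying the stacks from the post.
sample_pam_system() {
    cat <<'EOF'
# auth
auth     sufficient  pam_opie.so                     no_warn no_fake_prompts
auth     requisite   pam_opieaccess.so               no_warn allow_local
auth     sufficient  /usr/local/lib/pam_winbind.so   try_first_pass
auth     required    pam_unix.so                     no_warn try_first_pass nullok

# account
account  sufficient  /usr/local/lib/pam_winbind.so
account  required    pam_login_access.so
account  required    pam_unix.so

# session
session  required    /usr/local/lib/pam_mkhomedir.so
session  required    pam_lastlog.so                  no_fail
EOF
}

# skipped_after_sufficient FILE FACILITY
# Prints one line per module that sits after the first "sufficient" entry
# of FACILITY.  A sufficient module that succeeds (with no earlier required
# failure) ends the chain, so those later modules never run for the users
# it accepts.
skipped_after_sufficient() {
    awk -v fac="$2" '
        /^[ \t]*#/ || NF < 3 { next }   # comments and blank lines
        $1 != fac { next }              # other facilities
        gate != "" { printf "%s: %s is skipped once %s succeeds\n", fac, $3, gate }
        $2 == "sufficient" && gate == "" { gate = $3 }
    ' "$1"
}

# skipped_count FILE FACILITY: number of such modules (0 = no sufficient gate)
skipped_count() {
    skipped_after_sufficient "$1" "$2" | wc -l | tr -d ' '
}

if [ $# -ge 2 ]; then
    skipped_after_sufficient "$1" "$2"
else
    tmp=$(mktemp) && sample_pam_system > "$tmp"
    for fac in auth account session; do
        skipped_after_sufficient "$tmp" "$fac"
    done
    rm -f "$tmp"
fi
```

Run with no arguments it reports on the embedded sample; with a file and a facility (for example /etc/pam.d/sshd account) it reports on that file. For the sample the account facility yields two lines, both gated by the winbind module, and session yields none. If /etc/login.access is meant to apply to AD users as well, pam_login_access.so has to sit above the sufficient winbind line: a required module that fails before it prevents the sufficient success from terminating the chain.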

RE: Is Active Directory integrated file sharing possible on FreeBSD?

2006-09-19 Thread Stephanie Bridges
Ashley Moran wrote:
 On 19 Sep 2006, at 12:51, Bob M. wrote:
 
 It's absolutely possible Ashley.  We have samba 2.x running on a few
 solaris 8 through 10 servers, one might be 3.x.  One of our solaris
 admins made the mistake of making one of them a domain controller and
 it was authenticating users in an AD domain.  I've run samba at home
 on various releases of FreeBSD over the past few years. You're just
 looking to setup file shares with permissions, right?
 
 Bob
 
 
 Hi Bob
 
 Yep, all we need is a file server.  We want folders in
 /var/share available to users in Active Directory, eg
 /var/share/ashleymoran for just me, and maybe a shared one
 for the office or the design team etc.  Nothing complicated really.
 
 Our network admin said winbindd is broken on FreeBSD so he tried
 compiling the Solaris version(!) but couldn't make that work.
 Unfortunately he's beeyessdeephobic, but I want to avoid
 looking into it myself because, well, it's not my job :)  If
 I have no choice, do you think it will take long to learn how
 to set it up?  I don't want to lose a whole day to it.
 


Ashley,

This is quite doable, and winbindd isn't broken on FreeBSD.  It took me a
bit to figure out how to make it work correctly, however.  I have a FBSD
system here that authenticates to our university AD server, and allows
access based upon membership in certain security groups.  We don't have
any services for unix support on our AD server either.  If your linux boy
needs a little help, I'd be happy to send you my config files, sounds like
maybe he hasn't actually done it on linux either as my FreeBSD/Linux
setups are nearly identical.


~~~
Stephanie Bridges
Economics Department -- Iowa State University
80B Heady Hall, Ames, IA  50011
ph: 515.294.8732 ~~ fax: 515.294.0221
http://www.econ.iastate.edu






RE: Problem with cordless mouse/Keyboard combo set

2006-05-09 Thread Stephanie Bridges
Lennon Cook wrote:
  Stephanie Bridges [EMAIL PROTECTED] wrote:
 Do you have a /dev/ums0 (my usb mouse device)?
 This exists only when my other mouse (the working one) is plugged in,
 and I have no other /dev/ums* .
 
 Also, even when my mouse
 didn't really work, disconnecting/reconnecting the receiver from the
 usb port (moving to another or leaving in the same port) would
 generate log messages that the mouse was being recognized correctly.
 Ok, when I reconnect it, it recognises as a keyboard and mouse set,
 and creates two files: /dev/ukbd0 and /dev/uhid0.  It tells me the
 following:
 May  9 09:06:01 dragon kernel: ukbd0: G-Tech CHINA USB Wireless Mouse  KeyBoard V1.01, rev 2.00/0.20, addr 2, iclass 3/1
 May  9 09:06:01 dragon kernel: kbd1 at ukbd0
 May  9 09:06:01 dragon kernel: uhid0: G-Tech CHINA USB Wireless Mouse  KeyBoard V1.01, rev 2.00/0.20, addr 2, iclass 3/1

Hmm, this is what I get upon disconnecting/reconnecting my receiver:

-
May  9 10:00:10 econ22 kernel: ukbd0: at uhub3 port 1 (addr 2) disconnected
May  9 10:00:10 econ22 kernel: ukbd0: detached
May  9 10:00:10 econ22 kernel: ums0: at uhub3 port 1 (addr 2) disconnected
May  9 10:00:10 econ22 kernel: ums0: detached
May  9 10:00:15 econ22 kernel: ukbd0: Logitech USB Receiver, rev 1.10/30.07, addr 2, iclass 3/1
May  9 10:00:15 econ22 kernel: kbd0 at ukbd0
May  9 10:00:15 econ22 kernel: ums0: Logitech USB Receiver, rev 1.10/30.07, addr 2, iclass 3/1
May  9 10:00:15 econ22 kernel: ums0: 16 buttons and Z dir.


I found some references (I believe on freebsd-current from January, look
for "usb mouse support update plans") to a mouse showing up as a uhid
device instead of ums -- apparently, it may not be reporting itself as a
kind of mouse the USB mouse driver understands so it falls through to the
uhid device.

I'm not sure if you ever said, but are you on 6.0-RELEASE or something
newer?  I upgraded to 6.1, which fixed a lot of other unrelated things for
me.

~~~
Stephanie Bridges
Economics Department -- Iowa State University
80B Heady Hall, Ames, IA  50011
ph: 515.294.8732 ~~ fax: 515.294.0221
http://www.econ.iastate.edu






RE: Problem with cordless mouse/Keyboard combo set

2006-05-08 Thread Stephanie Bridges
Lennon Cook wrote:
 Stephanie Bridges [EMAIL PROTECTED] wrote:
 I had the same problem with the mouse (would occasionally move the
 cursor, never any clicks) until I accidentally got the receiver
 closer to the mouse.  I now have the receiver about three inches
 away from the mouse. Works wonderfully well now.
 Thanks Stephanie, but unfortunately that didn't help here. I
 have moved my receiver so close to the mouse that its hard to
 not bump them, but the mouse still doesn't work.
 
 What I have noticed since I sent my original message, is that
 /dev/sysmouse exists even when only the non-working mouse is
 connected into the system. Does this mean that FreeBSD /is/
 detecting the mouse (and hence that I should be looking
 somewhere else than this list for the problem), or does that
 file simply always exist?

Lennon,

Do you have a /dev/ums0 (my usb mouse device)?  Also, even when my mouse
didn't really work, disconnecting/reconnecting the receiver from the usb
port (moving to another or leaving in the same port) would generate log
messages that the mouse was being recognized correctly.

I was assuming that /dev/sysmouse would only exist if the system thought
there was a mouse somewhere, but I'm not sure about that.

~~~
Stephanie Bridges
Economics Department -- Iowa State University
80B Heady Hall, Ames, IA  50011
ph: 515.294.8732 ~~ fax: 515.294.0221
http://www.econ.iastate.edu






Re: delivery failed

2005-07-02 Thread Stephanie da Silva
To send mail to me, you need to add [laundry] to the end of the
subject line (eg: Subject: Random message [laundry]).


how do I

2003-10-07 Thread Stephanie
uninstall FreeBSD from a server?
I would really just like the dos prompt back...?

Thank you,


Test please reply back to me

2003-03-20 Thread Alisha Stephanie Outridge
CAN I SEE THIS?

=

Alisha S. Outridge

No one and nothing is perfect but the aspiration to be so should never be lost.

Life, like Love, is what you make of it... so make it good!

