[Samba] Automating kerberos authentication on Mac OS X?

2004-03-12 Thread Arno Hahma
Is there any way to automate kerberos authentication on Mac OS X?
Here's the problem:

When a user wants to access a samba-3.0.2a server from a Mac, he/she has to run kinit to get the principal ticket. If this is not done, Mac's tools (Finder) will try to authenticate with NTLM, which is and will be disabled on our servers. Of course, this fails miserably.

I have not devised any means to tell the Mac clients to use kerberos, unless the kerberos ticket is explicitly loaded prior to attempting connections. In such a case, everything works fine, but it is kind of impractical to tell the users to issue kinit manually once a day to load new tickets after the old ones expire.

How could this be integrated into Mac's own tools? Possible solutions would be to use the screen saver password locking to forward the information to kerberos (i.e. run kinit with the password and username from the screen saver) or to have Mac programs authenticate with kerberos by default. I only haven't found a way to implement this easily. Are there other possibilities?

--
ArNO
2
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] SUMMARY: Getent does not get remote users

2004-03-08 Thread Arno Hahma
The problem was solved. Thanks to Stefan Günther for help and for providing a working smb.conf excerpt, which helped to trace the problem.

It turned out I had configured samba just right. The problem was that samba was not compiled with ldap support and winbindd simply did not ask for users from the active directory domain controller. This was due to the fact that the Gentoo Linux ebuild did not enable all the needed modules. All problems disappeared after I recompiled samba-3.0.2a manually with all the necessary configure --with switches.

The other problem with creating users' home directories was solved as well. It also turned out I had configured PAM just right. The key to success is the keyword

obey pam restrictions = yes

in smb.conf. If that is not set, samba ignores PAM directives and that's it. Of course, there are still other problems like having to set /home permissions to 1777, since PAM is apparently not run as root and cannot create home directories if /home is not world writable. I don't actually like this, since local shell users can create files directly in /home, which may or may not be a problem. Also, PAM can only create one level of directories, that is, the base dir must exist before this will work. Thus, if you set template homedir = /home/%D/%U in smb.conf, make sure the directory %D exists in advance!

--
ArNO
2


[Samba] How to enable both remote and local users?

2004-03-08 Thread Arno Hahma
Is there any way to enable both local (/etc/passwd or smbpasswd) users and users authenticated remotely by winbindd?

I have a problem with samba-3.0.2a not recognizing local users at all, if winbindd is enabled (and vice versa, of course). However, I'd like to have local users take precedence over networked users, i.e. samba would let in a user if he/she is a local one and only ask the password server if none is found by that name. This way, it would be easiest to implement a small number of users able to log in with a shell account, the rest being samba-only users.

So far, I have found no workaround to this problem, especially if there is the same username in the active directory domain and the local /etc/passwd. In this case, samba gets a real attack of schizophrenia and doesn't know whom to obey, with the result that nobody with such a duplicate username can get a samba mount.

--
ArNO
2


Re: [Samba] How to enable both remote and local users?

2004-03-08 Thread Arno Hahma
On 8. Mar, 2004, at 11:26, Manfred Odenstein wrote:

> take a look in /etc/nsswitch.conf
>
> make an entry like : passwd: files winbind should solve your problem

I forgot to mention that I already have it that way. No, it does not work.

My PAM configuration looks like this:

/etc/pam.d/samba:

#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth       required   pam_smbpass.so nodelay
account    required   /lib/security/pam_stack.so service=system-auth-winbind
session    required   /lib/security/pam_stack.so service=system-auth-winbind
password   required   pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf

So, this one tries to search smbpasswd first.

/etc/pam.d/system-auth-winbind:

#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok use_first_pass
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so
account    required     /lib/security/pam_winbind.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so

This one tries to search /etc/passwd, failing that, goes on to winbind. So, _both_ smbpasswd and /etc/passwd should be checked before winbind, but to no avail.

> regards odi
--
ArNO
2
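
The reading of the system-auth-winbind stack given above (try /etc/passwd, fall through to winbind) can be checked mechanically. The following is an added example written for this page, not code from the thread or from Linux-PAM: it models the required/requisite/sufficient control flags in simplified form (no bracketed [value=action] syntax) and feeds it the auth group quoted above, with the per-module outcomes supplied by the caller.

```python
# Added example (not part of the thread): walk a PAM "auth" stack under
# simplified Linux-PAM control-flag semantics to see which modules a given
# user actually reaches.  Module outcomes are supplied by the caller, so
# nothing here touches the real PAM libraries.

# The auth group of the system-auth-winbind file quoted in the post above.
AUTH_STACK = """
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok use_first_pass
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_deny.so
"""


def parse_stack(text, group="auth"):
    """Return [(control, module_basename), ...] for one management group."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != group:   # skips comments and blanks
            continue
        entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries


def evaluate(entries, outcomes):
    """outcomes maps module basename -> True (PAM_SUCCESS) / False.
    Returns (authenticated, modules_consulted_in_order)."""
    required_failed = False
    consulted = []
    for control, module in entries:
        ok = outcomes.get(module, False)           # unknown module: treat as failing
        consulted.append(module)
        if control == "required" and not ok:
            required_failed = True                 # note it, keep walking the stack
        elif control == "requisite" and not ok:
            return False, consulted                # abort immediately
        elif control == "sufficient" and ok and not required_failed:
            return True, consulted                 # short-circuit: later modules unseen
        # "optional" and a failing "sufficient" never change the result
    return (not required_failed), consulted


def auth_result(unix_ok, winbind_ok):
    """Outcome for a user whom pam_unix / pam_winbind accept (True) or reject."""
    outcomes = {"pam_env.so": True,                # only sets environment variables
                "pam_unix.so": unix_ok,
                "pam_winbind.so": winbind_ok,
                "pam_deny.so": False}              # always fails
    return evaluate(parse_stack(AUTH_STACK), outcomes)
```

A local user never reaches pam_winbind and a domain user is accepted by it, which is what the post expects; the auth stack only decides whether the password is accepted, while mapping a domain user onto a same-named local account is winbindd's and nsswitch's business, the all-or-none point made in Jerry Carter's reply further down this page.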


Re: [Samba] SUMMARY: Getent does not get remote users

2004-03-08 Thread Arno Hahma
On 8. Mar, 2004, at 13:42, Andrew Bartlett wrote:

>> the necessary configure --with -switches.
>
> These should be on automatically, if your system has such support, but
> it doesn't harm to add them as well.

In my case, ldap support was dropped by the automatic installation software. Thus, the problem was not really samba related, but rather a bug in the Gentoo Linux distribution, or at least, there is need for additional installation notes.

>> still other problems like having to set /home permissions to 1777 since
>> PAM is apparently not run
>> as root and cannot create home directories, if /home is not world
>> writable. I don't actually like this,
>
> Is this with SSH?  This is an OpenSSH bug/feature.  This pam module

No, but with samba-3.0.2a. That is, winbindd can't create homedirs unless /home has been set to 1777 mode (or subdirs in /home, if the domain (%D) is being used as an additional level in the template directory). Apparently, samba runs the pam module pam_mkhomedir.so without root permissions and creates the directory as the owner:group itself.

> Andrew Bartlett
>
> --
> Andrew Bartlett [EMAIL PROTECTED]
> Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
> Student Network Administrator, Hawker College   [EMAIL PROTECTED]
> http://samba.org http://build.samba.org http://hawkerc.net
--
ArNO
2


Re: [Samba] How to enable both remote and local users?

2004-03-08 Thread Arno Hahma
On 8. Mar, 2004, at 15:48, Gerald (Jerry) Carter wrote:

> This is by design.   I'm assuming that you mean you want users
> in the Windows domain to be mapped to local unix accounts if
> a matching username already exists on the system.

Yes, exactly!

> It's all or none here.  You can tell winbindd to map all windows
> users to local accounts (winbind trusted domains only = yes) or
> to handle all remote users/groups itself.

Oh well... I guess I'll have to go the all way then and set up the shells manually for those who need shell access, plus create all samba users manually as well. Actually, this is not so bad an idea after it has been done, since password management still goes to winbindd and the kerberos servers. I thought I would have saved a lot of work by only listing shell users in the local /etc/passwd and leaving all the rest to winbindd.

> cheers, jerry
> --
--
ArNO
2


[Samba] getent does not get remote users

2004-03-03 Thread Arno Hahma
I have a samba 3.0.2a server running Linux, which I try to set up to authenticate users from an NT4 PDC using winbindd. Now, everything works to the point where I try to list users with getent passwd. Getent only gets the local unix users and has no clue about the NT4 users. Also, home directories for the NT4 users are not created and no logs whatsoever are left behind by the PAM module pam_mkhomedir, although I added the debug switch to it.

Otherwise, the system works: the shared secret is ok, wbinfo -u shows all NT4 users correctly, and the NT4 users can even create a samba mount, provided the mounted directory has world rwx permissions (such as the /tmp below in the smb.conf). This means the authentication works ok, but the unix box is just not aware of any winbindd users, even though samba is.

Any clues where to look for the problem? And yes, I did search through winbindd how-tos and this mailing list's archives and tried all the tricks there. I also do not have any local users by the same names as the NT4 has them, thus no conflicts here. Samba has been compiled with all necessary support (PAM, winbind etc.) to support this scheme. /etc/nsswitch.conf has been edited to include winbind. ldconfig has been run to include the winbind shared modules. No nscd or any other NSS services are running. What can still be wrong?

PAM configuration file samba:

#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth       required   pam_smbpass.so nodelay
account    required   /lib/security/pam_stack.so service=system-auth-winbind
session    required   /lib/security/pam_stack.so service=system-auth-winbind
password   required   pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf

The service lines were edited according to the instructions in the smb.conf comments to include system-auth-winbind:

#%PAM-1.0
# $Header: /home/cvsroot/gentoo-x86/net-fs/samba/files/system-auth-winbind,v 1.1 2002/05/06 19:57:08 woodchip Exp $

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok use_first_pass
auth       sufficient   /lib/security/pam_winbind.so
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022 debug
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so

My smb.conf looks like:

# Global parameters
[global]
    dos charset = 850
    unix charset = UTF8
    workgroup = TESTWG
    server string = %h Samba Server %v
    interfaces = 192.168.1.1/23 192.168.3.1/23
    security = DOMAIN
    map to guest = Bad User
    log level = 2
    log file = /var/log/samba3/log.%m
    max log size = 500
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = cups
    local master = No
    dns proxy = No
    remote announce = 192.168.2.255 192.168.3.255
    remote browse sync = 192.168.2.255 192.168.3.255
    idmap uid = 1-2
    idmap gid = 1-2
    winbind separator = _
    printer admin = '@Domain Admins'
    hosts allow = 192.168.1., 192.168.2., 192.168.3., 127.
    hosts deny = ALL
    map acl inherit = Yes
    printing = cups

[homes]
    comment = Home dirs
    read only = No
    browseable = No

[printers]
    comment = Printers
    path = /var/spool/samba
    create mask = 0700
    guest ok = Yes
    printable = Yes
    # using cups own drivers (use generic PostScript on clients);
    # smb.conf only treats a '#' at the start of a line as a comment
    print command = lpr-cups -P %p %s
    browseable = No

[print$]
    path = /var/lib/samba/printers
    write list = @adm, root
    guest ok = Yes

[tmp]
    comment = temporary files
    path = /tmp
    guest ok = Yes
--
ArNO
2


Re: [Samba] getent does not get remote users

2004-03-03 Thread Arno Hahma
On 3. Mar, 2004, at 11:52, Stefan Günther wrote:

>> Also, home directories for the NT4 -users are not created and no logs
>> whatsoever are left behind by the
>
> As far as I know, the home directories for NT-Users aren't created
> automatically.

But they should; perhaps winbind isn't working for you either. I could also live without this property, but it _would_ be nice to have them owned by someone instead of just seeing numeric UIDs and GIDs on the unix box.

> I have written a small perl script which gets the NT -users via wbinfo
> -u and creates the home directories.
> If you are interested in it I could post it or send it.

At least you can send it and, if people on the list don't object, please post it as well.

> Bye,
> Stefan
--
ArNO
2
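
Two home-directory points run through this thread: the SUMMARY post's caveat that the %D level of template homedir = /home/%D/%U must already exist because pam_mkhomedir creates only the last path component, and Stefan's script that builds homes from the wbinfo -u user list. The following is an added example written for this page (not Stefan's perl script and not Samba code) that does both; it assumes the template and winbind separator = _ from the smb.conf posted earlier and uses constructed user names instead of calling wbinfo.

```python
# Added example (not from the thread, and not Stefan's perl script):
# pre-create the per-domain level that "template homedir = /home/%D/%U"
# needs, since pam_mkhomedir only creates the last path component, and
# then the user homes themselves with explicit modes.  The user names are
# constructed sample data in the form "wbinfo -u" prints them with
# "winbind separator = _"; nothing here calls wbinfo or changes ownership.
import os

SAMPLE_USERS = ["TESTWG_alice", "TESTWG_bob", "root"]   # constructed


def split_winbind_name(name, separator="_"):
    """'TESTWG_alice' -> ('TESTWG', 'alice'); a name without the separator
    is a local account and comes back with an empty domain."""
    domain, sep, user = name.partition(separator)
    return (domain, user) if sep else ("", name)


def expand_template(template, domain, user):
    """Expand the %D and %U substitutions of smb.conf's template homedir."""
    return template.replace("%D", domain).replace("%U", user)


def create_homes(users, root, template="/home/%D/%U", separator="_",
                 base_mode=0o755, home_mode=0o700):
    """Create the %D base directories and user homes under `root`
    (a scratch prefix for testing, or "/" on a real server).
    Returns the sorted list of directories created by this call."""
    created = []
    for name in users:
        domain, user = split_winbind_name(name, separator)
        if not domain:
            continue                       # local users already have homes
        home = os.path.join(root, expand_template(template, domain, user).lstrip("/"))
        base = os.path.dirname(home)       # the /home/%D level PAM will not create
        if not os.path.isdir(base):
            os.makedirs(base, mode=base_mode)
            created.append(base)
        if not os.path.isdir(home):
            os.mkdir(home, mode=home_mode)
            created.append(home)
    return sorted(created)


def demo():
    """Run against a throwaway prefix; returns the created paths relative to it."""
    import tempfile
    prefix = tempfile.mkdtemp()
    return [os.path.relpath(p, prefix) for p in create_homes(SAMPLE_USERS, prefix)]
```

Because the homes already exist when the user first connects, pam_mkhomedir has nothing to create, so the /home tree does not have to be 1777 for this path; ownership (chown to the winbind-mapped uid/gid) is deliberately left out here since it needs root and the real idmap range.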