[Samba] Trouble authenticating clients from ADS domain on Samba 3.0.5 file server

2004-07-30 Thread Chris Goff
I'm so close I can feel it :-)

I'm having a problem connecting users to their home directories. Under My
Network Places on XP clients I can see my Samba file server (Hobbes)
just fine. When I double click on it to open it, I get a login/password
prompt that I can't bypass even though I try logins/passwords that exist
on the ADS server and/or the UNIX accounts. Do I have to add these users
under Samba specifically?

I am joined to the ADS domain, I can pull users/groups from wbinfo -t, -u,
and -g. When I use webmin I can even go into the Samba module to add users
to a share and see all the users from my ADS domain pop up in a window.

Here's a copy of my smb.conf (where I think my problem might lie):

workgroup = NLES
realm = NLES.LOCAL
security = ads
password server = calvin.nles.local
username map = /etc/samba/smbusers
os level = 10
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes

[homes]
comment = %U Home Folder
path = /home/%u
valid users = %U cgoff administrator
# force user = %u
writeable = yes
browseable = no

I think my problem is with the [homes] share, but I'm not sure. Can anyone
give me any pointers on what my issue might be? As I said I can talk to
the ADS server just fine, seeing lists of users and groups. I'm almost
positive I'm not setting up my shares correctly.

Chris Goff
NLES Network Administrator
cgoff at nles.k12.wi.us


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Trouble authenticating clients from ADS domain on Samba 3.0.5 file

2004-07-30 Thread Chris Goff
I have MIT Kerberos 1.3.4 installed. This is the exact file I used on my
Slackware 10 server:

http://web.mit.edu/kerberos/www/dist/krb5/1.3/krb5-1.3.4-i686-pc-linux-gnu.tar

Maybe I made a mistake in using binaries instead of compiling from source?

Chris Goff
NLES Network Administrator
cgoff at nles.k12.wi.us

[EMAIL PROTECTED] writes:
Hmm,
What's your kerberos version?
I would bet it is MIT-kerberos and the version is something lower than 
1.3.3, isn't it?
If I'm correct you'll have to update your kerberos to a version >= 1.3.3
Christoph

Chris Goff wrote:
 I'm so close I can feel it :-)
 
 I'm having a problem connecting users to their home directories. Under My
 Network Places on XP clients I can see my Samba file server (Hobbes)
 just fine. When I double click on it to open it, I get a login/password
 prompt that I can't bypass even though I try logins/passwords that exist
 on the ADS server and/or the UNIX accounts. Do I have to add these users
 under Samba specifically?
 
 I am joined to the ADS domain, I can pull users/groups from wbinfo -t, -u,
 and -g. When I use webmin I can even go into the Samba module to add users
 to a share and see all the users from my ADS domain pop up in a window.
 
 Here's a copy of my smb.conf (where I think my problem might lie):
 
 workgroup = NLES
 realm = NLES.LOCAL
 security = ads
 password server = calvin.nles.local
 username map = /etc/samba/smbusers
 os level = 10
 dns proxy = No
 idmap uid = 1-2
 idmap gid = 1-2
 template shell = /bin/bash
 winbind separator = +
 winbind use default domain = Yes
 
 [homes]
 comment = %U Home Folder
 path = /home/%u
 valid users = %U cgoff administrator
 # force user = %u
 writeable = yes
 browseable = no
 
 I think my problem is with the [homes] share, but I'm not sure. Can anyone
 give me any pointers on what my issue might be? As I said I can talk to
 the ADS server just fine, seeing lists of users and groups. I'm almost
 positive I'm not setting up my shares correctly.
 
 Chris Goff
 NLES Network Administrator
 cgoff at nles.k12.wi.us
 
 





Re: [Samba] Trouble authenticating clients from ADS domain on Samba 3.0.5 file

2004-07-30 Thread Chris Goff
Did you install the PAM from the Samba FTP server, or PAM from padl.com?

I ended up following another tutorial than my original post here on the
mailing list a day or so back:

http://www.rongage.org/manual_samba_howto.html

Everything has worked like a charm, although there was no mention of PAM.

Chris Goff
NLES Network Administrator
cgoff at nles.k12.wi.us



[EMAIL PROTECTED] writes:
My /etc/pam.d/login
==
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

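
The /etc/pam.d/login quoted in this message puts pam_winbind as "sufficient" behind pam_securetty as "required", and the order of those two flags decides what happens for a domain user. The following is an added example (my code, not anything from the thread or from Samba): it parses that file and walks the auth and account groups with the four classic control flags. The True/False outcomes fed to it are assumptions standing in for what each module would return on a given login, and pam_stack.so is treated as one module rather than followed into system-auth.

```python
from collections import namedtuple

Module = namedtuple("Module", "mtype control name args")

# Constructed sample: the /etc/pam.d/login quoted above, whitespace restored.
PAM_LOGIN = """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
"""


def parse_pam(text):
    """Parse the classic 'type control module [args]' pam.d format."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError(f"malformed pam.d line: {line!r}")
        args = parts[3] if len(parts) == 4 else ""
        stack.append(Module(parts[0], parts[1], parts[2], args))
    return stack


def run_group(stack, mtype, outcomes):
    """Walk one management group (auth, account, ...) applying the four classic
    control flags. `outcomes` maps a module name to the True/False result it
    would return; modules not listed are taken to fail. Returns the final
    result and the names of the modules that were actually consulted."""
    required_failed = False
    consulted = []
    for m in stack:
        if m.mtype != mtype:
            continue
        ok = outcomes.get(m.name, False)
        consulted.append(m.name)
        if m.control == "required":
            # the failure is remembered, but the rest of the group still runs
            # so the caller cannot tell which module said no
            required_failed = required_failed or not ok
        elif m.control == "requisite":
            if not ok:
                return False, consulted
        elif m.control == "sufficient":
            # success ends the group early, unless a 'required' module
            # earlier in the group has already failed
            if ok and not required_failed:
                return True, consulted
        # 'optional' modules are ignored in this model
    return bool(consulted) and not required_failed, consulted


STACK = parse_pam(PAM_LOGIN)


def domain_user_secure_tty():
    """Domain account known to winbind, on a tty that pam_securetty allows."""
    return run_group(STACK, "auth", {"pam_securetty.so": True, "pam_winbind.so": True})


def domain_user_insecure_tty():
    """Same account, but pam_securetty rejects the tty: winbind's success no
    longer short-circuits, the local pam_stack check still runs, and the
    earlier 'required' failure decides the result."""
    return run_group(STACK, "auth",
                     {"pam_winbind.so": True, "pam_stack.so": True, "pam_nologin.so": True})


def local_user():
    """Account unknown to winbind (a failing 'sufficient' is ignored) but valid locally."""
    return run_group(STACK, "auth",
                     {"pam_securetty.so": True, "pam_stack.so": True, "pam_nologin.so": True})
```

The point of the second scenario is the one that bites in practice: a "sufficient" success never rescues a group in which a "required" module has already failed, so a pam_securetty or pam_nologin rejection ahead of pam_winbind fails domain users even though winbind itself said yes.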


Re: [Samba] Trouble authenticating clients from ADS domain on Samba 3.0.5 file

2004-07-30 Thread Chris Goff
Hmm, Slackware doesn't support PAM due to security issues. I tried
installing the RPM anyway (somewhat of a no-no on Slackware boxes), but it
didn't seem to affect anything (still getting a login/pass prompt on WinXP
clients attempting to login, and when entering a login/pass it doesn't
take it).

Looking at some Samba manuals it looks like I can authenticate using LDAP
instead of PAM. Anyone know if this is possible/feasible?

Chris Goff
NLES Network Administrator
cgoff at nles.k12.wi.us



[EMAIL PROTECTED] writes:
On Fri, 2004-07-30 at 17:08, Chris Goff wrote:
 Did you install the PAM from the Samba FTP server, or PAM from padl.com?
 
 I ended up following another tutorial than my original post here on the
 mailing list a day or so back:
 
 http://www.rongage.org/manual_samba_howto.html
 
 Everything has worked like a charm, although there was no mention of PAM.

I actually used the pam src rpm from fedora core 1/2 which ever was
0.77.

rpmbuild --rebuild that.src.rpm

Then install it.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster:  Linux





[Samba] Getting Samba 3 to communicate with Win2k3 ADS

2004-07-27 Thread Chris Goff
I'm having a *terrible* time trying to get Samba 3 to communicate with my
Windows 2003 Active Directory Server (the primary and only domain on my
network). Basically this is what I'm trying to do: create a Linux File
Server to replace my old WinNT 4 File Server. I would like it to show up
under all my XP clients on network neighborhood just like the old server,
with each account on my network having a folder on the file server that
they can work with i.e.

John Doe (jdoe account name on the Windows 2003 domain) has a folder on
Hobbes (the Linux File Server running Samba 3) named jdoe that only he
and anyone in the Administrators group can access. This is how I had it
setup with the old WinNT 4 file server.

Obviously I'm not looking for anything fancy, just some decent security by
using the same users/groups between the file server and the domain server,
and some folder shares for each account.

I've done some research on the web, read the Samba HOWTO, the Unofficial
HOWTO, and a paper on this website:
http://www.wlug.org.nz/ActiveDirectorySamba

I'm running a Slackware 10 operating system, removed the original Samba
3.0.4 (wasn't compiled with several required options) package and compiled
Samba 3.0.5 with the correct options (after installing numerous other
libraries such as PAM and OpenLDAP).

I've primarily been trying to follow the tutorial posted here:
http://www.wlug.org.nz/ActiveDirectorySamba. I have run into things that
simply don't exist on my system, such as /etc/pam.d/samba, etc. shown as
steps in that tutorial. I am able to see the system in my Active Directory
on the Win2k3 machine, and I can access shares if I go in manually (shares
that I have set up with SWAT) on my WinXP clients using \\Hobbes
(presented with login/pass prompt). However, it does not show up as an
icon under Network Places, and is shown as a Domain Controller under the
Active Directory.

Here's a copy of my log.winbindd:

Last login: Mon Jul 26 16:07:11 2004 from 10.0.0.3
Linux 2.4.26.
[EMAIL PROTECTED]:/usr/local/samba/var# more log.winbindd
[2004/07/27 09:13:23, 1] nsswitch/winbindd.c:main(843)
  winbindd version 3.0.5 started.
  Copyright The Samba Team 2000-2004
[2004/07/27 09:13:23, 0] param/loadparm.c:map_parameter(2420)
  Unknown parameter encountered: winbind seperator
[2004/07/27 09:13:23, 0] param/loadparm.c:lp_do_parameter(3110)
  Ignoring unknown parameter winbind seperator
[2004/07/27 09:13:23, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain NLES NLES.LOCAL S-0-0
[2004/07/27 09:13:30, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain NLES failed: No such file or directory
[2004/07/27 09:13:30, 1] nsswitch/winbindd_util.c:init_domain_list(327)
  Could not fetch sid for our domain NLES
[2004/07/27 09:14:20, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain NLES failed: Transport endpoint is not connected
[2004/07/27 10:41:26, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain NLES failed: Transport endpoint is not connected
[2004/07/27 11:00:02, 1] nsswitch/winbindd.c:main(843)
  winbindd version 3.0.5 started.
  Copyright The Samba Team 2000-2004
[2004/07/27 11:00:02, 0] lib/pidfile.c:pidfile_create(84)
  ERROR: winbindd is already running. File /usr/local/samba/var/locks/winbindd.pid exists and process id 18315 is running.
[2004/07/27 11:01:04, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain NLES failed: No such file or directory
[2004/07/27 11:06:18, 1] nsswitch/winbindd.c:main(843)
  winbindd version 3.0.5 started.
  Copyright The Samba Team 2000-2004
[2004/07/27 11:06:18, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain NLES NLES.LOCAL S-0-0
[2004/07/27 11:06:18, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/07/27 11:06:18, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain BUILTIN  S-1-5-32
[2004/07/27 11:06:18, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain HOBBES  S-1-5-21-1198646081-1480357316-948041017
[2004/07/27 11:19:55, 0] nsswitch/winbindd_acct.c:winbindd_create_user(884)
  winbindd_create_user: Refusing to create user that already exists (Administrator)
[2004/07/27 11:19:55, 0] nsswitch/winbindd_acct.c:winbindd_create_user(884)
  winbindd_create_user: Refusing to create user that already exists (Administrator)
[2004/07/27 11:19:55, 0] nsswitch/winbindd_acct.c:winbindd_create_user(884)
  winbindd_create_user: Refusing to create user that already exists (Administrator)
[2004/07/27 11:19:55, 0] nsswitch/winbindd_acct.c:winbindd_create_user(884)
  winbindd_create_user: Refusing to create user that already exists (Administrator)
[EMAIL PROTECTED]:/usr/local/samba/var#


So basically, does anyone have some steps they went through to get a basic
samba 3 file server running on their 2003 ADS network?

Also, I'd *really* like to be able to use ACL to 
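
The log.winbindd paste above mixes startup banners, a rejected smb.conf parameter, repeated ads_connect failures and a missing Kerberos credential cache. As an added example (not part of the original post, and not Samba's own tooling), the following Python reassembles Samba 3's two-line log records from a constructed sample built from those lines and summarizes them, which is the triage a practitioner would do before touching the configuration. The regular expressions match the header layout visible in the paste and are an assumption beyond that.

```python
import re
from collections import Counter

# Constructed sample: records copied from the log.winbindd paste above, with the
# wrapped lines rejoined (the real file has many more entries).
SAMPLE_LOG = """\
[2004/07/27 09:13:23, 1] nsswitch/winbindd.c:main(843)
  winbindd version 3.0.5 started.
  Copyright The Samba Team 2000-2004
[2004/07/27 09:13:23, 0] param/loadparm.c:map_parameter(2420)
  Unknown parameter encountered: winbind seperator
[2004/07/27 09:13:30, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain NLES failed: No such file or directory
[2004/07/27 09:14:20, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain NLES failed: Transport endpoint is not connected
[2004/07/27 10:41:26, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain NLES failed: Transport endpoint is not connected
[2004/07/27 11:06:18, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/07/27 11:19:55, 0] nsswitch/winbindd_acct.c:winbindd_create_user(884)
  winbindd_create_user: Refusing to create user that already exists (Administrator)
"""

# Samba 3 debug header: "[YYYY/MM/DD HH:MM:SS, level] source.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+?):(\w+)\((\d+)\)$")


def parse_samba_log(text):
    """Reassemble two-part records: a header line followed by one or more
    indented message lines. Returns a list of dicts, one per record."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "file": m.group(3), "func": m.group(4), "lines": []}
            records.append(current)
        elif current is not None and line.startswith(" "):
            current["lines"].append(line.strip())
    for r in records:
        r["msg"] = " ".join(r.pop("lines"))
    return records


def triage(records):
    """Pull out what matters for a failing ADS join: connection failures by
    reason, smb.conf parameters winbindd rejected, and Kerberos cache errors."""
    summary = {"ads_connect_failures": Counter(), "unknown_parameters": [], "krb5": []}
    for r in records:
        m = re.match(r"ads_connect for domain (\S+) failed: (.*)", r["msg"])
        if m:
            summary["ads_connect_failures"][(m.group(1), m.group(2))] += 1
        m = re.match(r"Unknown parameter encountered: (.*)", r["msg"])
        if m:
            summary["unknown_parameters"].append(m.group(1))
        if r["file"].endswith("clikrb5.c") and "failed" in r["msg"]:
            summary["krb5"].append(r["msg"])
    return summary


if __name__ == "__main__":
    s = triage(parse_samba_log(SAMPLE_LOG))
    for (domain, reason), n in s["ads_connect_failures"].most_common():
        print(f"ads_connect to {domain}: {reason} x{n}")
    print("rejected parameters:", s["unknown_parameters"])
    print("kerberos:", s["krb5"])
```

Run against the sample it reports the misspelled parameter, the two distinct ads_connect failure reasons with their counts, and the missing credential cache in one screen, which is a better starting point than reading the raw file top to bottom.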

Re: [Samba] Getting Samba 3 to communicate with Win2k3 ADS

2004-07-27 Thread Chris Goff
[EMAIL PROTECTED] writes:
1)  winbind separator is spelled wrong in your smb.conf file.

Hmm. That's not even listed in smb.conf...strange.


2)   Can you post a snip of the server config section of smb.conf
(e.g. not the share section)?

Here's my entire smb.conf file:

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/07/27 11:19:35

# Global parameters
[global]
workgroup = NLES
realm = NLES.LOCAL
security = ADS
password server = 10.0.0.3
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash

[test]
path = /tmp
valid users = cgoff, administrator
admin users = cgoff, administrator
hosts allow = 10.0., 127.0.0.1
[EMAIL PROTECTED]:/usr/local/samba/lib#


3)Did you configure /etc/krb5.conf and run kinit?  Does klist give
you any values?

Here's krb5.conf:

[logging]
default = FILE:/var/log/krb5/libs.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/admin.log

[libdefaults]
ticket_lifetime = 24000
default_realm = NLES.LOCAL
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
NLES.LOCAL = {
  kdc = 10.0.0.3
  default_domain = NLES.LOCAL
}

[domain_realm]
.nles.local = NLES.LOCAL
nles.local = NLES.LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

And the output from klist:

[EMAIL PROTECTED]:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
07/27/04 11:14:33  07/27/04 21:14:36  krbtgt/[EMAIL PROTECTED]
renew until 07/28/04 11:14:33


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

kinit was run. As the winbind log shows, I am able to join the domain.



Re: [Samba] Getting Samba 3 to communicate with Win2k3 ADS

2004-07-27 Thread Chris Goff
Awesome Greg, I'll give it a shot though I'm sure I'll have more questions
for the list here.

I'll have to see how to get EXT3 with ACL support on a re-install of Slack
10 (might as well just start over, I made a heck of a mess in the tree
:-D). I like reiser, but oh well..

Chris

[EMAIL PROTECTED] writes:
On Tue, 2004-07-27 at 14:59, Chris Goff wrote:
[snip a buncha]
 So basically, does anyone have some steps they went through to get a basic
 samba 3 file server running on their 2003 ADS network?
 
 Also, I'd *really* like to be able to use ACL to control folder
 permissions from WinXX clients rather than fudging with unix permissions.
 Does ReiserFS support ACL, or do I need to use another file system?

Not properly. Use either XFS or ext3 with ACL support compiled into the
kernel.

 Samba n00b, frustrated but hanging in there...
Even me being as good as I am in general, Samba hath shamed me these
past 2 weeks.

I want you to know that reference really works well. That at least got
me in the RIGHT direction.

The thing that made everything work for me, was making sure the kerberos
setup was absolutely proper, and making sure the shared libraries that
winbind uses are the proper versions. I had three shared libraries not
get replaced... screwed up everything.

Anyhow, I suggest you take a look back at the samba archive and look for
an e-mail by me called:

   Chasing the ads_add_machine_acct: Insufficient access problem

Everything in there in the building of samba and kerberos is very
crucial. Make and install kerberos v1.3.4 first. Then without setting up
kerberos just make and install samba (was 3.0.4) 3.0.5 that way. Things
should be very good. It is a good baseline.

Now, as far as smb.conf thingers... things in smb.conf and ads and
kerberos have to line up exactly, domain names, realm names, etc...

Once you do that, you should be golden.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster: Linux

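
Greg's advice that smb.conf, ADS and Kerberos "have to line up exactly" can be mechanized, and the same parser also serves the smb.conf from the first post. The example below is added here and is not code from the thread or from Samba: it parses copies of the [global] section from the first post and the krb5.conf from the follow-up (both constructed inline and trimmed to the keys read), checks that the realm names agree across the two files, flags the idmap ranges (the posted 1-2 is two ids wide and sits among the system uids; the 1000 threshold is an assumption borrowed from the usual Linux convention), flags DES-only enctypes, and reports parameter names it does not recognise. KNOWN_GLOBAL holds only the names seen in this thread, so that last check is a stand-in for testparm rather than a replacement.

```python
import re

# Constructed from the thread: the [global] section of the first smb.conf post.
SMB_CONF = """
[global]
workgroup = NLES
realm = NLES.LOCAL
security = ads
password server = calvin.nles.local
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
winbind use default domain = Yes
"""

# Constructed from the thread: the krb5.conf posted later, trimmed.
KRB5_CONF = """
[libdefaults]
default_realm = NLES.LOCAL
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5

[realms]
NLES.LOCAL = {
  kdc = 10.0.0.3
  default_domain = NLES.LOCAL
}

[domain_realm]
.nles.local = NLES.LOCAL
nles.local = NLES.LOCAL
"""

# Assumption: only the parameter names that appear in this thread, plus the
# correct spelling of the one the winbindd log rejected ("winbind seperator").
KNOWN_GLOBAL = {"workgroup", "realm", "security", "password server", "username map",
                "os level", "dns proxy", "idmap uid", "idmap gid", "template shell",
                "winbind separator", "winbind use default domain"}


def parse_conf(text):
    """Minimal parser for smb.conf / krb5.conf syntax: {section: {key: value}}.
    A krb5 'NAME = {' block inside [realms] becomes the section 'realms/NAME'."""
    sections, current, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif line.endswith("{"):
            stack.append(current)
            current = f"{current}/{line[:-1].split('=', 1)[0].strip()}"
            sections.setdefault(current, {})
        elif line == "}":
            current = stack.pop()
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def lint(smb_text, krb_text):
    """Return a list of findings about the two configs."""
    smb, krb = parse_conf(smb_text), parse_conf(krb_text)
    g, libdefaults = smb.get("global", {}), krb.get("libdefaults", {})
    findings = []

    # 1. idmap ranges: every domain SID gets its uid/gid from here, so the range
    #    must hold the whole domain and stay clear of local system ids (< 1000,
    #    a convention assumed here).
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", g.get(key, ""))
        if not m:
            findings.append(f"{key}: missing or not of the form LOW-HIGH")
            continue
        low, high = int(m.group(1)), int(m.group(2))
        if high - low + 1 < 1000:
            findings.append(f"{key} = {low}-{high}: only {high - low + 1} ids available")
        if low < 1000:
            findings.append(f"{key} = {low}-{high}: overlaps local system accounts")

    # 2. realm names must line up across smb.conf and krb5.conf
    realm = g.get("realm", "").upper()
    if g.get("security", "").lower() == "ads" and not realm:
        findings.append("security = ads without a realm")
    if realm != libdefaults.get("default_realm", "").upper():
        findings.append(f"smb.conf realm {realm!r} != krb5 default_realm")
    if f"realms/{realm}" not in krb:
        findings.append(f"krb5.conf has no [realms] entry for {realm}")
    if krb.get("domain_realm", {}).get(realm.lower(), "").upper() != realm:
        findings.append(f"krb5.conf [domain_realm] does not map {realm.lower()} to {realm}")

    # 3. DES-only enctypes: 56-bit keys, disabled by default on current KDCs
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        ets = libdefaults.get(key, "").split()
        if ets and all(e.startswith("des-") for e in ets):
            findings.append(f"krb5 {key}: DES-only enctypes")

    # 4. parameter names this check does not know (winbindd rejects misspellings)
    for key in g:
        if key not in KNOWN_GLOBAL:
            findings.append(f"smb.conf: {key!r} unknown to this check; confirm with testparm")
    return findings


if __name__ == "__main__":
    for f in lint(SMB_CONF, KRB5_CONF):
        print("-", f)
```

On the configs from this thread the realm checks pass and the output is the two idmap findings per range plus the two DES-only enctype lines; swapping in the misspelled "winbind seperator" adds a fifth kind of finding, and changing the smb.conf realm alone produces all three cross-file mismatches at once.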

