[Samba] AD authentication against a service name not part of AD.

2011-10-17 Thread Wes Reneau
I have a 3 node VCS cluster whose nodes all run the same smb.conf file but they are
all separate instances.  Samba is not a part of the VCS cluster. I've joined
the boxes to AD and based on AD groups can successfully access the desired
shares only if you reference the server name and not the service name.  The
server name is server1.mydomain.com; the service name is
serviceA.somedomain.net.

The service name is simply a DNS zone so no trusts exist.  I've pondered the
idea of having samba reference the interface where the service lives but in
the event the service is moved from server1 to server2 will that crash smb?

Ultimately I want to access the service name to gain access to the shares as
the server name is going to be unreliable.  I've copied my smb.conf file
below and edited it to reflect the names I've used in the first paragraph.

[global]
workgroup = mydomain
realm = mydomain.com
server string = %h server (Samba %v)
security = ADS
allow trusted domains = No
password server = auth.mydomain.com
log level = 3
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = host wins bcast
time server = Yes
printcap name = cups
wins support = Yes
idmap uid = 16777217-33554431
idmap gid = 16777217-33554431
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
cups options = raw

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[unixshare]
comment = UNIX Share
path = /tmp/UNIX_share
valid users = @"mydomain\UNIX System Administrators"
read only = No
browseable = No

[reports]
comment = Report repository
path = /reports
guest ok = Yes
writeable = yes

[verify]
path = /verify
guest ok = Yes
writeable = yes

When trying to access \\serviceA.somedomain.net\reports I get the error that
reads:

"No process is on the other end of the pipe"

However if I try to access \\server1.mydomain.com\reports it works fine.


I would appreciate any help.
Wes
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] AD authentication for local users

2009-11-03 Thread Adam Nielsen
> It looks like the problem is AD UID to UNIX UID mapping. The default
> TDB backend will create 'virtual' UNIX accounts on demand but I don't
> want this -- I want user 'foo' to map to the local user 'foo'. If I
> add idmap uid and idmap gid lines the users authenticate okay but the
> TDB idmap backend wants to map a new user instead of using the
> existing UNIX account by the same name.

Have you looked at the 'username map' option?  AFAIK you will need to
map AD to UNIX users by hand if you don't want the autocreate behaviour.
 You might be able to script the production of the username mapping file
though, which would automate it to a certain extent.

Cheers,
Adam.
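Adam's suggestion above can be scripted. The following is an added example (not from this thread and not Samba's own code) that generates a Samba 'username map' file from constructed wbinfo -u output and a constructed /etc/passwd excerpt; it maps an AD account onto the local account of the same name only when that local account exists with a regular uid, and records every entry it refused, so a map line never quietly hands an AD identity a system or unrelated local account. The domain name MYDOMAIN, the sample users and the uid threshold are assumptions.

```python
import re

# Constructed sample of `wbinfo -u` output, default '\' winbind separator.
WBINFO_USERS = """\
MYDOMAIN\\foo
MYDOMAIN\\bar
MYDOMAIN\\root
MYDOMAIN\\svc_backup
OTHERDOM\\foo
"""

# Constructed /etc/passwd excerpt.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
foo:x:1001:1001:Foo User:/home/foo:/bin/bash
bar:x:1002:1002:Bar User:/home/bar:/bin/bash
"""

# Only plain account names are ever written into the map file.
_SAFE_NAME = re.compile(r'^[A-Za-z0-9._-]+$')


def parse_wbinfo_users(text, separator='\\'):
    """Yield (DOMAIN, name) pairs from wbinfo -u output."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if separator not in line:
            raise ValueError('no domain separator in %r' % line)
        domain, name = line.split(separator, 1)
        yield domain.upper(), name


def parse_passwd(text, min_uid):
    """Return {name: uid} for local accounts whose uid is at least min_uid."""
    users = {}
    for line in text.splitlines():
        fields = line.split(':')
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        if int(fields[2]) >= min_uid:
            users[fields[0]] = int(fields[2])
    return users


def build_username_map(wbinfo_text, passwd_text, domain, min_uid=1000):
    """Return (map_lines, skipped).

    An AD user is mapped only when it belongs to `domain` and a local account
    of the same name exists with uid >= min_uid; every other entry is listed
    in `skipped` with the reason, so nothing is mapped by accident.
    """
    local = parse_passwd(passwd_text, min_uid)
    map_lines, skipped, seen = [], [], set()
    for ad_domain, name in parse_wbinfo_users(wbinfo_text):
        full = ad_domain + '\\' + name
        if ad_domain != domain.upper():
            skipped.append((full, 'foreign domain'))
        elif not _SAFE_NAME.match(name):
            skipped.append((full, 'unsafe characters in name'))
        elif name not in local:
            skipped.append((full, 'no local account with uid >= %d' % min_uid))
        elif name in seen:
            skipped.append((full, 'local account already mapped'))
        else:
            seen.add(name)
            # A leading '!' stops Samba from applying later lines to this user.
            map_lines.append('!%s = %s' % (name, full))
    return map_lines, skipped


def render_map_file(map_lines, skipped):
    """Produce the text of the map file, with the skipped entries as comments."""
    out = ['# generated: local account = AD account (do not edit by hand)']
    out += map_lines
    out += ['# skipped %s: %s' % entry for entry in skipped]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    lines, skipped = build_username_map(WBINFO_USERS, LOCAL_PASSWD, 'MYDOMAIN')
    print(render_map_file(lines, skipped), end='')
```

Point 'username map' in smb.conf at the generated file and review the skipped entries before each rollout; anything in that list that should map needs a deliberately created local account first.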


[Samba] Samba AD authentication: not prompting for password

2008-12-10 Thread Chris Henderson
I'm using Samba to authenticate against Active Directory. After the
initial setup, I mounted the UNIX drive under XP using my AD credentials.
Now every time I mount the drives under XP, I am not being asked for a
username and password anymore. I have re-booted my XP, deleted the share
from My Network Places under XP with no luck. I tried from another XP
machine with a different AD user's credentials and the first time I
mounted the drive, I was asked for a username and password and now I can
login without one!

I have done "kdestroy" to destroy the kerberos cache, restarted smb, nmb,
winbind with no luck.

Any help would be much appreciated. Thanks.

My versions:
===

samba 3.0
krb5-1.6
samba-winbind 3.0


[Samba] AD Authentication

2008-06-25 Thread Jason Gerfen
Which schema attributes are necessary for an AD user to authenticate 
against active directory?


I am asking because I have some users which can authenticate and some 
that cannot.


I tried to find this information in the samba howto but could not locate 
it. Thanks.

--
Jas


[Samba] AD Authentication Help

2007-10-27 Thread Murugesan Kanthasamy
Hello there, I have been configuring my Linux hosts to authenticate against an
AD trusted domain, but that does not seem to be working.

All my Linux hosts are part of the DOM A Active Directory Domain and all users can
login successfully. DOM A has a trust to the DOM B Active Directory.

- smb.conf file option "allow trusted domain = yes"
- wbinfo -m shows the trusted domain
- I can see all users of DOM B when I do wbinfo or getent.
- kerberos file has the entries for DOM A and DOM B

But when I su or ssh as that user, I get access denied.

I looked at the messages file; what's happening is when I try to login as the user,
kerberos appends the DOM A domain name for the DOM B user.

Incorrect password for "DOM [EMAIL PROTECTED] A".


If anyone had any idea on how to fix it, pls let me know. 

Thank you very much..


Thanks, MK


Re: [Samba] AD authentication

2007-09-13 Thread Gerald (Jerry) Carter
Kevin R. Gutch wrote:
> I am preparing to install samba with using AD  authentication. I have
> done this once before.
> 
> I noticed however on this install that smbd -b | grep LDAP does not
> produce the following: " HAVE_LDAP_DOMAIN2HOSTLIST"
> 
> Will this cause issues?

No.  I removed the code that used that call somewhere
around 3.0.23.  Do our docs say it's required?




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


[Samba] AD authentication

2007-09-12 Thread Kevin R. Gutch
I am preparing to install samba with using AD  authentication. I have 
done this once before.


I noticed however on this install that smbd -b | grep LDAP does not 
produce the following: " HAVE_LDAP_DOMAIN2HOSTLIST"


Will this cause issues?

Thanks,
Kevin

[Samba] AD authentication

2005-10-04 Thread Lorenzo Tan
I'm having trouble getting users to authenticate to my samba file server
(running FreeBSD 5.4). I am able to view users on Active Directory from
BSD via LDAP, kerberos appears to be working properly and I have
nsswitch.conf point to ldap as well. I think my problem is with the pam
config files. I have not changed them yet and I'm a little hesitant to
because the last time I tried changing the pam modules, I locked myself
out of my machine. If this what my problem is, can someone give me an
example of what the pam modules should look like? If there's something
else I've left out, please let me know. I just need some direction.
Thanks.

Side note: I was able to get my samba server to work when I used winbind
however, I had to create local copies of all the accounts. I've been
told that winbind is not needed to get this to work and that I can just
have everything point to LDAP and then have LDAP point to AD.



Re: [Samba] AD Authentication help please?

2005-09-21 Thread Jason Gerfen
Well I made the changes you suggested but I am still not able to view 
any other container contents.  I even used the net ads cache flush to 
see if I could get it to work.


Thanks for the suggestions.

Edward Brookhouse wrote:


Try changing your winbind separator to a + instead of a /


Here is my global in smb.conf

[global]
netbios name = GOETHE
server string = IT Dev Server
realm = CORP.PHILLIPS.COM
workgroup = CORP
password server = 172.17.17.110
security = ADS
encrypt passwords = yes
socket options = TCP_NODELAY
  local master = no
  dns proxy = yes
  winbind separator = +
winbind uid = 1-2
   winbind gid = 1-2
   winbind enum groups = yes
   winbind enum users = yes
  idmap uid = 16777216-33554431
  idmap gid = 16777216-33554431
  template shell = /bin/false
  winbind use default domain = no




Then in my homes definition:


[homes]
  comment = Home Directories
  browseable = no
  writable = yes
   user = @"CORP+domain users"




Where 'CORP' is my domain 




-Original Message-
From: Jason Gerfen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 21, 2005 2:26 PM

To: Edward Brookhouse
Subject: Re: [Samba] AD Authentication help please?

Here is the krb5.conf


[libdefaults]
default_realm = DOMAIN.COM
clockskew = 300
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc

[realms]
DOMAIN.COM = {
kdc = 192.168.0.10
default_domain = domain.com
admin_server = 192.168.0.10
}

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

[appdefaults]
pam = {
   ticket_lifetime = 1d
   renew_lifetime = 1d
   forwardable = true
   proxiable = false
   retain_after_close = false
   minimum_uid = 0
}

now the contents of the smb.conf


[global]
#
# Network configuration
#
   server string = odin-newb
   workgroup = DOMAIN.COM
   netbios name = ODIN-NEWB
   realm = DOMAIN.COM
   security = ADS
   password server = 192.168.0.10

#
# Domain configuration options
#
   prefered master = no
   local master = no
   domain master = no
   prefered master = no
   domain logons = no

#
# Security options
#
   encrypt passwords = yes
   update encrypted = yes
   password level = 20

#
# Enumeration options
#
   winbind separator = /
   winbind enum users = yes
   winbind enum groups = yes

#
# User/Group mapping options
#
   idmap uid = 15000-2
   idmap gid = 15000-2

#
# LDAP/AD configuration options
#
   ldap admin dn = "cn=X,ou=users,dc=domain,dc=com"
   ldap delete dn = no

   use spnego = yes

#
# Networking options
#
   hide unreadable = no
   wins support = no
   dns proxy = no

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$


#
# Miscellaneous options
#
   os level = 20
   template shell = /bin/bash
   template homedir = /odin/%D/%U
   load printers = no

#
# Logging options
#
   log level = 4
   log file = /var/log/samba.log.%m


The only container I can view (as far as using the wbinfo -u command) is
anything in

LDAP://192.168.0.10/OU=Test,DC=domain,DC=com   # I can view these users

And the users I need to authenticate are in

LDAP://192.168.0.10/CN=auth,DC=domain,DC=com

???


Edward Brookhouse wrote:

 


No need to be sorry :)

That link you sent speaks to adding the Computer into a particular
container - nothing about users.

What is the layout of your domain? Which container can you see? Which
can you not? 


How is your realm setup in krb5.conf ?





-Original Message-
From: Jason Gerfen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 21, 2005 2:10 PM

To: Edward Brookhouse; samba@lists.samba.org
Subject: Re: [Samba] AD Authentication help please?

Strange, I guess that is my misunderstanding of how it acquires the 
list of users when running a wbinfo -u command.

Yep, here is the output:

[EMAIL PROTECTED]:~> sudo net ads join -U [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password: xx
Using short domain name -- DOMAIN.COM
Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'

And when I check to see if it is available within Active Directory 
(member server of Win2k domain) I can clearly see the 
CN=odin-newb,cn=computers,dc=domain,dc=com listed in the appropriate 
container.

My problem at this point is the only users I can view are in a different
container.  You say you can view all users for all containers right?

Well after joining the domain the first time I followed the samba3-howto
and attempted to point to a container of users and now those are the 
only ones I can view.


http://www.samba.org/

Re: [Samba] AD Authentication help please?

2005-09-21 Thread Jason Gerfen
Strange, I guess that is my misunderstanding of how it acquires the 
list of users when running a wbinfo -u command.


Yep, here is the output:

[EMAIL PROTECTED]:~> sudo net ads join -U [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password: xx
Using short domain name -- DOMAIN.COM
Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'

And when I check to see if it is available within Active Directory 
(member server of Win2k domain) I can clearly see the 
CN=odin-newb,cn=computers,dc=domain,dc=com listed in the appropriate 
container.


My problem at this point is the only users I can view are in a different 
container.  You say you can view all users for all containers right?


Well after joining the domain the first time I followed the samba3-howto 
and attempted to point to a container of users and now those are the 
only ones I can view.


http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-create-machine-account

I am sorry about any confusion.

Edward Brookhouse wrote:


I still do not understand what you mean by map ?

In my setup wbinfo -u shows me 'everything' regardless of the container
it's in.

It sounds like you think there should be some kind of authentication
mapping but there does not need to be one - 


By adding the computer to the domain - and setting up the kerb conf -
when an auth request hits samba he will hand it to the domain and the
domain should do a recursive search for user objects under
dc=your,dc=toplevel,dc=com

The only reason you see the ou=Users in your trace is because Admin
lives in ou=Users by default.

Can you authenticate ? Have you tried?





-Original Message-
From: Jason Gerfen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 21, 2005 1:46 PM

To: Edward Brookhouse
Subject: Re: [Samba] AD Authentication help please?

Sorry, I suppose I am leaving things out.

I am able to see the machine in the computers container after I 
successfully joined the domain using the net ads join command.  However 
while trying (multiple times) to map to the CN=users container in Active
directory I mapped to an OU=otherUsers which is now what I see when I do
a wbinfo -u command.

If what you are saying is correct about the default mapping to the 
cn=users I need to revert back to this somehow.


Edward Brookhouse wrote:

 


Try to forget about where the users live for a sec - get the computer in
the domain first. Your net ads join command should return a welcome to
the domain if it does not - use a net rpc join command in the same
fashion -=

Then go look in AD to see if that computer showed up in your Computers
container - 

If It did great .. you should be golden 

If not - go back to the net join until it works :)



-Original Message-
From: Jason Gerfen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 21, 2005 1:22 PM

To: Edward Brookhouse
Subject: Re: [Samba] AD Authentication help please?

Hmm, that might be my problem.  I am using the HOWTO and running the 
commands in this order:


%> net ads join -U 
%> kinit 
%> net ads join -U  "users" as the container which is not
found.

Do I need to do a net ads leave command?  In order to attempt a new 
mapping for the users container?


Edward Brookhouse wrote:



   


I'm still confused on what you are saying - here is why:

# net ads join 

Should join the 'computer' to the domain - the user should already be in
there - the ou=users is the default implied container where users live,
but it should not matter where the users are in the directory - 

For example -

My domain is laid out like:

dc=corp,dc=example,dc=com

with ou=users being where admin lives 
but all my other users live in ou=HD,ou=7811

once you do net ads join the computer should show up in the Computers
container.





-Original Message-
From: Jason Gerfen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 20, 2005 3:35 PM

To: Edward Brookhouse; samba@lists.samba.org
Subject: Re: [Samba] AD Authentication help please?

When joining the samba box to a domain:

%> net ads join -U 
%> kinit [EMAIL PROTECTED]
%> net ads join -U  

The last command fails and when doing an strace you can clearly see that
it is expecting an Organizational Unit (OU) vs. a Common Name (CN) which
is where the users I need to authenticate are currently residing.

Do I need to move these to an OU vs. a CN?  Here is the strace output I
am referring to:

%> strace -o tmp net ads join -U "Admin" "users"

(only including pertinent lines with searching for container to map to)

write(6, "0C\2\1\5c>\4\36ou=users,dc=DOMAIN,dc=COM"..., 69) = 69  <-- 
here is the hard coded ou, I am not 100% familiar with the LDAP RFC but
on a windows Active Directory there are CN and OU containers

OU vs. CN in LDAP? Re: [Samba] AD Authentication help please?

2005-09-21 Thread Jason Gerfen
I am sorry to post this again, but I need some help on using Active 
Directory mapping.


Jason Gerfen wrote:


When joining the samba box to a domain:

%> net ads join -U 
%> kinit [EMAIL PROTECTED]
%> net ads join -U  

The last command fails and when doing an strace you can clearly see 
that it is expecting an Organizational Unit (OU) vs. a Common Name 
(CN) which is where the users I need to authenticate are currently 
residing.


Do I need to move these to an OU vs. a CN?  Here is the strace output 
I am referring to:


%> strace -o tmp net ads join -U "Admin" "users"

(only including pertinent lines with searching for container to map to)

write(6, "0C\2\1\5c>\4\36ou=users,dc=DOMAIN,dc=COM"..., 69) = 69  <-- 
here is the hard coded ou, I am not 100% familiar with the LDAP RFC 
but on a windows Active Directory there are CN and OU containers


See how it is appending the OU=USERS?


This is still the problem, I am able to view users, groups, domains etc 
using the wbinfo tool without problem.  However when attempting to map a 
specific CN container within the Active Directory (Win2k) I receive this 
error:
ads_join_realm: organizational unit users does not exist 
(dn:ou=users,dc=COM,dc=COM)


After using the ldap tools I find that the "users" container (which is 
where the users reside that I need to authenticate) is a CN vs. a OU 
which the net ads join command seems to be expecting (note the strace 
output from previous post listed above).


If there is anyone on this list that has some more insight into this 
problem please help a brother out.  =)







Edward Brookhouse wrote:


Not sure I understand your question. What are you trying to map?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Jason Gerfen
Sent: Tuesday, September 20, 2005 11:25 AM
To: samba@lists.samba.org
Subject: [Samba] AD Authentication help please?

I am having a problem which with much help from this list I have 
gotten 90% complete.  I am attempting to create a samba server which 
will authenticate users as a Domain member server using active 
directory.


The question I have is how can I map a specific container which is 
not an OU but a CN in the active directory?


Any help is appreciated.

 







--
Jason Gerfen

"My girlfriend threated to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK

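The strace write() quoted in this thread is a BER-encoded LDAP SearchRequest (RFC 4511), which is why the container name appears behind a length byte (\36, i.e. 30) in the trace. As an added example, not code from the thread or from Samba, the following Python turns that strace literal back into bytes and decodes it far enough to recover the message ID, the operation and the base DN, reporting when strace's string limit has cut the DN short; the complete request it builds for comparison is constructed, using the shorter DN as quoted in the post and an assumed subtree (objectClass=*) filter.

```python
import re

# strace prints the first bytes of a write() as a C literal: printable bytes
# as-is, everything else as \ooo octal or a short escape such as \n.
_ESC = re.compile(r'\\([0-7]{1,3}|[nrtfvab\\"])')
_SIMPLE = {'n': 10, 'r': 13, 't': 9, 'f': 12, 'v': 11, 'a': 7, 'b': 8,
           '\\': 92, '"': 34}

# The fragment quoted in the thread; strace cut it at its default string limit.
STRACE_FRAGMENT = r'0C\2\1\5c>\4\36ou=users,dc=DOMAIN,dc=COM'

# LDAP protocol-op tags: [APPLICATION n], constructed, i.e. 0x60 | n.
LDAP_OPS = {0x60: 'bindRequest', 0x63: 'searchRequest',
            0x66: 'modifyRequest', 0x68: 'addRequest'}
SCOPES = {0: 'baseObject', 1: 'singleLevel', 2: 'wholeSubtree'}


def strace_literal_to_bytes(literal):
    """Undo strace's C-string escaping and return the raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(literal):
        out += literal[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        out.append(int(esc, 8) if esc[0] in '01234567' else _SIMPLE[esc])
        pos = m.end()
    out += literal[pos:].encode('latin-1')
    return bytes(out)


def read_tlv_header(buf, pos):
    """Return (tag, length, value_offset) for the BER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError('truncated TLV header at offset %d' % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        return tag, first, pos
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + n > len(buf):
        raise ValueError('indefinite or truncated length at offset %d' % pos)
    return tag, int.from_bytes(buf[pos:pos + n], 'big'), pos + n


def decode_search_prefix(buf):
    """Decode an LDAPMessage prefix; reports a DN cut short by the capture."""
    tag, msg_len, pos = read_tlv_header(buf, 0)
    if tag != 0x30:
        raise ValueError('not an LDAPMessage SEQUENCE (tag 0x%02x)' % tag)
    tag, n, pos = read_tlv_header(buf, pos)
    if tag != 0x02:
        raise ValueError('expected INTEGER messageID')
    msg_id = int.from_bytes(buf[pos:pos + n], 'big', signed=True)
    pos += n
    tag, op_len, pos = read_tlv_header(buf, pos)
    info = {'message_id': msg_id, 'message_len': msg_len, 'op_len': op_len,
            'op': LDAP_OPS.get(tag, 'unknown(0x%02x)' % tag)}
    if info['op'] != 'searchRequest':
        return info
    tag, dn_len, pos = read_tlv_header(buf, pos)
    if tag != 0x04:
        raise ValueError('expected OCTET STRING baseObject')
    dn = buf[pos:pos + dn_len]          # may be shorter than dn_len if truncated
    info.update(base_dn=dn.decode('utf-8', 'replace'), base_dn_len=dn_len,
                truncated=len(dn) < dn_len)
    pos += len(dn)
    if not info['truncated'] and pos < len(buf):
        tag, n, pos = read_tlv_header(buf, pos)   # scope ENUMERATED follows
        if tag == 0x0A and n == 1:
            info['scope'] = SCOPES.get(buf[pos], 'unknown')
    return info


def tlv(tag, value):
    """Encode one short-form BER TLV (value shorter than 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def build_search_request(msg_id, base_dn, scope=2):
    """Constructed, complete SearchRequest for (objectClass=*), for comparison."""
    body = (tlv(0x04, base_dn.encode())
            + tlv(0x0A, bytes([scope]))        # scope
            + tlv(0x0A, b'\x00')               # derefAliases = neverDerefAliases
            + tlv(0x02, b'\x00')               # sizeLimit = 0
            + tlv(0x02, b'\x00')               # timeLimit = 0
            + tlv(0x01, b'\x00')               # typesOnly = FALSE
            + tlv(0x87, b'objectClass')        # filter: present [7] objectClass
            + tlv(0x30, b''))                  # attributes: none requested
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, body))


if __name__ == '__main__':
    print(decode_search_prefix(strace_literal_to_bytes(STRACE_FRAGMENT)))
    print(decode_search_prefix(build_search_request(5, 'ou=users,dc=DOMAIN,dc=COM')))
```

Run strace with a larger -s value (or read the trace with this decoder) to see the whole base DN that net sends, rather than guessing from the cut-off literal.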


Re: [Samba] AD Authentication help please?

2005-09-20 Thread Jason Gerfen

When joining the samba box to a domain:

%> net ads join -U 
%> kinit [EMAIL PROTECTED]
%> net ads join -U  

The last command fails and when doing an strace you can clearly see that 
it is expecting an Organizational Unit (OU) vs. a Common Name (CN) which 
is where the users I need to authenticate are currently residing.


Do I need to move these to an OU vs. a CN?  Here is the strace output I 
am referring to:


%> strace -o tmp net ads join -U "Admin" "users"

(only including pertinent lines with searching for container to map to)

write(6, "0C\2\1\5c>\4\36ou=users,dc=DOMAIN,dc=COM"..., 69) = 69  <-- 
here is the hard coded ou, I am not 100% familiar with the LDAP RFC but 
on a windows Active Directory there are CN and OU containers


See how it is appending the OU=USERS?


Edward Brookhouse wrote:


Not sure I understand your question. What are you trying to map?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Jason Gerfen
Sent: Tuesday, September 20, 2005 11:25 AM
To: samba@lists.samba.org
Subject: [Samba] AD Authentication help please?

I am having a problem which with much help from this list I have gotten 
90% complete.  I am attempting to create a samba server which will 
authenticate users as a Domain member server using active directory.


The question I have is how can I map a specific container which is not 
an OU but a CN in the active directory?


Any help is appreciated.

 




--
Jason Gerfen

"My girlfriend threated to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK



[Samba] AD Authentication help please?

2005-09-20 Thread Jason Gerfen
I am having a problem which with much help from this list I have gotten 
90% complete.  I am attempting to create a samba server which will 
authenticate users as a Domain member server using active directory.


The question I have is how can I map a specific container which is not 
an OU but a CN in the active directory?


Any help is appreciated.

--
Jason Gerfen

"My girlfriend threated to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK



RE: [Samba] Samba / AD authentication - one machine only !!!!

2005-07-22 Thread Tim Holmes
Folks -- thanks for all your help -- I have gotten the SAMBA
AUTHENTICATION problem resolved -- I rebuilt the machine -- 

That machine has had as many as 5 different samba configs on it over the
last 3 months as I have tried to get things figured out to make it work
right.  So now that I had a known working configuration, I just needed
to clean all the other junk up

Thanks so much for all your help

I still have a few questions about how to configure permissions which I
posted earlier, if anyone can help out, I would appreciate it

TIM


Timothy A. Holmes
 
IT Manager / Webmaster / Science Teacher
 
Medina Christian Academy
A Higher Standard...
 
Jeremiah 33:3
Jeremiah 29:11
Esther 4:14



[Samba] Samba / AD authentication - one machine only !!!!

2005-07-21 Thread Tim Holmes
Hi Folks:

I am continuing to work on the samba problems.  This is a weird one!!!

I have 3 servers with samba running:

2 of them work perfectly and the third one refuses to authenticate

I am seeing a lot of the following error

 [2005/07/21 12:58:21, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected


Googling around has found that it seems to be related to DNS issues,
but that makes no sense, since the two other servers running identical
[global] sections (only differences are machine names etc) and krb5
configurations are working fine

The web server works cool
The testbed server works kool

When I try to access the file server, it asks for authentication

Kinit shows no errors, so I assume that's working right


Here is the smb.conf
[global]
log file = /var/log/samba/%m.log
idmap gid = 1-4
socket options = SO_RCVBUF=8192
wins server = 192.168.0.2
domain master = No
realm = MCASCHOOL.NET
netbios name = srvfs-01
server string = MCA File Server (test conf)
password server = srvdc01.mcaschool.net
idmap uid = 1-4
winbind enum users = yes
winbind nested groups = Yes
local master = No
workgroup = MCASCHOOL
os level = 20
winbind enum groups = yes
security = ads
preferred master = no

[users]
path = /home
read only = No


here is the nsswitch.conf

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be #
sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an # entry
should stop if the search in the previous entry turned # up nothing.
Note that if the search failed due to some other reason # (like no NIS
server responding) then the search continues with the # next entry.
#
# Legal entries are:
#
#   nisplus or nis+ Use NIS+ (NIS version 3)
#   nis or yp   Use NIS (NIS version 2), also called YP
#   dns Use DNS (Domain Name Service)
#   files   Use the local files
#   db  Use the local database (.db) files
#   compat  Use NIS on compat mode
#   hesiod  Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases # # Example:
#passwd:db files nisplus nis
#shadow:db files nisplus nis
#group: db files nisplus nis

passwd: files compat winbind
shadow:   compat
group:  files compat winbind

#hosts: db files nisplus nis dns
hosts:  files dns winbind

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:files
services:   files winbind

netgroup:   files winbind

publickey:  nisplus

automount:  files winbind
aliases:files nisplus





And the  /etc/krb5.conf


[libdefaults]
 default_realm = MCASCHOOL.NET

[realms]
 MCASCHOOL.NET = {
 kdc = srvdc01.mcaschool.net
 }

[domain_realm]
 .mcaschool.net = MCASCHOOL.NET
 mcaschool.net = MCASCHOOL.NET



here is the /etc/hosts

# Do not remove the following line, or various programs # that require
network functionality will fail.
127.0.0.1   srvfs-01localhost.localdomain   localhost
192.168.0.5 srvfs-01srvfs-01.mcaschool.net  srvfs-01



And last but not least the  /etc/resolv.conf

domain mcaschool.net
nameserver 192.168.0.2



This one has me totally stumped, because one of the servers that is
running is running an exactly identical hardware set

Any suggestions would be most helpful



Timothy A. Holmes
 
IT Manager / Webmaster / Science Teacher
 
Medina Christian Academy
A Higher Standard...
 
Jeremiah 33:3
Jeremiah 29:11
Esther 4:14





[Samba] AD authentication almost but not quite

2005-05-11 Thread Foster, Mark
Client is a centos-3.4 box, Server (DC) is Windows 2K AD.
I'm able to see user and group accounts on the DC but not able to authenticate 
against it.
wbinfo -a does not rely on pam module, correct?

[EMAIL PROTECTED] root]# net ads testjoin
Join is OK

[EMAIL PROTECTED] root]# net ads info
LDAP server: 172.16.100.202
LDAP server name: p69ms101
Realm: PORTSEATTLE.ORG
Bind Path: dc=PORTSEATTLE,dc=ORG
LDAP port: 389
Server time: Wed, 11 May 2005 10:32:31 GMT
KDC server: 172.16.100.202
Server time offset: 0

[EMAIL PROTECTED] root]# getent passwd mf1
mf1:x:15975:10003:Foster, Mark:/users/home/mf1:/bin/bash

[EMAIL PROTECTED] root]# wbinfo -u | grep mf1
mf1

[EMAIL PROTECTED] root]# wbinfo -a mf1%therealpwd
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
error messsage was: Access denied
Could not authenticate user mf1%therealpwd with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
error messsage was: Access denied
Could not authenticate user mf1 with challenge/response

Packet trace with ethereal shows...
 91.572982 172.16.100.94 -> 172.16.100.202 TCP 1342 > microsoft-ds [SYN] Seq=0 
Ack=0 Win=5840 Len=0 MSS=1460 TSV=455514 TSER=0 WS=0
 91.573133 172.16.100.202 -> 172.16.100.94 TCP microsoft-ds > 1342 [SYN, ACK] 
Seq=0 Ack=1 Win=17520 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
 91.573177 172.16.100.94 -> 172.16.100.202 TCP 1342 > microsoft-ds [ACK] Seq=1 
Ack=1 Win=5840 Len=0 TSV=455514 TSER=0
 91.592542 172.16.100.94 -> 172.16.100.202 SMB Negotiate Protocol Request
 91.593035 172.16.100.202 -> 172.16.100.94 SMB Negotiate Protocol Response
 91.593062 172.16.100.94 -> 172.16.100.202 TCP 1342 > microsoft-ds [ACK] 
Seq=184 Ack=187 Win=5840 Len=0 TSV=455516 TSER=22298322
 91.595984 172.16.100.94 -> 172.16.100.202 KRB5 AS-REQ
 91.598025 172.16.100.202 -> 172.16.100.94 KRB5 KRB Error: 
KRB5KDC_ERR_PREAUTH_REQUIRED
 91.599655 172.16.100.94 -> 172.16.100.202 KRB5 AS-REQ
 91.602616 172.16.100.202 -> 172.16.100.94 KRB5 AS-REP
 91.605000 172.16.100.94 -> 172.16.100.202 KRB5 TGS-REQ
 91.608069 172.16.100.202 -> 172.16.100.94 KRB5 TGS-REP
 91.609311 172.16.100.94 -> 172.16.100.202 SMB Session Setup AndX Request
 91.611536 172.16.100.202 -> 172.16.100.94 SMB Session Setup AndX Response
 91.612501 172.16.100.94 -> 172.16.100.202 SMB Tree Connect AndX Request, Path: 
\\P69MS101\IPC$
 91.612875 172.16.100.202 -> 172.16.100.94 SMB Tree Connect AndX Response, 
Error: STATUS_ACCESS_DENIED
 91.612992 172.16.100.94 -> 172.16.100.202 TCP 1342 > microsoft-ds [FIN, ACK] 
Seq=1510 Ack=373 Win=5840 Len=0 TSV=455518 TSER=22298322
 91.613125 172.16.100.202 -> 172.16.100.94 TCP microsoft-ds > 1342 [FIN, ACK] 
Seq=373 Ack=1511 Win=17520 Len=0 TSV=22298322 TSER=455518
 91.613148 172.16.100.94 -> 172.16.100.202 TCP 1342 > microsoft-ds [ACK] 
Seq=1511 Ack=374 Win=5840 Len=0 TSV=455518 TSER=22298322

[/etc/krb5.conf]
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = PORTSEATTLE.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc

[realms]
 PORTSEATTLE.ORG = {
  kdc = p69ms101.portseattle.org:88
  #admin_server = p69ms101.portseattle.org:749
  default_domain = portseattle.org
  kpasswd_server = p69ms101.portseattle.org
 }

[domain_realm]
 .portseattle.org = PORTSEATTLE.ORG
 portseattle.org = PORTSEATTLE.ORG

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = true
 }

Mark D Foster -+- <[EMAIL PROTECTED]> 
Linux System Administrator -+- Port of Seattle  
206-728-3613 (desk) -+- 206-390-2612 (cell) 


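Reading the ethereal summary Mark posted, the Kerberos AS/TGS exchange completes and the failure appears at the SMB tree connect to IPC$. The helper below is an added example, not code from the thread: it walks a summary in that format and reports which stage succeeded and the first real error, so one knows whether to look at krb5.conf or at the smb/winbind side. The trace lines are constructed to mirror the ones above.

```python
import re

# Constructed lines in the same summary format as the capture in the post
TRACE = """
91.595984 172.16.100.94 -> 172.16.100.202 KRB5 AS-REQ
91.598025 172.16.100.202 -> 172.16.100.94 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
91.599655 172.16.100.94 -> 172.16.100.202 KRB5 AS-REQ
91.602616 172.16.100.202 -> 172.16.100.94 KRB5 AS-REP
91.605000 172.16.100.94 -> 172.16.100.202 KRB5 TGS-REQ
91.608069 172.16.100.202 -> 172.16.100.94 KRB5 TGS-REP
91.609311 172.16.100.94 -> 172.16.100.202 SMB Session Setup AndX Request
91.611536 172.16.100.202 -> 172.16.100.94 SMB Session Setup AndX Response
91.612501 172.16.100.94 -> 172.16.100.202 SMB Tree Connect AndX Request, Path: \\\\P69MS101\\IPC$
91.612875 172.16.100.202 -> 172.16.100.94 SMB Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
"""

# time, src, dst, protocol, info
LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(.*)$")

# KRB5KDC_ERR_PREAUTH_REQUIRED is a normal first-round reply: the client
# simply repeats AS-REQ with pre-authentication data, as the capture shows.
BENIGN_KRB_ERRORS = {"KRB5KDC_ERR_PREAUTH_REQUIRED"}


def triage(trace):
    """Report which stages of the logon exchange completed and the first
    real (non-benign) error, in the order the packets were seen."""
    result = {"as_rep": False, "tgs_rep": False, "session_setup": False,
              "first_error": None}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # TCP handshake lines and blanks are not interesting here
        proto, info = m.group(4), m.group(5)
        if proto == "KRB5":
            if info == "AS-REP":
                result["as_rep"] = True
            elif info == "TGS-REP":
                result["tgs_rep"] = True
            elif info.startswith("KRB Error:"):
                code = info.split(":", 1)[1].strip()
                if code not in BENIGN_KRB_ERRORS and result["first_error"] is None:
                    result["first_error"] = f"KRB5 {code}"
        elif proto == "SMB":
            err = re.search(r"Error: (\S+)", info)
            if err and result["first_error"] is None:
                result["first_error"] = f"SMB {info.split(',')[0]}: {err.group(1)}"
            elif info == "Session Setup AndX Response":
                result["session_setup"] = True
    return result
```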


Re: [Samba] AD authentication problem

2003-09-16 Thread Jim Mintha
On Wed, Sep 17, 2003 at 12:05:44AM +1000, Andrew Bartlett wrote:
> On Tue, 2003-09-16 at 23:16, [EMAIL PROTECTED] wrote:
> > ># Try to authenticate a user
> > >
> > >% wbinfo -a [EMAIL PROTECTED]
> > >plaintext password authentication failed
> > >error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
> > >error messsage was: No logon servers
> 
> > Your message is "No logon servers", and there is no such declaration in
> > your smb.conf.
> > How about setting a password server (for example any DC)?
> 
> No, in this case the other logs show this is unrelated.  (We can find
> the DCs on our own, and unless you have reason to configure otherwise,
> it should work just fine).

and I did have "password server" set in the smb.conf.  Following your
suggestion about the workgroup, I have set the workgroup to "S-RES"
instead of "S-RES.UVA.NL".  It works much better now.  wbinfo -t
and wbinfo -a both work correctly.  I will now go further with making
a share on the linux box with AD authentication but it looks like the
problem is solved.

Thanks for all the help!
Jim

-- 
Jim Mintha   Email: [EMAIL PROTECTED]
System Administrator  Work: +31 20 525-4919
Informatiseringscentrum   Home: +31 20 662-3892
University of Amsterdam   Debian GNU/Linux: [EMAIL PROTECTED]
_There are always Possibilities_  http://www.mintha.com


Re: [Samba] AD authentication problem

2003-09-16 Thread Andrew Bartlett
On Tue, 2003-09-16 at 23:16, [EMAIL PROTECTED] wrote:
> ># Try to authenticate a user
> >
> >% wbinfo -a [EMAIL PROTECTED]
> >plaintext password authentication failed
> >error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
> >error messsage was: No logon servers

> Your message is "No logon servers", and there is no such declaration in
> your smb.conf.
> How about setting a password server (for example any DC)?

No, in this case the other logs show this is unrelated.  (We can find
the DCs on our own, and unless you have reason to configure otherwise,
it should work just fine).

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: [Samba] AD authentication problem

2003-09-16 Thread Vincent . Badier

># Try to authenticate a user
>
>% wbinfo -a [EMAIL PROTECTED]
>plaintext password authentication failed
>error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
>error messsage was: No logon servers
>Could not authenticate user [EMAIL PROTECTED] with plaintext
password
>challenge/response password authentication failed
>error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
>error messsage was: No logon servers
>Could not authenticate user [EMAIL PROTECTED] with challenge/response
>
>
># smb.conf
>workgroup = S-RES.UVA.NL
>netbios name = gnowee
>server string = %h server (Samba %v)
>log file = /var/log/samba/log.%m
>log level = 3 passdb:5 auth:10 winbind:10
>max log size = 1000
>syslog = 0
>panic action = /usr/share/samba/panic-action %d
>realm = S-RES.UVA.NL
>encrypt passwords = true
>password server = s-lorentz.s-res.uva.nl
>security = ADS
>socket options = TCP_NODELAY
>idmap uid = 1-2
>idmap gid = 1-2
>winbind enum users = yes
>winbind enum groups = yes


Your message is "No logon servers", and there is no such declaration in
your smb.conf.
How about setting a password server (for example any DC)?


--
Vincent




Re: [Samba] AD authentication problem

2003-09-16 Thread Andrew Bartlett
On Tue, 2003-09-16 at 11:38, Jim Mintha wrote:
> I'm having a problem authenticating to Active Directory.  I can join
> the machine to the domain, wbinfo -g/-u will list the groups and users
> and I can map a drive using: smbclient -k //s-lorentz.s-res.uva.nl/c\$
> However when I try to get the linux machine to authenticate a user
> it doesn't work giving the error NT_STATUS_NO_LOGON_SERVERS
> (0xc05e).  Looking further in the logs it fails at:
> 
> [2003/09/16 03:20:22, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(493)
>   Doing kerberos session setup
> [2003/09/16 03:20:22, 5] nsswitch/winbindd_cm.c:cm_get_netlogon_cli(625)
>   cm_get_netlogon_cli: Using short for of domain name [S-RES.UVA.NL] for netlogon 
> rpc bind
> [2003/09/16 03:20:22, 3] rpc_client/cli_pipe.c:rpc_api_pipe(457)
>   Bind NACK received on pipe 8003!

> workgroup = S-RES.UVA.NL

Is this really the netbios workgroup name?  This is different to the
domain name.  For 'security=ads' you should also specify the realm.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net


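Andrew's point above (the workgroup must be the short NetBIOS domain name, with the realm set separately) and Jim's fix of changing the workgroup to "S-RES", as an added example that is not code from the thread: a small checker for the [global] section of an smb.conf that flags a DNS-style workgroup, an over-long workgroup, and a missing or lower-case realm under security = ADS. The sample config is constructed to mirror the settings Jim posted.

```python
# Constructed sample mirroring the settings posted in the thread (not the actual file)
BROKEN_SMB_CONF = """
[global]
workgroup = S-RES.UVA.NL
netbios name = gnowee
realm = S-RES.UVA.NL
security = ADS
password server = s-lorentz.s-res.uva.nl
"""

# The same file with the change the thread arrived at: a short NetBIOS workgroup
FIXED_SMB_CONF = BROKEN_SMB_CONF.replace("workgroup = S-RES.UVA.NL", "workgroup = S-RES")


def parse_global(text):
    """Return the [global] parameters as {name: value}; names are lower-cased
    with internal whitespace collapsed so 'password server' and 'passwordserver'
    compare equal, as smbd treats them."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params


def check_ads_names(params):
    """Findings about workgroup and realm when security = ADS."""
    findings = []
    if params.get("security", "").lower() != "ads":
        return findings
    workgroup = params.get("workgroup", "")
    realm = params.get("realm", "")
    if "." in workgroup:
        findings.append(f"workgroup '{workgroup}' is a DNS-style name; use the short NetBIOS domain name")
    if len(workgroup) > 15:
        findings.append(f"workgroup '{workgroup}' exceeds the 15-character NetBIOS limit")
    if not realm:
        findings.append("realm is not set; security = ADS needs the Kerberos realm")
    elif realm != realm.upper():
        findings.append(f"realm '{realm}' should be upper-case to match the Kerberos realm")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(label, check_ads_names(parse_global(conf)) or "OK")
```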

[Samba] AD authentication problem

2003-09-15 Thread Jim Mintha

I'm having a problem authenticating to Active Directory.  I can join
the machine to the domain, wbinfo -g/-u will list the groups and users
and I can map a drive using: smbclient -k //s-lorentz.s-res.uva.nl/c\$
However when I try to get the linux machine to authenticate a user
it doesn't work giving the error NT_STATUS_NO_LOGON_SERVERS
(0xc05e).  Looking further in the logs it fails at:

[2003/09/16 03:20:22, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(493)
  Doing kerberos session setup
[2003/09/16 03:20:22, 5] nsswitch/winbindd_cm.c:cm_get_netlogon_cli(625)
  cm_get_netlogon_cli: Using short for of domain name [S-RES.UVA.NL] for netlogon rpc 
bind
[2003/09/16 03:20:22, 3] rpc_client/cli_pipe.c:rpc_api_pipe(457)
  Bind NACK received on pipe 8003!
[2003/09/16 03:20:22, 2] rpc_client/cli_pipe.c:cli_nt_establish_netlogon(1578)
  rpc bind to \PIPE\NETLOGON failed
[2003/09/16 03:20:22, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(312)
  could not open handle to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL)
[2003/09/16 03:20:22, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(379)
  NTLM CRAP authentication for user [EMAIL PROTECTED] returned 
NT_STATUS_NO_LOGON_SERVERS (PAM: 4)

On the windows side I see the error:
Pre-authentication failed:
User Name:  gnowee$
User ID:S-RES\gnowee$
Service Name:   krbtgt/S-RES.UVA.NL
Pre-Authentication Type:0x0
Failure Code:   0x19


I've tried everything I can think of (I'm using the debian package
3.0rc4, but I've tried compiling my own too) but can't figure out what
I've missed.  Anyone else have an idea?

Thanks for any help,
Jim

Details on what I have done:
(s-lorentz.s-res.uva.nl - AD Domain Controller
 admin - Domain Admin for AD
 jim - regular user
 gnowee.ic.uva.nl - Linux machine)

# initialize kerberos successfully with:

% kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]: gandalf

# Join the machine to active directory

% net ads join -U [EMAIL PROTECTED]
[EMAIL PROTECTED] password: gandalf
Using short domain name -- S-RES.UVA.NL
Joined 'GNOWEE' to realm 'S-RES.UVA.NL'

# try out wbinfo

% wbinfo -g
S-RES.UVA.NL\blaahgroup
S-RES.UVA.NL\testgroep
...

# Try to authenticate a user

% wbinfo -a [EMAIL PROTECTED]
plaintext password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
error messsage was: No logon servers
Could not authenticate user [EMAIL PROTECTED] with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
error messsage was: No logon servers
Could not authenticate user [EMAIL PROTECTED] with challenge/response

# /etc/krb5.conf:
[libdefaults]
  default_realm = S-RES.UVA.NL

[realms]
  S-RES.UVA.NL = {
    kdc = s-lorentz.s-res.uva.nl
  }

# smb.conf
workgroup = S-RES.UVA.NL
netbios name = gnowee
server string = %h server (Samba %v)
log file = /var/log/samba/log.%m
log level = 3 passdb:5 auth:10 winbind:10
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
realm = S-RES.UVA.NL
encrypt passwords = true
password server = s-lorentz.s-res.uva.nl
security = ADS
socket options = TCP_NODELAY
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes 

-- 
Jim Mintha   Email: [EMAIL PROTECTED]
System Administrator  Work: +31 20 525-4919
Informatiseringscentrum   Home: +31 20 662-3892
University of Amsterdam   Debian GNU/Linux: [EMAIL PROTECTED]
_There are always Possibilities_  http://www.mintha.com