Re: [Samba] Authentication against AD
Lukáš Slánský wrote:
> - Between DOMA and DOMB is one side trust.
> So Windows clients in domain DOMB can authenticate
> against user accounts both domains (preferred DOMA).

Winbind does not currently support one way trusts. There's an open bug against this IIRC.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Authentication against AD
Hello.

I have a problem configuring winbind to authenticate against Active Directory (Windows Server 2003 R2 in native mode). Our net topology looks as follows:

- We have PDCs for domain DOMA (i.e.) - there are user accounts for all people on our university.
- We have PDC for domain DOMB (DC for our department) that holds computer accounts.
- Between DOMA and DOMB is one side trust. So Windows clients in domain DOMB can authenticate against user accounts both domains (preferred DOMA).

I have a problem configuring a Linux box (FC5 now but it's not necessary) to authenticate against DOMA. I have added it into DOMB and can authenticate against DOMB accounts. But not against DOMA. The wbinfo --sequence gives this:

    DOMA : DISCONNECTED
    BUILTIN : 1155834602
    FEDORA : 1155834602
    DOMB : 37926

Is it possible to authenticate this way? I suppose yes, but don't know how...

Thanks for any advice,
BoB
Re: [Samba] Authentication against AD?
Dimitri Yioulos wrote:
> On Tuesday 13 September 2005 11:09 am, Jason Gerfen wrote:
> > I am having a hard time getting Samba to authenticate correctly
> > against a Windows Active Directory setup.
> >
> > Here is a snap of the smb.conf
> > [global]
> > passdb backend = ldapsam
> > security = domain
> > password server = server1.com server2.com
> > prefered master = No
> > local master = no
> > hide unreadable = yes
> > wins support = no
> > winbind use default domain = yes
> > domain master = No
> > netbios name = samba-newb
> > workgroup = scl
> > prefered master = no
> > dns proxy = no
> > idmap uid = 15000-2
> > idmap gid = 15000-2
> > realm = server.com
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
> > use spnego = yes
> > server string = samba-newb
> > update encrypted = yes
> > domain logons = yes
> > winbind separator = +
> > winbind enum users = yes
> > winbind enum groups = yes
> > encrypt passwords = yes
> > os level = 20
> > template shell = /bin/bash
> > template homedir = /home/%D/%U
> >
> > [newb]
> > comment = newb
> > inherit acls = Yes
> > path = /usr/local/files/
> > read only = no
> > force group = users
> > force user = users
> > guest ok = no
> >
> > I can run the net ads join command which works fine, but if I try to
> > authenticate without a local account I am receiving errors. Any
> > assistance or pointers is appreciated.
> >
> > --
> > Jason Gerfen
> > Student Computing Labs, University Of Utah
> > [EMAIL PROTECTED]
> >
> > J. Willard Marriott Library
> > 295 S 1500 E, Salt Lake City, UT 84112-0860
> > 801-585-9810
> >
> > "My girlfriend threatened to
> > leave me if I went boarding...
> > I will miss her."
> > ~ DIATRIBE aka FBITKK
>
> Jason,
>
> It looks like your smb.conf is set up more for a Samba PDC than for a
> member server in a Windows AD. Are you looking to make your Samba server
> a member server? If so:
>
> security = ads
> wins server = ip.of.your.winsserver
>
> I don't believe you need:
>
> passdb backend = ldapsam
>
> Is kerberos installed, and do you have krb5.conf set up properly?

I removed the passdb backend = ldapsam

Kerberos is installed and the krb5.conf is working as the kinit and klist work for gathering the TGTs.

I also modified the server to = ads

I don't have a wins server, so that is not configured.

I am still experiencing the same problems with having this work as a member server. Any other tips out there?

> Dimitri

--
Jason Gerfen

"My girlfriend threatened to leave me if I went boarding... I will miss her."
~ DIATRIBE aka FBITKK
Re: [Samba] Authentication against AD?
On Tuesday 13 September 2005 11:09 am, Jason Gerfen wrote:
> I am having a hard time getting Samba to authenticate correctly
> against a Windows Active Directory setup.
>
> Here is a snap of the smb.conf
> [global]
> passdb backend = ldapsam
> security = domain
> password server = server1.com server2.com
> prefered master = No
> local master = no
> hide unreadable = yes
> wins support = no
> winbind use default domain = yes
> domain master = No
> netbios name = samba-newb
> workgroup = scl
> prefered master = no
> dns proxy = no
> idmap uid = 15000-2
> idmap gid = 15000-2
> realm = server.com
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
> use spnego = yes
> server string = samba-newb
> update encrypted = yes
> domain logons = yes
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> encrypt passwords = yes
> os level = 20
> template shell = /bin/bash
> template homedir = /home/%D/%U
>
> [newb]
> comment = newb
> inherit acls = Yes
> path = /usr/local/files/
> read only = no
> force group = users
> force user = users
> guest ok = no
>
> I can run the net ads join command which works fine, but if I try to
> authenticate without a local account I am receiving errors. Any
> assistance or pointers is appreciated.
>
> --
> Jason Gerfen
> Student Computing Labs, University Of Utah
> [EMAIL PROTECTED]
>
> J. Willard Marriott Library
> 295 S 1500 E, Salt Lake City, UT 84112-0860
> 801-585-9810
>
> "My girlfriend threatened to
> leave me if I went boarding...
> I will miss her."
> ~ DIATRIBE aka FBITKK

Jason,

It looks like your smb.conf is set up more for a Samba PDC than for a member server in a Windows AD. Are you looking to make your Samba server a member server? If so:

    security = ads
    wins server = ip.of.your.winsserver

I don't believe you need:

    passdb backend = ldapsam

Is kerberos installed, and do you have krb5.conf set up properly?

Dimitri
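Added example (not part of the original thread and not Samba project code): a small Python check that reads an smb.conf and flags the [global] settings the reply above describes as PDC-style rather than member-server style. The sample input is constructed from the posted configuration, and the rule list is an assumption drawn from the reply and the documented meaning of these parameters.

```python
# Added example: lint an smb.conf that is meant for an AD member server.
# Constructed sample: a subset of the [global] section posted in the thread.
SAMPLE = """\
[global]
passdb backend = ldapsam
security = domain
password server = server1.com server2.com
workgroup = scl
realm = server.com
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = yes
template homedir = /home/%D/%U
"""

def parse_global(text):
    """Return the [global] parameters as a dict keyed by normalised name."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # parameter names are case-insensitive; collapse runs of whitespace
            params[" ".join(key.lower().split())] = value.strip()
    return params

def member_server_findings(params):
    """List settings that do not fit 'security = ads' membership (assumed rules)."""
    found = []
    security = params.get("security", "").lower()
    if security != "ads":
        found.append(f"security = {security or '(unset)'}; the reply suggests ads")
    elif "realm" not in params:
        found.append("security = ads is set but realm is missing")
    if params.get("domain logons", "no").lower() in ("yes", "true", "1"):
        found.append("domain logons = yes is a domain-controller setting")
    if params.get("passdb backend", "").lower().startswith("ldapsam"):
        found.append("passdb backend = ldapsam; the reply says it is not needed")
    if "add machine script" in params:
        found.append("add machine script only matters when Samba hosts the domain")
    return found

if __name__ == "__main__":
    for item in member_server_findings(parse_global(SAMPLE)):
        print("WARN:", item)
```

Run against the sample it reports four findings; a [global] section with security = ads and a realm, and none of the other three settings, reports none.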
[Samba] Authentication against AD?
I am having a hard time getting Samba to authenticate correctly against a Windows Active Directory setup.

Here is a snap of the smb.conf

    [global]
    passdb backend = ldapsam
    security = domain
    password server = server1.com server2.com
    prefered master = No
    local master = no
    hide unreadable = yes
    wins support = no
    winbind use default domain = yes
    domain master = No
    netbios name = samba-newb
    workgroup = scl
    prefered master = no
    dns proxy = no
    idmap uid = 15000-2
    idmap gid = 15000-2
    realm = server.com
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
    use spnego = yes
    server string = samba-newb
    update encrypted = yes
    domain logons = yes
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    encrypt passwords = yes
    os level = 20
    template shell = /bin/bash
    template homedir = /home/%D/%U

    [newb]
    comment = newb
    inherit acls = Yes
    path = /usr/local/files/
    read only = no
    force group = users
    force user = users
    guest ok = no

I can run the net ads join command which works fine, but if I try to authenticate without a local account I am receiving errors. Any assistance or pointers is appreciated.

--
Jason Gerfen
Student Computing Labs, University Of Utah
[EMAIL PROTECTED]

J. Willard Marriott Library
295 S 1500 E, Salt Lake City, UT 84112-0860
801-585-9810

"My girlfriend threatened to leave me if I went boarding... I will miss her."
~ DIATRIBE aka FBITKK
Re: [Samba] Authentication against AD
When you say bleeding edge, does that include FreeBSD 5.1? Are there any patches to get it to work with 5.1?

On Thu, 2003-11-13 at 14:45, Andrew Bartlett wrote:
> On Fri, 2003-11-14 at 05:49, Morten-Christian Bernson wrote:
> > We have a FreeBSD webserver with Samba 2.2.8. It has been set up as a
> > member-server of our active directory domain, and all seems good so
> > far.
> >
> > What I want is to let a set of users access a share (www) as the
> > www-user, and they should authenticate against AD, and they should not
> > need an account on the BSD machine at all. I don't want any add user
> > script and so on, I only want them to access the share if they are one
> > of the defined users, and the password is approved by the windows
> > servers.
>
> You still need user accounts, sorry. Use winbind (which needs nsswitch,
> which needs some bleeding edge version of FreeBSD) or add the users
> manually.
>
> Andrew Bartlett
Re: [Samba] Authentication against AD
On Fri, 2003-11-14 at 05:49, Morten-Christian Bernson wrote:
> We have a FreeBSD webserver with Samba 2.2.8. It has been set up as a
> member-server of our active directory domain, and all seems good so
> far.
>
> What I want is to let a set of users access a share (www) as the
> www-user, and they should authenticate against AD, and they should not
> need an account on the BSD machine at all. I don't want any add user
> script and so on, I only want them to access the share if they are one
> of the defined users, and the password is approved by the windows
> servers.

You still need user accounts, sorry. Use winbind (which needs nsswitch, which needs some bleeding edge version of FreeBSD) or add the users manually.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
[Samba] Authentication against AD
We have a FreeBSD webserver with Samba 2.2.8. It has been set up as a member-server of our active directory domain, and all seems good so far.

What I want is to let a set of users access a share (www) as the www-user, and they should authenticate against AD, and they should not need an account on the BSD machine at all. I don't want any add user script and so on, I only want them to access the share if they are one of the defined users, and the password is approved by the windows servers.

This is how the config looks now:

    [global]
    workgroup = KJ
    netbios name = Pauling
    server string = Webserver
    max open files = 1000
    preferred master = no
    character set = ISO8859-1
    client code page = 437
    case sensitive = yes
    log file = /var/log/samba/log.%m
    max log size = 500
    security = domain
    password server = *
    encrypt passwords = yes
    socket options = TCP_NODELAY
    deadtime = 15
    password level = 3
    debug level = 1
    wins server =
    dns proxy = no

I want a www-share something like this:

    [www]
    comment = Webfiles
    path = /www
    public = no
    writeable = yes
    browseable = yes
    force user = www
    force group = www
    valid users = uib\mcb, uib\nkjmb, student\st01654

But it doesn't work, and I suspect it's the valid users that doesn't understand the domain\ part. Any ideas on how I can accomplish what I want?

Some info: The server is a part of the KJ-domain, which is under the UIB-domain in AD. The users are in the UIB-domain (the top of the forest) and in the STUDENT-domain (which is a trusted domain in its own forest).

--
Morten-Christian Bernson
System Administrator
Department of Chemistry, University in Bergen