Re: [Samba] wbinfo works, getent and check via smbclient not

2010-03-04 Thread Diego Zuccato

On 03/03/2010 15:51, Karsten Römke wrote:


Walter Neu wrote:

set the following in the [global] section and try again

winbind enum users = yes
winbind enum groups = yes
Well, then maybe I start seeing where my problem could be: I have them 
both set to no (we have about 150K users in AD, and about 500K 
groups), but usually resolution works well. Just sometimes it seems 
there are problems with domain trust (a machine that worked stops 
resolving and the log says there are troubles acquiring a ticket -- 
other machines that were cloned from the same disk continue working 
without problems).


--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zucc...@unibo.it
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] wbinfo works, getent and check via smbclient not

2010-03-04 Thread Karsten Römke
Hi Grant,
 ... delete old text ...
you wrote
 Your join is just fine. That err is the same as happens when I join and
 mine works excellently otherwise. The join is ok is the important part.
 
 There are various tests you can do to see if things are working:
 KERBEROS
 kinit usernamewithadminprivileges
 like:
 kinit karsten
 should ask for a password
works
 
 klist
 should return a ticket cache for the user just authenticated
 
works
 kdestroy
 should make it so when you do klist again there are no more tickets cached
 
works


 LDAP
I don't know.
I'm confused, I thought I need winbind to connect to the windows server.
I thought that my pam configuration maybe is wrong.

So my question: do I need winbind or ldap or both?
Are there any modifications needed to my pam.d directory?
I found a file named samba there.

Thanks
   Karsten

 use ldapsearch like:
 
 ldapsearch -x -D 
 'cn=yourldapuserthatyouusetoauthenticate,ou=veryspeicifou,ou=users,ou=yourou,dc=yourad,dc=yourdomain,dc=yourtld'
  -H ldaps://ldap.yourad.yourdomain.yourtld -W -b 
 'ou=yourou,dc=yourad,dc=yourdomain,dc=likecom'
 
 you don't have to be quite that specific but you get the idea. It
 returns all the users in your ou.
 
 you need to set your /etc/ldap.conf and /etc/ldap/ldap.conf (might be
 /etc/openldap/ldap.conf depending on your OS)
 to look at the right places, fer instance:
 
 /etc/ldap.conf
 ssl on
 port 636
 ldap_version 3
 tls_checkpeer no
 uri ldaps://ldap.yourldapurl
 # limit the base to your departmental OU, wider scopes can affect the output time and entries to be displayed
 binddn CN=yourkerberosldapaccount,OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
 #password for the AD user account used to bind to AD LDAP
 bindpw yourldapuserpassword
 base OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
 nss_map_objectclass posixAccount user
 nss_map_objectclass shadowAccount user
 nss_map_objectclass posixGroup group
 nss_map_attribute uid sAMAccountName
 nss_map_attribute uidNumber uidNumber
 nss_map_attribute gidNumber gidNumber
 nss_map_attribute cn sAMAccountName
 nss_map_attribute homeDirectory unixHomeDirectory
 nss_map_attribute uniqueMember member
 nss_map_attribute loginShell loginShell
 nss_map_attribute shadowLastChange pwdLastSet
 pam_login_attribute sAMAccountName
 pam_filter objectclass=user
 
 and fer the odder wun:
 
 #/etc/ldap/ldap.conf or /etc/openldap/ldap.conf on some OS 
 #Secure LDAP URI/Server 
 uri ldaps://ldap.yourldapurl
 # restrict to your ou
 BASE OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
 # set to the cn for the kerberos user used for authenticating
 BINDDN cn=yourkerberosuser,OU=yourou,DC=AD,DC=yourdomain,DC=yourtld
 # during testing switch off ssl cert checking, later you should install the certs from your ldap server and set this always
 TLS_REQCERT never 
 
 
 
 if those tests are working and you have set up the ldap conf files right
 and  nsswitch.conf as well you should get back the users/groups from
 your ou when you do
 getent passwd.
 or getent group
 
 You might try nsswitch.conf settings like
 passwd: files ldap
 group:  files ldap
 shadow: files ldap
 
 
 there's some description here:
 http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
 but you might also google for more.
 
 Have fun!
 
 Grant 

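The two client files Grant quotes above switch certificate checking off for testing and carry the bind password inline. The Python script below is an added example, not code from the thread or from any of the projects mentioned: it parses constructed copies of those two files (host names, DNs and paths are placeholders of my own), flags the settings a defender would revert before the machine leaves testing, and shows a hardened variant of the first file that passes the same audit.

```python
"""Audit an nss_ldap/pam_ldap style /etc/ldap.conf and an OpenLDAP client
ldap.conf for settings that are acceptable while testing but not afterwards.

Added example, not from the mailing-list thread.  All fragments below are
constructed; hosts, DNs and file paths are placeholders.
"""

NSS_LDAP_TESTING = """\
# constructed /etc/ldap.conf in the 'during testing' shape from the thread
ssl on
port 636
ldap_version 3
tls_checkpeer no
uri ldaps://ldap.example.invalid
binddn CN=svc-nss,OU=yourou,DC=AD,DC=example,DC=invalid
bindpw not-a-real-password
base OU=yourou,DC=AD,DC=example,DC=invalid
"""

OPENLDAP_TESTING = """\
# constructed /etc/openldap/ldap.conf in testing shape
URI ldaps://ldap.example.invalid
BASE OU=yourou,DC=AD,DC=example,DC=invalid
TLS_REQCERT never
"""

NSS_LDAP_HARDENED = """\
# constructed: the same file after installing the directory's CA certificate
ssl on
port 636
ldap_version 3
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ad-root-ca.pem
uri ldaps://ldap.example.invalid
base OU=yourou,DC=AD,DC=example,DC=invalid
rootbinddn CN=svc-nss,OU=yourou,DC=AD,DC=example,DC=invalid
"""


def parse_ldap_conf(text):
    """Both dialects are 'KEY value' per line with case-insensitive keys."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Return (key, finding) pairs for settings that weaken the LDAP client."""
    c = parse_ldap_conf(text)
    findings = []
    uri = c.get("uri", "").lower()
    if uri.startswith("ldap://") and c.get("ssl", "").lower() != "start_tls":
        findings.append(("uri", "plain ldap:// without 'ssl start_tls': the bind "
                         "password and every lookup cross the network in cleartext"))
    if c.get("tls_checkpeer", "").lower() in ("no", "off", "false"):
        findings.append(("tls_checkpeer", "server certificate is not verified, so any "
                         "host answering on the LDAP port is trusted; set 'tls_checkpeer "
                         "yes' and point 'tls_cacertfile' at the directory's CA"))
    if c.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append(("tls_reqcert", "TLS_REQCERT never/allow accepts unverifiable "
                         "certificates; use 'demand' (the default) plus TLS_CACERT once "
                         "the CA certificate is installed"))
    if "bindpw" in c:
        findings.append(("bindpw", "bind password sits in a file read by every process "
                         "doing name lookups; prefer 'rootbinddn' with the password in "
                         "/etc/ldap.secret (mode 0600)"))
    return findings


if __name__ == "__main__":
    for name, text in (("nss_ldap testing", NSS_LDAP_TESTING),
                       ("openldap testing", OPENLDAP_TESTING),
                       ("nss_ldap hardened", NSS_LDAP_HARDENED)):
        print(name + ":")
        for key, finding in audit_ldap_conf(text) or [("-", "no findings")]:
            print(f"  {key}: {finding}")
```

The audit only reports values that are explicitly set to a weak choice; it does not guess defaults, so a file that simply omits tls_checkpeer or TLS_REQCERT produces no finding.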


Re: [Samba] wbinfo works, getent and check via smbclient not

2010-03-04 Thread grant little
On Thu, Mar 4, 2010 at 7:59 AM, grant little grantlid...@gmail.com wrote:



 OOPS! I misread what you were trying to do. I thought you were using LDAP.
 Sorry. Please ignore my message




Re: [Samba] wbinfo works, getent and check via smbclient not

2010-03-04 Thread grant little
On Thu, Mar 4, 2010 at 8:13 AM, Karsten Römke k.roe...@gmx.de wrote:

 grant little schrieb:
 snip/



  OOPS! I misread what you were trying to do. I thought you were using
  LDAP. Sorry. Please ignore my message
 
 Hi Grant,
 I'm not sure if you misunderstand me.
 As far as I know ADS is nothing else than LDAP.
 So it is possible that I need LDAP to ask the win2003 server for
 authentication.
 I'm still unsure what my next steps should be.
 Trying to add winbind to the pam-System, which I only understand at
 the surface or trying to add ldap support.
 Karsten


Hi Karsten,

I have made samba with ads work on two servers here, one running centos 5.4
using samba 3.033  and the other  ubuntu 9.10 server using samba 3.4.0.
On each there is  kerberos, ldap and winbind.
I looked at the instructions that you used and they look as if they should
work but I am now out of my depth. I have never made it work without ldap. I
also had samba 3.5.0rc3 running on ubuntu 9.10 server with only kerberos
and ldap, that was with no winbind.
Note those all use ldap. I don't have personal experience authenticating
without ldap.

Here they do it without ldap:
http://wiki.samba.org/index.php/Samba__Active_Directory
 so you might try there.
Sorry I can't be more help for doing it without ldap, not my area of
expertise.
There's a good book on samba put out by O'Reilly called Using Samba
Grant


[Samba] wbinfo works, getent and check via smbclient not

2010-03-03 Thread Karsten Römke
Hello,
I have a problem with authentication against ADS.

History:
- Samba works as stand-alone server (non productive)
- some experiments with a connection to an LDAP server running on another
machine.
- Trying to join Active Directory; since I had no success I uninstalled
  samba completely and reinstalled it.

Versions:

 OpenSuse 11.1 (actual apart from the kernel)
 Samba samba-3.2.7-11.4.1
 winbind: samba-winbind-3.2.7-11.4.1
 Windows 2003 Server with ADS

I followed the article at
http://www.pro-linux.de/NB3/artikel/2/1110/3,next.html
(sorry, it's German) and looked at the official samba howto.


I have done the following tests:

not sure: kinit, I set up /etc/krb5.conf

(roemke is a local user and a user of ADS with
admin rights)

net ads join -S hhbnt12.hhb.bonn.de -Uroemke%xyz
seems to work, Server says that I have joined the
Domain but DNS update failed.

test:
www:/etc/samba # net ads testjoin
Join is OK

test:
wbinfo -u
- shows all usernames on active directory but no machines
  as mentioned in the samba wiki

www:/etc/samba # wbinfo -a roemkea%xyz
plaintext password authentication succeeded
challenge/response password authentication succeeded
roemkea is a non local user, only available in the ads

getent passwd
shows only local users :-(

I checked the nsswitch.conf and made symbolic links
/lib/libnss_winbind ...


I think at that point I could stop, but I tested via smbclient:

(roemkea is ADS User)
smbclient //www/documentsWrite -Uroemkea
-  NT_STATUS_ACCESS_DENIED
Log-File:
[2010/03/03 14:34:25,  3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password:  Checking password for unmapped user
 [nt_technologie]\[roemk...@[www] with the new password interface
[2010/03/03 14:34:25,  3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password:  mapped user is: [nt_technologie]\[roemk...@[www]
[2010/03/03 14:34:25,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [roemkea] - [roemkea]
 FAILED with error NT_STATUS_NO_SUCH_USER

with localuser roemke:
NT_STATUS_ACCESS_DENIED
but  in the Log-File
[2010/03/03 14:35:33,  3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password:  Checking password for unmapped user
 [nt_technologie]\[roem...@[www] with the new password interface
[2010/03/03 14:35:33,  3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password:  mapped user is: [nt_technologie]\[roem...@[www]
[2010/03/03 14:35:33,  3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: winbind authentication for user [roemke] succeeded
[2010/03/03 14:35:33,  2] auth/auth.c:check_ntlm_password(308)
  check_ntlm_password:  authentication for user [roemke] - [roemke] -
 [roemke] succeeded

I found no hint.
It seems that for a local user winbind asks the ADS and gets back that
the authentication is ok, but I don't get access.
For a non-local user I get the information that there is no such user.

I don't understand what happens.

Any help would be nice

  Karsten


Re: [Samba] wbinfo works, getent and check via smbclient not

2010-03-03 Thread Karsten Römke
Walter Neu wrote:
 set the following in the [global] section and try again

 winbind enum users = yes
 winbind enum groups = yes



Hello,
thanks for your hint, I have done that,
I think I should post my smb.conf, the krb5.conf
and the nsswitch.conf in some parts:

smb.conf
[global]
workgroup = NT_TECHNOLOGIE
#printing = cups
#printcap name = cups
#printcap cache time = 750
#cups options = raw
map to guest = Bad User
#logon path = \\%L\profiles\.msprofile
#logon home = \\%L\%U\.9xprofile
#logon drive = P:
#usershare allow guests = No
netbios name = www
#passdb backend = smbpasswd
wins server = hhbnt12.hhb.bonn.de
wins support = No
security = ads

# in addition to YaST
password server = hhbnt12.hhb.bonn.de
client use spnego = yes
realm  = HHB.BONN.DE
winbind separator = /
winbind use default domain = Yes
winbind enum groups = yes
winbind enum users = yes
log level = 0 passdb:3 auth:3

winbind nested groups = Yes
template shell = /bin/bash

# very insecure:
passdb backend = tdbsam
idmap backend = ad


[documentswrite]
comment = Count Dooku
inherit acls = No
path = /srv/www/htdocs/documents
read only = Yes
valid users = roemke römke roemkea


krb5.conf
[libdefaults]
#   default_realm = EXAMPLE.COM
default_realm = HHB.BONN.DE

[realms]
HHB.BONN.DE = {
kdc = hhbnt12.hhb.bonn.de
}

# the following is from pro-linux
[appdefaults]
   pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}



and parts from nsswitch.conf
#passwd:compat winbind
passwd: files winbind
#group: files ldap winbind
group: files winbind
shadow: files winbind

I have done nothing in /etc/pam.d/ - I don't want logins of
Windows users.



Karsten


 
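The symptom running through this thread (wbinfo -u lists the domain accounts, getent passwd shows only local ones, and smbd logs NT_STATUS_NO_SUCH_USER for the domain-only account) can be narrowed down offline from the three files Karsten posted. The Python script below is an added example, not code from the thread or from the Samba project: it parses constructed copies of the nsswitch.conf, the smb.conf [global] section and the auth-log lines modelled on the posts above and reports the points a practitioner would check first. The function names and the constructed fragments are my own, and the finding on idmap backend = ad rests on what that backend needs, namely uidNumber/gidNumber attributes on the AD accounts; the reading of NT_STATUS_NO_SUCH_USER as a name-resolution rather than a password problem is likewise this example's interpretation, consistent with wbinfo -a succeeding for the same account.

```python
"""Offline triage for 'wbinfo works but getent and smbclient do not'.

Added example, not from the thread or from Samba itself.  The three
fragments below are constructed copies modelled on the mailing-list posts.
"""
import re

NSSWITCH = """\
passwd: files winbind
group:  files winbind
shadow: files winbind
"""

SMB_CONF = """\
[global]
workgroup = NT_TECHNOLOGIE
security = ads
realm = HHB.BONN.DE
winbind enum users = yes
winbind enum groups = yes
passdb backend = tdbsam
idmap backend = ad
"""

# Constructed log lines at 'log level = 0 passdb:3 auth:3', wrapped as in the mail.
AUTH_LOG = """\
[2010/03/03 14:34:25,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [roemkea] -> [roemkea]
 FAILED with error NT_STATUS_NO_SUCH_USER
[2010/03/03 14:35:33,  3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: winbind authentication for user [roemke] succeeded
"""


def parse_nsswitch(text):
    """Map each NSS database to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = sources.split()
    return dbs


def parse_smb_global(text):
    """Return [global] parameters with normalised (lower-case, single-spaced) keys."""
    section, params = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


# Matches the result line of check_ntlm_password even when a mail client
# has wrapped it; 'for user [' excludes the 'unmapped user' progress lines.
RESULT_RE = re.compile(
    r"for user \[([^\]]+)\].*?(?:(succeeded)|FAILED with error (\S+))", re.S)


def parse_auth_log(text):
    """Extract (user, outcome, nt_status) tuples from the smbd auth log."""
    return [(user, "succeeded" if ok else "FAILED", status)
            for user, ok, status in (m.groups() for m in RESULT_RE.finditer(text))]


def diagnose(nsswitch, smb_conf, auth_log):
    """Return human-readable findings; an empty list means nothing obvious."""
    findings = []
    dbs = parse_nsswitch(nsswitch)
    for db in ("passwd", "group"):
        if "winbind" not in dbs.get(db, []):
            findings.append(f"nsswitch: '{db}' does not consult winbind, so getent "
                            "cannot list domain accounts")
    g = parse_smb_global(smb_conf)
    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: 'security' is not 'ads'")
    if g.get("idmap backend", "").lower() == "ad":
        findings.append("smb.conf: 'idmap backend = ad' maps SIDs through the "
                        "uidNumber/gidNumber attributes stored in AD; accounts without "
                        "them get no Unix id and are skipped by getent even though "
                        "'wbinfo -u' still lists their names")
    for user, outcome, status in parse_auth_log(auth_log):
        if status == "NT_STATUS_NO_SUCH_USER":
            findings.append(f"log: smbd rejected '{user}' with {status}, i.e. the name "
                            "could not be resolved to a Unix account; with 'wbinfo -a' "
                            "succeeding for the same name this points at id mapping / "
                            "NSS rather than the password")
    return findings


if __name__ == "__main__":
    for finding in diagnose(NSSWITCH, SMB_CONF, AUTH_LOG) or ["no findings"]:
        print("-", finding)
```

Run against the constructed copies it reports two findings, the id-mapping backend and the NT_STATUS_NO_SUCH_USER line, and none for nsswitch.conf, which matches the thread: the NSS wiring is in place, but the domain accounts never receive a Unix id to be listed under.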