Can somebody with experience making a RedHat Fedora Core 3 server with Samba installed work in a Windows 2003 Active Domain please give me some pointers? I have a small installation with one Windows 2003 Server running as a domain controller for about 10 Windows XP machines. This is working just fine. I decided that I wanted to add a RedHat Fedora Core 3 server as a Mail server, running Cyrus IMAP and Open Group Ware. The first thing that I wanted to do was get the Fedora machine working as a member of the domain and authenticating users from the domain for local login for mail and SSH access. I found several different tutorials on the web about doing this and followed their instructions as closely as I could. My smb.conf file looks like the following:
smb.conf:
[global]
log file = /var/log/samba/%m.log
load printers = yes
idmap gid = 16777216-33554431
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind trusted domains >
realm = PORTLAND-INT.CLIENT.COM
winbind use default domain = yes
template primary group = "Staff"
template homedir = /home/%U
template shell = /bin/bash
dns proxy = no
netbios name = mail
cups options = raw
server string = Mail Linux Samba Server
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = server.portland-int.client.com
workgroup = SKYLINE
os level = 20
os level = 20
printcap name = /etc/printcap
security = ads
preferred master = no
max log size = 50
[homes]
comment = Home Directories
browseable = no
writeable = yes
; [netlogon]
; comment = Network Logon Service
; path = /home/netlogon
; guest ok = yes
; writable = no
; share modes = no
;[Profiles]
; path = /home/profiles
; browseable = no
; guest ok = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes
;[tmp]
; comment = Temporary file space
; path = /tmp
; read >
; public = yes
[public]
comment = Public Stuff
path = /home/samba
public = yes
read >
; write list = @staff
The krb5.conf file contains:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = PORTLAND-INT.CLIENT.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
PORTLAND-INT.CLIENT.COM = {
kdc = server.portland-int.client.com:88
admin_server = server.portland-int.client.com:749
default_domain = portland-int.client.com
}
[domain_realm]
.portland-int.client.com = PORTLAND-INT.CLIENT.COM
portland-int.client.com = PORTLAND-INT.CLIENT.COM
[kdc]
profile = "">
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
After doing "/etc/init.d/smb restart; /etc/init.d/winbind restart", I was able to issue a "net ads -U administrator join CLIENT" command and received the Welcome to the CLIENT domain message. At this point I can do either of:
wbinfo -a "CLIENT\\markh%MYPASSWD"
wbinfo -a "markh%MYPASSWD"
And receive the response:
plaintext password authentication succeeded
challenge/response password authentication succeeded
The next steps it said to do were to issue a "getent passwd" and a "getent group". The passwd version only shows what is on the local Linux server, while the group version shows the local groups and the BUILTIN groups from the Active Directory. None of the Active Directory users or local groups are shown.
Until I can get past that last step and see more than the BUILTIN groups, I know that I cannot get authorization to work. Can somebody point out what I missed or help walk me through what is needed to make this work?
The one thing I have noted is that the profile file defined for the kdc in krb5.conf doesn't exist. Should it and if so what should it contain?
Any and all help greatly appreciated. It shouldn't be this hard to make Windows and Linux work together… sigh!
markh
====================================================
Mark A. Holm President
InfoArch, Inc.
7456 SW Baseline, PMB#123. Phone: (503) 750-9741
Hillsboro, OR 97123 Fax: (503) 591-8584
http://www.infoarch.com
PDXLUG mailing list
[email protected]
http://lists.pdxlug.org/mailman/listinfo/pdxlug
IRC: irc.freenode.net #pdxlug
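An added check script, not part of the original post, for two things worth verifying when wbinfo -a succeeds but getent passwd shows no domain users: that nsswitch.conf lists winbind for both the passwd and group databases (the post does not show that file), and that smb.conf does not set the same [global] parameter twice with different values, since the later setting is the one Samba uses. Both sample inputs are constructed; the smb.conf excerpt reuses the two idmap gid ranges from the post.

```python
# Constructed sample inputs: a trimmed [global] modelled on the post's smb.conf,
# and a hypothetical nsswitch.conf where only group lookups consult winbind.
SMB_CONF = """
[global]
   idmap gid = 16777216-33554431
   winbind use default domain = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   os level = 20
   os level = 20
   security = ads
"""
NSSWITCH = """
passwd:     files
group:      files winbind
"""

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank or commented out
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and internal whitespace in parameter names
            sections[current].append((" ".join(key.split()).lower(), value.strip()))
    return sections

def conflicting_keys(sections, section="global"):
    """Keys set more than once with differing values; the later value wins."""
    seen = {}
    for key, value in sections.get(section, []):
        seen.setdefault(key, []).append(value)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}

def nss_missing_winbind(text):
    """Of passwd and group, the databases whose nsswitch line lacks winbind."""
    missing = {"passwd", "group"}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]       # drop trailing comments
        if ":" in line:
            db, sources = line.split(":", 1)
            if "winbind" in sources.split():
                missing.discard(db.strip())
    return sorted(missing)
```

On a live system, feed the contents of /etc/samba/smb.conf and /etc/nsswitch.conf to the two functions; a duplicated key with the same value (os level above) is not reported, only genuinely conflicting ones.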
