On Thu, Feb 14, 2008 at 11:21 AM, Ross S. W. Walker <[EMAIL PROTECTED]> wrote:
> Linux Addict wrote:
> >
> > Greetings!!!
> >
> > I am using samba 3.0.28 clients authenticating AD R2 with SFU 3.5. I
> > have setup nss info to template, sfu get the uid, gid, home dir and
> > shell from AD.
>
> Whoa, slow down, you're getting all ahead of yourself. You seem to need
> to pick a user authorization (passwd/group) method and a user
> authentication method.

My nsswitch configuration is "passwd files winbind" and "group files winbind".
My authentication method (PAM) reads unix local files, krb5 next and then
winbind. I want to keep winbind as I will be using a one-way trust in the
future to our corp domain. I had some issues with only having krb5 as by
default it appended the username with our AD domain only.

> User authorization can be nss_ldap or samba+winbind or samba+ldap or
> samba+ad (samba+ldap and samba+ad are really the same, but samba
> uses ad extensions when storing the attributes).
>
> I personally like samba+winbind because with RID mapping I no
> longer have to worry about creating and maintaining UIDs and GIDs for
> every Windows user and group, which is a big pain.

I have around 200 RHEL hosts which will authenticate from AD. I want
uid/gid consistency across all the hosts. I wasn't sure if RID will assign
the same IDs on all 200 hosts for a specific user. Will it be the same if
I use RID?

> As far as authentication goes, there is pam_ldap, pam_winbind, samba
> or kerberos.
>
> If you're authenticating against a Windows AD domain I really don't see
> any point to not using Kerberos. It is straightforward, easy to
> setup, secure and provides single sign-on functionality. The others
> require additional setup procedures and don't do single sign-on.
>
> > The problem is it seems to be working for some time, and then it says
> > could not get uid/gid pair. I am assuming some kind of caching is
> > causing this.
>
> It may be your initial setup.

It wasn't just initial. It worked for the first few logins. Then if I try
again after an hour, you get that error and the user is not able to log in.

> > My understanding with SFU is that there won't be any mappings and the
> > specific user will pull the uid, gid from AD Unix Attributes.
>
> Managing UIDs and GIDs under SFU is a big PITA. I would only use it
> under circumstances where winbind wasn't available, but even there
> I would probably setup a Linux VM that would dump winbind RID
> mappings into NIS maps and then use NIS to send them out.
>
> > The winbindd-idmap file throws the following error.
> >
> > nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
> > Could not get unix ID
>
> Did you join the machine to the domain with a 'net ads join' ?

Yes. The host is part of AD.

> > This is testparm output.
> >
> > idmap backend = ad
> > idmap uid = 16777216-33554431
> > idmap gid = 16777216-33554431
> > template shell = /bin/bash
> > winbind separator = +
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > winbind nss info = template, sfu
> >
> > Please, someone help me get all Linux clients to authenticate
> > consistently against AD.
>
> Make sure you have these installed:
>
> samba-common
> samba-client
> cyrus-sasl-gssapi
> libgssapi
> cyrus-sasl-md5
> cyrus-sasl-lib
> cyrus-sasl
> cyrus-sasl-gssapi
> cyrus-sasl-ntlm
> cyrus-sasl-plain
> krb5-workstation
> pam_krb5
> krb5-libs
> krb5-auth-dialog

I don't have all, but have most of them.

[EMAIL PROTECTED] samba]# rpm -qa | egrep '(samba|cyrus|krb)'
krb5-libs-1.3.4-27
cyrus-sasl-md5-2.1.19-5.EL4
samba-common-3.0.28-1
cyrus-sasl-2.1.19-5.EL4
krbafs-1.2.2-6
pam_krb5-2.1.8-1
cyrus-sasl-plain-2.1.19-5.EL4
samba-client-3.0.28-1
krb5-devel-1.3.4-27
cyrus-sasl-devel-2.1.19-5.EL4
krb5-workstation-1.3.4-27
krbafs-devel-1.2.2-6
samba-3.0.28-1
[EMAIL PROTECTED] samba]#

> Try this simple starting smb.conf:
>
> [global]
>     workgroup = EXAMPLE
>     realm = EXAMPLE.COM
>     security = ads
>     password server = *
>     use kerberos keytab = yes
>     passdb backend = tdbsam
>     allow trusted domains = no
>     idmap backend = rid
>     idmap uid = 100000-199999
>     idmap gid = 100000-199999
>     template homedir = /home/%U
>     template shell = /bin/bash
>     winbind use default domain = true
>     winbind enum groups = yes
>     winbind enum users = yes
>     name resolve order = wins bcast host
>
> [homes]
>     comment = Home Directories
>     read only = no
>     browseable = no
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     printable = yes
>     browseable = no
>
> And this simple krb5.conf:
>
> [logging]
>     default = FILE:/var/log/krb5libs.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>     default_realm = EXAMPLE.COM
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>     ticket_lifetime = 24h
>     renew_lifetime = 7d
>     forwardable = yes
>
> [appdefaults]
>     pam = {
>         debug = false
>         ticket_lifetime = 24h
>         renew_lifetime = 7d
>         forwardable = true
>         krb4_convert = false
>     }
>
> [realms]
>     EXAMPLE.COM = {
>         kdc = example.com
>         admin_server = example.com
>     }
>
> [domain_realm]
>     example.com = EXAMPLE.COM
>     .example.com = EXAMPLE.COM
>
> Then make sure your nsswitch.conf has these defined:
>
> passwd:     files winbind
> shadow:     files
> group:      files winbind
>
> And your /etc/pam.d/system-auth is similar to:
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so

I have winbind coming after krb5 as I need it to leverage the one-way trust.

> The modules to pay attention to are pam_krb5.so and pam_mkhomedir.so.
>
> Then your Windows users should be able to single sign-on to Linux and access
> all the Windows shares and resources.
>
> -Ross

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
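The question in the thread is whether "idmap backend = rid" hands out the same uid/gid on every host. The model below is an added example, not code from the thread or from Samba; it assumes the rid backend's rule id = RID - base_rid + low (base_rid defaulting to 0) and that a result outside the configured "idmap uid" range fails, so the mapping is identical on every host exactly when the idmap ranges are identical. The SIDs and host names are constructed.

```python
"""Model of how Samba's idmap_rid backend derives Unix IDs from Windows SIDs.

Added example, not code from the thread or from Samba itself. Assumes the
rid backend's rule id = RID - base_rid + low, base_rid = 0 by default, and a
failed mapping whenever the result falls outside the configured range.
"""
import re

# Domain account SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def parse_sid(sid):
    """Split a domain account SID into (domain_sid, rid)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %r" % sid)
    domain = "S-1-5-21-%s-%s-%s" % m.group(1, 2, 3)
    return domain, int(m.group(4))


def rid_to_unix_id(sid, low, high, base_rid=0):
    """Return the Unix ID the rid backend would hand out, or None if out of range.

    low/high are the bounds from 'idmap uid = low-high' in smb.conf.
    """
    _domain, rid = parse_sid(sid)
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None  # winbind would report that it could not get a unix ID
    return unix_id


def map_on_hosts(sid, host_ranges):
    """Map one SID on several hosts; host_ranges is {hostname: (low, high)}."""
    return {h: rid_to_unix_id(sid, lo, hi) for h, (lo, hi) in host_ranges.items()}


def ids_consistent(mapping):
    """True when every host produced the same, valid ID for the SID."""
    ids = set(mapping.values())
    return len(ids) == 1 and None not in ids


if __name__ == "__main__":
    # Constructed SID for a domain user with RID 1105.
    user = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    fleet = {"rhel01": (100000, 199999), "rhel02": (100000, 199999)}
    print(map_on_hosts(user, fleet))          # identical ID on both hosts
    fleet["rhel03"] = (16777216, 33554431)    # one host with a different range
    print(ids_consistent(map_on_hosts(user, fleet)))  # ranges must match fleet-wide
```

The practical check this encodes: keep the idmap ranges (and base_rid) identical across all hosts, and make sure the range is wide enough for the highest RID the domain will issue, or the mapping fails on that host.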