One additional detail on my setup. In Chapter 7, Samba3-ByExample lists Kerberos and Samba features needed for working with AD. Checking my CentOS 5 installation, I find one gap in each list.

For Kerberos, the guide shows:

root# smbd -b | grep KRB
     HAVE_KRB5_H
     HAVE_ADDRTYPE_IN_KRB5_ADDRESS
     HAVE_KRB5
     HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
     HAVE_KRB5_ENCRYPT_DATA
     HAVE_KRB5_FREE_DATA_CONTENTS
(missing)     HAVE_KRB5_FREE_KTYPES
     HAVE_KRB5_GET_PERMITTED_ENCTYPES
     HAVE_KRB5_KEYTAB_ENTRY_KEY
     HAVE_KRB5_LOCATE_KDC
     HAVE_KRB5_MK_REQ_EXTENDED
     HAVE_KRB5_PRINCIPAL2SALT
     HAVE_KRB5_PRINC_COMPONENT
     HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
     HAVE_KRB5_SET_REAL_TIME
     HAVE_KRB5_STRING_TO_KEY
     HAVE_KRB5_TKT_ENC_PART2
     HAVE_KRB5_USE_ENCTYPE
     HAVE_LIBGSSAPI_KRB5
     HAVE_LIBKRB5

For Samba, the guide shows:

root # smbd -b | grep LDAP
     HAVE_LDAP_H
     HAVE_LDAP
(missing)     HAVE_LDAP_DOMAIN2HOSTLIST
     HAVE_LDAP_INIT
     HAVE_LDAP_INITIALIZE
     HAVE_LDAP_SET_REBIND_PROC
     HAVE_LIBLDAP
     LDAP_SET_REBIND_PROC_ARGS

I'm not knowledgeable enough to know whether missing either of HAVE_KRB5_FREE_KTYPES or HAVE_LDAP_DOMAIN2HOSTLIST is a showstopper for me.


        Dave
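As an added example (not code from this thread or from the Samba project), a small Python checker that compares the symbols printed by `smbd -b` against the two feature lists quoted above, so a missing feature is reported rather than spotted by eye. When `smbd` is not present it falls back to a constructed sample dump that lacks the same two symbols as the post.

```python
import re
import subprocess

# Feature lists quoted from Samba3-ByExample chapter 7 (as reproduced in the post above).
REQUIRED_KRB = """HAVE_KRB5_H HAVE_ADDRTYPE_IN_KRB5_ADDRESS HAVE_KRB5
HAVE_KRB5_AUTH_CON_SETUSERUSERKEY HAVE_KRB5_ENCRYPT_DATA HAVE_KRB5_FREE_DATA_CONTENTS
HAVE_KRB5_FREE_KTYPES HAVE_KRB5_GET_PERMITTED_ENCTYPES HAVE_KRB5_KEYTAB_ENTRY_KEY
HAVE_KRB5_LOCATE_KDC HAVE_KRB5_MK_REQ_EXTENDED HAVE_KRB5_PRINCIPAL2SALT
HAVE_KRB5_PRINC_COMPONENT HAVE_KRB5_SET_DEFAULT_TGS_KTYPES HAVE_KRB5_SET_REAL_TIME
HAVE_KRB5_STRING_TO_KEY HAVE_KRB5_TKT_ENC_PART2 HAVE_KRB5_USE_ENCTYPE
HAVE_LIBGSSAPI_KRB5 HAVE_LIBKRB5""".split()
REQUIRED_LDAP = """HAVE_LDAP_H HAVE_LDAP HAVE_LDAP_DOMAIN2HOSTLIST HAVE_LDAP_INIT
HAVE_LDAP_INITIALIZE HAVE_LDAP_SET_REBIND_PROC HAVE_LIBLDAP LDAP_SET_REBIND_PROC_ARGS""".split()


def defined_symbols(output):
    """Collect build-option symbols: smbd -b prints each one alone on an indented line."""
    return {m.group(1) for m in re.finditer(r"^\s*([A-Z][A-Z0-9_]*)\s*$", output, re.M)}


def missing_features(output, required):
    """Return the required symbols the smbd binary was built without, sorted."""
    return sorted(set(required) - defined_symbols(output))


def constructed_smbd_b_output(missing):
    """Fake `smbd -b` dump for offline use (constructed, not a real CentOS 5 capture)."""
    lines = ["Build environment:", "   Built by:    constructed@example",
             "Paths:", "   SBINDIR: /usr/sbin"]
    lines += [" " + sym for sym in REQUIRED_KRB + REQUIRED_LDAP if sym not in missing]
    return "\n".join(lines)


if __name__ == "__main__":
    try:  # live check on a Samba host; constructed sample everywhere else
        out = subprocess.run(["smbd", "-b"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = constructed_smbd_b_output({"HAVE_KRB5_FREE_KTYPES", "HAVE_LDAP_DOMAIN2HOSTLIST"})
    for name, req in (("Kerberos", REQUIRED_KRB), ("LDAP", REQUIRED_LDAP)):
        print(name, "missing:", missing_features(out, req) or "none")
```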

Lemire, David wrote:
Try comparing what you did to these articles. They worked very well for me on a W2K AD domain.
To me, they're more easily understood than the official docs.

http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1


They pretty much describe what I'd done to this point, +/- a couple of details (which I do realize may be important). One question they bring up for me is this: In describing krb5.conf, I've seen the [domain_realm] section shown two or three different ways:

 [domain_realm]
        .kerberos.server = DOMAIN.NET


 [domain_realm]
        .mydomain.domain = DOMAIN.NET


 [domain_realm]
        .mydomain.domain = DOMAIN.NET
        mydomain.domain = DOMAIN.NET

The example on MIT kerberos site would seem to indicate that the third one of those is right (see <http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#domain_005frealm>), but I've definitely seen both of the others used as example configurations.


The other thing I came across after posting my question to this list was an entry in Scott Lowe's blog about problems w/CentOS 5 and Active Directory integration <http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/>. OTOH, he was having problems getting the machine to join the domain, whereas my roadblocks are a step or two beyond that. Still, it makes me wonder if I shouldn't just one or more pieces of this puzzle (starting w/samba).


I need to double-check that my samba build includes the DOMAIN2HOSTLIST component; I can't check at the moment, but IIRC, that might not have been in the list when I checked before. Would missing that account for my winbind / getent disparity?

Dave
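Why the third form differs from the second, as an added Python model (not code from this thread or from MIT Kerberos) of the [domain_realm] lookup order the MIT admin guide describes: the exact host name is tried first, then each parent domain with a leading dot. Both config fragments are constructed, and host names are compared in lower case.

```python
import re

# Constructed krb5.conf fragments mirroring the two forms asked about above.
DOT_ONLY = """
[domain_realm]
    .mydomain.domain = DOMAIN.NET
"""
DOT_AND_BARE = """
[domain_realm]
    .mydomain.domain = DOMAIN.NET
    mydomain.domain = DOMAIN.NET
"""


def parse_domain_realm(text):
    """Return {host_or_domain: REALM} from the [domain_realm] section of a krb5.conf."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # krb5.conf comments start with '#'
        if not line:
            continue
        head = re.match(r"^\[(\w+)\]$", line)
        if head:
            section = head.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, _, realm = line.partition("=")
            mapping[key.strip().lower()] = realm.strip()
    return mapping


def host_realm(hostname, mapping):
    """Realm for a host, following the MIT lookup order: the exact host name first,
    then each parent domain with a leading dot. A bare entry therefore matches only
    a host of exactly that name; a dotted entry matches hosts beneath that domain.
    Returns None when nothing matches (libkrb5 would then try its other methods)."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None
```

With only the dotted entry, a host named exactly `mydomain.domain` (for instance when the AD DNS domain name itself is used as the KDC host) gets no realm mapping; the bare entry in the third form covers that case.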


Lemire, David wrote:
I'm trying to integrate a Linux machine into our
Win2K3 ADS-based network.  The machine must
primarily serve as a user workstation (i.e., a
Samba Client), although it also needs to serve at
least one share for backup purposes.  I'd like to
emulate the behavior of our WinXP machines in that
any user in our small company can login to any
computer in the domain based on network
username/password.

I've been following the information in the
"Samba3-By Example" guide (the on-line, PDF
version, 28 Jan 2008), section 7.3.4.  I've had
success joining the network and accessing a share
on a server, but then run into a snag where
getent doesn't return equivalent information to
wbinfo for users and groups. I've done scads of
web searching, reading, tinkering with conf files,
and have scanned about six months of this list's
archive without finding a resolution, although my
problem doesn't seem to be uncommon. Before I
post conf files with specifics, I'd like to ask a
couple of basic questions:

1) Need I care that getent won't return equivalent
results as wbinfo?  The guide describes this is
"to validate the full identity resolution is
functional as required", so I've been taking it as
gospel that I shouldn't tackle PAM until getent
works.

2) Active Directory Configuration:  Is it a
requirement that I either make configuration
changes in AD or install Microsoft Services for
UNIX to accomplish what I want?  The By-Example
guide seems to indicate that I don't have to (1st
page of 7.3.4), but at least one write-up I've
found on-line states that AD mods are necessary
(<http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/>;
it is from Dec 2005, so could be out-of-date?).

3) My software versions are:

*   PDC and BDC are running Active Directory on Windows Server 2003 SP2
*   Linux machine is running CentOS 5 with current updates
*   Samba software is 3.0.25b (supplied w/CentOS)
*   krb5 software is 1.6.1-17 (supplied w/CentOS)
*   nss is 3.11.7 (supplied w/CentOS)
*   nss_ldap is 253-5 (supplied w/CentOS)

Do I need to upgrade to newer versions?  I've read
of problems with Samba 3.0.23c on Red Hat, but
nothing I've seen indicates a problem with
3.0.25b.  If upgrading is recommended, I'd
appreciate a pointer to an appropriate source of
RPMs, as these are the newest versions in the CentOS
Repositories, and I'm not too comfortable with building
from source yet.

4)  If nsswitch.conf is configured for winbind, do
I need to worry at all about LDAP configuration?

5)  I've seen mention about letter case being a
problem in configuring Kerberos and Samba. On our
AD server, the domain appears as "DOMAIN.local",
with the letter case as shown, so the FQDN of the
server is SERVER.DOMAIN.local.  Is this somehow
causing me a problem?  In the krb5.conf and
smb.conf files, I've identified the realm as
DOMAIN.LOCAL.

6)  One oddity:  when I started working on this,
after the machine joined the domain, wbinfo showed
results as DOMAIN+username but somewhere along the
line that changed to just the username.  Is that
indicative of something I've misconfigured?

Thanks for any insight.  My gut tells me I'm not
far off, but I've exceeded my "solve it myself"
frustration level!

Dave Lemire


--

David Lemire
Director of Technology
  & Corporate Capabilities
A&N Associates, Inc.
999 Corporate Blvd, Suite 100
Linthicum, Maryland 21090

TEL: 410-859-5449 x111
FAX: 410-859-5292
[EMAIL PROTECTED]
www.anassoc.com

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba