Well, I've continued to muck with this with no real progress to show. I still have a situation where "wbinfo -u" lists domain users but "getent passwd" only lists local users. Here are my configuration files for Samba, Kerberos, and NSSwitch. Maybe someone can see what's wrong / missing.
Right now I'll be happy to get to the point that a network user can log in on this CentOS machine based only on their network credentials.

Dave

================= smb.conf
[global]
workgroup = MYCOMPANY
realm = MYCOMPANY.LOCAL
server string = Samba Server / LLINDELL01
security = ADS
log file = /var/log/samba/%m.log
max log size = 50
password server = mydc.mycompany.local
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = false
================= smb.conf (end)

================= krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYCOMPANY.LOCAL
[domain_realm]
.mycompany.local = MYCOMPANY.LOCAL
mycompany.local = MYCOMPANY.LOCAL
================= krb5.conf (end)

================= nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
================= nsswitch.conf (end)

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Lemire, David
Sent: Tue 2/19/2008 2:37 PM
To: samba@lists.samba.org
Subject: Re: [Samba] CentOS 5 client in W2K3 AD Domain, getent only shows local info

One additional detail on my setup. In Chapter 7, Samba3-ByExample lists Kerberos and Samba features needed for working with AD. Checking my CentOS 5 installation, I find one gap in each list.
For Kerberos, the guide shows:

root# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
HAVE_KRB5_ENCRYPT_DATA
HAVE_KRB5_FREE_DATA_CONTENTS
HAVE_KRB5_FREE_KTYPES          (missing)
HAVE_KRB5_GET_PERMITTED_ENCTYPES
HAVE_KRB5_KEYTAB_ENTRY_KEY
HAVE_KRB5_LOCATE_KDC
HAVE_KRB5_MK_REQ_EXTENDED
HAVE_KRB5_PRINCIPAL2SALT
HAVE_KRB5_PRINC_COMPONENT
HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
HAVE_KRB5_SET_REAL_TIME
HAVE_KRB5_STRING_TO_KEY
HAVE_KRB5_TKT_ENC_PART2
HAVE_KRB5_USE_ENCTYPE
HAVE_LIBGSSAPI_KRB5
HAVE_LIBKRB5

For Samba, the guide shows:

root# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST      (missing)
HAVE_LDAP_INIT
HAVE_LDAP_INITIALIZE
HAVE_LDAP_SET_REBIND_PROC
HAVE_LIBLDAP
LDAP_SET_REBIND_PROC_ARGS

I'm not knowledgeable enough to know if missing either of HAVE_KRB5_FREE_KTYPES or HAVE_LDAP_DOMAIN2HOSTLIST is a showstopper for me.

Dave

Lemire, David wrote:
>> Try comparing what you did to these articles. They worked very well
>> for me on a W2K AD domain.
>> To me, they're more easily understood than the official docs.
>>
>> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
>> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
>>
>
> They pretty much describe what I'd done to this point, +/- a couple of
> details (which I do realize may be important). One question they bring
> up for me is this: In describing krb5.conf, I've seen the
> [domain_realms] section shown two or three different ways:
>
> [domain_realms]
> .kerberos.server = DOMAIN.NET
>
> [domain_realms]
> .mydomain.domain = DOMAIN.NET
>
> [domain_realms]
> .mydomain.domain = DOMAIN.NET
> mydomain.domain = DOMAIN.NET
>
> The example on MIT kerberos site would seem to indicate that the third
> one of those is right (see
> <http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#domain_005frealm>),
> but I've definitely seen both of the others used as example configurations.
>
> The other thing I came across after posting my question to this list was
> an entry in Scott Lowe's blog about problems w/CentOS 5 and Active
> Directory integration
> <http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/>.
> OTOH, he was having problems getting the machine to join the domain,
> whereas my roadblocks are a step or two beyond that. Still, it makes me
> wonder if I shouldn't just one or more pieces of this puzzle (starting
> w/samba).
>
> I need to double-check my samba build includes the DOMAIN2HOSTLIST
> component; I can't check at the moment, but IIRC, that might not have
> been in the list when I checked before. Would missing that account for
> my winbind / getent disparity?
>
> Dave
>
>> Lemire, David wrote:
>>> I'm trying to integrate a Linux machine into our
>>> Win2K3 ADS-based network. The machine must
>>> primarily serve as a user workstation (i.e., a
>>> Samba Client), although it also needs to serve at
>>> least one share for backup purposes. I'd like to
>>> emulate the behavior of our WinXP machines in that
>>> any user in our small company can login to any
>>> computer in the domain based on network
>>> username/password.
>>>
>>> I've been following the information in the
>>> "Samba3-By Example" guide (the on-line, PDF
>>> version, 28 Jan 2008), section 7.3.4. I've had
>>> success joining the network and accessing a share
>>> on a server, but then run into a snag where
>>> getent doesn't return equivalent information to
>>> wbinfo for users and groups. I've done scads of
>>> web searching, reading, tinkering with conf files,
>>> and have scanned about six months of this list's
>>> archive without finding a resolution, although my
>>> problem doesn't seem to be uncommon. Before I post
>>> conf files with specifics I'd like to ask a couple
>>> of basic questions:
>>>
>>> 1) Need I care that getent won't return equivalent
>>> results as wbinfo? The guide describes this as
>>> "to validate the full identity resolution is
>>> functional as required", so I've been taking it as
>>> gospel that I shouldn't tackle PAM until getent
>>> works.
>>>
>>> 2) Active Directory Configuration: Is it a
>>> requirement that I either make configuration
>>> changes in AD or install Microsoft Services for
>>> UNIX to accomplish what I want? The By-Example
>>> guide seems to indicate that I don't have to (1st
>>> page of 7.3.4), but at least one write-up I've
>>> found on-line states that AD mods are necessary
>>> (<http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/>
>>> it is from Dec 2005, so could be out-of-date?).
>>>
>>> 3) My software versions are:
>>>
>>> * PDC and BDC are running Active Directory on
>>>   Windows Server 2003 SP2
>>> * Linux machine is running CentOS 5 with current updates
>>> * Samba software is 3.0.25b (supplied w/CentOS)
>>> * krb5 software is 1.6.1-17 (supplied w/CentOS)
>>> * nss is 3,11,7 (supplied w/CentOS)
>>> * nss_ldap is 253-5 (supplied w/CentOS)
>>>
>>> Do I need to upgrade to newer versions? I've read
>>> of problems with Samba 3.0.23c on Red Hat, but
>>> nothing I've seen indicates a problem with
>>> 3.0.25b. If upgrading is recommended, I'd
>>> appreciate a pointer to an appropriate source of
>>> RPMs, as these are the newest versions in the CentOS
>>> repositories, and I'm not too comfortable with building
>>> from source yet.
>>>
>>> 4) If nsswitch.conf is configured for winbind, do
>>> I need to worry at all about LDAP configuration?
>>>
>>> 5) I've seen mention about letter case being a
>>> problem in configuring Kerberos and Samba. On our
>>> AD server, the domain appears as "DOMAIN.local",
>>> with the letter case as shown, so the FQDN of the
>>> server is SERVER.DOMAIN.local. Is this somehow
>>> causing me a problem? In the krb5.conf and
>>> smb5.conf files, I've identified the realm as
>>> DOMAIN.LOCAL.
>>>
>>> 6) One oddity: when I started working on this,
>>> after the machine joined the domain, wbinfo showed
>>> results as DOMAIN+username but somewhere along the
>>> line that changed to just the username. Is that
>>> indicative of something I've misconfigured?
>>>
>>> Thanks for any insight. My gut tells me I'm not
>>> far off, but I've exceeded my "solve it myself"
>>> frustration level!
>>>
>>> Dave Lemire
>>>
>

--
David Lemire
Director of Technology & Corporate Capabilities
A&N Associates, Inc.
999 Corporate Blvd, Suite 100
Linthicum, Maryland 21090
TEL: 410-859-5449 x111
FAX: 410-859-5292
[EMAIL PROTECTED]
www.anassoc.com

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
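A small offline checker, added here as an illustration and not code from the thread or from the Samba project, that parses smb.conf and nsswitch.conf text modelled on the files above and flags the usual causes of the wbinfo/getent disparity; it encodes one fact worth knowing for Samba 3.0.23 and later: winbind enum users and winbind enum groups default to no, so a plain getent passwd never enumerates domain accounts unless they are enabled. The config strings and the wbinfo/getent samples in the test are constructed.

```python
# Constructed copies of the smb.conf [global] and nsswitch.conf values from the thread
SMB_CONF = """[global]
realm = MYCOMPANY.LOCAL
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = false
"""
NSSWITCH = "passwd: files winbind\nshadow: files winbind\ngroup: files winbind\n"

def parse_smb_global(text):
    """Return {key: value} for the [global] section, keys lower-cased."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line and line[:1] not in "#;":
            k, v = line.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return params

def parse_nsswitch(text):
    """Return {database: [sources]}, dropping comments and [action] tokens."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, srcs = line.split(":", 1)
            dbs[db.strip()] = [s for s in srcs.split() if not s.startswith("[")]
    return dbs

def check_resolution(smb_text, nss_text):
    """Reasons why 'getent passwd' may list fewer users than 'wbinfo -u'."""
    g, nss = parse_smb_global(smb_text), parse_nsswitch(nss_text)
    problems = []
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            problems.append(f"nsswitch.conf: '{db}' has no winbind source")
    # Samba 3.0.23+ defaults these to 'no': getent then enumerates only local accounts
    for p in ("winbind enum users", "winbind enum groups"):
        if g.get(p, "no").lower() not in ("yes", "true", "1"):
            problems.append(f"smb.conf: '{p}' is not yes, so enumeration is off")
    if "idmap uid" not in g or "idmap gid" not in g:
        problems.append("smb.conf: idmap uid/gid ranges are missing")
    return problems

def unresolved_users(wbinfo_out, getent_out):
    """Names from 'wbinfo -u' output that the NSS passwd database does not return."""
    nss_users = {l.split(":")[0] for l in getent_out.splitlines() if ":" in l}
    return sorted(u for u in wbinfo_out.split() if u not in nss_users)
```

Single-user lookups such as getent passwd 'MYCOMPANY\user' still work with enumeration off, so an empty problem list from this script is not the only thing to confirm; enabling enumeration on a large domain also makes every getent passwd walk the whole directory.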