Re: [Samba] Winbind Problems and doubts

2003-01-29 Thread Errol Neal
Greetings from Maryland :-),


What is your windowmaker using for authentication? Is it using PAM? If so, there 
should be a pam control file in /etc/pam.d. That is where I would start first. Are you 
using xdm, gdm or kde? I may not be correct (and I am sure someone will correct my 
in-correctedness), but I believe that the auth is normally performed by the display 
manager. What distribution are you using?

Okay, there was a way to circumvent the "Domain+user" thing. It involved using a 
different PAM module and running a daemon process. I used it before my company upgraded 
to win2k, and after we upgraded, I could not get it to work anymore (probably because 
our Active Directory mode was not mixed mode). I think the module superseded the 
pam_ntdom module or it may have been that module itself. It's been a while so forgive 
me. But if you are interested in going that route, you can do some searching on the 
Linux PAM home page under the modules link.

Lastly, /etc/pam.d contains control files for different services. Normally, they are 
named after the service name. So if you want to, say, allow your win2k users to 
log in to your box at a terminal, you will more than likely have to tweak the login 
control file. 

I sincerely hope that this helps.. 


Best Regards,

Errol Neal
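
Added example, not part of the original message: a simplified model of how the control flags in an /etc/pam.d control file decide whether local and domain accounts can both pass the auth stack. The two control files are constructed, pam_winbind.so and pam_unix.so are assumed to be the modules in use, and only the required, requisite and sufficient flags are modelled.

```python
# Constructed "login" control files (assumption: pam_winbind.so and
# pam_unix.so are the only auth modules in the stack).
WINBIND_ONLY = """\
auth  required    pam_winbind.so
"""
WINBIND_THEN_LOCAL = """\
# try the domain first, then fall back to local accounts
auth  sufficient  pam_winbind.so
auth  required    pam_unix.so use_first_pass
"""

def parse_stack(text, mgmt="auth"):
    """Return [(control, module)] for one management group of a control file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, module_ok):
    """Simplified PAM flow for required/requisite/sufficient; others are skipped."""
    required_failed = False
    required_passed = False
    for control, module in stack:
        ok = module_ok.get(module, False)
        if control == "sufficient":
            if ok and not required_failed:
                return True              # stop here, the stack succeeds
        elif control in ("required", "requisite"):
            if ok:
                required_passed = True
            elif control == "requisite":
                return False             # fail immediately
            else:
                required_failed = True   # keep going, but the stack will fail
    return required_passed and not required_failed

def who_can_login(text):
    """Evaluate the auth stack for a local account and for a domain account."""
    local = {"pam_unix.so": True, "pam_winbind.so": False}
    domain = {"pam_unix.so": False, "pam_winbind.so": True}
    stack = parse_stack(text)
    return {"local": evaluate(stack, local), "domain": evaluate(stack, domain)}

if __name__ == "__main__":
    for name, text in (("winbind only", WINBIND_ONLY),
                       ("winbind then local", WINBIND_THEN_LOCAL)):
        print(name, who_can_login(text))
```
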

-- Original Message --
From: "Igor Debacker" <[EMAIL PROTECTED]>
Date:  Wed, 29 Jan 2003 15:41:04 -0300

>Greetings from Brazil,
>
>1) I installed winbind and everything seems good, but I have kde installed and
>I'm trying to run windowmaker.. if I choose 'failsafe' or log into the black
>terminal it runs ok.. but when I try to log into the windowmaker.. it does
>not log in... what should I do ?
>
>2) how can I login with the local accounts (root and others) while winbind is running 
>? I can only login with domain+user accounts !!!
>
>my /etc/nsswitch.conf is already configured to check files and winbind.. what else 
>should I do ?
>
>3) is there a way for my win2kserver users to login only with their user name and not as 
>"DOMAIN+user" ?
>
>4) where can I find info about /etc/pam.d/ files.. I don't know which one of them I 
>should change for each specific action, or should I change all of them ?
>
>Thanx in advance
>
>Igor Vieira Debacker
>[EMAIL PROTECTED]
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  http://lists.samba.org/mailman/listinfo/samba
>
>-- 
>This message has been scanned for viruses and
>dangerous content and is believed to be clean.



Re: [Samba] Active Directory - Which Samba version is needed?

2003-02-07 Thread Errol Neal

You will need samba-3.0 then. It is in alpha, so it is not recommended for production 
use right now. But I am using it in production w/o any issues. It requires samba to be 
compiled against kerberos and the openldap libraries. It also requires the use of 
winbindd.


Regards,

Errol


-- Original Message --
From: Alexander Skwar <[EMAIL PROTECTED]>
Date:  Fri, 07 Feb 2003 10:06:43 +0100

>Hi!
>
>I'd like to setup a Samba server which should do user authentication
>against an Active Directory.  Our AD admins told me, that we do not have
>Windows NT 4.0 Domains available.
>
>What I'm trying to accomplish, is that the users can login with the same
>username/password they use with the AD.  Also, if the password is
>changed in the AD, this change should be reflected on the Samba server.
> It doesn't have to be the other way around - ie. the Samba server
>doesn't have to be able to do password changes.
>
>The reason is, that I need a way for the Windows users to access files
>on NFS shares.
>
>All this is supposed to work on a HP-UX 11.00 server, but I also do have
>a RedHat 8.0 server available.  So I'm either looking for a HP-UX
>solution (preferably with the HP CIFS server) or a Linux solution.
>Actually, plain OS independent hints are also VERY much appreciated!
>
>Thanks a lot,
>
>Alexander Skwar
>--
>How to quote: http://learn.to/quote (german) http://quote.6x.to (en)
>Homepage: http://www.iso-top.biz  |  Jabber: [EMAIL PROTECTED]
>   iso-top.biz - Die günstige Art an Linux Distributionen zu kommen
>



Re: [Samba] How to join a linux machine to a "pure" ActiveDirectoryDomain using Samba 3.0alpha21?

2003-02-13 Thread Errol Neal

net ads join will add your samba box to the windows 2000 domain, and the domain does 
not have to support mixed mode. You will need to have kerberos set up and tested on 
your system (linux). Do you already have this done?

Errol

-- Original Message --
From: Alexander Skwar <[EMAIL PROTECTED]>
Reply-To: Samba Liste <[EMAIL PROTECTED]>
Date:  Thu, 13 Feb 2003 11:42:07 +0100

>Hello.
>
>I've now compiled and installed Samba 3.0 alpha 21 on a Red Hat 8.0 box
>(since I sadly don't have a current Mandrake box available in our
>network).
>
>Now I'm somewhat lost - what do I have to do, to make the Samba server
>join the Active Directory (which doesn't support NT 4.0 Domains)?
>
>Is "net ads join" the only thing I've got to do?
>
>Where do I set which AD is to be joined?  Does Samba use the
>"workgroup" parameter from smb.conf?  Do I have to pay any attention on
>how I enter the AD name there, or would "europe.delphiauto.net" do?
>
>Do I need some sort of administrative rights in the AD to be able to
>join?
>
>Which security mode would I need to use?  domain?
>
>Besides Samba, which other software/servers do I need on my server?
>Kerberos?  I suppose I need to configure it somehow - how?  What do I
>have to pay attention to?
>
>I'd be very happy if someone could help me out - FAQ pointers concerning
>this are welcome as well!  I've Google'd for answers but could basically
>just find questions and sometimes answers regarding Samba 2.2.x and NT
>4.0 Domains.
>
>Thanks a lot,
>
>Alexander Skwar
>--
>How to quote:  http://learn.to/quote (german) http://quote.6x.to (english)
>Homepage:  http://www.iso-top.biz |Jabber: [EMAIL PROTECTED]
>   iso-top.biz - Die günstige Art an Linux Distributionen zu kommen
>   Uptime: 17 days 4 hours 43 minutes



[Samba] "net ads join" hangs

2002-11-29 Thread Errol Neal
Hello,

I am using samba-3.0alpha21 on an out-of-the-box debian-3.0 box trying to join a native 
windows 2000 (active directory) domain. I have used alpha18, 19, and 20 in the past with 
a lot of success on red hat and linux from scratch systems with minimum challenges. 
However I cannot seem to join the domain in this instance. I am using openldap 2.1.8 and 
mit kerberos 1.2.7. The result of "net ads join" using alpha19 is that the command 
hangs after scrolling about 5 pages of text. Alpha20 segfaults for a reason unapparent 
to me and alpha21 hangs, as alpha19 did but only after the first line. The funny thing 
is that "net ads status" shows that my system is a member of the domain, but in 
starting winbindd, winbindd reports this:

 winbindd version 3.0alpha21 started.
  Copyright The Samba Team 2000-2001
[2002/11/29 07:04:07, 1] nsswitch/winbindd_util.c:add_trusted_domain(140)
  Added domain JCNTV
[2002/11/29 07:04:07, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
  krb5_cc_get_principal failed (No credentials cache found)
[2002/11/29 07:04:07, 1] nsswitch/winbindd_ads.c:ads_cached_connection(72)
  ads_connect for domain JCNTV failed: NT_STATUS_LOGON_FAILURE
[2002/11/29 07:04:17, 1] nsswitch/winbindd_util.c:init_domain_list(220)
  Retrying startup domain sid fetch for JCNTV
[2002/11/29 07:04:17, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
  krb5_cc_get_principal failed (No credentials cache found)
[2002/11/29 07:04:17, 1] nsswitch/winbindd_ads.c:ads_cached_connection(72)
  ads_connect for domain JCNTV failed: NT_STATUS_LOGON_FAILURE

I compiled samba like so.. 
./configure --prefix=/usr/local/samba3 --with-pam

Here is a copy of my smb.conf

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2002/09/20 13:46:38

# Global parameters
[global]
workgroup = JCNTV
realm = JCNTV.PRIVATE
ADS server = 192.168.0.2
netbios name = ISAIAH
interfaces = **.**.**.**
bind interfaces only = Yes
security = ADS
wins server = 192.168.0.2
encrypt passwords = yes
host msdfs = Yes
msdfs root = Yes
winbind gid = 1000-65000
winbind uid = 1000-65000
winbind separator = +

[docroot]
path = /home/var/www
follow symlinks = no
browsable = yes
force create mode = 0664
force directory mode = 0755


My krb5.conf ..


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 #default_tags_enctypes = des-cbc-crc
 #default_tkt_enctypes = des-cbc-crc
 default_realm = JCNTV.PRIVATE
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 JCNTV.PRIVATE = {
  kdc = server2.jcntv.private:88
  default_domain = jcntv.private
 }

[domain_realm]
 .jcntv.private = JCNTV.PRIVATE
 jcntv.private = JCNTV.PRIVATE

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false


and finally, my ldap.conf..

# Your LDAP server. Must be resolvable without using LDAP.
host 192.168.0.2

# The distinguished name of the search base.
base dc=jcntv,dc=private

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# Use SSL
# ssl yes

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Administrator,cn=Users,dc=jcntv,dc=private
bindpw JxZ#!@//
#URI ldaps://192.168.0.2:636
# The credentials to bind with.
# Optional: default is no credential.

# The port.
#port 636
port 389

# The search scope.
scope sub

nss_base_passwd cn=Users,DC=jcntv,DC=private?one
nss_base_shadow cn=Users,DC=jcntv,DC=private?one
nss_base_group cn=Group,DC=jcntv,DC=private?one

nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute cn msSFUName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute uniqueMember Member

pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_password ad


Any help would be greatly appreciated. I don't know if this behavior is related to the 
version of glibc installed on the machine or what. But again, any help would be 
appreciated. 


Best Regards,

Errol U. Neal
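
Added example, not part of the original post: a small triage script for the two-line winbindd log format quoted above. It joins each header line with its message and attaches the Kerberos error logged at the same timestamp to every ads_connect failure; the sample text is the log from this message, and the function names are illustrative.

```python
import re

# Log text copied from the winbindd output quoted in the message above.
SAMPLE_LOG = """\
[2002/11/29 07:04:07, 1] nsswitch/winbindd_util.c:add_trusted_domain(140)
  Added domain JCNTV
[2002/11/29 07:04:07, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
  krb5_cc_get_principal failed (No credentials cache found)
[2002/11/29 07:04:07, 1] nsswitch/winbindd_ads.c:ads_cached_connection(72)
  ads_connect for domain JCNTV failed: NT_STATUS_LOGON_FAILURE
[2002/11/29 07:04:17, 1] nsswitch/winbindd_util.c:init_domain_list(220)
  Retrying startup domain sid fetch for JCNTV
[2002/11/29 07:04:17, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
  krb5_cc_get_principal failed (No credentials cache found)
[2002/11/29 07:04:17, 1] nsswitch/winbindd_ads.c:ads_cached_connection(72)
  ads_connect for domain JCNTV failed: NT_STATUS_LOGON_FAILURE
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<file>[^:]+):(?P<func>\w+)\((?P<line>\d+)\)$")
ADS_FAIL = re.compile(r"ads_connect for domain (\S+) failed: (\S+)")

def parse_records(text):
    """Join each header line with the indented message line(s) that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def triage(records):
    """Attach the Kerberos error logged at the same timestamp to each ADS failure."""
    findings, krb_errors = [], {}
    for r in records:
        if r["func"].startswith("krb5_") and "failed" in r["msg"]:
            krb_errors[r["ts"]] = r["msg"]
        m = ADS_FAIL.search(r["msg"])
        if m:
            findings.append({"ts": r["ts"], "domain": m.group(1),
                             "status": m.group(2),
                             "kerberos_error": krb_errors.get(r["ts"])})
    return findings

if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_LOG)):
        print(finding)
```
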




FWD: Re: [Samba] "net ads join" hangs

2002-11-29 Thread Errol Neal
-- Original Message --
From: "Errol Neal" <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
Date:  Fri, 29 Nov 2002 17:13:39 -0800

Hello,

In my further investigation, it seems that winbindd cannot locate my kerberos ticket. 
Or, at least, this is what this log output from winbindd suggests:

>[2002/11/29 07:04:17, 1] nsswitch/winbindd_util.c:init_domain_list(220)
>  Retrying startup domain sid fetch for JCNTV
>[2002/11/29 07:04:17, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
>  krb5_cc_get_principal failed (No credentials cache found)
>[2002/11/29 07:04:17, 1] nsswitch/winbindd_ads.c:ads_cached_connection(72)
>  ads_connect for domain JCNTV failed: NT_STATUS_LOGON_FAILURE

Am I correct? But I do have a kerberos ticket... 

isaiah:/usr# /usr/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
11/29/02 17:11:59  11/30/02 03:11:45  [EMAIL PROTECTED]

Help would be appreciated... 


Best Regards,

Errol U. Neal
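
Added example, not part of the original post: a check of which credentials cache a process would look for and whether that file is usable, for comparing the shell where klist was run with the environment a daemon is started in. It assumes MIT Kerberos behaviour (KRB5CCNAME overrides the default FILE:/tmp/krb5cc_<uid>); the function names and the demo scenario are constructed.

```python
import os
import stat
import tempfile

def resolve_ccache(env, uid):
    """Cache name a process with this environment and uid would look for.

    Assumption: MIT Kerberos behaviour, where KRB5CCNAME overrides the
    default FILE:/tmp/krb5cc_<uid>.
    """
    return env.get("KRB5CCNAME") or f"FILE:/tmp/krb5cc_{uid}"

def check_ccache(name, uid):
    """Return the problems that would stop `uid` from using a FILE cache safely."""
    kind, _, path = name.partition(":")
    if not path:                       # a bare path means a FILE cache
        kind, path = "FILE", kind
    if kind != "FILE":
        return [f"cache type {kind} is not checked by this example"]
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != uid:
        problems.append(f"{path} is owned by uid {st.st_uid}, not {uid}")
    if mode & 0o077:
        problems.append(f"{path} is open to group/other (mode {mode:o})")
    return problems

def compare(shell_env, daemon_env, uid):
    """Would klist in a shell and a daemon started elsewhere use the same cache?"""
    shell = resolve_ccache(shell_env, uid)
    daemon = resolve_ccache(daemon_env, uid)
    return {"shell": shell, "daemon": daemon, "same_cache": shell == daemon,
            "daemon_problems": check_ccache(daemon, uid)}

if __name__ == "__main__":
    # Constructed scenario: KRB5CCNAME is set in the shell but not for the daemon.
    with tempfile.NamedTemporaryFile(prefix="krb5cc_demo_") as cc:
        os.chmod(cc.name, 0o600)
        print(compare({"KRB5CCNAME": f"FILE:{cc.name}"}, {}, os.getuid()))
```
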




