RE: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions
I haven't tested but perhaps this pam entry in system-auth will help (insert before the winbind account entry):

    account sufficient /lib/security/$ISA/pam_succeed_if.so uid 100 quiet

Noal

-----Original Message-----
From: Andre Fernando Goldacker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 04, 2007 11:06 AM
To: Andre Fernando Goldacker
Cc: Miles, Noal; samba@lists.samba.org
Subject: Re: [Samba] Issue with pam_winbind for MS AD authentication and module options

I made a mistake, group in nsswitch.conf looks like this:

    group: files winbind

sorry about that!!

Andre

Andre Fernando Goldacker wrote:
> Hello!
>
> passwd, shadow and group look as follows in nsswitch.conf:
>
>     passwd: files winbind
>     shadow: files
>     group:  files group
>
> What really confuses me is that when my AD server is up and running, root or any local user logs in with no problem. And even when the AD server is down, after trying a zillion times, root and other local users log in, and then if I log them out and try again a few minutes later it won't go again, then again after a few minutes it works again, and it keeps going like that.
>
> My guess is that when it's not going, pam_winbind and winbind are trying to connect to the AD server, resulting in a huge delay in the login process affecting also local users' login. That's why I was wondering if there is a timeout option or something for pam_winbind to avoid that. Well, that's my guess, I could be wrong and maybe the problem is something else.
>
> Anyway, thanks so far for your help, if you or anyone has a light...
>
> Andre
>
> Miles, Noal wrote:
>> You have files before winbind in /etc/nsswitch.conf for passwd, shadow, group?
>>
>> Noal
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andre Fernando Goldacker
>> Sent: Wednesday, April 04, 2007 8:40 AM
>> To: samba@lists.samba.org
>> Subject: [Samba] Issue with pam_winbind for MS AD authentication and module options
>>
>> Hello!
>>
>> I've configured samba with winbind and the pam_winbind module to authenticate users that connect to my linux box against MS AD. Works like a charm. If a user exists both in AD and locally, login should assume local users. Again, it works pretty well (it seems, at least with my current config).
>>
>> If my AD server goes down for any reason, local users should be able to login. For example, root has to login always, no matter if my AD server exploded. That's where the problem is. When I shut down my AD server and I try to login with a local user (root as well), my guess is that it seems that pam_winbind waits for a very very long time trying to find my AD server to authenticate, such that even the local login times out. I don't really know if that is the reason for this behaviour, but if it is, I'm wondering if there is a hidden or maybe a new timeout option for the pam_winbind module, as I didn't find anything related in the man pages and the mailing list archive. Or maybe if login finds the user in the local database, bypass winbind authentication; don't know if that is possible.
>>
>> The reason why I came up with this idea is that when the AD server is down and I try to login with root, for e.g., over and over many times, after a while it goes (looks like the pam config order is right), but a few minutes later it won't again, which made me think that perhaps winbind or pam_winbind are trying to establish a connection with AD and somehow because of that the whole process slows down so much that even local login times out.
>>
>> Samba is configured to catch UIDs and GIDs from AD using SFU and the ad idmap backend. Only users that are members of a specified AD group are able to login. The purpose of the machine is to be an application server and share folders based on AD users and group permissions.
>>
>> My system is RHEL AS3 with update 7 and samba-3.0.24.
>>
>> Below are my pam lines in the system-auth file:
>>
>>     #%PAM-1.0
>>     # This file is auto-generated.
>>     # User changes will be destroyed the next time authconfig is run.
>>     auth        required      /lib/security/$ISA/pam_env.so
>>     auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>>     auth        sufficient    /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
>>     auth        required      /lib/security/$ISA/pam_deny.so
>>     account     required      /lib/security/$ISA/pam_unix.so nullok_secure
>>     account     sufficient    /lib/security/$ISA/pam_winbind.so
>>     password    required      /lib/security/$ISA/pam_cracklib.so retry=3
>>     password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>>     password    required      /lib/security/$ISA/pam_deny.so
>>     session     required      /lib/security/$ISA/pam_limits.so
>>     session     required      /lib/security/$ISA/pam_unix.so
>>     session     required      /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel
>>
>> Considering that if a user exists both in the local user database and AD, login
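The thread turns on two ordering questions: whether nsswitch.conf lists real sources in the right order, and whether a local user can get through the PAM auth and account stacks without ever calling pam_winbind.so. The second point is the one that bites here: a 'required' pam_unix.so entry records success but does not stop the stack, so the 'sufficient' pam_winbind.so entry after it still runs for root, and when the DC is unreachable that call is what stalls the login. Only a 'sufficient' entry that succeeds for local users before pam_winbind.so short-circuits it, which is what the pam_succeed_if suggestion above does. The following checker is an added example, not code from this thread or from Samba; the two configuration strings are constructed to mirror what was posted (tabs restored, the long password/session entries omitted), and the function and variable names are my own.

```python
"""Check a RHEL-style /etc/pam.d/system-auth and /etc/nsswitch.conf for the
ordering that lets local users log in without consulting winbind.

Added example; the sample configurations below are constructed to mirror
the thread's posted files so the checks run offline."""

# Constructed sample of the posted system-auth (password/session omitted).
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so nullok_secure
account     sufficient    /lib/security/$ISA/pam_winbind.so
session     required      /lib/security/$ISA/pam_unix.so
"""

# Constructed sample of nsswitch.conf as first posted; 'group: files group'
# is the typo the poster later corrected to 'files winbind'.
NSSWITCH = """\
passwd: files winbind
shadow: files
group:  files group
"""

# NSS sources a checker should recognise; anything else is a typo.
KNOWN_SOURCES = {"files", "compat", "winbind", "nis", "ldap", "db", "dns"}


def parse_pam(text):
    """Return (type, control, module basename, args) per non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        mtype, control, path = parts[:3]
        entries.append((mtype, control, path.rsplit("/", 1)[-1], parts[3:]))
    return entries


def parse_nsswitch(text):
    """Return {database: [source, ...]} ignoring comments."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        dbs[db.strip()] = sources.split()
    return dbs


def stack(entries, mtype):
    """Modules of one management group (auth, account, ...) in stack order."""
    return [e for e in entries if e[0] == mtype]


def check(pam_text, nss_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    nss = parse_nsswitch(nss_text)
    for db in ("passwd", "shadow", "group"):
        srcs = nss.get(db, [])
        unknown = [s for s in srcs if s not in KNOWN_SOURCES]
        if unknown:
            findings.append(f"nsswitch {db}: unknown source {unknown}")
        if "files" not in srcs:
            findings.append(f"nsswitch {db}: 'files' missing, local accounts will not resolve")
        elif "winbind" in srcs and srcs.index("winbind") < srcs.index("files"):
            findings.append(f"nsswitch {db}: winbind listed before files")

    entries = parse_pam(pam_text)
    for mtype in ("auth", "account"):
        mods = stack(entries, mtype)
        names = [m[2] for m in mods]
        if "pam_winbind.so" not in names:
            continue
        wb = names.index("pam_winbind.so")
        # Only a 'sufficient' success terminates the stack early; a
        # 'required' success is recorded but the later modules still run.
        short_circuit = any(m[1] == "sufficient" for m in mods[:wb])
        if not short_circuit:
            findings.append(
                f"pam {mtype}: no 'sufficient' entry before pam_winbind.so, "
                "so winbind is consulted for every login, local users included")
    return findings


if __name__ == "__main__":
    for finding in check(SYSTEM_AUTH, NSSWITCH):
        print("-", finding)
```

Run against the posted files it reports the 'group' typo in nsswitch.conf and the account stack that always reaches pam_winbind.so; the auth stack passes because pam_unix.so is 'sufficient' there. Point it at the real /etc/pam.d/system-auth and /etc/nsswitch.conf by reading those files into the two arguments.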
RE: [Samba] CentOS samba upgrade
http://enterprisesamba.com/ is linked off of the samba site and has compiled binaries for RHEL/CentOS...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of M Azer
Sent: Monday, February 05, 2007 9:41 PM
To: samba
Subject: [Samba] CentOS samba upgrade

The CentOS samba version is 3.0.10, which is the package that comes with the distro. Is the only way to upgrade to the latest samba 3.0.24 to recompile the samba source? I have tried yum update samba, however it says 3.0.10 is the latest, so I downloaded 3.0.24 and tried rpm -Uvh or yum localinstall but I get the following dependency errors:

    # yum install samba-common-3.0.24-1.i386.rpm
    Setting up Install Process
    Setting up repositories
    Reading repository metadata in from local files
    Parsing package install arguments
    Examining samba-common-3.0.24-1.i386.rpm: samba-common - 3.0.24-1.i386
    Marking samba-common-3.0.24-1.i386.rpm as an update to samba-common - 3.0.10-1.4E.9.i386
    Resolving Dependencies
    --> Populating transaction set with selected packages. Please wait.
    ---> Package samba-common.i386 0:3.0.24-1 set to be updated
    --> Running transaction check
    --> Processing Dependency: libc.so.6(GLIBC_2.4) for package: samba-common
    --> Processing Dependency: libkrb5.so.3(krb5_3_MIT) for package: samba-common
    --> Processing Dependency: libgssapi_krb5.so.2(gssapi_krb5_2_MIT) for package: samba-common
    --> Processing Dependency: libldap-2.3.so.0 for package: samba-common
    --> Processing Dependency: libpam.so.0(LIBPAM_1.0) for package: samba-common
    --> Processing Dependency: liblber-2.3.so.0 for package: samba-common
    --> Processing Dependency: samba-common = 0:3.0.10 for package: samba-client
    --> Processing Dependency: rtld(GNU_HASH) for package: samba-common
    --> Processing Dependency: libk5crypto.so.3(k5crypto_3_MIT) for package: samba-common
    --> Finished Dependency Resolution
    Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package samba-common
    Error: Missing Dependency: libkrb5.so.3(krb5_3_MIT) is needed by package samba-common
    Error: Missing Dependency: libgssapi_krb5.so.2(gssapi_krb5_2_MIT) is needed by package samba-common
    Error: Missing Dependency: libldap-2.3.so.0 is needed by package samba-common
    Error: Missing Dependency: libpam.so.0(LIBPAM_1.0) is needed by package samba-common
    Error: Missing Dependency: liblber-2.3.so.0 is needed by package samba-common
    Error: Missing Dependency: samba-common = 0:3.0.10 is needed by package samba-client
    Error: Missing Dependency: rtld(GNU_HASH) is needed by package samba-common
    Error: Missing Dependency: libk5crypto.so.3(k5crypto_3_MIT) is needed by package samba-common
RE: [Samba] ntuser.dat
Hmmm...well, ntuser.dat is the registry hive that is loaded into HKEY_CURRENT_USER for each user. So..you are making the HKEY_CURRENT_USER registry hive read only? I am guessing that a user wouldn't be able to add printers, customize the desktop, etc. However, if any application wanted to write to HKEY_CURRENT_USER that would be a problem.

You could check out the activity on HKEY_CURRENT_USER by downloading regmon from sysinternals, which will show you registry activity that can be filtered to HKEY_CURRENT_USER.

If you want to see what is in this hive, open regedit, highlight HKEY_USERS, select File -> Load Hive, and browse to an ntuser.dat that is not in use. You will have to give a temporary name, which is how you will identify the loaded hive under HKEY_USERS.

Noal

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Lynn
Sent: Tuesday, February 06, 2007 1:42 PM
To: samba@lists.samba.org
Subject: [Samba] ntuser.dat

What are the implications of locking the ntuser.dat file on the user's server profile? That is, if I make the ntuser.dat file read-only, what effects will that have on the client?
RE: [Samba] Registering hostnames with an AD server?
net ads dns register -P will be very useful.

The only interim solution for Linux clients I have found would be to let a Windows DHCP server register DNS records on behalf of the Linux clients. Of course this means it would be necessary to use Windows DHCP for your Linux clients.

    vi /etc/dhclient-eth0.conf

    send fqdn.fqdn hostname.domain.com;
    send fqdn.encoded off;
    send fqdn.server-update on;
    prepend domain-name domain.com;

If the Window DNS domain

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gerald (Jerry) Carter
Sent: Friday, February 02, 2007 10:01 AM
To: Paul Smith
Cc: samba@lists.samba.org
Subject: Re: [Samba] Registering hostnames with an AD server?

Paul Smith wrote:
> So now I want to add my Linux desktop and have the same hostname setting happen... but I can't figure out how to get it to work. Most of the

There's new code in the svn tree for secure DNS updates using the machine trust account password. 'net ads dns register -P'. It works against Windows 2000 SP4 and Windows 2003 DNS servers. This will be in the next upgrade release.

cheers, jerry
=====================================================================
Samba    --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
RE: [Samba] Winbind caching group membership issue
After additional newsgroup trolling it appears that the require_membership_of=[SID or NAME] option to pam_winbind.so is the appropriate method for controlling ADS login by group. Unfortunately Red Hat's rpm man page for pam_winbind states pam_winbind does not support any additional options, which is obviously not correct. This was probably correct for the initial 3.x release?

So on a RHEL4_U4 box I did the following:

Created /etc/pam.d/auth-winbind with:

    auth    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=NameOfGroup1
    auth    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=NameOfGroup2

Edited /etc/pam.d/system-auth to include:

    auth    sufficient    /lib/security/$ISA/pam_stack.so service=auth-winbind

After a user attempts to logon (pass or fail) their group info is updated, so groups username and wbinfo -r username show the correct info. These 2 commands appear to only be updated after a logon attempt. getent will display correct info after winbind cache time expires.

So...logins are fast and accurate, problem solved. It is clear pam_listfile.so is not appropriate to use in the manner I had been trying.

Hope this helps.

Noal

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Miles, Noal
Sent: Friday, December 01, 2006 2:28 PM
To: samba@lists.samba.org
Subject: [Samba] Winbind caching group membership issue

Hi All,

I am using samba-common-3.0.10-1.4E.9 on a RHEL4_U4 x86 machine. The ADS server is WS03 sp1 running in Windows Server 2003 interim mode. In general things are working well. However, when winbind caching is enabled (default), group membership does not appear to update, i.e. wbinfo -r bob and groups bob don't reflect changes in ADS group membership. getent group groupname does show the correct info on the second query. Always takes 2 queries regardless of elapsed time. With winbind caching off, each command returns correctly the first time (though slowly).

Using tcpdump with winbind caching enabled, I can see the ADS domain controller being queried when winbind cache time expires when each command is executed. However, the wbinfo and groups results are not updated no matter the amount of elapsed time. It should be noted that if I stop winbind and delete *.tdb then restart, updated info is returned by wbinfo and groups but again, next changes will not be reflected.

Why do I care? I am trying to use pam_listfile.so to control what ADS accounts can log on to the box (by group membership). pam_listfile is not seeing updated group membership when winbind caching is enabled. Somewhat ironically pam_winbind.so sees things correctly, I suppose because it never consults the cache.

What am I missing?

Thanks for the help,
Noal

Some potentially relevant settings from smb.conf include:

    idmap backend = idmap_rid:APP=1700-4000
    winbind enum users = yes
    winbind enum groups = yes
    idmap uid = 1700-4000
    idmap gid = 1700-4000
    winbind use default domain = yes
    winbind cache time = 30
[Samba] Winbind caching group membership issue
Hi All,

I am using samba-common-3.0.10-1.4E.9 on a RHEL4_U4 x86 machine. The ADS server is WS03 sp1 running in Windows Server 2003 interim mode. In general things are working well. However, when winbind caching is enabled (default), group membership does not appear to update, i.e. wbinfo -r bob and groups bob don't reflect changes in ADS group membership. getent group groupname does show the correct info on the second query. Always takes 2 queries regardless of elapsed time. With winbind caching off, each command returns correctly the first time (though slowly).

Using tcpdump with winbind caching enabled, I can see the ADS domain controller being queried when winbind cache time expires when each command is executed. However, the wbinfo and groups results are not updated no matter the amount of elapsed time. It should be noted that if I stop winbind and delete *.tdb then restart, updated info is returned by wbinfo and groups but again, next changes will not be reflected.

Why do I care? I am trying to use pam_listfile.so to control what ADS accounts can log on to the box (by group membership). pam_listfile is not seeing updated group membership when winbind caching is enabled. Somewhat ironically pam_winbind.so sees things correctly, I suppose because it never consults the cache.

What am I missing?

Thanks for the help,
Noal

Some potentially relevant settings from smb.conf include:

    idmap backend = idmap_rid:APP=1700-4000
    winbind enum users = yes
    winbind enum groups = yes
    idmap uid = 1700-4000
    idmap gid = 1700-4000
    winbind use default domain = yes
    winbind cache time = 30
RE: [Samba] Winbind - how to map ADS group to Unix group
After much experimentation I think I can better frame this problem.

I wanted to be able to map an ADS domain group to a local Unix group. I also wanted to be able to map ADS domain groups/accounts to ROOT. For instance I wanted all members of the ADS group Domain Admins to map to ROOT. My Linux box was joined to the ADS domain but is not running smbd. Only winbindd is running.

After experimenting with suggestions to use:

    net groupmap
    username map

I have come to the conclusion that these approaches only work for interaction with smbd and don't help when all that is running is winbindd. It seems to me these approaches work for controlling resources exposed via (smbd). I am running only winbindd because at this point I am not concerned with sharing resources but more concerned with Single Sign On with ADS groups mapped to having rights on Linux boxes.

So this is what I have learned. Running winbindd only:

- use gpasswd -a DOM\Account unixgroup will add an ADS domain account to a local *nix group
- setting winbind trusted domains only = yes and then creating each domain account locally I can make a domain admin account = ROOT, but of course this means I have to create each account locally, which is no fun (I think this is what Choudary Mumtaz was proposing).

THE QUESTION: I think at this point I may be trying to make winbindd work in a way it wasn't really designed to. As a next step I was thinking of trying to edit the winbind DB and manually set the GID of Domain Admins to 0 or group Domain Users to 503. As far as I can tell there is not a command line interface to change the mappings within the winbindd DB. Does this make sense?

Thanks,
Noal

-----Original Message-----
From: Choudary Mumtaz [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 03, 2005 6:30 PM
To: Miles, Noal; 'Gerald (Jerry) Carter'
Cc: 'samba@lists.samba.org'
Subject: RE: [Samba] Winbind - how to map ADS group to Unix group

It might be a very silly way to do it, but this is how I accomplished it, as I never got any help from the group during my setup. Most of the tools provided by Samba didn't work for me, and I haven't been able to figure out the problem. I have added all the respective SAMBA groups to local /etc/group, so here you may make test2 a member of the Domain Users group, and it will work. If you would like to take a quick look at my setup, please feel free to visit http://www.miracletechs.com/sambainstall.html .

Thank you.

Miles, Noal [EMAIL PROTECTED] wrote:
> Winbind is configured for ads. I want Domain\Domain Users to be members of local linux group test2. I created a local group on the linux box:
>
>     groupadd -u 502 test2
>
> I have tried net groupmap addmem, it tells me the syntax is
>
>     net groupmap addmem alias-sid member-sid
>
> There is no SID for test2 so how can I use net groupmap addmem?
>
>     wbinfo -G 502
>     Cannot convert gid 502 to sid
>
>     net groupmap add ntgroup=Domain\Domain Users unixgroup=test2
>     Successfully added group Domain\Domain Users to the mapping db
>
>     getent group test2
>     test2:x:502:
>
> So this doesn't work either. I have also tried username map in smb.conf with no success.
>
> I appreciate the suggestions thus far. Any additional help would be greatly appreciated.
>
> Thanks,
> Noal
>
> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 01, 2005 8:00 AM
> To: Miles, Noal
> Cc: 'samba@lists.samba.org'
> Subject: Re: [Samba] Winbind - how to map ADS group to Unix group
>
> Miles, Noal wrote:
> | OK I set winbind nested group = yes
>
> use `net groupmap {addmem,delmem,listmem}'
>
> cheers, jerry
RE: [Samba] Winbind - how to map ADS group to Unix group
Winbind is configured for ads. I want Domain\Domain Users to be members of local linux group test2. I created a local group on the linux box:

    groupadd -u 502 test2

I have tried net groupmap addmem, it tells me the syntax is

    net groupmap addmem alias-sid member-sid

There is no SID for test2 so how can I use net groupmap addmem?

    wbinfo -G 502
    Cannot convert gid 502 to sid

    net groupmap add ntgroup=Domain\Domain Users unixgroup=test2
    Successfully added group Domain\Domain Users to the mapping db

    getent group test2
    test2:x:502:

So this doesn't work either. I have also tried username map in smb.conf with no success.

I appreciate the suggestions thus far. Any additional help would be greatly appreciated.

Thanks,
Noal

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 01, 2005 8:00 AM
To: Miles, Noal
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] Winbind - how to map ADS group to Unix group

Miles, Noal wrote:
| OK I set winbind nested group = yes

use `net groupmap {addmem,delmem,listmem}'

cheers, jerry
RE: [Samba] Winbind - how to map ADS group to Unix group
OK I set the winbind nested group = yes option in smb.conf. Still can't quite get it to work. The only doc I can find says:

    net rpc group add wheel -L        (why would I add this group, it is a built in *nix group?)
    net rpc group addmem wheel DOM\Domain Admins

I don't even have smbd running, only winbind. The wheel group is a built in Unix group. When I issue this command as the root account on the box the winbind log says user 'root' does not exist. When I issue the command as an ADS account the command returns could not connect to server 127.0.0.1

Am I missing something?

Thanks,
Noal

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, February 25, 2005 1:47 PM
To: Miles, Noal
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] Winbind - how to map ADS group to Unix group

Miles, Noal wrote:
| I am running 3.0.10-1.4E on RHEL4. The machine is
| a ADS member server. I would like to statically
| map the ADS group Domain Admins to the built in
| wheel group so all members of Domain Admins
| are in the wheel group.

Look at the 'winbind nested group' options in smb.conf.

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key --- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
[Samba] winbind: how to map Windows groups to existing unix groups; limit windows group to unix groups
Hi,

Did you ever find out how to do this?

Thanks,
Noal